Difference between `npm update` and `remove package-lock.json` plus `npm install`?

Question

What is essential difference between these commands, except that npm update modify package.json?

rm package-lock.json
npm install

npm update --dev

Answer 1

In package-lock.json basically the indirect dependencies are locked. The indirect dependencies mean those dependencies, that are not specified in the package.json of your project but they are the dependencies of your dependencies.

When npm update --dev is called some dependencies are updated in the package.json. After the entries are updated an install is called, this install updates in package-lock.json those thirdparties that are in connection with the modified ones in the package.json. This means that both the direct and indirect dependencies are updated in the package-lock.json. But only for those, that were modified in package.json. The thirdparties that remained the same in the package.json won't be touched in the package-lock.json. (Both direct and indirect dependencies of them remain the same.)

When rm package-lock.json and npm install is called, then the information is lost about the indirect dependencies with the removing of the package-lock.json. As npm install is called, a new package-lock.json is generated and the indirect dependencies could be changed for all of your dependencies.

Let's see an example for this.

In package-lock.json we have an indirect dependency the tslib: 1.9.0.

"tslib": {
  "version": "1.9.0",
  "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.9.0.tgz",
  "integrity": "sha512-f/qGG2tUkrISBlQZEjEqoZ3B2+npJjIf04H1wuAv9iA8i04Icp+61KRXxFdha22670NJopsZCIjhC3SnjPRKrQ=="
},

The tslib is a dependency of all Angular modules, that are specified directly in thepackage.json:

"dependencies": {
  "@angular/animations": "8.2.12",
  "@angular/cdk": "~8.2.3",
  "@angular/common": "8.2.12",
  "@angular/compiler": "8.2.12",
  "@angular/core": "8.2.12",
  "@angular/flex-layout": "^8.0.0-beta.27",
  "@angular/forms": "8.2.12",
  "@angular/material": "^8.2.3",
  "@angular/platform-browser": "8.2.12",
  "@angular/platform-browser-dynamic": "8.2.12",
  "@angular/platform-server": "8.2.12",
  "@angular/router": "8.2.12",
  "@nguniversal/module-map-ngfactory-loader": "8.1.1",
  "aspnet-prerendering": "^3.0.1",
  "bootstrap": "^4.3.1",
  "core-js": "^2.6.5",
  "hammerjs": "^2.0.8",
  "jquery": "3.4.1",
  "oidc-client": "^1.9.0",
  "popper.js": "^1.14.3",
  "rxjs": "^6.4.0",
  "zone.js": "~0.9.1"
},
"devDependencies": {
  "@angular-devkit/build-angular": "^0.800.6",
  "@angular/cli": "8.3.18",
  "@angular/compiler-cli": "8.2.12",
  "@angular/language-service": "8.2.12",
  "@types/jasmine": "~3.3.9",
  "@types/jasminewd2": "~2.0.6",
  "@types/node": "~11.10.5",
  "codelyzer": "^5.0.1",
  "jasmine-core": "~3.3.0",
  "jasmine-spec-reporter": "~4.2.1",
  "karma": "^4.0.0",
  "karma-chrome-launcher": "~2.2.0",
  "karma-coverage-istanbul-reporter": "~2.0.5",
  "karma-jasmine": "~2.0.1",
  "karma-jasmine-html-reporter": "^1.4.0",
  "typescript": "3.4.5"
},
"optionalDependencies": {
  "node-sass": "^4.9.3",
  "protractor": "~5.4.0",
  "ts-node": "~5.0.1",
  "tslint": "~5.9.1"
}

If we call npm update --dev, following changes are done:

+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ [email protected]
+ @types/[email protected]
+ @types/[email protected]
+ [email protected]
+ [email protected]

We can see, that in the package.json the Angular dependencies are not touched. It follows that the tslib is also remained on version 1.9.0 in the package-lock.json.

However if we remove the package-lock.json, remove the node_modules, do the above updates in the package.json manually and call npm install we can see in the newly generated package-lock.json that the tslib is also updated to 1.12.0. (If we do not remove the node_modules the same version could be put back in the package-lock.json as previously.)

Conclusion

So the difference is, that in case of npm update --dev only those direct and indirect dependencies are updated, which were in connection with the changed ones in the package.json. But in case of rm package-lock.json and npm install all indirect dependencies can change.