
Why does package-lock.json have different listed dependencies to package.json?

I installed eslint and noticed that it initialized a package-lock.json file and installed a bunch of modules in my node_modules folder that I didn't request. I'm not sure why.

More importantly, there are discrepancies between my package.json and package-lock.json listed dependencies. My understanding was that package.json listed my installed dependencies with their semver and package-lock ensured that the exact version I was using is also used by anyone else installing the modules.

So my questions are:

  1. Why are there discrepancies and shouldn't they have mirror listed dependencies?
  2. Which .json will install dependencies upon request and why?
  3. Why were these installed in the first place from eslint?

Thanks

asked Oct 31 '25 07:10

nodumbqs


1 Answer

The dependencies listed on package.json are the ones you install by using npm install.

When you run npm install eslint, npm will add a line in dependencies with eslint and the installed version.

"dependencies": {
    "eslint": "^7.5.0"
}

The package-lock.json file contains all dependencies - the ones you installed and the ones required by the other packages. For example, eslint has 36 Dependencies (check the Dependencies tab).

To install a specific version of eslint you should do npm install eslint@7.5.0. The package.json file will now reference that specific version:

"dependencies": {
    "eslint": "7.5.0"
}

Note that the ^ symbol is not showing. This symbol means compatible with version and follows semver. You can check other options here.

answered Nov 01 '25 21:11

nip
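
Added example (not part of the answer above, and not npm's own code): a small Node.js check that separates direct from transitive entries in a lockfile and flags any direct dependency whose locked version falls outside the range in package.json. It assumes the lockfileVersion 2/3 layout with a `packages` map; the `chalk` entry and the locked versions are constructed sample data, and `satisfies` and `auditLock` are hypothetical helper names.

```javascript
// Constructed sample data: the eslint range is the one shown in the answer;
// the transitive entry (chalk) and all locked versions are made up.
const pkg = { dependencies: { eslint: "^7.5.0" } };
const lock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { eslint: "^7.5.0" } }, // the project itself
    "node_modules/eslint": { version: "7.5.0", dependencies: { chalk: "^4.0.0" } },
    "node_modules/chalk": { version: "4.1.0" },
  },
};

// Simplified matcher (assumption): exact versions and caret ranges only, no
// prerelease tags. Real tooling should use the `semver` package instead.
function satisfies(version, range) {
  if (!range.startsWith("^")) return version === range;
  const [M, m, p] = range.slice(1).split(".").map(Number);
  const [vM, vm, vp] = version.split(".").map(Number);
  const atLeast = vM > M || (vM === M && (vm > m || (vm === m && vp >= p)));
  // A caret range freezes the left-most non-zero component.
  const sameLead = M > 0 ? vM === M
    : m > 0 ? vM === 0 && vm === m
    : vM === 0 && vm === 0 && vp === p;
  return atLeast && sameLead;
}

// Split lockfile entries into direct and transitive, and flag drift between
// the ranges in package.json and the versions pinned in package-lock.json.
function auditLock(pkg, lock) {
  const direct = { ...pkg.dependencies, ...pkg.devDependencies };
  const report = { direct: [], transitive: [], problems: [] };
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "") continue; // skip the root project entry
    const name = path.split("node_modules/").pop(); // handles nested and scoped
    const isDirect = path === `node_modules/${name}` && Object.hasOwn(direct, name);
    report[isDirect ? "direct" : "transitive"].push(`${name}@${entry.version}`);
  }
  for (const [name, range] of Object.entries(direct)) {
    const entry = lock.packages[`node_modules/${name}`];
    if (!entry) report.problems.push(`${name}: missing from lockfile`);
    else if (!satisfies(entry.version, range))
      report.problems.push(`${name}: locked ${entry.version} is outside ${range}`);
  }
  return report;
}

console.log(auditLock(pkg, lock));
```

For reproducible installs, `npm ci` installs exactly what the lockfile pins and exits with an error when package-lock.json is out of sync with package.json.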


