package-lock.json file, package with "optional": true

Question

One of my work mate's PRs contains a package-lock.json update, which added "optional": true:

 "minimist": {    "version": "0.0.8",    "bundled": true, -  "dev": true +  "dev": true, +  "optional": true  },  "minipass": { 

I am not sure what this means even after googling around. Could someone please explain?

Answer 1

From https://docs.npmjs.com/files/package-lock.json#optional:

If true then this dependency is either an optional dependency ONLY of the top level module or a transitive dependency of one. This is false for dependencies that are both an optional dependency of the top level and a transitive dependency of a non-optional dependency of the top level.

It's safe to merge this change.

The reason you see this change is most likely because npm slightly changed how package-lock.json is structured in version 6.6. Your mate basically ran npm install with npm 6.6+ on a package-lock.json previously generated with npm 6.5-.

You should be able to avoid this kind of issue by making sure everyone on your team uses a recent version of npm.

Answer 2

After a package is removed from dependencies, its dependencies are marked "optional": true in package-lock.json.

It is usually safe to remove such packages either by hand or by

$ rm -rf package-lock.json node_modules/ $ npm install 

However, this is not 100% safe, as some packages will be updated to newer versions.