Lockfiles

Ultimately, npm install is a command that takes a package.json and builds a node_modules folder from it. However, does it always produce the same one? The answer is sometimes, and we will cover the details in a bit.

If you've made a new project, or recently updated npm to version 5, you may have noticed a new file alongside the familiar package.json: package-lock.json. Inside, the contents look like this:

{
  "name": "app1",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "dependencies": {
    "align-text": {
      "version": "0.1.4",
      "resolved": "https://registry.npmjs.org/align-text/-/align-text-0.1.4.tgz",
      "integrity": "sha1-DNkKVhCT810KmSVsIrcGlDP60Rc=",
      "dev": true
    },
    "babel-core": {
      "version": "6.25.0",
      "resolved": "https://registry.npmjs.org/babel-core/-/babel-core-6.25.0.tgz" ...
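The resolved and integrity fields are what make the lockfile useful for supply-chain review: each entry pins where a tarball came from and what it must hash to. As an added example (not from the book and not part of npm itself), here is a small checker that walks a lockfileVersion-1 package-lock.json, flags tarballs fetched over plain http or from a host outside an allowlist, and validates each integrity string (algorithm, base64, digest length, with sha1 marked as weak). The sample lockfile is constructed to mirror the excerpt above; the allowlist and the sha1 policy are this example's choices, and the function expects the already parsed JSON dict.

```python
import base64
from urllib.parse import urlparse

# Raw digest length in bytes for each SRI hash the "integrity" field may carry.
DIGEST_LEN = {"sha1": 20, "sha256": 32, "sha384": 48, "sha512": 64}

def check_integrity(value):
    """Findings for one SRI string such as 'sha1-DNkKVhCT810KmSVsIrcGlDP60Rc='."""
    if not value or "-" not in value:
        return ["integrity missing or malformed"]
    algo, _, b64 = value.partition("-")
    if algo not in DIGEST_LEN:
        return [f"unknown integrity algorithm {algo!r}"]
    findings = ["weak integrity algorithm sha1 (prefer sha512)"] if algo == "sha1" else []
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return findings + ["integrity digest is not valid base64"]
    if len(raw) != DIGEST_LEN[algo]:
        findings.append(f"{algo} digest is {len(raw)} bytes, expected {DIGEST_LEN[algo]}")
    return findings

def audit_lockfile(lock, allowed_hosts=("registry.npmjs.org",)):
    """Walk a parsed lockfileVersion-1 package-lock and return (package, finding) pairs."""
    if lock.get("lockfileVersion") != 1:
        raise ValueError("this checker understands lockfileVersion 1 only")
    results = []
    def walk(deps, prefix=""):
        for name, entry in deps.items():
            path = f"{prefix}{name}@{entry.get('version', '?')}"
            url = urlparse(entry.get("resolved", ""))
            if url.scheme != "https":
                results.append((path, f"resolved URL is not https: {entry.get('resolved')!r}"))
            elif url.hostname not in allowed_hosts:
                results.append((path, f"resolved host {url.hostname!r} is not allow-listed"))
            results.extend((path, f) for f in check_integrity(entry.get("integrity")))
            # v1 lockfiles nest transitive deps under each entry's own "dependencies" key.
            walk(entry.get("dependencies", {}), prefix=path + " > ")
    walk(lock.get("dependencies", {}))
    return results

# Constructed sample modelled on the excerpt: one registry entry plus one suspicious entry.
SAMPLE = {"name": "app1", "version": "1.0.0", "lockfileVersion": 1, "dependencies": {
    "align-text": {"version": "0.1.4", "dev": True,
                   "resolved": "https://registry.npmjs.org/align-text/-/align-text-0.1.4.tgz",
                   "integrity": "sha1-DNkKVhCT810KmSVsIrcGlDP60Rc="},
    "some-dep": {"version": "2.0.0",  # hypothetical package name, not a real one
                 "resolved": "http://mirror.example.invalid/some-dep-2.0.0.tgz",
                 "integrity": "sha512-" + base64.b64encode(b"\0" * 64).decode()}}}
```

Running audit_lockfile(SAMPLE) reports the sha1 digest on align-text and the non-https download for some-dep; in a real repository you would load package-lock.json with json.load and run the same check in CI.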
