By default, npm installs all packages directly in node_modules
.
However, let’s say that package X
is dependent on package Z
in version 1.0 and package Y
is dependent on the same package Z
, but in version 2.0. In this case we have to install two versions of this package. One will be installed in root node_modules
folder, and another one will be installed in node_modules
folder of dependant package, e.g.
package.json
node_modules
/X
/Y
/node_modules
/Z@2.0
/Z@1.0
Equally likely, npm could build a different, but still correct, package tree:
package.json
node_modules
/X
/node_modules
/Z@1.0
/Y
/Z@2.0
The package-lock.json
file will attempt to describe not only the dependencies of your project, but this tree structure as well. Which of the two trees above to build will be encoded in the JSON.
With this knowledge, it’s easy to understand:
“requires” reflects dependencies from package.json
file of this dependency, while dependencies
reflects actually installed dependencies in node_modules folder of this dependency.