My understanding is that:
There are certain npm packages that are intended only for use on certain operating systems.
For example fsevents is only for macOS - it's for listening to file changes in a directory tree.
The os and cpu properties of package.json can be used to mark said packages this way.
The purpose of a package-lock.json is to have the exact same dependencies be installed on each run of npm i - this way you don't have 100 different developers all working with 100 different versions of dependencies and constant 'it works on my machine' type problems.
How does this work as it relates to an application that might be being built by some users on macOS and others on Windows?
What happens if a dependency is required and but the host operating system does not match? Does npm just error?
Does that mean that all OS-specific packages should always be marked as optional (or else the consuming package itself be marked as OS specific).
I note that Vite for example marks fsevents as an optional dependency.
Or does the package get installed, and it's up to the consuming code to detect OS/CPU architecture and use/not use it?
What happens to the package-lock.json when two different operating systems install the dependencies?
I assume that you wouldn't have a situation where the package-lock.json keeps changing between different OS installation runs.
Historically (npm v6 and older), this was a major pain point known as "Lockfile Thrashing," where a Windows user would install, commit the lockfile, and break the build for macOS users.
However, in modern npm (v7+), this is handled via Universal Lockfiles and Optional Dependencies.
Here is the breakdown of how it works:
The "Universal" Lockfile
You asked: What happens to the package-lock.json when two different operating systems install the dependencies?
In modern npm, the package-lock.json is a superset blueprint. It describes the dependency tree for every possible operating system, not just the one currently running the install.
fsevents (or other OS-specific binaries), notes that it matches the current OS, and downloads the tarball to node_modules.fsevents, checks the os metadata, sees it is macOS-only, and skips the download.fsevents entry from package-lock.json. It leaves the metadata there so that the lockfile remains consistent for the rest of the team.optionalDependencies is key
You asked: Does that mean that all OS-specific packages should always be marked as optional?
Yes. If a package relies on native bindings or specific OS features (like fsevents), it should be listed in optionalDependencies.
dependencies and the OS check fails, npm may throw EBADPLATFORM and stop the install.optionalDependencies, npm attempts to install it. If the os or cpu check fails (or compilation fails), npm ignores the error and continues the installation process.Runtime Detection
You asked: Does the package get installed, and it's up to the consuming code to detect it?
If the OS check fails, the package folder is not created in node_modules. The code is physically missing from the disk. Therefore, the consuming library must handle this at runtime.
A common pattern (used by libraries like chokidar) looks like this:
let fsevents;
try {
fsevents = require('fsevents');
} catch (error) {
// Dependency is missing (likely on Windows/Linux)
// Fallback to standard fs.watch
}
package-lock.json files do not change between OS runs; they store metadata for all platforms simultaneously.npm selectively installs only the binaries relevant to the current machine's architecture.