How to add a new npm package without updating existing dependencies in package.json/lock

Great question—this is a common scenario when you want to keep your dependency tree stable while adding new packages. Here are two reliable ways to add a new npm package to your package.json and package-lock.json without updating existing dependencies or installing anything extra:

How to Add New Packages Without Altering Existing Dependencies

Method 1: Use npm install with --package-lock-only

This is the simplest, most direct approach. The --package-lock-only flag tells npm to only update your package-lock.json and sync the new package entry to package.json—it skips all actual installation steps, so no changes are made to your node_modules folder or existing dependencies.

  • For production dependencies (packages your app needs to run):
    npm install <your-package-name> --save --package-lock-only
    
  • For development dependencies (tools like linters, test runners):
    npm install <your-package-name> --save-dev --package-lock-only
    
  • To pin an exact version (instead of using a version range), append @<version-number>:
    npm install lodash@4.17.21 --save --package-lock-only
    

What this does exactly:

  • Adds the new package to your package.json under the correct section (dependencies or devDependencies), using the resolved exact version.
  • Updates package-lock.json with the new package's full dependency tree, but leaves all existing dependency versions and entries completely untouched.
  • No packages are downloaded or installed—your node_modules stays exactly as it was.

Method 2: Manual package.json Edit + Sync Lock File

If you prefer to manually add the package entry first, you can then sync it to package-lock.json without installing anything:

  1. Open your package.json and add the new package to either dependencies or devDependencies with your desired version, keeping the existing entries in place. JSON does not allow comments, so the fragment below shows only the added line. For example:
    "dependencies": {
      "axios": "^1.6.0"
    }
    
  2. Run this command to generate the corresponding entries in package-lock.json without installing any packages:
    npm install --package-lock-only
    

Key Tips to Avoid Accidental Updates:

  • Never run plain npm install without the --package-lock-only flag here—it will install all packages, and may update existing ones if their version ranges allow.
  • If you want to ensure the new package's version is strictly locked (no minor/patch updates automatically), use an exact version (remove ^ or ~ from the version string) or add the --save-exact flag:
    npm install <package-name> --save --save-exact --package-lock-only
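
To confirm that either method left the already-locked packages untouched, compare package-lock.json before and after the change. The script below is an added example, not part of the original answer: `diffLock` and `onlyAdds` are hypothetical helper names, it assumes lockfileVersion 2 or 3 (which carry a `packages` map), and every version, URL and hash in the sample data is a constructed placeholder.

```javascript
// Added example: audit a lock file change. Inputs are parsed package-lock.json
// objects (lockfileVersion 2 or 3, which carry a "packages" map keyed by path).
const PINNED = ["version", "resolved", "integrity"]; // fields that fix what gets installed
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function diffLock(before, after) {
  const oldPkgs = before.packages || {};
  const newPkgs = after.packages || {};
  const report = { added: [], removed: [], changed: [] };
  for (const [path, entry] of Object.entries(newPkgs)) {
    if (path === "") continue; // root project entry: its dependency list is expected to change
    if (!has(oldPkgs, path)) { report.added.push(path); continue; }
    for (const field of PINNED) {
      if (oldPkgs[path][field] !== entry[field]) {
        report.changed.push({ path, field, from: oldPkgs[path][field], to: entry[field] });
      }
    }
  }
  for (const path of Object.keys(oldPkgs)) {
    if (path !== "" && !has(newPkgs, path)) report.removed.push(path);
  }
  return report;
}

// True only when nothing that was already locked has been removed or re-resolved.
const onlyAdds = (r) => r.removed.length === 0 && r.changed.length === 0;

// Constructed sample data (versions, URLs and hashes are placeholders, not real values).
const pkg = (version, tag) => ({
  version,
  resolved: `https://registry.example/${tag}-${version}.tgz`,
  integrity: `sha512-PLACEHOLDER-${tag}-${version}`,
});
const before = { lockfileVersion: 3, packages: {
  "": { dependencies: { lodash: "^4.17.21" } },
  "node_modules/lodash": pkg("4.17.21", "lodash"),
} };
const cleanAdd = { lockfileVersion: 3, packages: {
  "": { dependencies: { lodash: "^4.17.21", axios: "^1.6.0" } },
  "node_modules/lodash": pkg("4.17.21", "lodash"),
  "node_modules/axios": pkg("1.6.0", "axios"),
} };
// Same addition, but an existing entry was re-resolved along the way (constructed version).
const drifted = { lockfileVersion: 3, packages: {
  ...cleanAdd.packages,
  "node_modules/lodash": pkg("4.17.22", "lodash"),
} };

console.log(diffLock(before, cleanAdd), onlyAdds(diffLock(before, cleanAdd)));
console.log(diffLock(before, drifted), onlyAdds(diffLock(before, drifted)));
```

For real use, load the two objects with `JSON.parse` from the committed lock file and the regenerated one, and fail the review or CI step when `onlyAdds` returns false.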
    

The question comes from Stack Exchange; it was asked by Dan.