When you select a package version to install through the Package Manager window, you are adding a “dependency” to your project manifest. This is a declaration that you need a specific version of a particular package in order for the project to work. To add a dependency to your project, you add a reference to the package and version in the form
package-name@package-version to the dependencies property of the
<project-root>/Packages/manifest.json file. These are called “direct” dependencies because your project directly depends on them.
Packages can also require other packages in order to work. These are called “indirect”, or transitive, dependencies. The package developer adds these to the dependencies property of the package manifest file during development (
<package-root>/package.json). For example, in the diagram below, the
firstname.lastname@example.org package has a dependency on the
email@example.com package, so the timeline package is an “indirect ”dependency. On the other hand, the project has dependencies on the
firstname.lastname@example.org packages, so those are both “direct” dependencies.
When you add a package version as a dependency, that version is not necessarily the version that the Package Manager installs, because it has to consider all of the dependencies in your project, whether direct or indirect. For example, in this case, the Settings Manager package requested was version 1.0.1, but the installed version is actually version 1.0.3 because another package depended on the higher version, as indicated in the information message (B):
The Package Manager can only install one package version at a time, so it has to construct a dependency graph, which is a list of every direct and indirect dependency for the project. The dependency graph determines which version of each package to install.
When the Package Manager successfully resolves all version conflicts, it saves the resolution in a lock file to ensure determinism (so that the same packages are reliably installed every time), and to reduce the amount of time and resources it takes to compute the dependency graph again.