Issue: package-lock.json saved with non-exact package versions

cli

(iilei) #1

Environment

Node.js v10.5.0
NPM v6.1.0

.npmrc settings

save-exact=true
loglevel=silent

When I try to install a package, all dependencies in my package-lock.json are updated with non-exact versions. Here is the git diff after npm install --save-dev *any-package-name*:

What’s wrong?

Full Credits to the author of https://github.com/npm/npm/issues/21110 from which the content of this issue was copied.

I would have tagged this one with security as it has the potential for unrecognised version mismatches. And the wrong version of a dependency might be a security issue, as we all know. As I have learned, only staff can add the security tag ¯\_(ツ)_/¯


(Kat Marchán) #2

Starting with npm@6, we save whatever was in the dependent’s package.json into requires. This is done for three reasons:

  1. It makes it so we don’t need to read data off node_modules to do certain actions, so we can go faster
  2. It significantly reduces pkglock thrash. That means you’ll get fewer diffs going forward, once you do the big diff from the npm@6 upgrade.
  3. It makes it trivial to translate pkglock to other lockfile formats, and overall compatibility is important to us.

There’s nothing to be worried about here, and your settings won’t really change anything. Your versions are still locked to exact versions, as the requires field is just for documenting logical tree relationships and is informational.

tl;dr: make sure your whole team is on npm@6 or later, do a single npm install to upgrade your requires fields, and you should stop seeing weird diffs like these.
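To make the distinction in the reply above concrete, here is an added example (not code from the thread or from npm itself) that audits a constructed lockfileVersion 1 package-lock.json: it flags any installed "version" that is not an exact pin or lacks an "integrity" hash, and only checks that each name listed under "requires" resolves in the lock, since those ranges are informational. Package names, versions and the "sha512-PLACEHOLDER" hashes are constructed sample data.

```javascript
// Constructed sample lockfile (lockfileVersion 1, npm@5/6 format).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 1,
  dependencies: {
    "left-pad": {
      version: "1.3.0",
      integrity: "sha512-PLACEHOLDER",
    },
    "some-lib": {
      version: "2.4.1",
      integrity: "sha512-PLACEHOLDER",
      // npm@6 copies the dependent's declared ranges here; they are not pins.
      requires: { "left-pad": "^1.3.0", "ghost-pkg": "~0.1.0" },
    },
    "broken-entry": {
      version: "^3.0.0", // defect: the installed version must be X.Y.Z
    },
  },
};

// Exact semver: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Walk all (possibly nested) entries. Installed versions must be exact and
// carry an integrity hash. "requires" ranges are not flagged; each required
// name must exist either among the entry's nested deps or at top level
// (an approximation of Node's lookup, which also walks intermediate parents).
function auditLock(lock) {
  const top = lock.dependencies || {};
  const problems = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps)) {
      const label = path ? `${path} > ${name}` : name;
      if (!EXACT_VERSION.test(entry.version || "")) {
        problems.push(`${label}: version "${entry.version}" is not exact`);
      }
      if (!entry.integrity) problems.push(`${label}: missing integrity hash`);
      const nested = entry.dependencies || {};
      for (const req of Object.keys(entry.requires || {})) {
        if (!nested[req] && !top[req]) {
          problems.push(`${label}: requires "${req}" which is not in the lock`);
        }
      }
      walk(nested, label);
    }
  };
  walk(top, "");
  return problems;
}

console.log(auditLock(SAMPLE_LOCK).join("\n"));
```

Run against a real lockfile with `auditLock(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))`; on a healthy npm@6 lock the only output should be nothing, even though the requires fields contain caret ranges.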


(system) #3

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.