The npm community forum has been discontinued.
To discuss usage of npm, visit the GitHub Support Community.
Issue: package-lock.json saved with non-exact package versions
When I’m trying to install some package, all dependencies in my package-lock.json update with non-exact versions. Here is the git diff after `npm install --save-dev *any-package-name*`:
Full Credits to the author of https://github.com/npm/npm/issues/21110 from which the content of this issue was copied.
I would have tagged this one with `security`, as it is a potential source of unrecognised version mismatches. And the wrong version of a dependency might be a security issue, as we all know. As I have learned, only staff can add the `security` tag ¯\_(ツ)_/¯
Starting with npm@6, we save whatever was in the dependent’s package.json into `requires`. This is done for three reasons:
- It makes it so we don’t need to read data off node_modules to do certain actions, so we can go faster
- It significantly reduces pkglock thrash. That means you’ll get fewer diffs going forward, once you do the big diff from the npm@6 upgrade.
- It makes it trivial to translate pkglock to other lockfile formats, and overall compatibility is important to us.
There’s nothing to be worried about here, and your settings won’t really change anything. Your versions are still locked to exact versions, as the `requires` field is just for documenting logical tree relationships and is informational.
tl;dr: make sure your whole team is on npm@6 or later, do a single `npm install` to upgrade your `requires` fields, and you should stop seeing weird diffs like these.