npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Issue: package-lock.json saved with non-exact package versions


Node.js v10.5.0
NPM v6.1.0

.npmrc settings


When I’m trying to install some package, all dependencies in my package-lock.json update with non-exact versions. Here is the git diff after npm install --save-dev *any-package-name*:

What’s wrong?

Full Credits to the author of from which the content of this issue was copied.

I would have tagged this one with security as it has the potential for unrecognised version mismatches. And the wrong version of a dependency might be a security issue, as we all know. As I have learned, only staff can add the security tag ¯\_(ツ)_/¯

Starting with npm@6, we save whatever was in the dependent’s package.json into requires. This is done for three reasons:

  1. It makes it so we don’t need to read data off node_modules to do certain actions, so we can go faster
  2. It significantly reduces pkglock thrash. That means you’ll get fewer diffs going forward, once you do the big diff from the npm@6 upgrade.
  3. It makes it trivial to translate pkglock to other lockfile formats, and overall compatibility is important to us.

There’s nothing to be worried about here, and your settings won’t really change anything. Your versions are still locked to exact versions, as the requires field is just for documenting logical tree relationships and is informational.

tl;dr: make sure your whole team is on npm@6 or later, do a single npm install to upgrade your requires fields, and you should stop seeing weird diffs like these.