npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

NPM CI not requiring package.json and package-lock.json to match

What I Wanted to Do

I removed a dependency manually from package.json and ran npm ci expectign it to fail because package.json and package-lock.json did not “match”

What Happened Instead

npm ci ran without errors

Reproduction Steps

remove a dependency manually from package.json
run npm ci
no errors are returned


It appears that as long as package-lock.json knows how to satisfy all dependencies listed in package.json everything is fine. However, this is not strictly a “match” as described in the documentation

If dependencies in the package lock do not match those in package.json , npm ci will exit with an error, instead of updating the package lock.

Platform Info

$ npm --versions
{ demo: '0.1.0',
  npm: '6.9.0',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.3',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }

$ node -p process.platform