`npm i` changed my npm-shrinkwrap/package-lock, why?


(Rebecca Turner) #1

When running an npm install, my npm-shrinkwrap.json or package-lock.json changed even though I didn’t install anything new. Why is that?


(Rebecca Turner) #2

It can update it under the following circumstances:

  1. If it was invalid, referring to versions that are declared incompatible. Some versions of npm installed those incompatible versions (resulting in trees npm ls would show as invalid) and others silently fixed them. We do the latter now, but save the results of doing so back to the shrinkwrap so you actually know what happened.
  2. To introduce more metadata to make shrinkwrap support work better (they may not have run into the issues with them, but they were legion).

These were among the breaking changes that necessitated npm@5.

If you upgrade to npm@6 you will gain access to npm ci. npm ci will refuse to run if your package.json is incompatible with your shrinkwrap or lockfile and will never make changes, even to update metadata.

To sum up: npm i is for devs, making changes to their modules. npm ci is for CI and production environments, where something needing a change and slipping through indicates an error a human should correct.
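The compatibility check described above, as an added example (not npm's own code): a pre-flight script that compares the ranges declared in package.json against the versions pinned in a lockfileVersion-1 package-lock.json, so a mismatch is reported before npm i silently rewrites the lockfile. The semver matcher is a deliberate simplification (exact, ^, ~, >=, * only), and the two sample files are constructed.

```python
import re

def parse_version(v):
    """Parse 'MAJOR.MINOR.PATCH' (optional leading 'v') into a comparable tuple."""
    m = re.match(r"^v?(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unsupported version string: {v!r}")
    return tuple(int(x) for x in m.groups())

def satisfies(version, range_spec):
    """Simplified semver check: exact, ^, ~, >= and '*' (not npm's full grammar)."""
    v = parse_version(version)
    spec = range_spec.strip()
    if spec in ("*", "", "latest"):
        return True
    if spec.startswith("^"):  # caret: no change to the left-most non-zero component
        lo = parse_version(spec[1:])
        if lo[0] > 0:
            hi = (lo[0] + 1, 0, 0)
        elif lo[1] > 0:
            hi = (0, lo[1] + 1, 0)
        else:
            hi = (0, 0, lo[2] + 1)
        return lo <= v < hi
    if spec.startswith("~"):  # tilde: patch-level changes only
        lo = parse_version(spec[1:])
        return lo <= v < (lo[0], lo[1] + 1, 0)
    if spec.startswith(">="):
        return v >= parse_version(spec[2:])
    return v == parse_version(spec.lstrip("="))

def lockfile_mismatches(package_json, lock_json):
    """Return {name: (declared range, locked version)} for every top-level
    dependency whose locked version is missing or outside its declared range."""
    declared = dict(package_json.get("dependencies", {}))
    declared.update(package_json.get("devDependencies", {}))
    locked = lock_json.get("dependencies", {})
    bad = {}
    for name, spec in declared.items():
        locked_version = locked.get(name, {}).get("version")
        if locked_version is None or not satisfies(locked_version, spec):
            bad[name] = (spec, locked_version)
    return bad

# Constructed sample files: express is locked outside its declared ~4.16.0 range.
PACKAGE_JSON = {"dependencies": {"lodash": "^4.17.0", "express": "~4.16.0"},
                "devDependencies": {"mocha": "5.2.0"}}
LOCK_JSON = {"lockfileVersion": 1, "dependencies": {
    "lodash": {"version": "4.17.11"}, "express": {"version": "4.17.1"},
    "mocha": {"version": "5.2.0"}}}

if __name__ == "__main__":
    for name, (spec, got) in lockfile_mismatches(PACKAGE_JSON, LOCK_JSON).items():
        print(f"{name}: package.json wants {spec}, lockfile has {got}")
```

A non-empty result is the situation where npm i would rewrite the lockfile and npm ci would refuse to run.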