npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

`npm i --package-lock-only` changes lock file incorrectly when file: references used in dependencies

What I Wanted to Do

Use npm i --package-lock-only interchangeably with npm i for the purposes of lock file updating.

What Happened Instead

npm i --package-lock-only made significant changes to a package-lock.json when npm i does not make any changes.

Reproduction Steps

First of all, this way works as neither npm step updates package-lock.json:

git clone
cd apollo-server
    git checkout a88574d731d5fb84f0baaf2484ff596361e0ff3c
npm i
npm i --package-lock-json

After each of the above npm commands, git status returns no results. But if you do this non-working way:

git clone
cd apollo-server
    git checkout a88574d731d5fb84f0baaf2484ff596361e0ff3c
npm i --package-lock-json

Then git status shows major changes. In other words, npm i --package-lock-only only functions as expected if the node_modules are in place first, which defeats the purpose of --package-lock-only.

git diff extract:

diff --git a/package-lock.json b/package-lock.json
index 76d95b5a..5c448ce0 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1459,6 +1459,7 @@
	   "resolved": "",
	   "integrity": "sha1-DNkKVhCT810KmSVsIrcGlDP60Rc=",
	   "dev": true,
+      "optional": true,
	   "requires": {
		 "kind-of": "^3.0.2",
		 "longest": "^1.0.1",
@@ -1560,36 +1561,21 @@
	 "apollo-cache-control": {
-      "version": "file:packages/apollo-cache-control",
-      "requires": {
-        "apollo-server-env": "file:packages/apollo-server-env",
-        "graphql-extensions": "file:packages/graphql-extensions"
-      }
+      "version": "file:packages/apollo-cache-control"
	 "apollo-datasource": {
-      "version": "file:packages/apollo-datasource",
-      "requires": {
-        "apollo-server-caching": "file:packages/apollo-server-caching",
-        "apollo-server-env": "file:packages/apollo-server-env"
-      }
+      "version": "file:packages/apollo-datasource"

Platform Info

❯ npm --versions
{ npm: '6.3.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.11.1',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.50',
  zlib: '1.2.11' }
$ node -p process.platform

Note: I don’t think this is OSX-specific as it happens on Linux too.

I can confirm the experience that @rarkins has described above is not isolated to their own setup.

I also experience this issue on the same platform (macOS) when using npm install --package-lock-only (without npm install first) on the Apollo Server repository (where we utilize file: references).

I looked at it a bit, could it be because of these lines?

I think postInstallSteps extracts into node_modules before saving to dependencies. Maybe switching to installSteps could fix this as it seems it doesn’t go through the same extraction? I’m not sure, will wait on someone more knowledgeable than me to comment.