NPM ignores git hashes in lockfile

help-wanted
cli
triaged
priority:medium

(Bart Riepe) #1

What I Wanted to Do

I wanted to install the exact version of all dependencies specified in my package-lock.json. Which is kind of the point of the file.

What Happened Instead

NPM went and installed the latest version of my git-based dependencies.

Reproduction Steps

See https://github.com/npm/npm/issues/18095

Details

I do not understand who, or why anyone thought this was an acceptable idea. There is no other package manager in existence where a lock file is not an actual lock on what packages get installed when you run ‘install’.

Platform Info

$ npm --versions
6.4.1
$ node -p process.platform
v8.11.4

(Lars Willighagen) #2

Do you have a more recent way to reproduce this issue? The repository in the repro you linked isn’t available anymore, and I only succeeded in reproducing this myself in a situation where node_modules already had the new commit installed.


(system) closed #3

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.