The npm community forum has been discontinued.
To discuss usage of npm, visit the GitHub Support Community.
NPM ignores git hashes in lockfile
What I Wanted to Do
I wanted to install the exact version of all dependencies specified in my package-lock.json. Which is kind of the point of the file.
What Happened Instead
NPM went and installed the latest version of my git based dependencies.
I do not understand who, or why anyone thought this was an acceptable idea. There is no other package manager in existence where a lock file is not an actual lock on what packages get installed when you run ‘install’.
$ npm --versions
6.4.1
$ node -p process.platform
v8.11.4
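A lockfile is only a lock for a git dependency if the entry records a full commit hash, so a quick pre-install check is worth having regardless of what npm then does with it. The script below is an added example, not from this thread or from npm itself; it assumes the npm 6 (lockfileVersion 1) layout, in which a git dependency's version field holds the resolved git URL with the commit after "#" and the from field holds the requested spec, and it runs on a constructed sample lockfile.

```javascript
// Added example: report git dependencies in an npm 6 (lockfileVersion 1)
// package-lock.json that are not pinned to a full 40-hex commit hash.
// Assumption: a git dependency's "version" carries "git+<url>#<commit>"
// (or "github:<owner>/<repo>#<commit>") and "from" carries the requested spec.

const GIT_PREFIX = /^(git\+[a-z]+:|git:|github:)/i;
const FULL_SHA = /#[0-9a-f]{40}$/i;

// Walk the (possibly nested) "dependencies" tree and collect git-sourced entries.
function collectGitDeps(deps, parentPath = '', out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const path = parentPath ? `${parentPath} > ${name}` : name;
    const spec = String(entry.version || entry.resolved || '');
    if (GIT_PREFIX.test(spec)) {
      out.push({ path, name, spec, from: entry.from || null });
    }
    if (entry.dependencies) collectGitDeps(entry.dependencies, path, out);
  }
  return out;
}

// A git dependency counts as pinned only when its resolved spec ends in a full
// commit SHA; a branch, tag, short hash or bare URL is reported as floating.
function checkLockfile(lock) {
  if (lock.lockfileVersion !== 1) {
    throw new Error(`expected lockfileVersion 1, got ${lock.lockfileVersion}`);
  }
  return collectGitDeps(lock.dependencies)
    .map((d) => ({ ...d, pinned: FULL_SHA.test(d.spec) }));
}

// Constructed sample lockfile: one pinned git dependency with a floating git
// dependency nested under it, plus a registry package that must be ignored.
const SAMPLE_LOCK = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    'pinned-lib': {
      version: 'git+https://example.invalid/org/pinned-lib.git#0123456789abcdef0123456789abcdef01234567',
      from: 'git+https://example.invalid/org/pinned-lib.git#v1.2.0',
      dependencies: {
        'floating-lib': {
          version: 'git+ssh://git@example.invalid/org/floating-lib.git#master',
          from: 'git+ssh://git@example.invalid/org/floating-lib.git#master',
        },
      },
    },
    'registry-lib': { version: '2.0.0', resolved: 'https://registry.npmjs.org/registry-lib/-/registry-lib-2.0.0.tgz' },
  },
};

for (const f of checkLockfile(SAMPLE_LOCK)) {
  console.log(`${f.pinned ? 'OK  ' : 'WARN'} ${f.path}: ${f.spec}`);
}
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))` and fail the build on any finding with `pinned === false`.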
Do you have a more recent way to reproduce this issue? The repository in the repro you linked isn’t available anymore, and I only succeeded in reproducing this myself in a situation where node_modules already had the new commit installed.