npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm install changes package-lock extensively

From what I can find by reading old github issues and stack overflow posts, back in the npm v5 days, the package versions in the “requires” section would simply be a bare version number such as “7.4.4”. In npm v6, this was changed so that the versions in the “requires” section would match the containing packages’ package.json. So if the package.json required “^7.4.4”, then, in the “requires” section, the package would specify “^7.4.4” (note the caret).

However, it appears that npm 6 will sometimes output the npm 5 style? For example, I have a coworker… We’re using the same version of npm (v6.9.0). Our configs are the same (comparing the output of npm config ls -l). We’re both on Mac’s. The only difference is that I’m using node v10.15.3 installed via asdf, and he’s using v11.12.0 installed via nvm. When he runs npm install, he gets bare version numbers in the “requires” section ala npm 5 style (ie, “7.4.4”) and I get the npm 6 style (ie, “^7.4.4”). Would the node version affect the way npm runs?

Another fun thing that likes to change from one dev to the next is that "optional": true will get added or dropped from dependencies’ dependencies.

These two problems combined essentially guarantee that package-lock.json changes significantly every time someone on our team does an npm install and it’s causing a lot of annoying merge conflicts. What’s going on here?

Two general tips to make it more likely two different machines see the same results by removing stale state, paranoia:

There are other reports about issues with package-lock.json churn under some circumstances but not simple answers, so FYI: