npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm install changes package-lock.json resolve from http to https

What I Wanted to Do

npm install and have package-lock.json not change

What Happened Instead

npm install changed package-lock.json

Jesses-MacBook-Pro:node jesse$ git diff
diff --git a/package-lock.json b/package-lock.json
index e61c146..16776da 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1453,7 +1453,7 @@
     "@sinonjs/formatio": {
       "version": "2.0.0",
-      "resolved": "",
+      "resolved": "",
       "integrity": "sha512-ls6CAMA6/5gG+O/IdsBcblvnd8qcO/l1TYoNeAzp3wcISOxlPXQEus0mLcdwazEkWjaBdaJ3TaxmNgCLWwvWzg==",
       "requires": {
         "samsam": "1.3.0"
@@ -1906,7 +1906,7 @@
       "dependencies": {
         "readable-stream": {
           "version": "2.3.6",
-          "resolved": "",
+          "resolved": "",
           "integrity": "sha512-tQtKA9WIAhBF3+VLAseyMqZeBjW0AHJoxOtYqSUZNJxauErmLbVm2FW1y+J/YA9dUrAC39ITejlZWhVIwawkKw==",
           "requires": {
             "core-util-is": "~1.0.0",

Reproduction Steps

I don’t know how to reproduce it. It happens randomly. But the fix seems to be to git checkout package-lock.json && rm -Rf node_modules && npm install.


running npm 6.9.0

Platform Info

Mac mojave

$ npm --versions
{ 'censored': '1.0.0',
  npm: '6.9.0',
  ares: '1.10.1-DEV',
  cldr: '34.0',
  http_parser: '2.8.0',
  icu: '63.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.33.0',
  node: '8.15.1',
  openssl: '1.0.2r',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.2.414.75',
  zlib: '1.2.11' }
$ node -p process.platform

The lock file changing from http to https should be a one-time* good thing. See also Some packages have dist.tarball as http and not https.

* it may take a few runs actually, depending on the cache state. You can try --prefer-online, but that may not work like I think it does.

I’m also seeing this issue.
I’ve followed the steps in this post: Some packages have dist.tarball as http and not https

rm -rf ./node_modules
git checkout package-lock.json
npm cache clean --force
npm install --prefer-online

It seemed to take repeating that multiple times until there wasn’t instances of https being downgraded to http. Not sure if it’s a fluke or actually going to be consistent now.

According to this post: stream publishing really old events it may be a server side issue and a fix was in progress in January. This is a couple months later so do we know if the process is still ongoing?

The second issue for me was the optional property which looks like it was fixed in 6.9.0 by this commit

This requires everyone on the team to upgrade to npm >= 6.9.0

npm install -g npm

Do you have private npm packages in your project or are you logged in on the npm cli for other reasons? I also had this problem occasionally and it helped to log out before cleaning the cache and removing node_modules. I even did an npm install while logged out (which of course failed for the private packages) to make sure it didn’t use any caches.