npm Community Forum (Archive)


npm install installs dependency from package-lock.json if package.json switches to github dependency

What I Wanted to Do

I wanted to switch a previously installed npm dependency to a version hosted on github.

What Happened Instead

Since that dependency existed already in the package-lock.json, npm decided to install that version instead.

Reproduction Steps

  1. Install a dependency from npm
  2. Make sure the package-lock.json was updated
  3. Check out that dependency with git, make a change, and push that dependency to github.
  4. Go in your package.json and change the dependency’s version to github:myname/reponame#mybranch
  5. Run npm install (even try deleting node_modules first for good measure)
  6. Observe that the installed version is the same one from npm as before

Not really acceptable but kind of ok workaround

  1. Delete the package-lock.json and node_modules
  2. Run npm install
  3. Your dependency should be the version from github

Platform Info

$ npm --versions
{ spectacle: '5.0.0',
  npm: '6.0.0',
  ares: '1.10.1-DEV',
  cldr: '31.0.1',
  http_parser: '2.7.0',
  icu: '59.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.9.0',
  openssl: '1.0.2l',
  tz: '2017b',
  unicode: '9.0',
  uv: '1.15.0',
  v8: '6.1.534.46',
  zlib: '1.2.11' }
$ node -p process.platform

Triage notes: I guess pkglock verification is getting skipped for toplevel deps if the name at least exists?