npm install installs incorrect version of git dependencies and doesn't install new sub-dependencies

What I Wanted to Do

Install all dependencies for a project with missing node_modules. Dependencies include a module installed from git, and I want to install the same version that’s specified in package-lock.json.

What Happened Instead

npm installed the newest version of the module, without changing package-lock. So package-lock said "version": "git+ssh://git@example.com/module.git#6467a80c7ea2ce0380860b6444a64c05b5c362fb", but the module in node_modules is the newest version in the git repo. Additionally, npm did not install any new dependencies introduced by the updated module, leading to a broken build.

Just to clarify: after npm install, node_modules\somedep\package.json can list some-package as a dependency, but some-package is not installed at all.

Reproduction Steps

  • Create a git repo which is a valid module
  • Install the module into your local project
  • Add a new dependency to your repo, then commit & push
  • Delete node_modules from your local project
  • Run npm install

Now npm has loaded the newest version of your dependency (check node_modules), but didn’t install the dependency introduced by the new version.

I’d imagine npm is supposed to respect package-lock.json and install the correct version, but even if it always installs the newest version, it should obviously install all subdependencies.

Platform Info

$ npm --versions
{ npm_test: '0.0.0',
  npm: '6.11.3',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.1',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.12',
  zlib: '1.2.11' }
$ node -p process.platform
win32