npm install rewrites author field of installed packages; npm ci installs as-is

What I Wanted to Do

React Native packages generate a CocoaPods Podspec that is derived from the installed package's package.json file, including its author field. That Podspec is checksummed, and the resulting checksums end up in the Podfile.lock file.

Ideally, no matter how we install our packages we end up with the same checksums in the Podfile.lock file.

What Happened Instead

npm install rewrites the author field of the installed package.json, resulting in a different checksum than if npm ci is used.

Reproduction Steps

I’ve shared a package and lockfile here: https://gist.github.com/novemberborn/5eb09416d340f64501944209fcf1dfd5

Set up a directory with those files.

Run npm install.

With jq installed, run:

$ cat ./node_modules/react-native-camera/package.json | jq -r .author

This prints:

{
  "name": "Lochlan Wansbrough",
  "email": "lochie@live.com",
  "url": "http://lwansbrough.com"
}

Now run npm ci, then run the same command again:

$ cat ./node_modules/react-native-camera/package.json | jq -r .author

This now prints:

Lochlan Wansbrough <lochie@live.com> (http://lwansbrough.com)

This value matches what’s actually committed in the react-native-camera repository: https://github.com/react-native-community/react-native-camera/blob/0158ebfd39e053cdaf2385e7088074b375fa268d/package.json#L5

Platform Info

$ npm --versions
{
  'tmp.bo1RtuYbY8': '1.0.0',
  npm: '6.12.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  llhttp: '1.1.4',
  modules: '72',
  napi: '5',
  nghttp2: '1.39.2',
  node: '12.12.0',
  openssl: '1.1.1d',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.32.0',
  v8: '7.7.299.13-node.12',
  zlib: '1.2.11'
}
$ node -p process.platform
darwin