What I Wanted to Do
Replicate dependencies across devices
What Happened Instead
dep-lock automatically broken.
npm install does not respect the checked in dependency manifest and
liberally modifies the lock-file that should be considered immutable.
```
$ git reset --hard && git status
nothing to commit, working tree clean
$ npm install && git status
Changes not staged for commit:
  (use "git add <file>..." to update what will be committed)
  (use "git checkout -- <file>..." to discard changes in working directory)

	modified:   package-lock.json
```
It’s quite absurd that I have to educate you guys on what the purpose of a lock-file is, but here it goes:
A dependency lock is an immutable manifest containing the total sum of all dependencies and their versions.
The point of having such a file is that it ensures that the exact dependencies that are verified and checked in - get replicated in their exact form to the next device at any cost, be it a production environment or another developer’s computer.
Failure to honour the lock means failure to reproduce an asserted environment - ultimately failing to be fit for production.
Changes to a lock should only ever be done as a response to manual action such as installing a previously unknown dependency or manually upgrading a dependency.
Automatic changes are strictly forbidden.
If I have misinterpreted the purpose of the package-lock.json file then please rename it to something more fitting, such as package-cache.json, to avoid further confusion.
Here’s a duplicate of this issue that was carelessly closed and locked:
```
$ npm --versions
{ npm: '6.4.1',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.14.2',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.45',
  zlib: '1.2.11' }
$ node -p process.platform
linux
```
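The reproduction above is essentially a drift check: snapshot the lock file, run the install step, and fail if the lock changed. The script below is an added example (not part of the issue, and not npm project code) that turns that check into a reusable CI guard. It assumes the lock file is `package-lock.json` in the project directory, uses only POSIX tools (`cksum`, `mktemp`), and the demo uses a constructed stand-in for an install command so it runs offline; in a real pipeline you would call `check_lockfile_immutable . npm install` (or, better, `npm ci`, which is the install mode that never rewrites the lock and refuses to run when the lock and manifest disagree).

```shell
#!/bin/sh
# Added example, not from the issue: detect lock-file drift caused by an
# install step. Assumption: the lock file is package-lock.json in DIR.

# Print a content checksum of the lock file (POSIX cksum: "sum size").
lockfile_checksum() {
    cksum "$1/package-lock.json" | awk '{print $1 " " $2}'
}

# Run a command inside a project directory and return 1 if it rewrote the
# lock file, 2 if the lock is missing or the command itself failed.
# Usage: check_lockfile_immutable DIR CMD [ARGS...]
check_lockfile_immutable() {
    dir=$1
    shift
    before=$(lockfile_checksum "$dir") || return 2
    if ! (cd "$dir" && "$@") > /dev/null 2>&1; then
        echo "command failed: $*" >&2
        return 2
    fi
    after=$(lockfile_checksum "$dir") || return 2
    if [ "$before" != "$after" ]; then
        echo "package-lock.json was modified by: $*" >&2
        return 1
    fi
    return 0
}

# Demo with a constructed project directory and a constructed lock file
# (no network, no real npm): a command that leaves the lock alone passes,
# a command that rewrites it is caught.
demo() {
    tmp=$(mktemp -d)
    printf '{"lockfileVersion": 1}\n' > "$tmp/package-lock.json"
    check_lockfile_immutable "$tmp" true && ok=0 || ok=$?
    check_lockfile_immutable "$tmp" sh -c 'echo "{}" > package-lock.json' \
        && drift=0 || drift=$?
    rm -rf "$tmp"
    echo "untouched:$ok drift:$drift"
}

demo
```

Wire `check_lockfile_immutable . npm install` into CI as a hard failure and the class of bug reported here surfaces on the first build instead of in production; pairing it with `git diff --exit-code package-lock.json` after the install gives the same signal using git itself.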