package-lock.json ignored for github semver deps

What I Wanted to Do

I installed a package from GitHub using semver:^4.6.0, which resulted in the following package-lock.json entry:

        "atlas": {
             "version": "github:org/repo#a6de6c8cb1ca2dee2726fd1cd9e859ac068d3032",

Upon running npm i, I want to get 4.6.0, which is the commit sha above.

What Happened Instead

I’m ending up with commit 71204dbebdf4bdb428dddc426cfa238c9489e222, which is version 4.6.1, even though I did not run npm update and did not update the lockfile.

Reproduction Steps

Install a private GitHub dependency using semver, update it to a version within range, and see that the lockfile isn't respected.

Platform Info

Using the node:dubnium docker image.

$ npm --versions
{ 'boro-hall': '5.11.0',
  npm: '6.4.1',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.0',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }
$ node -p process.platform
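
One way to catch the drift described in this report before it reaches a build is to compare the commit pinned in package-lock.json with the commit that actually landed in node_modules. The script below is an added example, not code from the report or from npm. It assumes, as npm 6 does, that the installed package's package.json carries a `_resolved` field ending in `#<sha>` (the same shape as the lockfile's `version` for GitHub deps); the sample lockfile and installed metadata embedded for the self-test are constructed from the two commits quoted in the report.

```python
"""Detect package-lock.json drift for GitHub-sourced npm dependencies.

Added example (not part of the original report or of npm). For every lockfile
entry whose "version" is a git-style spec ending in "#<sha>", compare that sha
with the one npm recorded in node_modules/<name>/package.json. The `_resolved`
field is an assumption about the metadata npm 6 writes on install.
"""
import json
import re
import sys
from pathlib import Path

# A git-style spec ("github:org/repo#<sha>", "git+https://...#<sha>") ends in
# the resolved commit; plain semver versions ("4.6.0") never match.
COMMIT_SUFFIX = re.compile(r"#([0-9a-f]{7,40})$")


def commit_of(spec):
    """Return the commit sha at the end of a git-style spec, else None."""
    m = COMMIT_SUFFIX.search(spec or "")
    return m.group(1) if m else None


def pinned_commits(lock, prefix=""):
    """Walk the npm 6 lockfile tree and return {path: sha} for git-pinned deps.

    Nested dependencies are keyed as "parent/node_modules/child" so the key
    doubles as the path under node_modules/.
    """
    pinned = {}
    for name, entry in lock.get("dependencies", {}).items():
        path = f"{prefix}{name}"
        sha = commit_of(entry.get("version"))
        if sha:
            pinned[path] = sha
        pinned.update(pinned_commits(entry, prefix=f"{path}/node_modules/"))
    return pinned


def find_drift(lock, installed):
    """Compare pinned commits with installed ones.

    `installed` maps a dependency path (as produced by pinned_commits) to that
    package's installed package.json as a dict. Returns a list of
    (path, pinned_sha, installed_sha) tuples; installed_sha is None when the
    package is missing or carries no recognisable `_resolved` spec.
    """
    drift = []
    for path, pinned in sorted(pinned_commits(lock).items()):
        actual = commit_of(installed.get(path, {}).get("_resolved"))
        if actual != pinned:
            drift.append((path, pinned, actual))
    return drift


def load_tree(root):
    """Read package-lock.json and the installed package.json of each pinned dep."""
    root = Path(root)
    lock = json.loads((root / "package-lock.json").read_text())
    installed = {}
    for path in pinned_commits(lock):
        pkg = root / "node_modules" / path / "package.json"
        if pkg.is_file():
            installed[path] = json.loads(pkg.read_text())
    return lock, installed


# Constructed sample built from the two commits quoted in the report.
SAMPLE_LOCK = {
    "dependencies": {
        "atlas": {
            "version": "github:org/repo#a6de6c8cb1ca2dee2726fd1cd9e859ac068d3032",
            "from": "github:org/repo#semver:^4.6.0",
        }
    }
}
SAMPLE_INSTALLED = {
    "atlas": {
        "name": "atlas",
        "version": "4.6.1",
        "_resolved": "github:org/repo#71204dbebdf4bdb428dddc426cfa238c9489e222",
    }
}

if __name__ == "__main__":
    # With a project directory as argument, check the real tree; otherwise
    # run against the constructed sample, which reproduces the report.
    if len(sys.argv) > 1:
        lock, installed = load_tree(sys.argv[1])
    else:
        lock, installed = SAMPLE_LOCK, SAMPLE_INSTALLED
    problems = find_drift(lock, installed)
    for path, pinned, actual in problems:
        print(f"{path}: lockfile pins {pinned}, installed {actual or 'missing'}")
    sys.exit(1 if problems else 0)
```

Run it as `python check_lock_drift.py /path/to/project` after `npm i` (in CI, before the build step) and fail the job on a non-zero exit. Because git-sourced lockfile entries carry no `integrity` hash, the commit sha is the only pin available to check, which is also why drift like the one above is invisible to `npm ci`'s integrity verification.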

Thanks for the report! This is a known bug but I can’t find the other post for it right now. We should definitely fix this soon.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.