npm Community Forum (Archive)


package-lock.json ignored for github semver deps

What I Wanted to Do

I installed a package from GitHub using semver:^4.6.0, which resulted in the following package-lock.json entry:

        "atlas": {
             "version": "github:org/repo#a6de6c8cb1ca2dee2726fd1cd9e859ac068d3032",

Upon running npm i, I want to get 4.6.0, which is the commit sha above.

What Happened Instead

I’m ending up with commit 71204dbebdf4bdb428dddc426cfa238c9489e222, which is version 4.6.1, even though I did not run npm update or update the lockfile.

Reproduction Steps

Install a private GitHub dependency using semver, update to within range, and see that the lockfile isn't respected.

Platform Info

Using the node:dubnium docker image.

$ npm --versions
{ 'boro-hall': '5.11.0',
  npm: '6.4.1',
  ares: '1.15.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.15.0',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.45',
  zlib: '1.2.11' }
$ node -p process.platform
linux


Thanks for the report! This is a known bug but I can’t find the other post for it right now. We should definitely fix this soon.