package-lock.json is not complete on first run for some modules.

cli
priority:medium
triaged

(Ægir Örn Símonarson) #1

What I Wanted to Do

Run npm install and not see any changes to the package-lock.json file when it has recently been committed to git and no new dependencies have been introduced.

What Happened Instead

The package-lock.json file should not have changed on the second run of npm install. The first time I installed nodemon, the lock file should have been fully generated with all the required fields set.

But instead it generated this diff

diff --git a/package-lock.json b/package-lock.json
index c22a22c..f71c6f9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -288,11 +288,13 @@
         },
         "balanced-match": {
           "version": "1.0.0",
-          "bundled": true
+          "bundled": true,
+          "optional": true
         },
         "brace-expansion": {
           "version": "1.1.11",
           "bundled": true,
+          "optional": true,
           "requires": {
             "balanced-match": "^1.0.0",
             "concat-map": "0.0.1"
@@ -305,15 +307,18 @@
         },
         "code-point-at": {
           "version": "1.1.0",
-          "bundled": true
+          "bundled": true,
+          "optional": true
         },
         "concat-map": {
           "version": "0.0.1",
-          "bundled": true
+          "bundled": true,
+          "optional": true
         },
         "console-control-strings": {
           "version": "1.1.0",
-          "bundled": true
+          "bundled": true,
+          "optional": true
         },
         "core-util-is": {
           "version": "1.0.2",
@@ -416,7 +421,8 @@
         },
         "inherits": {
           "version": "2.0.3",
-          "bundled": true
+          "bundled": true,
+          "optional": true
         },
         "ini": {
           "version": "1.3.5",
@@ -426,6 +432,7 @@
         "is-fullwidth-code-point": {
           "version": "1.0.0",
           "bundled": true,
+          "optional": true,
           "requires": {
             "number-is-nan": "^1.0.0"
           }
@@ -438,17 +445,20 @@
         "minimatch": {
           "version": "3.0.4",
           "bundled": true,
+          "optional": true,
           "requires": {
             "brace-expansion": "^1.1.7"
           }
         },
         "minimist": {
           "version": "0.0.8",
-          "bundled": true
+          "bundled": true,
+          "optional": true
         },
         "minipass": {
           "version": "2.2.4",
           "bundled": true,
+          "optional": true,
           "requires": {
             "safe-buffer": "^5.1.1",
             "yallist": "^3.0.0"
@@ -465,6 +475,7 @@
         "mkdirp": {
           "version": "0.5.1",
           "bundled": true,
+          "optional": true,
           "requires": {
             "minimist": "0.0.8"
           }
@@ -537,7 +548,8 @@
         },
         "number-is-nan": {
           "version": "1.0.1",
-          "bundled": true
+          "bundled": true,
+          "optional": true
         },
         "object-assign": {
           "version": "4.1.1",
@@ -547,6 +559,7 @@
         "once": {
           "version": "1.4.0",
           "bundled": true,
+          "optional": true,
           "requires": {
             "wrappy": "1"
           }
@@ -652,6 +665,7 @@
         "string-width": {
           "version": "1.0.2",
           "bundled": true,
+          "optional": true,
           "requires": {
             "code-point-at": "^1.0.0",
             "is-fullwidth-code-point": "^1.0.0",

Reproduction Steps

Run this script

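#!/usr/bin/env bash
# Reproduces package-lock.json drift: the lockfile written by the first
# `npm install` is rewritten by a second `npm install` of the same tree,
# even though no dependency was added or changed in between.
#
# Stop at the first failing step so a broken setup (for example a mistyped
# npm subcommand) is not mistaken for a successful reproduction.
set -euo pipefail

mkdir test-dir
cd test-dir
npm init --yes
# Creates the package.json dependency entry and the initial package-lock.json.
# (The original script spelled the subcommand `intall`.)
npm install nodemon@1.11.0 --save
git init .
# Commit the freshly generated manifest and lockfile as the baseline.
git add package.json package-lock.json
git commit -m 'Initial commit'
# Reinstall from scratch using only the committed manifest and lockfile.
rm -Rf node_modules
npm install
# Expected: clean working tree. Reported: package-lock.json shows as modified.
# A lockfile that changes without a dependency change makes it harder to
# review real dependency changes in version control.
git status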

Details

Platform Info

$ npm --versions
6.4.1
$ node --version
8.11.4
$ node -p process.platform
linux

(Brian Olore) #2

Possibly related to package-lock.json changes from one `npm install` to the next