package-lock.json registry references keep changing


(Raman Gupta) #1

I have a problem with the registry references in package-lock.json spuriously changing for no apparent reason.

I define a custom registry in my .npmrc file that proxies to the primary npm registry for most packages, and hosts our internal organization packages at another URL:

registry=https://myregistry.myorg.com/repository/npmorg-proxy/
@myorg:registry=https://myregistry.myorg.com/repository/npm-hosted/
... registry auth stuff here...

I find that package-lock.json inconsistently includes either the “correct” registry https://myregistry.myorg.com/repository/npmorg-proxy/ or the default npmjs.org registry:

grep -R "https://myregistry.myorg.com/repository/npmorg-proxy" package-lock.json | wc -l
1095

grep -R "https://registry.npmjs.org" package-lock.json  | wc -l
392

You might be tempted to posit that the registry.npmjs.org references are from before the .npmrc was configured, but no, you’d be wrong: npm i regularly switches references from myregistry.myorg.com TO registry.npmjs.org for apparently no reason at all.

Currently I am using npm 6.4.1.

UPDATE: After receiving no responses here, I migrated to yarn, which has a sane lockfile (understandable and merge-friendly by being ordered consistently), which never changes unless there are real changes.
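
The two grep counts in the post say how many lines mention each registry, but not which packages are affected or whether an internal @myorg package is among them. The following is an added example, not part of the original post: it walks the `resolved` field of every entry in a lockfileVersion 1 lockfile (the format npm 6 writes) and lists each package whose tarball URL falls outside the registry the .npmrc mapping assigns to it. The registry URLs are the ones from the post; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit "resolved" URLs in a package-lock.json against the .npmrc registries.
// Registry URLs are the ones from the post; the sample lockfile below is constructed.
const DEFAULT_REGISTRY = 'https://myregistry.myorg.com/repository/npmorg-proxy/';
const SCOPED_REGISTRIES = { '@myorg': 'https://myregistry.myorg.com/repository/npm-hosted/' };

// Registry a package is expected to resolve from, per the .npmrc scope mapping.
function expectedRegistry(name) {
  const scope = name.startsWith('@') ? name.split('/')[0] : null;
  return (scope && SCOPED_REGISTRIES[scope]) || DEFAULT_REGISTRY;
}

// Walk the nested "dependencies" tree (lockfileVersion 1, as written by npm 6)
// and collect every entry whose tarball URL is outside its expected registry.
function findRegistryDrift(lock) {
  const drift = [];
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(name);
      // Entries with no "resolved" field or a non-HTTP source are skipped.
      if (typeof entry.resolved === 'string' && /^https?:/.test(entry.resolved)) {
        const expected = expectedRegistry(name);
        if (!entry.resolved.startsWith(expected)) {
          drift.push({ path: here.join(' > '), resolved: entry.resolved, expected });
        }
      }
      walk(entry.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return drift;
}

// Constructed sample lockfile, not taken from the post.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'left-pad': { version: '1.3.0', resolved: DEFAULT_REGISTRY + 'left-pad/-/left-pad-1.3.0.tgz' },
    'chalk': {
      version: '2.4.1',
      resolved: 'https://registry.npmjs.org/chalk/-/chalk-2.4.1.tgz',
      dependencies: {
        'supports-color': { version: '5.5.0', resolved: 'https://registry.npmjs.org/supports-color/-/supports-color-5.5.0.tgz' }
      }
    },
    '@myorg/ui': { version: '0.1.0', resolved: SCOPED_REGISTRIES['@myorg'] + '@myorg/ui/-/ui-0.1.0.tgz' },
    '@myorg/auth': { version: '0.2.0', resolved: DEFAULT_REGISTRY + '@myorg/auth/-/auth-0.2.0.tgz' },
    'bundled-thing': { version: '1.0.0', bundled: true }
  }
};
for (const d of findRegistryDrift(sampleLock)) console.log(`${d.path}\n  resolved: ${d.resolved}\n  expected: ${d.expected}`);
```

To check a real project, pass the parsed contents of package-lock.json to `findRegistryDrift` and fail the CI job when the returned list is non-empty.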

