I have a problem with the registry references in package-lock.json spuriously changing for no apparent reason.
I define a custom registry in my .npmrc file, that proxies to the primary npm registry for most packages, and hosts our internal organization packages at another URL:
    registry=https://myregistry.myorg.com/repository/npmorg-proxy/
    @myorg:registry=https://myregistry.myorg.com/repository/npm-hosted/
    ... registry auth stuff here...
I find that package-lock.json inconsistently includes either the “correct” registry https://myregistry.myorg.com/repository/npmorg-proxy/ vs the default npmjs.org registry:
    grep -R "https://myregistry.myorg.com/repository/npmorg-proxy" package-lock.json | wc -l
    1095
    grep -R "https://registry.npmjs.org" package-lock.json | wc -l
    392
You might be tempted to posit that the registry.npmjs.org references are from before the .npmrc was configured, but no, you’d be wrong: npm i regularly switches references from registry.npmjs.org for apparently no reason at all.
Currently I am using npm 6.4.1.
UPDATE: After receiving no responses here, I migrated to yarn, which has a sane lockfile (understandable and merge-friendly by being ordered consistently), which never changes unless there are real changes.
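
The mixed-registry lockfile described in this post can be caught before merge with a check like the one below, which lists every `resolved` URL that falls outside the registries set in .npmrc. It is an added example, not part of the original post; it covers the lockfileVersion 1 layout written by npm 6, and the function names and sample lockfile entries are constructed for illustration.

```javascript
// Added example (not from the original post): flag lockfile entries whose
// `resolved` URL is outside the registries configured in .npmrc.
const ALLOWED = [
  'https://myregistry.myorg.com/repository/npmorg-proxy/',
  'https://myregistry.myorg.com/repository/npm-hosted/',
];

// Walk the nested `dependencies` tree of a lockfileVersion 1 file (npm 6).
// Entries without a `resolved` field are skipped.
function collectResolved(deps, path = '', out = []) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const here = path ? `${path} > ${name}` : name;
    if (typeof entry.resolved === 'string') out.push({ name: here, resolved: entry.resolved });
    collectResolved(entry.dependencies, here, out);
  }
  return out;
}

// Count entries per registry origin and list those outside the allowed prefixes.
function auditLock(lock, allowed = ALLOWED) {
  const counts = {};
  const violations = [];
  for (const { name, resolved } of collectResolved(lock.dependencies)) {
    let href = null;
    let origin = 'unparseable';
    try {
      const url = new URL(resolved); // normalizes dot segments before the prefix check
      href = url.href;
      origin = url.origin;
    } catch (err) { /* unparseable URL: reported as a violation below */ }
    counts[origin] = (counts[origin] || 0) + 1;
    if (href === null || !allowed.some((p) => href.startsWith(p))) violations.push({ name, resolved });
  }
  return { counts, violations };
}

// Constructed sample lockfile: two entries via the org registry, one nested entry via npmjs.org.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'left-pad': { version: '1.3.0', resolved: 'https://myregistry.myorg.com/repository/npmorg-proxy/left-pad/-/left-pad-1.3.0.tgz' },
    '@myorg/ui': { version: '2.0.0', resolved: 'https://myregistry.myorg.com/repository/npm-hosted/@myorg/ui/-/ui-2.0.0.tgz',
      dependencies: { ms: { version: '2.1.1', resolved: 'https://registry.npmjs.org/ms/-/ms-2.1.1.tgz' } } },
  },
};

console.log(JSON.stringify(auditLock(sampleLock), null, 2));
```

In CI, pass the parsed package-lock.json to `auditLock` and fail the build when `violations` is non-empty, so a drifted entry is reviewed instead of silently bypassing the proxy.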