Our company uses an Artifactory repository for storing internally-published packages and as a proxy for the NPM registry. Sometimes the
resolved field in lockfiles/shrinkwrap files is as expected, containing URLs for our internal repository, but occasionally they show up as something like this (line break added for clarity):
Then, from pull request to pull requests, these
dl parameters constantly oscillate to being present or removed depending on which developer does an
npm install , leading to a lot of pull request & commit noise.
I don’t know whether this is something the NPM CLI is doing directly or if it’s something happening somewhere in the interactions between the CLI, Artifactory, and the NPM registry. Does anyone know why this happens? Can we disable this behavior? And is it safe to strip this parameter as a
postshrinkwrap script workaround?
(this is cross-posted on Stack Overflow if you want Fake Internet Points: https://stackoverflow.com/questions/53127140/npm-lockfiles-shrinkwrap-get-random-dl-parameter-tacked-on-to-the-resolved-u)