Successive npm installs resulting in slight differences in lockfile (npm@5)

cli
priority:medium
triaged

(Rich Trott) #1

Copying (and editing) from https://github.com/npm/npm/issues/16728. I’m not the original reporter, but this bug affects a project I care about so I’m moving the bug report to the current issue tracker.

What I Wanted to Do

I started with a package_lock.json which was copied from an old npm_shrinkwrap.json - it was updated when I ran npm install with a clean node_modules directory.

Then I git committed and pushed the changed lockfile.

Then I ran npm install again, expecting no changes.

What Happened Instead

…and there were a few slight changes to the lockfile.

Reproduction Steps

package.json dependencies: https://gist.github.com/thomblake/29fa300ba7a701696f4eefdb2d4ab8ae
package_lock.json after first install: https://gist.github.com/thomblake/7d5dc1f9d5f32ce22f2a9a3b6a5f2adf
package_lock.json after second install: https://gist.github.com/thomblake/fa0c351f01ec17ec3cde5e22ef6388dd
diff between lockfiles: https://gist.github.com/thomblake/65ac6f2c30e7289b520149519f1c2b49

Details

Platform Info

  • npm -v prints: 5.0.0
  • node -v prints: v6.9.5
  • npm config get registry prints: https://registry.npmjs.org/
  • Windows, OS X/macOS, or Linux?: OS X
  • Network issues:
    • Geographic location where npm was run: San Leandro, CA

(Rich Trott) #2

Subsequent conversation in the original issue suggests that this may have been fixed, but there was some uncertainty. I don’t see the issue with npm@5.10.0, so maybe it was fixed in that release line. I still get shrinkwrap file changes using npm@6.4.0 though. Bug or simple breaking change between versions of npm?


(Kat Marchán) #3

5.0.0 had a lot of these issues. Can you post the repro with 6.4.0? I assume it’s different things changing. We’re working on hunting down the last few cases of this. I think some npm@6 changes related to stabilizing the lockfile ended up causing a regression with some types of specs.

I’d also be interested if you can reproduce this by doing $ rm -rf node_modules package-lock.json (yes, both!) and doing a fresh install.


(Rich Trott) #4

Repro with npm 6.4.0 would be the package.json and npm-shrinkwrap.json file at https://github.com/moodle/moodle/tree/8df868e9e0dc684c9746c91b2fa7ff21417264d4.

No changes to npm-shrinkwrap.json with npm@5.10.0, but changes with npm@6.4.0.

Removing node_modules and npm-shrinkwrap.json did not change the results.


(Rich Trott) #5

Wanted to upload the two relevant files to minimize friction for everyone else, but I’m being told new users can only upload one file per post. So here’s the shrinkwrap file:

npm-shrinkwrap.json (203.8 KB)


(Rich Trott) #6

And here’s the package.json:

package.json (681 Bytes)


(Kat Marchán) #7

Aha, yes. That diff is expected. When you cross the npm@5 -> npm@6 boundary, there’s a single big diff due to that change that we did precisely so we would get fewer diffs going forward. So just do one npm i with 6 and it should be good from there!


(Rich Trott) #8

Cool. So, previous bug in npm@5 has been fixed. And diff with npm@6 is not a bug. Thanks!


(Kat Marchán) #9

It was one of the breaking changes for npm@6, yeah. See the FORMAT CHANGES section here:


(system) #10

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.
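
Added example (not part of the thread and not npm's own code): when a lockfile changes between two installs, as in the reports above, a reviewer first needs to know whether any entry's version, resolved or integrity value moved, or whether only other fields were rewritten. The sketch below assumes the nested `dependencies` layout of lockfileVersion 1 (package-lock.json / npm-shrinkwrap.json); the split into "install-relevant" fields and "metadata" is this example's own assumption, and the sample lockfiles are constructed.

```javascript
// Fields that decide which package contents get installed (assumption of this
// example); a change in any other field is reported as metadata-only.
const INSTALL_FIELDS = ['version', 'resolved', 'integrity'];

// Flatten nested `dependencies` into a Map keyed by tree path, e.g. "a > b".
function flatten(deps, prefix, out) {
  for (const [name, entry] of Object.entries(deps || {})) {
    const key = prefix ? `${prefix} > ${name}` : name;
    out.set(key, entry);
    flatten(entry.dependencies, key, out);
  }
  return out;
}

function classifyLockfileDiff(before, after) {
  const a = flatten(before.dependencies, '', new Map());
  const b = flatten(after.dependencies, '', new Map());
  const report = { added: [], removed: [], installChanged: [], metadataOnly: [] };
  for (const key of b.keys()) if (!a.has(key)) report.added.push(key);
  for (const [key, oldEntry] of a) {
    if (!b.has(key)) { report.removed.push(key); continue; }
    const newEntry = b.get(key);
    const fields = new Set([...Object.keys(oldEntry), ...Object.keys(newEntry)]);
    fields.delete('dependencies'); // children are compared as their own entries
    const changed = [...fields].filter(
      (f) => JSON.stringify(oldEntry[f]) !== JSON.stringify(newEntry[f]));
    if (changed.some((f) => INSTALL_FIELDS.includes(f))) {
      report.installChanged.push({ key, fields: changed });
    } else if (changed.length > 0) {
      report.metadataOnly.push({ key, fields: changed });
    }
  }
  return report;
}

// Constructed sample data (not taken from the gists or the moodle repository).
const first = { lockfileVersion: 1, dependencies: {
  'example-a': { version: '1.0.0', resolved: 'https://registry.example/example-a-1.0.0.tgz',
    integrity: 'sha512-PLACEHOLDER-A', requires: { 'example-b': '2.0.0' },
    dependencies: { 'example-b': { version: '2.0.0', integrity: 'sha512-PLACEHOLDER-B' } } },
  'example-c': { version: '3.1.0', integrity: 'sha512-PLACEHOLDER-C', dev: true } } };
const second = JSON.parse(JSON.stringify(first));
second.dependencies['example-a'].requires['example-b'] = '^2.0.0';   // metadata-only change
second.dependencies['example-c'].integrity = 'sha512-PLACEHOLDER-X'; // install-relevant change
console.log(JSON.stringify(classifyLockfileDiff(first, second), null, 2));
```

In CI, an empty `installChanged`, `added` and `removed` after a re-install means the diff did not alter what gets installed; anything listed there deserves a line-by-line review before the lockfile is committed.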