npm Community Forum (Archive)

Successive npm installs resulting in slight differences in lockfile (npm@5)

Copying (and editing) from I’m not the original reporter, but this bug affects a project I care about so I’m moving the bug report to the current issue tracker.

What I Wanted to Do

I started with a package_lock.json which was copied from an old npm_shrinkwrap.json - it was updated when I ran npm install with a clean node_modules directory.

Then I git committed and pushed the changed lockfile.

Then I ran npm install again, expecting no changes.

What Happened Instead

…and there were a few slight changes to the lockfile.

Reproduction Steps

package.json dependencies:
package_lock.json after first install:
package_lock.json after second install:
diff between lockfiles:


Platform Info

$ npm --versions
<!-- paste output here -->
$ node -p process.platform
<!-- paste output here -->

Subsequent conversation in the original issue suggests that this may have been fixed, but there was some uncertainty. I don’t see the issue with npm@5.10.0, so maybe it was fixed in that release line. I still get shrinkwrap file changes using npm@6.4.0 though. Bug or simple breaking change between versions of npm?

5.0.0 had a lot of these issues. Can you post the repro with 6.4.0? I assume it’s different things changing. We’re working on hunting down the last few cases of this. I think some npm@6 changes related to stabilizing the lockfile ended up causing a regression with some types of specs.

I’d also be interested if you can reproduce this by doing $ rm -rf node_modules package-lock.json (yes, both!) and doing a fresh install.

Repro with npm 6.4.0 would be the package.json and npm-shrinkwrap.json file at

No changes to npm-shrinkwrap.json with npm@5.10.0, but changes with npm@6.4.0.

Removing node_modules and npm-shrinkwrap.json did not change the results.

Wanted to upload the two relevant files to minimize friction for everyone else, but I’m being told new users can only upload one file per post. So here’s the shrinkwrap file:

npm-shrinkwrap.json (203.8 KB)

And here’s the package.json:

package.json (681 Bytes)

Aha, yes. That diff is expected. When you cross the npm@5 -> npm@6 boundary, there’s a single big diff due to that change that we did precisely so we would get fewer diffs going forward. So just do one npm i with 6 and it should be good from there!

Cool. So, previous bug in npm@5 has been fixed. And diff with npm@6 is not a bug. Thanks!

It was one of the breaking changes for npm@6, yeah. See the FORMAT CHANGES section here: