npm Community Forum (Archive)

Transitive dependency update generating invalid package-lock.json

What I Wanted to Do

Generate a valid package-lock.json after updating package.json and running npm i --package-lock-only

What Happened Instead

npm generated an invalid package-lock.json, dropping a transitive dependency.

Reproduction Steps

The following generates an invalid package-lock.json:

git clone
npm i --package-lock-only


diff --git a/package-lock.json b/package-lock.json
index a22925a..2735c14 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -6,73 +6,185 @@
   "dependencies": {
	 "bar": {
	   "version": "file:bar-1.0.0.tgz",
-      "integrity": "sha512-i0C/TLZdUgjs7IUGebzGMtmHD2OI63mrGNCT2Ck5fIerzvQrdmsIf0uCS2oMEn9+Vc7rpRADomeLwyx7YzcNrQ==",
-      "requires": {
-        "ioredis": "^2.5.0"
-      }
+      "integrity": "sha512-i0C/TLZdUgjs7IUGebzGMtmHD2OI63mrGNCT2Ck5fIerzvQrdmsIf0uCS2oMEn9+Vc7rpRADomeLwyx7YzcNrQ=="
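Review bot: at the "bar" entry, the "requires" block listing "ioredis": "^2.5.0" is removed while "version" (file:bar-1.0.0.tgz) and the "integrity" value are unchanged, so the same tarball is now recorded as having no dependencies. This lock file should not be committed in this state; regenerate it so that "requires" keeps the ioredis range and a resolved ioredis entry is present. The hunk header covers 185 lines on the new side but only the "bar" entry is shown, so the rest of the change cannot be reviewed from this excerpt.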

The following generates a valid package-lock.json:

git clone
rm -f package-lock.json
npm i --package-lock-only


diff --git a/package-lock.json b/package-lock.json
index a22925a..0baec8c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,6 +9,23 @@
	   "integrity": "sha512-i0C/TLZdUgjs7IUGebzGMtmHD2OI63mrGNCT2Ck5fIerzvQrdmsIf0uCS2oMEn9+Vc7rpRADomeLwyx7YzcNrQ==",
	   "requires": {
		 "ioredis": "^2.5.0"
+      },
+      "dependencies": {
+        "ioredis": {
+          "version": "2.5.0",
+          "resolved": "",
+          "integrity": "sha1-+2/fChp+CXRhTGe25eETCKjPlbk=",
+          "requires": {
+            "bluebird": "^3.3.4",
+            "cluster-key-slot": "^1.0.6",
+            "debug": "^2.2.0",
+            "double-ended-queue": "^2.1.0-0",
+            "flexbuffer": "0.0.6",
+            "lodash": "^4.8.2",
+            "redis-commands": "^1.2.0",
+            "redis-parser": "^1.3.0"
+          }
+        }
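Review bot: the added "ioredis" entry has "resolved": "", so the lock as shown records no source location for the 2.5.0 tarball, and its "integrity" is a sha1 value while "bar" above carries sha512. Before committing, confirm that "resolved" in the generated file holds the expected registry URL for ioredis 2.5.0. The excerpt also ends before the braces that close the new "dependencies" object under "bar", so check that the full hunk leaves the JSON balanced.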

i.e. the existing package-lock.json needs to be removed to get a valid lock file generated.

Interestingly, when I tried to reproduce this with transitive published dependencies all hosted on npmjs (instead of an archive) then both cases worked (I think this is what @iarna fixed in 6.1.0, which also seemed to half-fix this remaining edge case too, because previously both of the above cases failed).



{ 'renovate-config-group': '0.13.0',
  npm: '6.1.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.11.1',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.50',
  zlib: '1.2.11' }
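
A check for the symptom in the first diff, as an added example that is not part of the original post or npm's own code: it compares a committed lock file with a regenerated one and reports entries whose integrity is unchanged but whose "requires" lost a name. The function names and sample objects are constructed for illustration and assume the nested "dependencies"/"requires" layout shown in the diffs.

```javascript
// Added example: flag lock entries whose tarball is unchanged but whose "requires" shrank.
// Flatten the nested "dependencies" tree into a map keyed by "parent > child" path.
function indexLock(node, prefix = '', out = new Map()) {
  for (const [name, entry] of Object.entries(node.dependencies || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.set(path, entry);
    indexLock(entry, path, out); // descend into this entry's own nested dependencies
  }
  return out;
}

function findDroppedRequires(oldLock, newLock) {
  const before = indexLock(oldLock);
  const after = indexLock(newLock);
  const findings = [];
  for (const [path, oldEntry] of before) {
    const newEntry = after.get(path);
    // Only compare entries that still point at identical content.
    if (!newEntry || !oldEntry.integrity) continue;
    if (oldEntry.integrity !== newEntry.integrity) continue;
    const newRequires = newEntry.requires || {};
    for (const [dep, range] of Object.entries(oldEntry.requires || {})) {
      if (!Object.prototype.hasOwnProperty.call(newRequires, dep)) {
        findings.push({ path, dep, range });
      }
    }
  }
  return findings;
}

// Constructed sample modelled on the first diff; the integrity value is a placeholder.
const SAMPLE_INTEGRITY = 'sha512-PLACEHOLDER';
const committedLock = {
  dependencies: {
    bar: {
      version: 'file:bar-1.0.0.tgz',
      integrity: SAMPLE_INTEGRITY,
      requires: { ioredis: '^2.5.0' },
    },
  },
};
const regeneratedLock = {
  dependencies: {
    bar: { version: 'file:bar-1.0.0.tgz', integrity: SAMPLE_INTEGRITY },
  },
};

for (const f of findDroppedRequires(committedLock, regeneratedLock)) {
  console.log(`${f.path}: lost requires ${f.dep}@${f.range} with unchanged integrity`);
}
```

In CI, the two arguments would be the parsed package-lock.json from the base commit and the one produced by the update; any finding means the regenerated file should be rejected.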

The bug template isn’t really optional. Please try and keep it in place in the future.

@zkat edited/fixed in place. Sorry, I don’t even remember seeing it/deleting it in the first place.

Thank you! Hopefully it was a hiccup. We’re still getting used to this so there’s probably stuff we haven’t really understood about how it works yet. Thanks for the edit!

@iarna do you expect you can address this failure case in the next release?

@rarkins not likely, as the next release may be this week and I’m on vacation.

@iarna do you have any visibility on when you might have time to look at this one?