Warn when package-lock.json is present, but package-lock=false in config
Just debugged a confusing problem with a user, where the package-lock.json file wasn’t being updated when installing a new version of a dep. Turns out they had a .npmrc file with
It’d be nice if npm warned when doing an install, if the package-lock.json file is present, and would be updated, but isn’t because of a config.
Maybe something like this:
    npm WARN package-lock.json file present, but `package-lock=false` in config file:
    npm WARN /path/to/some/project/.npmrc
    npm WARN Update config or delete package-lock.json to silence this warning.
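A check along the lines requested in the post above can be run as a CI or pre-install step. This is an added example, not part of the original thread and not npm's own code; the function names, the message text, and the choice of files consulted (the project `.npmrc` first, then the per-user npmrc) are assumptions.

```shell
#!/bin/sh
# Added example (not npm's code): detect a lockfile that config silently disables.

# Print the package-lock value set in one npmrc file, or nothing if unset.
# Comment lines (';' or '#') never match; the last assignment in the file wins.
npmrc_package_lock() {
    [ -f "$1" ] || return 0
    sed -n 's/^[[:space:]]*package-lock[[:space:]]*=[[:space:]]*\([^[:space:];#]*\).*$/\1/p' "$1" |
        tail -n 1 | tr -d "\"'"
}

# Usage: check_lock_config PROJECT_DIR [USER_NPMRC]
# Returns 1 (and warns on stderr) when package-lock.json exists but the first
# config file that sets package-lock sets it to false. Assumption: only the
# project .npmrc and the per-user npmrc are consulted, project file first.
check_lock_config() {
    project=$1
    user_rc=${2:-$HOME/.npmrc}
    [ -f "$project/package-lock.json" ] || return 0   # no lockfile to go stale
    for rc in "$project/.npmrc" "$user_rc"; do
        value=$(npmrc_package_lock "$rc")
        [ -n "$value" ] || continue                   # key not set in this file
        if [ "$value" = "false" ]; then
            echo "WARN package-lock.json present, but package-lock=false in: $rc" >&2
            echo "WARN Update config or delete package-lock.json." >&2
            return 1
        fi
        return 0                                      # explicitly enabled here
    done
    return 0
}
```

Call `check_lock_config .` before `npm install` in CI and fail the job on a non-zero status.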
Something similar happened to me when I tried to get npm audit to work in a project that has
    $ npm audit
    npm ERR! code EAUDITNOLOCK
    npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
    npm ERR! audit Try creating one first with: npm i --package-lock-only
    npm ERR! A complete log of this run can be found in:
    npm ERR! /home/andreas/.npm/_logs/2018-10-26T22_43_47_021Z-debug.log
Oh well, let me try that, then:
    $ npm i --package-lock-only
    [...]
    added 67 packages from 25 contributors and audited 22207 packages in 14.93s
    found 3 vulnerabilities (2 low, 1 moderate)
    run `npm audit fix` to fix them, or `npm audit` for details
package-lock.json was generated. The presence of package-lock=false suppresses that step even though that’s literally the entire point of npm i --package-lock-only.
I fail to understand the logic of package-lock=false turning off the feature completely. For myself I really just want to prevent the automatic creation of a package-lock.json.
If the file exists, I want the package-lock feature to work. No warning. Just update the package-lock normally.