npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

Warn when package-lock.json is present, but package-lock=false in config

Just debugged a confusing problem with a user, where the package-lock.json file wasn’t being updated when installing a new version of a dep. Turns out they had a .npmrc file with package-lock=false.

It’d be nice if npm warned when doing an install, if the package-lock.json file is present, and would be updated, but isn’t because of a config.

Maybe something like this:

npm WARN package-lock.json file present, but `package-lock=false` in config file:
npm WARN /path/to/some/project/.npmrc
npm WARN Update config or delete package-lock.json to silence this warning.
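As an added example (not npm's own code and not part of the original post), the proposed warning can be reproduced today with a small pre-install check: it looks for a package-lock.json next to a project .npmrc that sets package-lock=false and prints the suggested npm WARN lines. The function names are hypothetical, the check reads only the project-level .npmrc, and the demo project it runs against is constructed inline.

```shell
#!/bin/sh
# Added example: detect a package-lock.json that npm will silently ignore
# because the project .npmrc sets package-lock=false. This is not npm's
# code; it mirrors the warning proposed above.
# Assumption: only DIR/.npmrc is consulted. npm also reads user and global
# npmrc files, environment variables and CLI flags, so the effective value
# in a real project comes from `npm config get package-lock`.

# npmrc_package_lock_disabled DIR
# Prints "true" if DIR/.npmrc sets package-lock=false, "false" otherwise.
# Comments (; or #) are stripped; the last package-lock line wins, which
# matches how an ini file is normally read.
npmrc_package_lock_disabled() {
  npmrc="$1/.npmrc"
  [ -f "$npmrc" ] || { echo false; return; }
  val=$(sed -e 's/[;#].*$//' "$npmrc" \
        | grep -E '^[[:space:]]*package-lock[[:space:]]*=' \
        | tail -n 1 \
        | sed -e 's/^[^=]*=[[:space:]]*//' -e 's/[[:space:]]*$//')
  case "$val" in
    false) echo true ;;
    *)     echo false ;;
  esac
}

# lockfile_conflict DIR
# Returns 0 and prints the proposed warning when package-lock.json exists
# in DIR while DIR/.npmrc disables the lockfile; returns 1 otherwise.
lockfile_conflict() {
  dir="$1"
  [ -f "$dir/package-lock.json" ] || return 1
  [ "$(npmrc_package_lock_disabled "$dir")" = true ] || return 1
  echo "npm WARN package-lock.json file present, but \`package-lock=false\` in config file:"
  echo "npm WARN $dir/.npmrc"
  echo "npm WARN Update config or delete package-lock.json to silence this warning."
  return 0
}

# Constructed demo project (not a real one): a lockfile plus an .npmrc with
# package-lock=false, the exact situation described in the post.
demo_dir=$(mktemp -d)
printf '{"name":"demo","lockfileVersion":1}\n' > "$demo_dir/package-lock.json"
printf '; local settings\npackage-lock=false\n' > "$demo_dir/.npmrc"

if lockfile_conflict "$demo_dir"; then
  echo "conflict detected in $demo_dir"
fi
rm -rf "$demo_dir"
```

Running lockfile_conflict from a preinstall hook or CI step turns the silent failure (lockfile present, never updated, so the pinned dependency set drifts from what actually installs) into a visible one. Because npm resolves config in the order command-line flags, environment variables, then .npmrc files, a CLI flag such as --package-lock=true overrides the project file for a single run; the check above deliberately does not try to replicate that full resolution.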

Something similar happened to me when I tried to get npm audit to work in a project that has package-lock=false in .npmrc.

$ npm audit
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/andreas/.npm/_logs/2018-10-26T22_43_47_021Z-debug.log

Oh well, let me try that, then:

$ npm i --package-lock-only
added 67 packages from 25 contributors and audited 22207 packages in 14.93s
found 3 vulnerabilities (2 low, 1 moderate)
  run `npm audit fix` to fix them, or `npm audit` for details

No package-lock.json was generated. The presence of package-lock=false suppresses that step even though that’s literally the entire point of npm i --package-lock-only.

I fail to understand the logic of package-lock=false turning off the feature completely. For myself I really just want to prevent the automatic creation of a package-lock.json.

If the file exists, I want the package-lock feature to work. No warning. Just update the package-lock normally.