What's the point of package-lock?

Hi,

Since npm install ignores the package-lock file and installs the newest dependencies anyway, what’s the point of having a lock file at all if it does not freeze the dependency tree?

Under what circumstances does npm install ignore the package-lock for you?

You might be confused by the big difference between npm install without a package, which faithfully uses the package-lock.json for a reproducible install:

npm install

and when you specify a package, which installs the newest semver-compatible version:

npm install some-package

For example:

% npm install commander@2.2.0
npm notice created a lockfile as package-lock.json. You should commit this file.
+ commander@2.2.0
added 1 package from 1 contributor and audited 1 package in 1.394s
found 0 vulnerabilities

% npm install
audited 1 package in 1.351s
found 0 vulnerabilities

% npm ls commander
example@1.0.0 /Users/john/Documents/Sandpits/npm.community/10444
└── commander@2.2.0 

% rm -rf node_modules 
% npm install
added 1 package from 1 contributor and audited 1 package in 1.02s
found 0 vulnerabilities

% npm ls commander
example@1.0.0 /Users/john/Documents/Sandpits/npm.community/10444
└── commander@2.2.0 

% npm install commander
+ commander@2.20.1
updated 1 package and audited 1 package in 1.409s
found 0 vulnerabilities

% npm install commander@latest
+ commander@3.0.2
updated 1 package and audited 1 package in 0.664s
found 0 vulnerabilities
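The session above shows the difference between `npm install` (honours the lock file) and `npm install some-package` (moves the lock file). The following is an added example, not code from the thread or from npm itself: a small drift check that a CI step could run before `npm ci`, reporting dependencies whose locked version no longer satisfies the range in package.json or whose lock entry lacks an `integrity` (SRI) hash. The two JSON documents are constructed samples in the lockfileVersion 1 layout that npm 6 writes; the integrity values are placeholders, not real hashes, and the range matcher only handles the exact, caret and tilde forms npm emits by default (a real tool would use the `semver` package).

```javascript
// Added example: lockfile drift check for package.json vs package-lock.json.
// Both inputs are constructed samples; hashes are placeholders, not real SRI values.

const samplePackageJson = {
  name: "example",
  version: "1.0.0",
  dependencies: { commander: "^2.2.0", "left-pad": "1.3.0" },
  devDependencies: { mocha: "~6.2.0" },
};

const samplePackageLock = {
  name: "example",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    commander: {
      version: "2.20.1", // inside ^2.2.0, so this one is fine
      resolved: "https://registry.npmjs.org/commander/-/commander-2.20.1.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_HASH",
    },
    "left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      // integrity deliberately omitted: npm ci could not verify this tarball
    },
    mocha: {
      version: "6.3.0", // outside ~6.2.0: the lock file drifted from package.json
      resolved: "https://registry.npmjs.org/mocha/-/mocha-6.3.0.tgz",
      integrity: "sha512-CONSTRUCTED_PLACEHOLDER_NOT_A_REAL_HASH",
      dev: true,
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into three numbers (pre-release tags are ignored).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Minimal range check for the forms npm writes by default: exact, ^ and ~.
function satisfies(version, range) {
  const v = parseVersion(version);
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const base = parseVersion(op ? range.slice(1) : range);
  if (compare(v, base) < 0) return false;
  if (op === "") return compare(v, base) === 0;
  let upper;
  if (op === "~") upper = [base[0], base[1] + 1, 0]; // ~1.2.3 := >=1.2.3 <1.3.0
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0]; // ^1.2.3 := >=1.2.3 <2.0.0
  else if (base[1] > 0) upper = [0, base[1] + 1, 0]; // ^0.2.3 := >=0.2.3 <0.3.0
  else upper = [0, 0, base[2] + 1]; // ^0.0.3 := >=0.0.3 <0.0.4
  return compare(v, upper) < 0;
}

// Returns a list of human-readable problems; an empty list means the lock
// file is consistent with package.json and every entry is verifiable.
function checkLock(pkg, lock) {
  const problems = [];
  const wanted = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = lock.dependencies || {};
  for (const [name, range] of Object.entries(wanted)) {
    const entry = locked[name];
    if (!entry) {
      problems.push(`${name}: not in package-lock.json`);
      continue;
    }
    if (!satisfies(entry.version, range)) {
      problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
    }
    if (!entry.integrity || !/^sha(256|384|512)-\S+$/.test(entry.integrity)) {
      problems.push(`${name}: missing or malformed integrity hash`);
    }
  }
  return problems;
}

const problems = checkLock(samplePackageJson, samplePackageLock);
console.log(problems.length ? problems.join("\n") : "package-lock.json is consistent");
```

In a real pipeline the two objects would be read from disk and a non-empty result would fail the build, which catches the "dirty package-lock.json" situation before `npm ci` silently installs whatever the drifted lock file says.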

I often see that npm install leaves dirty package-lock.json in git, which makes me think that it pulls the newest available packages when non-exact versions of packages are used in package.json. This hurts the reproducibility of builds and basically forces me to use npm ci which seems to respect the package-lock.json. Was this fixed recently or what am I missing?

Let me run some tests here again, maybe I can pinpoint the problem.

I am closing this because after running some tests with the latest npm@6.12, I can’t reproduce the same issue. I believe npm might have had bugs related to reproducible builds, and perhaps just running various versions of npm across the board caused package-lock to be overwritten.

I remember seeing a lot of optional and dev fields getting in and out of the package-lock file. Possibly because those fields were added gradually during the npm v6 updates, which caused different developer machines using different versions of npm to pop them in and out, making me think that the package-lock file was not respected.
