The npm community forum has been discontinued.
To discuss usage of npm, visit the GitHub Support Community.
What's the point of package-lock?
npm install ignores the package-lock file and installs the newest dependencies anyway. What's the point of having a lock file at all if it does not freeze the dependency tree?
Under what circumstances does npm install ignore the package-lock for you?
You might be confused by the big difference between npm install without a package, which faithfully uses the package-lock.json for a reproducible install:

npm install

and when you specify a package, which installs the newest semver-compatible version:

npm install some-package
% npm install email@example.com
npm notice created a lockfile as package-lock.json. You should commit this file.
+ firstname.lastname@example.org
added 1 package from 1 contributor and audited 1 package in 1.394s
found 0 vulnerabilities
% npm install
audited 1 package in 1.351s
found 0 vulnerabilities
% npm ls commander
email@example.com /Users/john/Documents/Sandpits/npm.community/10444
└── firstname.lastname@example.org
% rm -rf node_modules
% npm install
added 1 package from 1 contributor and audited 1 package in 1.02s
found 0 vulnerabilities
% npm ls commander
email@example.com /Users/john/Documents/Sandpits/npm.community/10444
└── firstname.lastname@example.org
% npm install commander
+ email@example.com
updated 1 package and audited 1 package in 1.409s
found 0 vulnerabilities
% npm install commander@latest
+ firstname.lastname@example.org
updated 1 package and audited 1 package in 0.664s
found 0 vulnerabilities
I often see that npm install leaves a dirty package-lock.json in git, which makes me think that it pulls the newest available packages when non-exact versions of packages are used in package.json. This hurts the reproducibility of builds and basically forces me to use npm ci, which seems to respect the package-lock.json. Was this fixed recently, or what am I missing?
Let me run some tests here again; maybe I can pinpoint the problem.
I am closing this because, after running some tests with the latest email@example.com, I can't reproduce the same issue. I believe npm might have had bugs related to reproducible builds, and perhaps just running various versions of npm across the board caused package-lock to be overwritten.
I remember seeing a lot of dev fields getting in and out of the package-lock file. Possibly because those fields were added gradually during the npm v6 updates, which caused different developer machines using different versions of npm to pop them in and out, making me think that the package-lock file was not respected.