
Our project uses npm for package management. After upgrading from npm 4 to npm 5, we decided to opt-in for the new package-lock.json.

After committing it and performing npm install on other machines, we spotted differences in the way the version and resolved entries are specified:

1) example of package-lock.json dependencies with the version encoded as a URL:

"jspm": {
  "version": "https://registry.npmjs.org/jspm/-/jspm-0.16.52.tgz",
  "integrity": "sha1-axhH4I8TGsm9JnzFiXSXmudnXS4=",
  "dev": true
},
"systemjs": {
  "version": "https://registry.npmjs.org/systemjs/-/systemjs-0.19.46.tgz",
  "integrity": "sha1-wEV0szNfBSoOPHoA7kGIxuTB444=",
  "dev": true
},

2) example of package-lock.json dependencies with version and resolved properties:

"jspm": {
  "version": "0.16.53",
  "resolved": "https://registry.npmjs.org/jspm/-/jspm-0.16.53.tgz",
  "integrity": "sha1-VvNR9JWUyJM+XgG2UUWsrr/PtZ4=",
  "dev": true,
  "dependencies": {
    ...
  }
},
"systemjs": {
  "version": "0.19.46",
  "resolved": "https://registry.npmjs.org/systemjs/-/systemjs-0.19.46.tgz",
  "integrity": "sha1-wEV0szNfBSoOPHoA7kGIxuTB444=",
  "dev": true
},
...

In addition to having an unstable package-lock.json, our build server is having issues when installing the first example.

Mobiletainment

2 Answers


Follow this procedure to produce a stable version of the package-lock.json:

  1. delete the existing node_modules folder
  2. delete the existing package-lock.json
  3. perform npm install
  4. commit and push the package-lock.json

For the rest of the team:

  1. delete the existing node_modules folder
  2. pull the new package-lock.json
  3. perform npm install

Deleting the existing node_modules before continuing is an essential step because the package-lock.json does parse existing metadata from the node_modules folder. This means that if your node_modules folder has leftovers, they may get added to the package-lock's dependencies, even if they're not an actual dependency (anymore).

Mobiletainment
  • This worked for me (make sure to delete the node_modules folder and existing package-lock.json, if it exists, before doing `npm install` when creating the package-lock.json). But for the "For the rest of the team" steps, I needed to add steps 1a: Run `npm install` (without the package-lock.json and node_modules folder), 1b: Delete node_modules folder again and newly created package-lock.json. Continuing with steps 2 & 3 to `npm install` then worked as expected. – tbmpls Oct 15 '17 at 18:30
  • It does not work for me. The team still gets a new package-lock.json file. – Yogesh Kumar Gupta Jul 12 '22 at 04:58
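As an added check (example code written for this page, not from the question or either answer), the Node.js script below scans the "dependencies" map of a package-lock.json and reports entries in the unstable first shape from the question (version holding a tarball URL and no resolved field), entries with no integrity value, integrity values that use sha1 rather than sha512, and resolved tarballs whose filename disagrees with version. This is the kind of lint a build server can run before npm install to catch a lockfile that will not reproduce the same tree. The SAMPLE_LOCK object is constructed to mirror the two shapes shown above; the "example-pkg" and "nested-example" entries and the sha512 placeholder are made up for the example.

```javascript
// Lockfile shape checker: flags package-lock.json entries that are not
// stably pinned. Added example, not code from the question or the answers.

// Plain semver (with optional prerelease/build metadata), e.g. "0.19.46".
const SEMVER_RE = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Return a list of problems for one lockfile entry ([] means well pinned).
function checkLockEntry(name, entry) {
  const problems = [];
  const version = entry.version;

  if (typeof version !== 'string') {
    problems.push('missing version');
  } else if (/^https?:\/\//.test(version)) {
    // The first shape from the question: the tarball URL sits in "version".
    problems.push('version is a URL, not a semver string');
  } else if (!SEMVER_RE.test(version)) {
    problems.push(`non-semver version "${version}"`);
  }

  if (typeof entry.resolved !== 'string') {
    problems.push('missing resolved');
  } else if (typeof version === 'string' && SEMVER_RE.test(version)) {
    // Registry tarballs are named <pkg>-<version>.tgz (for scoped packages,
    // the part after the scope). A mismatch means the recorded version and
    // the pinned artifact disagree.
    const base = name.includes('/') ? name.split('/').pop() : name;
    if (!entry.resolved.endsWith(`/${base}-${version}.tgz`)) {
      problems.push(`resolved tarball does not match version ${version}`);
    }
  }

  if (typeof entry.integrity !== 'string') {
    problems.push('missing integrity');
  } else {
    // Subresource-integrity style value: "<algorithm>-<base64 digest>".
    const algo = entry.integrity.split('-')[0];
    if (algo !== 'sha512') {
      problems.push(`integrity uses ${algo}; sha512 preferred`);
    }
  }
  return problems;
}

// Walk a lock object (or any nested entry) and collect problems per package.
// Nested entries are reported as "parent > child".
function checkLockfile(lock) {
  const report = {};
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const problems = checkLockEntry(name, entry);
    if (problems.length) report[name] = problems;
    if (entry.dependencies) {
      for (const [sub, subProblems] of Object.entries(checkLockfile(entry))) {
        report[`${name} > ${sub}`] = subProblems;
      }
    }
  }
  return report;
}

// Constructed sample mirroring the two shapes in the question, plus a
// made-up well-pinned entry and a made-up nested entry with no pinning.
const SAMPLE_LOCK = {
  dependencies: {
    jspm: {
      version: 'https://registry.npmjs.org/jspm/-/jspm-0.16.52.tgz',
      integrity: 'sha1-axhH4I8TGsm9JnzFiXSXmudnXS4=',
      dev: true,
    },
    systemjs: {
      version: '0.19.46',
      resolved: 'https://registry.npmjs.org/systemjs/-/systemjs-0.19.46.tgz',
      integrity: 'sha1-wEV0szNfBSoOPHoA7kGIxuTB444=',
      dev: true,
      dependencies: {
        'nested-example': { version: '0.0.1' },
      },
    },
    'example-pkg': {
      version: '1.2.3',
      resolved: 'https://registry.npmjs.org/example-pkg/-/example-pkg-1.2.3.tgz',
      integrity: 'sha512-PLACEHOLDERdigestMadeUpForThisExample==', // constructed
    },
  },
};

console.log(JSON.stringify(checkLockfile(SAMPLE_LOCK), null, 2));
```

To run it against a real lockfile, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty report is a reason to regenerate the lock with the procedure in the answer above rather than commit it.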

You may want to check in this situation on both machines that:

  • your node + npm versions are the same and maybe doing npm -g update npm.
  • the npm configuration property save-exact has the same value on both machines. (otherwise doing npm config set save_exact true/false)
Pierre Maoui