7

Here is the relevant part of my package.json file:

  "devDependencies": {
    "ajv": "^6.0.0",
    "webpack": "^4.0.0",
    "websocket": "^1.0.0",
    "bignumber.js": "^7.0.0",
    "decimal.js": "^10.0.0",
    "truffle": "4.1.11",
    "ganache-cli": "6.1.0",
    "solidity-coverage": "0.5.4",
    "ethereumjs-testrpc-sc": "6.1.2",
    "web3": "1.0.0-beta.34"
  }

I have this file in two different repositories, on the same PC.

When I run npm install in each one of these repositories at the same time, I get a different package-lock.json file in each repository.

How could this be?

Here is a possible clue:

If I delete the package-lock.json file beforehand, then npm install aborts with an error.

So the answer to my question is possibly related to the fact that npm install relies on an already existing package-lock.json file.

And initially, I had different package-lock.json files in these repositories, because the corresponding package.json files were different.

Now that I've changed the package.json file in one of the repositories to be identical to the other, I am expecting that the corresponding package-lock.json files will also become identical.

Elias Zamaria
  • 96,623
  • 33
  • 114
  • 148
goodvibration
  • 5,980
  • 4
  • 28
  • 61
  • Did you ever figure this out? This is happening to me too. Same repo, same machine, exact same node/npm versions, exact same package.json. Just swapping branches with everything identical except package-lock.json and I get different generated package-lock.json files. – Adam Johns Mar 10 '23 at 03:22

1 Answers1

4

From https://docs.npmjs.com/files/package-locks

"Conceptually, the "input" to npm-install is a package.json, while its "output" is a fully-formed node_modules tree: a representation of the dependencies you declared. In an ideal world, npm would work like a pure function: the same package.json should produce the exact same node_modules tree, any time. In some cases, this is indeed true. But in many others, npm is unable to do this. There are multiple reasons for this:

  • different versions of npm (or other package managers) may have been used to install a package, each using slightly different installation algorithms."

The package-lock file is going to ensure that nothing breaks due to having slightly different package versions, running npm install on the same machine at the exact same time is not going to guarantee that the same version of all dependencies is acquired.

Another point that may clarify how a package file differs from a package-lock file. Two identical package.json files do not guarantee the same node_modules folder structure. But two identical package-lock files will guarantee the exact same node_modules file structure.

Tyler Yanke
  • 71
  • 5
  • Thanks, but I have used the same `npm` version (6.1.0) in both cases. Also, please see my update to the question. I have a feeling that `npm install` somehow relies on the `package-lock.json` file as input. – goodvibration Jun 11 '18 at 14:27
  • @goodvibration the package-lock file can be used as an input for npm install. Say I am developing a node.js app, if I want to recruit a second developer, I would give them my package lock file to install the packages, that ensures they run the exact same version of all packages. – Tyler Yanke Jun 11 '18 at 14:29