
I want to use the latest distribution tag in my package.json for internal packages. This allows me to always get their latest versions when I npm install in a local environment, without updating all external third-party packages.

The issue comes when I'm hotfixing a deployed version:

  • For hotfix purposes I generate and save a package-lock.json for each deployed version of the application.
  • But when I npm install during hotfix preparation, there is a conflict between the versions of the internal package in package.json and package-lock.json: package-lock.json points to the version that was used in the deployed application, but package.json points to the latest distribution tag, which itself points to a later version.
  • Since the version specified in package-lock.json doesn't satisfy the version range specified in package.json (which is very specific: only the latest version will satisfy it), npm install ignores package-lock.json and installs the latest version.

I searched through documentation and internet and didn't find any existing solution for the issue:

  • I didn't find any npm install flag that would treat package-lock.json versions with higher priority than the distribution tag in package.json.
  • I didn't find any tool that would reconstruct package.json from package-lock.json, or at least replace aliases (distribution tags) in package.json with the specific versions from package-lock.json.

Is there any solution for my issue (besides writing a tool that will implement the last approach)?

Sandbox: https://github.com/maxlk/npm-lock-version-should-override-latest (clone and run npm install or its alternative)

Maxim Kulikov
  • Use `npm update`, it will take it from package-lock.json. – kiran malvi Aug 01 '18 at 11:16
  • @kiranmalvi doesn't work for me, example: https://github.com/maxlk/npm-lock-version-should-override-latest Just clone and run `npm update` - latest version of lodash is installed instead of 4.0.0. My npm version is 6.1.0 – Maxim Kulikov Aug 01 '18 at 12:41
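The "replace dist-tags in package.json with the versions from package-lock.json" tool the question wishes for, as an added example that is not part of the question, the comments or npm itself. It assumes the dist-tag detection heuristic in `isDistTag` (npm's real spec parser is not used) and the constructed sample objects at the bottom, which mirror the sandbox's lodash 4.0.0 case; unresolved tags are reported rather than left pointing at "latest".

```javascript
// Heuristic: ranges start with a digit, ^, ~, >, <, =, * or x; file:, npm:,
// http and git specs contain ':' or '/'. Anything else ("latest", "next",
// "beta") is treated as a dist-tag. An assumption, not npm's own spec parser.
function isDistTag(spec) {
  return !/^[\d^~><=*xX]/.test(spec) && !/[:/]/.test(spec);
}

// Top-level resolved version of `name` in a lockfile, for lockfileVersion 1
// (dependencies[name]) and 2/3 (packages["node_modules/<name>"]).
function lockedVersion(lock, name) {
  const entry = lock.packages && lock.packages[`node_modules/${name}`];
  if (entry && entry.version) return entry.version;
  const dep = lock.dependencies && lock.dependencies[name];
  return dep && dep.version ? dep.version : null;
}

// Copy of package.json data with every dist-tag spec in dependencies /
// devDependencies replaced by the locked version. Tags with no locked
// version are reported in `unresolved` so the caller can stop instead of
// letting npm install silently resolve them to whatever "latest" is today.
function pinDistTags(pkg, lock) {
  const out = JSON.parse(JSON.stringify(pkg));
  const pinned = [];
  const unresolved = [];
  for (const field of ['dependencies', 'devDependencies']) {
    const deps = out[field] || {};
    for (const [name, spec] of Object.entries(deps)) {
      if (!isDistTag(spec)) continue;
      const version = lockedVersion(lock, name);
      if (version) {
        deps[name] = version;
        pinned.push({ name, from: spec, to: version });
      } else {
        unresolved.push(name);
      }
    }
  }
  return { pkg: out, pinned, unresolved };
}

// Constructed sample mirroring the question's sandbox: package.json asks for
// "latest" while the (v1-style) lock recorded lodash 4.0.0 at deploy time.
const samplePkg = {
  dependencies: { lodash: 'latest', express: '^4.16.0' },
  devDependencies: { 'internal-tool': 'next' },
};
const sampleLock = {
  lockfileVersion: 1,
  dependencies: { lodash: { version: '4.0.0' }, express: { version: '4.16.3' } },
};
```

Running `pinDistTags(samplePkg, sampleLock)` pins lodash to 4.0.0, leaves the `^4.16.0` range alone, and reports `internal-tool` as unresolved because the sample lock has no entry for it; write `result.pkg` back to package.json before running npm install for the hotfix.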

1 Answer


I found a solution - to use npm ci instead of npm install.

It doesn't exit with an error, despite the claim in the documentation: https://docs.npmjs.com/cli/ci

If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.

Maxim Kulikov