
How is this package-lock.json change possible:

Before:

...
    "chokidar": {
      "version": "1.7.0",
      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-1.7.0.tgz",
      "integrity": "sha1-eY5ol3gVHIB2tLNg5e3SjNortGg=",
      "requires": {
        "anymatch": "1.3.2",
        "async-each": "1.0.3",
        "glob-parent": "2.0.0",
        "inherits": "2.0.4",
        "is-binary-path": "1.0.1",
        "is-glob": "2.0.1",
        "path-is-absolute": "1.0.1",
        "readdirp": "2.2.1"
      }
    },
...

After:

...
    "chokidar": {
      "version": "1.7.0",
      "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-1.7.0.tgz",
      "integrity": "sha1-eY5ol3gVHIB2tLNg5e3SjNortGg=",
      "requires": {
        "anymatch": "^1.3.0",
        "async-each": "^1.0.0",
        "fsevents": "^1.0.0",
        "glob-parent": "^2.0.0",
        "inherits": "^2.0.1",
        "is-binary-path": "^1.0.0",
        "is-glob": "^2.0.0",
        "path-is-absolute": "^1.0.0",
        "readdirp": "^2.0.0"
      }
    },
...

This happens inside a docker container -- so platform is not an issue. The integrity field matches -- so WTF. Required versions change (that could be npm audit) but fsevents as a requirement is new while the package has not changed. Can anybody give me a clue?

Nemesarial
  • Are you sure you have the before and after listed in the correct order? – jwdonahue Jan 30 '20 at 18:36
  • Yes. I checked this many times over. Also -- notice that even if I did have it the wrong way around -- the resolved URL is identical, the integrity fingerprint is identical and still, the requirements are very different – Nemesarial Jan 31 '20 at 10:42
  • Did the version of NPM change? – jwdonahue Jan 31 '20 at 20:23
  • Nope. The npm version has changed _since_ then but same npm version across those two `package-lock` files. Even if it were different -- it still does not make sense that a requirement appears out of nowhere for the same version of a dependency. – Nemesarial Feb 03 '20 at 11:10
  • You should file a bug: https://github.com/npm/cli/issues – jwdonahue Feb 03 '20 at 18:37
  • Why would a `package-lock.json` file have version ranges listed in it? Unless perhaps it was unable to resolve a set of packages for `chokidar-1.7.0`? My limited knowledge of NPM tells me that the tool records a set of package-version strings that will satisfy the dependent's requirements at that moment in time. It does this by checking its own local cache and querying the remote feeds you've configured it for. – jwdonahue Feb 03 '20 at 18:55
  • The whole point of the tool is to record the exact versions resolved, such that you can later use that lock file to reproduce an earlier build. It can't possibly do that, if it finds version ranges in the lock file. – jwdonahue Feb 03 '20 at 18:58
  • Great point -- there should not be version ranges in a package-lock file. – Nemesarial Feb 04 '20 at 14:20

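The comments make the point that a lock file exists to pin exact versions so a build can be reproduced, and that version ranges inside it defeat that. The following is an added example, not code from the question, the commenters, or npm itself: a small Node script that lints a lockfileVersion 1 style package-lock.json for the things that break reproducibility, namely range specs under `requires`, entries without an exact `version`, missing or malformed `integrity` digests, non-HTTPS `resolved` URLs, and `requires` entries that are not resolved anywhere up the nested `dependencies` tree. It assumes only the layout visible in the question's fragment; the sample lock file is constructed (its `chokidar` entry copies the shape from the question, the other entries and the `CONSTRUCTED` integrity placeholders are made up to trigger each finding). It reports what is wrong with a lock file; it does not explain why npm wrote the ranges.

```javascript
// Added example (not from the question, the commenters, or npm): a
// reproducibility lint for a lockfileVersion-1 style package-lock.json.
// Assumed layout (as in the question): each entry has "version", "resolved",
// "integrity", optional "requires" (name -> spec) and nested "dependencies".

// Exact semver: MAJOR.MINOR.PATCH with optional pre-release / build suffix.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// One Subresource-Integrity style digest, the format npm writes.
const DIGEST = /^sha(?:1|256|384|512)-[A-Za-z0-9+/=]+$/;

function isExactVersion(spec) {
  return EXACT_VERSION.test(String(spec));
}

// npm may write several space-separated digests; every one must be well-formed.
function isWellFormedIntegrity(value) {
  return String(value).split(/\s+/).every((d) => DIGEST.test(d));
}

// Returns a list of {path, code, detail} findings; an empty list means the
// lock file pins and verifies everything it records.
function auditLockfile(lock) {
  const findings = [];
  const root = lock.dependencies || {};
  walk(root, [], [root], findings);
  return findings;
}

function walk(deps, path, scopes, findings) {
  for (const [name, entry] of Object.entries(deps)) {
    const here = [...path, name].join(' > ');
    const report = (code, detail) => findings.push({ path: here, code, detail });

    if (!isExactVersion(entry.version)) report('unpinned-version', entry.version);
    if (!entry.integrity) report('missing-integrity', null);
    else if (!isWellFormedIntegrity(entry.integrity)) report('malformed-integrity', entry.integrity);
    if (entry.resolved && !entry.resolved.startsWith('https://')) report('insecure-resolved', entry.resolved);

    // "requires" should name pinned versions that are resolved somewhere up the
    // tree; the nearest enclosing "dependencies" map wins, like node_modules lookup.
    const nested = entry.dependencies || {};
    for (const [reqName, spec] of Object.entries(entry.requires || {})) {
      if (!isExactVersion(spec)) report('unpinned-requires', `${reqName}@${spec}`);
      if (!lookup(reqName, [...scopes, nested])) report('unresolved-requires', reqName);
    }
    if (entry.dependencies) walk(nested, [...path, name], [...scopes, nested], findings);
  }
}

function lookup(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) return scopes[i][name];
  }
  return null;
}

// Constructed sample lock file (not a real project's). The chokidar entry
// mirrors the question's fragment; the rest is made up to trigger findings,
// and integrity values marked CONSTRUCTED are placeholders, not real digests.
const SAMPLE_LOCK = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    anymatch: {
      version: '1.3.2',
      resolved: 'https://registry.npmjs.org/anymatch/-/anymatch-1.3.2.tgz',
      integrity: 'sha512-CONSTRUCTED',
    },
    chokidar: {
      version: '1.7.0',
      resolved: 'https://registry.npmjs.org/chokidar/-/chokidar-1.7.0.tgz',
      integrity: 'sha1-eY5ol3gVHIB2tLNg5e3SjNortGg=',
      requires: { anymatch: '^1.3.0', fsevents: '^1.0.0', readdirp: '2.2.1' },
      dependencies: {
        readdirp: {
          version: '2.2.1',
          resolved: 'https://registry.npmjs.org/readdirp/-/readdirp-2.2.1.tgz',
          integrity: 'sha512-CONSTRUCTED',
        },
      },
    },
    // Unpinned version, no integrity, plain-HTTP tarball: three findings.
    'sloppy-pkg': { version: 'latest', resolved: 'http://registry.example.invalid/sloppy-pkg.tgz' },
  },
};

console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

On the sample this reports six findings: two range specs and one unresolved requirement (`fsevents`) under `chokidar`, and the unpinned version, missing integrity and HTTP URL of `sloppy-pkg`; `anymatch` and the nested `readdirp` are clean. To run it against a real file, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. Treat every finding as a reason the lock file cannot guarantee the same install twice; whether a particular range is npm's doing or a hand edit is a separate question that this script does not decide.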
0 Answers