9

The Problem

When I pull my team's code and run npm install a number of items in package-lock.json have their resolved property change from a URL to false. E.g.

"debug": {
  "version": "3.2.6",
  "resolved": "https://registry.npmjs.org/debug/-/debug-3.2.6.tgz",
  …
},

// changes to 

"debug": {
  "version": "3.2.6",
  "resolved": false,
  …
},

The Ask

I would like this not to happen. I don't understand why it is happening or what could be causing it. It seems like a pretty odd and serious bug. What would happen if I checked this in and deployed? ‍♂️

The Details

npm -v #=> 6.14.5

node -v #=> v12.13.0

Aaron
  • 13,349
  • 11
  • 66
  • 105
  • 1
    This is a bug and seems to have to do with using npm link. But it’s also mostly inconsequential as since npm 5, the resolved field is basically ignored. Just messes with your commit history a little. – bryan60 May 25 '20 at 23:06
  • Thanks @bryan60. I'm not aware of us using `npm link` anywhere. Is this something that is done automatically or by the packages I'm installing? – Aaron May 26 '20 at 03:43
  • 1
    it's an issue with npm itself, slated to be resolved in 7. but for the time being, it's just annoying more than it is harmful. People have said you can fix it by deleting your node modules and doing a fresh install – bryan60 May 26 '20 at 12:48
  • Interesting! I've confirmed that `rm -rf node_modules && npm i` does not reproduce the error. Is this happening for _everyone_ using npm because I haven't heard much about it at work (maybe people are used to ignoring it) and didn't find much in my search before posting this question. – Aaron May 27 '20 at 13:37
  • 1
    well, it's mostly associated with using npm link, which is newer and less commonly used, though apparently not in all cases. It's possible most people affected don't even notice it. I mostly just accept any package lock changes without reviewing them so long as the package.json itself is correct since it's a generated file and all. idc what npm is doing under the hood so long as it works – bryan60 May 27 '20 at 13:42

1 Answers1

8

Solution

As @bryan60 has pointed out this is a bug in NPM, specifically with npm link. There's nothing we can do at this point except wait for the update.

Work Around

If you are having problem and have a few minutes rm -rf node_modules/ && npm install will reinstall all of your node modules and you won't have the package-lock.json problem.

Aaron
  • 13,349
  • 11
  • 66
  • 105