
I believe I understand how npm i works, using the package.json file with the dependencies and versions of those libraries. I understand package-lock.json is the output of that build, with the specific versions down the tree. Future npm i will use the versions as specified in this lock file. Great!

My current issue is when we delete the package-lock.json file, npm i pulls down the latest version of the libraries, ignoring the version specified in package.json! Why would it do that?

We have a few libraries it was doing it on, but one that wreaked havoc in our new builds is "react-lazyload": "^2.6.2". When the lock file is deleted, it downloads 2.6.8, which introduces breaking changes to our UI. Why would npm grab the latest?

I checked the lock file and this is the only instance throughout the libraries using it; no other library is requesting a new version.

By the way, this only seems to happen on our Jenkins server, deploying all our code, which is running the same version of Node/npm as our dev machines:

node -v
v10.16.3
npm -v
6.9.0
David Lozzi

1 Answer


It does not ignore the version in package.json; it just follows semantic versioning rules.

If you use "react-lazyload": "^2.6.2" this means that npm will download version 2.X.X of the package, getting the latest minor release (second number) and the latest patch (third number).

If you use "react-lazyload": "~2.6.2" it will download version 2.6.X of the package, getting only the latest patch (third number).

If you use "react-lazyload": "2.6.2" it will always download version 2.6.2.

Lenni
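The resolution rule the answer describes, written out as an added example (it is not code from the question, the answer, or npm itself): a small model of how `npm install` picks a version when there is no lock file. It translates an exact, `~` or `^` range into a lower and upper bound and then takes the highest published version inside those bounds. It goes slightly beyond the answer by handling the `0.x` caret case (`^0.6.2` allows patch changes only, `^0.0.3` allows nothing above 0.0.3). The registry snapshot is constructed for illustration and is not the real publish history of react-lazyload; prerelease tags and partial ranges such as `^2.6` are assumed out of scope.

```javascript
// Added example: a minimal model of npm's range resolution for package.json
// dependencies. Supports exact, "~" and "^" ranges over full x.y.z versions.
// Prerelease tags (2.7.0-beta.1) and partial ranges (^2.6) are not handled;
// use the real `semver` package for those.

// Parse "2.6.8" into [2, 6, 8]. Throws on anything that is not x.y.z.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version syntax: ${v}`);
  return m.slice(1).map(Number);
}

// Ordering on parsed versions: negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Translate a range into an inclusive lower bound and an exclusive upper bound.
//   "^x.y.z": allows changes that do not touch the left-most non-zero digit
//             (^2.6.2 -> >=2.6.2 <3.0.0, but ^0.6.2 -> >=0.6.2 <0.7.0)
//   "~x.y.z": allows patch-level changes only (~2.6.2 -> >=2.6.2 <2.7.0)
//   "x.y.z":  allows exactly that version
function rangeBounds(range) {
  const op = range[0] === "^" || range[0] === "~" ? range[0] : "";
  const [major, minor, patch] = parseVersion(range.slice(op.length));
  const lower = [major, minor, patch];
  if (op === "") return { lower, upper: [major, minor, patch + 1] };
  if (op === "~") return { lower, upper: [major, minor + 1, 0] };
  // caret: widen up to (but not including) the next bump of the first non-zero part
  if (major > 0) return { lower, upper: [major + 1, 0, 0] };
  if (minor > 0) return { lower, upper: [0, minor + 1, 0] };
  return { lower, upper: [0, 0, patch + 1] };
}

// True when `version` falls inside `range`.
function satisfies(version, range) {
  const v = parseVersion(version);
  const { lower, upper } = rangeBounds(range);
  return compareVersions(v, lower) >= 0 && compareVersions(v, upper) < 0;
}

// What `npm install` does with no lock file present: pick the highest
// published version that satisfies the range. Returns null when none does.
function resolve(range, published) {
  const candidates = published.filter((v) => satisfies(v, range));
  if (candidates.length === 0) return null;
  return candidates.map(parseVersion).sort(compareVersions).pop().join(".");
}

// Constructed registry snapshot for the package named in the question.
// This is illustrative data, not the real publish history of react-lazyload.
const PUBLISHED = ["2.5.0", "2.6.2", "2.6.5", "2.6.8", "2.7.0", "3.0.0"];

if (typeof require !== "undefined" && require.main === module) {
  for (const range of ["^2.6.2", "~2.6.2", "2.6.2", "^3.0.0"]) {
    console.log(`${range.padEnd(7)} -> ${resolve(range, PUBLISHED)}`);
  }
}
```

With that snapshot, `^2.6.2` resolves to 2.7.0, `~2.6.2` to 2.6.8 and `2.6.2` to itself, which is exactly why deleting the lock file on the build server produced a different tree from the developers' machines. On a CI host the usual fix is `npm ci` (present in npm 6.9.0): it installs precisely the versions recorded in package-lock.json and fails outright if package.json and the lock file disagree, instead of re-resolving ranges against whatever the registry holds that day.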