
I have this configuration:

$ node -v
v16.13.0

$ npm -v
8.1.2

$ npm config get shrinkwrap
true

$ npm config get package-lock
true

FWIW I'm on macOS 10.15.17 and Node.js is installed via MacPorts.

When I run npm install or npm install --package-lock-only, no package-lock.json is created. There is, however, this:

$ ls -l node_modules/.package-lock.json 
-rw-r--r--  1 david  admin  301536 Dec 14 18:48 node_modules/.package-lock.json

That date is within the last 10 minutes. I have removed node_modules and rerun the install. And, I have run npm cache clean --force.

When I run npm install the output talks about some moderate severity vulnerabilities. I obviously want to learn more, but get this:

$ npm audit
npm ERR! code ENOLOCK
npm ERR! audit This command requires an existing lockfile.
npm ERR! audit Try creating one first with: npm i --package-lock-only
npm ERR! audit Original error: loadVirtual requires existing shrinkwrap file

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/david/.npm/_logs/2021-12-15T02_48_57_735Z-debug.log

Running npm audit fix or npm audit fix --force doesn't change anything.

The first message - requires a lockfile - why isn't node_modules/.package-lock.json good enough?

The debug log doesn't contain any useful information.

I have read several postings on Stack Overflow and elsewhere and have collected the recommended information. Supposedly with this config, the file should be created, and then npm audit would be happy. But, it's not.

David Herron

0 Answers