Questions tagged [package-lock.json]

224 questions
40 votes, 1 answer

What is the NPM equivalent of "yarn install --frozen-lockfile"?

I'm using npm as part of me building the production docker image. I want to make sure the package-lock.json doesn't change and matches.
user972014
34 votes, 10 answers

How to solve `package-json found. ... To clear this warning, remove package-lock.json`, I think it was overlapped by npm when yarn install

I used the command yarn install in Visual Studio Code, but an error occurred, with the following error message: package-lock.json found. Your project contains lock files generated by tools other than Yarn. It is advised not to mix package managers in order to…
Quack
32 votes, 4 answers

What is the point of putting npm's "package-lock.json" under version control?

What is the point of putting npm's package-lock.json under version control? In my experience having this file source controlled has caused more trouble and confusion than efficiency gains. Having package-lock.json under source control makes for a…
Cumulo Nimbus
30 votes, 3 answers

npm "resolved"-fields in package-lock.json change constantly with JFrog artifactory

We have a private JFrog artifactory (name anonymised below) that npm is configured in a project root .npmrc -file: registry=https://artifactory.jfrog.private.com:443/api/npm/npm-registry-virtual/ The resolved-field in the package-lock.json file…
Ville Heikkilä
30 votes, 2 answers

NPM - How to install a new package without update or add packages described on package.json

This is a hard question and I'll try to explain. How to add new packages without install dependencies or new packages (defined in package/-lock.json)? For example: Currently, we have our package.json and package-lock.json to maintain the versioning.…
Dan
23 votes, 2 answers

npm5 equivalent to yarn's --pure-lockfile flag?

I'm looking for an equivalent for yarn's --pure-lockfile flag. This flag is useful when installing dependencies in CI, when you want it to read your lockfile but not modify it. Does npm v5 have an equivalent?
callum
19 votes, 3 answers

dependabot only updates lock file

We've recently switched from greenkeeper to dependabot for our dependencies checks and we noticed that dependabot is opening PRs changing only package-lock.json leaving package.json as it was. On the other hand, greenkeeper, was committing changes…
Johnny
19 votes, 1 answer

npm install removes "dev": true from several packages in package-lock.json?

Today I pulled latest from a shared Git repository and noticed that another developer on my team added an NPM package. So I ran npm install, and then saw that my package-lock.json file had changed. When I dug into what had changed, I found that…
AJ.
19 votes, 2 answers

How to update a dependency in package-lock.json

I've received for the first time a notification from GitHub about a potential security issue (label: high-severity) with some of my project's dependencies. Here's the sample message: url-parse vulnerability found in package-lock.json And this is…
Bruno Mazza
19 votes, 8 answers

Github potential security vulnerability error for hoek node module

Today github is showing following error on my github repository: We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated. On…
Yuvraj Patil
16 votes, 2 answers

Why does `package-lock.json` cause a failure in a docker container build when `npm install`?

There are a lot of people online asking this same question in different ways but there is no clear answer. Can anybody understand enough to explain why a docker build fails when package-lock.json file exists in the application, but runs successfully…
dugong
16 votes, 1 answer

Can I delete package-lock.json when switching to pnpm?

I'm in the process of switching from npm to pnpm, which has a different set of features that I prefer. The former uses package-lock.json to lock exact packages versions, the latter pnpm-lock.yaml. According to the docs, pnpm ignores…
Sekhemty
16 votes, 1 answer

Why do I get vastly different `package-lock.json` files when I run `npm install` on different systems

With the same git repository, if I delete node_modules and package-lock.json, my expectation is that running npm install should generate the same package-lock.json file each time (give or take a few modules that might get updated by the publisher in…
Dancrumb
13 votes, 6 answers

SassError: Undefined variable. Failing dependencies

I have a CI/CD pipeline for an Angular project which yesterday worked fine, but today the same code is returning several errors on the…
SirGaspAlot
12 votes, 1 answer

After upgrading my npm from version 6 to version 7 (node version was 10) I can't install dependencies for some projects

I had node version 10 installed in my system, after upgrading my npm from version 6 to version 7 I couldn't install the dependencies, and I'm getting an error, so I had to downgrade my node to 6 (both npm ci and npm i were failing). And the project I was…
Mohammad Ranjbar Z