
I have a project where I removed some no-longer-needed libraries from my package.json file, removed node_modules, ran npm install, and everything continued to work as expected.

Unfortunately, if I follow the same steps above after having deleted package-lock.json, my build suddenly breaks. A new package-lock.json is generated, but I now get hundreds of deprecation warnings from some dependencies, and even though the project continues to build, those same dependencies will break in unexpected places.

If I revert to the previous package-lock.json and again run the same steps (remove node_modules, run npm install), the warnings once again disappear and the build is once more in a safe state.

My understanding is that package-lock.json will update every time we run npm install with the most recent package versions, respecting the caret (^) and tilde (~) restrictions. Does this update differ if we have an existing package-lock.json vs. a fresh install?

Some additional details:
- I'm using Vue and vue-cli, and my build scripts run vue-cli-service build.
- This happened in between a migration from one CSS framework to another (bootstrap-vue/vuetify), so there may be sub-dependencies that both frameworks include that are the same.
- Sass is what was throwing hundreds of deprecation warnings.

Even if there is somehow a conflict between sub-dependencies I'm still confused why updating a package-lock.json with npm install works great but running npm install after deleting that file creates a new package-lock.json that breaks. This happens consistently over many attempts.

dyslexit
  • Don't delete `package-lock.json`? Modern node+npm uses `package.json` to determine which dependency version ranges are permitted, and `package-lock.json` to determine which _actual versions_ should be used (especially due to security issues in older versions of dependencies). If you're seeing lots of warnings: read the warnings. There's different kinds, and without saying what you're seeing, there's not much we can say about them other than "peg versions you need pegged, and run `npm audit fix` to make sure any insecure dependency is uplifted to a secure version". – Mike 'Pomax' Kamermans May 26 '21 at 19:15
  • With package-lock.json still available, npm install will install the packages in exactly the versions that are specified in the package-lock.json. If you remove it, some packages may be installed in newer versions, which may break dependencies – derpirscher May 26 '21 at 19:15
  • @derpirscher Thanks for the response, but my understanding is that since npm v5.1.0 `npm install` *will not* install the packages inside package-lock.json. From that version on we need to do `npm ci` for that behavior. That is why I'm confused about what's going on. https://stackoverflow.com/questions/45022048/why-does-npm-install-rewrite-package-lock-json – dyslexit May 26 '21 at 20:26
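The check implied by the comments above (which resolved versions actually differ once a lockfile is regenerated, including nested transitive copies) as an added JavaScript example; this is not code from the question or its commenters, and the two sample lockfiles and their version numbers are constructed.

```javascript
// Added example (not from the question or its comments): diff the resolved versions in
// two package-lock.json files (lockfileVersion 2/3 "packages" map, fallback for the v1 tree).
// Map every installed path (e.g. "node_modules/a/node_modules/b") to its locked version.
function lockedVersions(lock) {
  const out = {};
  if (lock.packages) {
    for (const [p, meta] of Object.entries(lock.packages)) {
      if (p !== "" && meta.version) out[p] = meta.version; // "" is the root project entry
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const p = `${prefix}node_modules/${name}`;
      out[p] = meta.version;
      walk(meta.dependencies, p + "/"); // v1 nests transitive deps under each entry
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Compare two parsed lockfiles: version changes, newly added paths, and dropped paths.
function diffLocks(oldLock, newLock) {
  const a = lockedVersions(oldLock), b = lockedVersions(newLock);
  const changed = [], added = [], removed = [];
  for (const p of Object.keys(a)) {
    if (!(p in b)) removed.push(p);
    else if (a[p] !== b[p]) changed.push({ path: p, from: a[p], to: b[p] });
  }
  for (const p of Object.keys(b)) if (!(p in a)) added.push(p);
  return { changed, added, removed };
}
// Constructed sample lockfiles (not real project data); for real files, JSON.parse the file contents.
const OLD_LOCK = { lockfileVersion: 2, packages: {
  "": { name: "demo", version: "1.0.0" },
  "node_modules/sass": { version: "1.32.13" },
  "node_modules/vuetify": { version: "2.4.0" },
  "node_modules/bootstrap-vue": { version: "2.21.2" } } };
const NEW_LOCK = { lockfileVersion: 2, packages: {
  "": { name: "demo", version: "1.0.0" },
  "node_modules/sass": { version: "1.34.0" },
  "node_modules/vuetify": { version: "2.4.0" },
  "node_modules/vuetify/node_modules/sass": { version: "1.34.0" } } };

const report = diffLocks(OLD_LOCK, NEW_LOCK);
for (const c of report.changed) console.log(`changed ${c.path}: ${c.from} -> ${c.to}`);
for (const p of report.added) console.log(`added   ${p}`);
for (const p of report.removed) console.log(`removed ${p}`);
```

Running it against the committed lockfile and a freshly generated one narrows the search to the packages that actually moved, rather than reading hundreds of warnings.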
