Questions tagged [package-lock.json]
224
questions
946
votes
12
answers
454k
views
Why does "npm install" rewrite package-lock.json?
I just recently upgraded to npm@5. I now have a package-lock.json file with everything from package.json. I would expect that, when I run npm install, the dependency versions would be pulled ...
417
votes
7
answers
411k
views
Is there a way to force npm to generate package-lock.json?
I deleted it by accident and have made many changes to package.json since. An npm install or npm update do not generate package-lock.json anymore. I tried clearing my npm cache and my nvm cache, but ...
285
votes
9
answers
417k
views
Is there any way to fix package-lock.json lockfileVersion so npm uses a specific format?
If two different developers are using different versions of node (12/15) & npm (6/7) in a project that was originally created using a package-lock.json "lockfileVersion": 1, when the ...
284
votes
3
answers
169k
views
Do I need both package-lock.json and package.json?
After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file.
I can tell package-lock.json gives me an ...
225
votes
6
answers
299k
views
Deleting `package-lock.json` to Resolve Conflicts quickly
In a team set up, usually, I have faced merge conflicts in package-lock.json and my quick fix has always been to delete the file and regenerate it with npm install. I have not seriously thought about ...
208
votes
4
answers
82k
views
What is the difference between npm-shrinkwrap.json and package-lock.json?
With the release of npm@5, it will now write a package-lock.json unless a npm-shrinkwrap.json already exists.
I installed npm@5 globally via:
npm install npm@5 -g
And now, if a npm-shrinkwrap.json ...
198
votes
23
answers
295k
views
Error: Local workspace file ('angular.json') could not be found
I have travis-ci integrated with my GitHub account (https://github.com/pradeep0601/Angular5-Router-App).
When I updated @angular/cli version from 1.7.4 to 6.0.0-rc.3, the build started failing with ...
188
votes
11
answers
106k
views
Why did package-lock.json change the integrity hash from sha1 to sha512?
I just generated a new npm lockfile, package-lock.json, as part of my typical workflow. But I noticed that this time all of the integrity hashes have been changed from sha1 to sha512. What is ...
104
votes
9
answers
60k
views
Proper way to fix potential security vulnerability in a dependency defined in package-lock.json
Github has given me this error on one of my repositories.
We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security ...
85
votes
6
answers
119k
views
npm install not creating a new package-lock.json
I accidentally deleted my package-lock.json file. npm install is not generating a new one. How do I get npm to recreate this file.
52
votes
2
answers
17k
views
Package-lock.json - requires vs dependencies
In package-lock.json in dependency object, I have both requires and dependencies fields, e.g
"requires": {
"@angular-devkit/core": "0.8.5",
"rxjs": "6.2.2",
"tree-kill": "1.2.0",
"...
50
votes
5
answers
47k
views
Create package.json from package-lock.json
I downloaded a theme and it has a package-lock.json file but no package.json file.
Is there a way I can generate the package.json from the package-lock.json file.
How do I install the node modules ...
46
votes
1
answer
34k
views
What is the NPM equivalent of "yarn install --frozen-lockfile"?
I'm using npm as part of me building the production docker image.
I want to make sure the package-lock.json doesn't change and matches.
46
votes
2
answers
26k
views
What is the point of having resolved URL in package-lock.json?
Whenever I generate a package-lock file, there is also "resolved" block that looks like this:
"resolved": "http://devel.npm.registry:4873/lodash/-/lodash-4.17.5.tgz"
What is the point of this URL? ...
45
votes
1
answer
10k
views
Should package-lock.json also be published?
npm 5 introduced package-lock.json, of which the documentation is here.
It states that the file is intended to be included with version control, so anyone cloning your package and installing it will ...
36
votes
10
answers
68k
views
How to solve `package-json found. ... To clear this warning, remove package-lock.json`, I think it was overlapped by npm when yarn install
I used the command yarn install in Visual Studio Code, but an error occurred, with the following error message.
package-lock.json found.
Your project contains lock files generated by tools other than Yarn.
It ...
33
votes
4
answers
13k
views
What is the point of putting npm's "package-lock.json" under version control?
What is the point of putting npm's package-lock.json under version control? In my experience having this file source controlled has caused more trouble and confusion than efficiency gains.
Having ...
30
votes
2
answers
25k
views
NPM - How to install a new package without update or add packages described on package.json
This is a hard question and I'll try to explain.
How to add new packages without install dependencies or new packages (defined in package/-lock.json)?
For example: Currently, we have our package....
30
votes
3
answers
7k
views
npm "resolved"-fields in package-lock.json change constantly with JFrog artifactory
We have a private JFrog artifactory (name anonymised below) that npm is configured in a project root .npmrc -file:
registry=https://artifactory.jfrog.private.com:443/api/npm/npm-registry-virtual/
...
25
votes
2
answers
7k
views
npm install removes "dev": true from several packages in package-lock.json?
Today I pulled latest from a shared Git repository and noticed that another developer on my team added an NPM package. So I ran npm install, and then saw that my package-lock.json file had changed. ...
24
votes
1
answer
11k
views
Can I delete package-lock.json when switching to pnpm?
I'm in the process of switching from npm to pnpm, which has a different set of features that I prefer.
The former uses package-lock.json to lock exact packages versions, the latter pnpm-lock.yaml.
...
23
votes
2
answers
6k
views
npm5 equivalent to yarn's --pure-lockfile flag?
I'm looking for an equivalent for yarn's --pure-lockfile flag.
This flag is useful when installing dependencies in CI, when you want it to read your lockfile but not modify it.
Does npm v5 have an ...
21
votes
3
answers
24k
views
How to update a dependency in package-lock.json
I've received for the first time a notification from GitHub about a potential security issue (label: high-severity) with some of my project's dependencies. Here's the sample message:
url-parse ...
20
votes
3
answers
8k
views
dependabot only updates lock file
We've recently switched from greenkeeper to dependabot for our dependencies checks and we noticed that dependabot is opening PRs changing only package-lock.json leaving package.json as it was.
On the ...
19
votes
8
answers
9k
views
Github potential security vulnerability error for hoek node module
Today github is showing following error on my github repository:
We found a potential security vulnerability in one of your
dependencies. A dependency defined in ./package-lock.json has known
...
17
votes
6
answers
32k
views
SassError: Undefined variable. Failing dependencies
I have a CI/CD pipeline for an Angular project which yesterday worked fine, but today the same code is returning several errors on the build:
./src/styles.scss.webpack[javascript/auto]!=!./...
17
votes
2
answers
20k
views
Why does `package-lock.json` cause a failure in a docker container build when `npm install`?
There are a lot of people online asking this same question in different ways but there is no clear answer. Can anybody understand enough to explain why a docker build fails when package-lock.json file ...
16
votes
1
answer
4k
views
Why do I get vastly different `package-lock.json` files when I run `npm install` on different systems
With the same git repository, if I delete node_modules and package-lock.json, my expectation is that running npm install should generate the same package-lock.json file each time (give or take a few ...
14
votes
1
answer
5k
views
"resolved" and "integrity" go missing in package-lock.json
Occasionally, when installing an (unrelated) dependency, I lose the resolved values from each of my private nexus repository dependencies, meaning that when my build server runs npm ci it falls back ...
13
votes
2
answers
25k
views
What would cause lockfileVersion in package-lock.json to decrease by one?
Bumped the patch version in a package.json (manually, edited file). Noted that the lock file had the old version, so I did an npm install to update it. When I did that the lockfileVersion field went ...
12
votes
1
answer
1k
views
After Upgrading my npm from version 6 to version 7 (node version was 10) I can't install dependencies for some projects
I had node version 10 installed in my system, after upgrading my npm from version 6 to version 7 I couldn't install the dependencies, and I'm getting an error so I had to downgrade my node to 6,
(both ...
12
votes
0
answers
6k
views
NPM - How do I override one of my dependencies dependency? [duplicate]
Recently, npm released the npm audit command. It runs automatically when you npm i letting you know of any vulnerabilities. I have a simple dependency tree, something like this:
package A
package B
...
11
votes
2
answers
4k
views
No effect when doing git diff -- ':(exclude)package-lock.json'
I want to do a diff but without package-lock.json, which is huge and is a generated file, so nothing interesting for me there.
I tried both :
git diff -- ':(exclude)package-lock.json'
git diff -- ':!...
11
votes
3
answers
5k
views
Running `npm ci` returns `pkg-dir not accessible from find-cache-dir`
I'm trying to run this command:
npm ci
And it returns this error:
npm ERR! pkg-dir not accessible from find-cache-dir
What am I missing here?
11
votes
1
answer
6k
views
What does "requires: true" do in package-lock.json
Our team just updated to npm@5. The package-lock.json was unified between Windows and Mac (certain dependencies are optional so they don't get installed on Windows, but they do on Mac) so that no ...
11
votes
1
answer
3k
views
Why does "npm install" modify package-lock.json? Why commit it to git then?
When I run "npm install" in a project it often modifies package-lock.json, for example if I work on the same project from another computer (with different node or npm version).
But at the same time ...
10
votes
2
answers
3k
views
Why does "npm install" prefix my packages with "node_modules" in my "package-lock.json" file?
I've never had this happen before, but now, when I npm install in the root directory of my app, my package-lock.json updates all the packages with node_modules/. What is causing this?
Here's what I ...
10
votes
1
answer
23k
views
Difference between `npm update` and `remove package-lock.json` plus `npm install`?
What is the essential difference between these commands, except that npm update modifies package.json?
rm package-lock.json
npm install
npm update --dev
10
votes
4
answers
7k
views
Okay to Paste-in Package-Lock.json from 19 Hours Ago to Fix "ValidationError: Progress Plugin Invalid Options" (Vue 3)?
I'm using Vue 3 and I pushed a version of my project that was working well to GitHub 19 hours ago.
About 5 hours later, the problem below occurred when I entered npm run serve which resulted in these ...
10
votes
1
answer
6k
views
Why does `npm install` generate different `package-lock.json` files for the same `package.json` file?
Here is the relevant part of my package.json file:
"devDependencies": {
"ajv": "^6.0.0",
"webpack": "^4.0.0",
"websocket": "^1.0.0",
"bignumber.js": "^7.0.0",
"decimal.js": "^10....
10
votes
0
answers
3k
views
How to generate per-package package-lock.json for existing Lerna mono-repo
We have an existing Lerna mono-repo that has a structure like:
/
/packages
/package1
/package2
/package3
...
We currently use Yarn for our project, and actually only have a top-...
10
votes
1
answer
1k
views
Updating transitive dependencies of a NPM package
Our company has a few web applications which in turn depend on a very long chain of internally created and hosted npm packages (we use JFrog Artifactory) each with their own dependencies (and so on). ...
9
votes
1
answer
6k
views
How to manually confirm integrity field in package-lock.json file?
What commands could I run to manually generate (or confirm) the integrity field contained in a package-lock.json file?
Here's an example with SHA1:
"uglify-js": {
"version": &...
9
votes
1
answer
6k
views
npm install changes resolved from a URL to false
The Problem
When I pull my team's code and run npm install a number of items in package-lock.json have their resolved property change from a URL to false. E.g.
"debug": {
"version": "3.2.6",
"...
9
votes
3
answers
6k
views
How do you bump a transitive dependency in package-lock.json
My project depends on analytics-node which has a dependency on axios: "^0.16.2".
We have been flagged with npm audit that axios has a vulnerability in it but it's fixed in 0.18.1.
However, analytics-...
9
votes
1
answer
9k
views
Is there a tool to validate/check that package.json and package-lock.json are consistent?
Sometimes people change package.json and forget to run npm i which will update package-lock.json, or package.json and package-lock.json are otherwise out of sync. This is an assumption not to be ...
9
votes
1
answer
8k
views
Lerna not generating package-lock.json for every package
Below is the description of the issue:-
Expected behaviour is to have a package-lock.json file generated for every package in packages folder.
Current Behaviour
My current project structure look ...
9
votes
0
answers
2k
views
npm install not considering registry/resolved path in package-lock.json
It's pretty straight forward to install a package from a private registry:
npm install my-package --registry https://<private-registry-url>
This will add an entry to the package-lock.json:
"...
8
votes
1
answer
2k
views
How can I determine which of my dependencies depends on a particular package in my node_modules?
Github recently introduced a feature that notifies you about security vulnerabilities in your package-lock.json. I would like to resolve these issues, but the majority of packages listed here are ...
8
votes
2
answers
3k
views
Caret range and package-lock.json: how to get latest non-breaking versions with them?
I got what package-lock.json is standing for, but I don't understand how caret range works after adding this file?
Say I have a package (my-module) that I want to have all new non-breaking versions ...