Questions tagged [package-lock.json]

The tag has no usage guidance.

946 votes
12 answers
454k views

Why does "npm install" rewrite package-lock.json?

I just recently upgraded to npm@5. I now have a package-lock.json file with everything from package.json. I would expect that, when I run npm install that the dependency versions would be pulled ...
Viper Bailey • 11.8k
417 votes
7 answers
411k views

Is there a way to force npm to generate package-lock.json?

I deleted it by accident and have made many changes to package.json since. An npm install or npm update do not generate package-lock.json anymore. I tried clearing my npm cache and my nvm cache, but ...
Big Money • 9,658
285 votes
9 answers
417k views

Is there any way to fix package-lock.json lockfileVersion so npm uses a specific format?

If two different developers are using different versions of node (12/15) & npm (6/7) in a project that was originally created using a package-lock.json "lockfileVersion": 1, when the ...
Ben • 5,349
284 votes
3 answers
169k views

Do I need both package-lock.json and package.json?

After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file. I can tell package-lock.json gives me an ...
Omri Luzon • 4,105
225 votes
6 answers
299k views

Deleting `package-lock.json` to Resolve Conflicts quickly

In a team set up, usually, I have faced merge conflicts in package-lock.json and my quick fix has always been to delete the file and regenerate it with npm install. I have not seriously thought about ...
John Mutuma • 3,370
208 votes
4 answers
82k views

What is the difference between npm-shrinkwrap.json and package-lock.json?

With the release of npm@5, it will now write a package-lock.json unless a npm-shrinkwrap.json already exists. I installed npm@5 globally via: npm install npm@5 -g And now, if a npm-shrinkwrap.json ...
k0pernikus • 63.9k
198 votes
23 answers
295k views

Error: Local workspace file ('angular.json') could not be found

I have travis-ci integrated with my GitHub account (https://github.com/pradeep0601/Angular5-Router-App). When I updated @angular/cli version from 1.7.4 to 6.0.0-rc.3, the build started failing with ...
Pradeep • 12.6k
188 votes
11 answers
106k views

Why did package-lock.json change the integrity hash from sha1 to sha512?

I just generated a new npm lockfile, package-lock.json, as part of my typical workflow. But I noticed that this time all of the integrity hashes have been changed from sha1 to sha512. What is ...
Matt • 34.3k
104 votes
9 answers
60k views

Proper way to fix potential security vulnerability in a dependency defined in package-lock.json

Github has given me this error on one of my repositories. We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security ...
Kaito • 1,285
85 votes
6 answers
119k views

npm install not creating a new package-lock.json

I accidentally deleted my package-lock.json file. npm install is not generating a new one. How do I get npm to recreate this file.
Dblock247 • 6,485
52 votes
2 answers
17k views

Package-lock.json - requires vs dependencies

In package-lock.json in dependency object, I have both requires and dependencies fields, e.g "requires": { "@angular-devkit/core": "0.8.5", "rxjs": "6.2.2", "tree-kill": "1.2.0", "...
Krzysztof Grzybek
50 votes
5 answers
47k views

Create package.json from package-lock.json

I downloaded a theme and it has a package-lock.json file but no package.json file. Is there a way I can generate the package.json from the package-lock.json file. How do I install the node modules ...
Sandeep kurien
46 votes
1 answer
34k views

What is the NPM equivalent of "yarn install --frozen-lockfile"?

I'm using npm as part of me building the production docker image. I want to make sure the package-lock.json doesn't change and matches.
user972014 • 3,606
46 votes
2 answers
26k views

What is the point of having resolved URL in package-lock.json?

whenever I generate a package-lock file, there is also "resolved" block that looks like this: "resolved": "http://devel.npm.registry:4873/lodash/-/lodash-4.17.5.tgz" What is the point of this URL? ...
Lukáš Havrlant
45 votes
1 answer
10k views

Should package-lock.json also be published?

npm 5 introduced package-lock.json, of which the documentation is here. It states that the file is intended to be included with version control, so anyone cloning your package and installing it will ...
wybe • 625
36 votes
10 answers
68k views

How to solve `package-json found. ... To clear this warning, remove package-lock.json`, I think it was overlapped by npm when yarn install

I used the command yarn install in Visual Studio Code, but it occurred error. following error message. package-lock.json found. Your project contains lock files generated by tools other than Yarn. It ...
Quack • 700
33 votes
4 answers
13k views

What is the point of putting npm's "package-lock.json" under version control?

What is the point of putting npm's package-lock.json under version control? In my experience having this file source controlled has caused more trouble and confusion than efficiency gains. Having ...
Cumulo Nimbus
30 votes
2 answers
25k views

NPM - How to install a new package without update or add packages described on package.json

This is a hard question and I'll try to explain. How to add new packages without install dependencies or new packages (defined in package/-lock.json)? For example: Currently, we have our package....
Dan • 1,555
30 votes
3 answers
7k views

npm "resolved"-fields in package-lock.json change constantly with JFrog artifactory

We have a private JFrog artifactory (name anonymised below) that npm is configured in a project root .npmrc -file: registry=https://artifactory.jfrog.private.com:443/api/npm/npm-registry-virtual/ ...
Ville Heikkilä
25 votes
2 answers
7k views

npm install removes "dev": true from several packages in package-lock.json?

Today I pulled latest from a shared Git repository and noticed that another developer on my team added an NPM package. So I ran npm install, and then saw that my package-lock.json file had changed. ...
AJ. • 16.6k
24 votes
1 answer
11k views

Can I delete package-lock.json when switching to pnpm?

I'm in the process of switching from npm to pnpm, which has a different set of features that I prefer. The former uses package-lock.json to lock exact packages versions, the latter pnpm-lock.yaml. ...
Sekhemty • 1,412
23 votes
2 answers
6k views

npm5 equivalent to yarn's --pure-lockfile flag?

I'm looking for an equivalent for yarn's --pure-lockfile flag. This flag is useful when installing dependencies in CI, when you want it to read your lockfile but not modify it. Does npm v5 have an ...
callum • 36.1k
21 votes
3 answers
24k views

How to update a dependency in package-lock.json

I've received for the first time a notification from GitHub about a potential security issue (label: high-severity) with some of my project's dependencies. Here's the sample message: url-parse ...
Bruno Mazza
20 votes
3 answers
8k views

dependabot only updates lock file

We've recently switched from greenkeeper to dependabot for our dependencies checks and we noticed that dependabot is opening PRs changing only package-lock.json leaving package.json as it was. On the ...
Johnny • 1,183
19 votes
8 answers
9k views

Github potential security vulnerability error for hoek node module

Today github is showing following error on my github repository: We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known ...
Yuvraj Patil • 8,360
17 votes
6 answers
32k views

SassError: Undefined variable. Failing dependencies

I have a CI/CD pipeline for an Angular project which yesterday worked fine, but today the same code is returning several errors on the build: ./src/styles.scss.webpack[javascript/auto]!=!./...
SirGaspAlot
17 votes
2 answers
20k views

Why does `package-lock.json` cause a failure in a docker container build when `npm install`?

There are a lot of people online asking this same question in different ways but there is no clear answer. Can anybody understand enough to explain why a docker build fails when package-lock.json file ...
dugong • 4,073
16 votes
1 answer
4k views

Why do I get vastly different `package-lock.json` files when I run `npm install` on different systems

With the same git repository, if I delete node_modules and package-lock.json, my expectation is that running npm install should generate the same package-lock.json file each time (give or take a few ...
Dancrumb • 27.1k
14 votes
1 answer
5k views

"resolved" and "integrity" go missing in package-lock.json

Occasionally, when installing an (unrelated) dependency, I lose the resolved values from each of my private nexus repository dependencies, meaning that when my build server runs npm ci it falls back ...
tallpaul • 1,393
13 votes
2 answers
25k views

What would cause lockfileVersion in package-lock.json to decrease by one?

Bumped the patch version in a package.json (manually, edited file). Noted that the lock file had the old version, so I did an npm install to update it. When I did that the lockfileVersion field went ...
jcollum • 45.1k
12 votes
1 answer
1k views

After Upgrading my npm from version 6 to version 7 (node version was 10) I can't install dependencies for some projects

I had node version 10 installed in my system, after upgrading my npm from version 6 to version 7 I couldn't install the dependencies, and I'm getting error so I had to downgrade my node to 6, (both ...
Mohammad Ranjbar Z
12 votes
0 answers
6k views

NPM - How do I override one of my dependencies dependency? [duplicate]

Recently, npm released the npm audit command. It runs automatically when you npm i letting you know of any vulnerabilities. I have a simple dependency tree, something like this: package A package B ...
The Qodesmith
11 votes
2 answers
4k views

No effect when doing git diff -- ':(exclude)package-lock.json'

I want to do a diff but without package-lock.json which is huge and is a generated file so nothing interesting for me there. I tried both : git diff -- ':(exclude)package-lock.json' git diff -- ':!...
Olivvv • 1,180
11 votes
3 answers
5k views

Running `npm ci` returns `pkg-dir not accessible from find-cache-dir`

I'm trying to run this command: npm ci And it returns this error: npm ERR! pkg-dir not accessible from find-cache-dir What am I missing here?
craftsman • 15.4k
11 votes
1 answer
6k views

What does "requires: true" do in package-lock.json

Our team just updated to npm@5. The package-lock.json was unified between Windows and Mac (certain dependencies are optional so they don't get installed on Windows, but they do on Mac) so that no ...
atdrago • 305
11 votes
1 answer
3k views

Why does "npm install" modify package-lock.json? Why commit it to git then?

When I run "npm install" in a project it often modifies package-lock.json, for example if I work on the same project from another computer (with different node or npm version). But at the same time ...
szx • 6,720
10 votes
2 answers
3k views

Why does "npm install" prefix my packages with "node_modules" in my "package-lock.json" file?

I've never had this happen before, but now, when I npm install in the root directory of my app, my package-lock.json updates all the packages with node_modules/. What is causing this? Here's what I ...
Sefton419 • 197
10 votes
1 answer
23k views

Difference between `npm update` and `remove package-lock.json` plus `npm install`?

What is essential difference between these commands, except that npm update modify package.json? rm package-lock.json npm install npm update --dev
yakunins • 725
10 votes
4 answers
7k views

Okay to Paste-in Package-Lock.json from 19 Hours Ago to Fix "ValidationError: Progress Plugin Invalid Options" (Vue 3)?

I'm using Vue 3 and I pushed a version of my project that was working well to GitHub 19 hours ago. About 5 hours later, the problem below occurred when I entered npm run serve which resulted in these ...
Mark Gavagan
10 votes
1 answer
6k views

Why does `npm install` generate different `package-lock.json` files for the same `package.json` file?

Here is the relevant part of my package.json file: "devDependencies": { "ajv": "^6.0.0", "webpack": "^4.0.0", "websocket": "^1.0.0", "bignumber.js": "^7.0.0", "decimal.js": "^10....
goodvibration
10 votes
0 answers
3k views

How to generate per-package package-lock.json for existing Lerna mono-repo

We have an existing Lerna mono-repo that has a structure like: / /packages /package1 /package2 /package3 ... We currently use Yarn for our project, and actually only have a top-...
Matthew Herbst
10 votes
1 answer
1k views

Updating transitive dependencies of a NPM package

Our company has a few web applications which in turn depend on a very long chain of internally created and hosted npm packages (we use JFrog Artifactory) each with their own dependencies (and so on). ...
PremiumTier
9 votes
1 answer
6k views

How to manually confirm integrity field in package-lock.json file?

What commands could I run to manually generate (or confirm) the integrity field contained in a package-lock.json file? Here's an example with SHA1: "uglify-js": { "version": &...
TTT • 25.6k
9 votes
1 answer
6k views

npm install changes resolved from a URL to false

The Problem When I pull my team's code and run npm install a number of items in package-lock.json have their resolved property change from a URL to false. E.g. "debug": { "version": "3.2.6", "...
Aaron • 13.7k
9 votes
3 answers
6k views

How do you bump a transitive dependency in package-lock.json

My project depends on analytics-node which has a dependency on axios: "^0.16.2". We have been flagged with npm audit that axios has a vulnerability in it but its fixed in 0.18.1. However, analytics-...
Dave • 131
9 votes
1 answer
9k views

Is there a tool to validate/check that package.json and package-lock.json are consistent?

Sometimes people change package.json and forget to run npm i which will update package-lock.json, or package.json and package-lock.json are otherwise out of sync. This is an assumption not to be ...
Lorenz Leutgeb
9 votes
1 answer
8k views

Lerna not generating package-lock.json for every package

Below is the description of the issue:- Expected behaviour is to have a package-lock.json file generated for every package in packages folder. Current Behaviour My current project structure look ...
Vishesh • 3,669
9 votes
0 answers
2k views

npm install not considering registry/resolved path in package-lock.json

It's pretty straight forward to install a package from a private registry: npm install my-package --registry https://<private-registry-url> This will add an entry to the package-lock.json: "...
ysfaran • 6,002
8 votes
1 answer
2k views

How can I determine which of my dependencies depends on a particular package in my node_modules?

Github recently introduced a feature that notifies you about security vulnerabilities in your package-lock.json. I would like to resolve these issues, but the majority of packages listed here are ...
MaxPRafferty • 4,879
8 votes
2 answers
3k views

Caret range and package-lock.json: how to get latest non-breaking versions with them?

I got what package-lock.json is standing for, but I don't understand how is caret range work after adding this file? Say I have a package (my-module) that I want to have all new non-breaking versions ...
atoth • 848
