Questions tagged [package-lock.json]
The package-lock.json tag has no usage guidance.
package-lock.json
222
questions
952
votes
12
answers
464k
views
Why does "npm install" rewrite package-lock.json?
I just recently upgraded to npm@5. I now have a package-lock.json file with everything from package.json. I would expect that, when I run npm install that the dependency versions would be pulled ...
- 11.8k
423
votes
7
answers
429k
views
Is there a way to force npm to generate package-lock.json?
I deleted it by accident and have made many changes to package.json since. An npm install or npm update do not generate package-lock.json anymore. I tried clearing my npm cache and my nvm cache, but ...
- 9,748
294
votes
9
answers
428k
views
Is there any way to fix package-lock.json lockfileVersion so npm uses a specific format?
If two different developers are using different versions of node (12/15) & npm (6/7) in a project that was originally created using a package-lock.json "lockfileVersion": 1, when the ...
- 5,469
287
votes
4
answers
173k
views
Do I need both package-lock.json and package.json?
After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file.
I can tell package-lock.json gives me an ...
- 4,155
232
votes
7
answers
312k
views
Deleting `package-lock.json` to Resolve Conflicts quickly
In a team set up, usually, I have faced merge conflicts in package-lock.json and my quick fix has always been to delete the file and regenerate it with npm install. I have not seriously thought about ...
- 3,480
208
votes
4
answers
83k
views
What is the difference between npm-shrinkwrap.json and package-lock.json?
With the release of npm@5, it will now write a package-lock.json unless a npm-shrinkwrap.json already exists.
I installed npm@5 globally via:
npm install npm@5 -g
And now, if a npm-shrinkwrap.json ...
- 64.7k
198
votes
23
answers
296k
views
Error: Local workspace file ('angular.json') could not be found
I have travis-ci integrated with my GitHub account (https://github.com/pradeep0601/Angular5-Router-App).
When I updated @angular/cli version from 1.7.4 to 6.0.0-rc.3, the build started failing with ...
- 12.6k
191
votes
12
answers
109k
views
Why did package-lock.json change the integrity hash from sha1 to sha512?
I just generated a new npm lockfile, package-lock.json, as part of my typical workflow. But I noticed that this time all of the integrity hashes have been changed from sha1 to sha512. What is ...
- 34.7k
104
votes
9
answers
62k
views
Proper way to fix potential security vulnerability in a dependency defined in package-lock.json
Github has given me this error on one of my repositories.
We found a potential security vulnerability in one of your dependencies.
A dependency defined in ./package-lock.json has known security ...
- 1,295
86
votes
6
answers
123k
views
npm install not creating a new package-lock.json
I accidentally deleted my package-lock.json file. npm install is not generating a new one. How do I get npm to recreate this file.
- 6,545
52
votes
2
answers
17k
views
Package-lock.json - requires vs dependencies
In package-lock.json in dependency object, I have both requires and dependencies fields, e.g
"requires": {
"@angular-devkit/core": "0.8.5",
"rxjs": "6.2.2",
"tree-kill": "1.2.0",
"...
- 9,216
50
votes
5
answers
49k
views
Create package.json from package-lock.json
I downloaded a theme and it has a package-lock.json file but no package.json file.
Is there a way I can generate the package.json from the package-lock.json file.
How do I install the node modules ...
- 603
49
votes
1
answer
36k
views
What is the NPM equivalent of "yarn install --frozen-lockfile"?
I'm using npm as part of me building the production docker image.
I want to make sure the package-lock.json doesn't change and matches.
- 3,736
47
votes
2
answers
27k
views
What is the point of having resolved URL in package-lock.json?
whenever I generate a package-lock file, there is also "resolved" block that looks like this:
"resolved": "http://devel.npm.registry:4873/lodash/-/lodash-4.17.5.tgz"
What is the point of this URL? ...
- 4,344
45
votes
1
answer
10k
views
Should package-lock.json also be published?
npm 5 introduced package-lock.json, of which the documentation is here.
It states that the file is intended to be included with version control, so anyone cloning your package and installing it will ...
- 625
38
votes
11
answers
72k
views
How to solve `package-json found. ... To clear this warning, remove package-lock.json`, I think it was overlapped by npm when yarn install
I used the command yarn install in Visual Studio Code, but it ocurred error. following error message.
package-lock.json found.
Your project contains lock files generated by tools other than Yarn.
It ...
- 730
33
votes
4
answers
13k
views
What is the point of putting npm's "package-lock.json" under version control?
What is the point of putting npm's package-lock.json under version control? In my experience having this file source controlled has caused more trouble and confusion than efficiency gains.
Having ...
- 9,355
31
votes
2
answers
26k
views
NPM - How to install a new package without update or add packages described on package.json
This is a hard question and I'll try to explain.
How to add new packages without install dependencies or new packages (defined in package/-lock.json)?
For example: Currently, we have our package....
- 1,565
30
votes
3
answers
7k
views
npm "resolved"-fields in package-lock.json change constantly with JFrog artifactory
We have a private JFrog artifactory (name anonymised below) that npm is configured in a project root .npmrc -file:
registry=https://artifactory.jfrog.private.com:443/api/npm/npm-registry-virtual/
...
- 301
26
votes
2
answers
7k
views
npm install removes "dev": true from several packages in package-lock.json?
Today I pulled latest from a shared Git repository and noticed that another developer on my team added an NPM package. So I ran npm install, and then saw that my package-lock.json file had changed. ...
- 16.6k
25
votes
1
answer
13k
views
Can I delete package-lock.json when switching to pnpm?
I'm in the process of switching from npm to pnpm, which has a different set of features that I prefer.
The former uses package-lock.json to lock exact packages versions, the latter pnpm-lock.yaml.
...
- 1,432
24
votes
3
answers
8k
views
dependabot only updates lock file
We've recently switched from greenkeeper to dependabot for our dependencies checks and we noticed that dependabot is opening PRs changing only package-lock.json leaving package.json as it was.
On the ...
- 1,263
23
votes
2
answers
6k
views
npm5 equivalent to yarn's --pure-lockfile flag?
I'm looking for an equivalent for yarn's --pure-lockfile flag.
This flag is useful when installing dependencies in CI, when you want it to read your lockfile but not modify it.
Does npm v5 have an ...
- 36.7k
21
votes
3
answers
26k
views
How to update a dependency in package-lock.json
I've received for the first time a notification from GitHub about a potential security issue (label: high-severity) with some of my project's dependencies. Here's the sample message:
url-parse ...
- 705
19
votes
8
answers
9k
views
Github potential security vulnerability error for hoek node module
Today github is showing following error on my github repository:
We found a potential security vulnerability in one of your
dependencies. A dependency defined in ./package-lock.json has known
...
- 8,468
18
votes
6
answers
34k
views
SassError: Undefined variable. Failing dependencies
I have a CI/CD pipeline for an Angular project which yesterday worked fine, but today the same code is returning several errors on the build:
./src/styles.scss.webpack[javascript/auto]!=!./...
- 213
17
votes
2
answers
21k
views
Why does `package-lock.json` causes a failure in a docker container build when `npm install`?
There are a lot of people online asking this same question in different ways but there is no clear answer. Can anybody understand enough to explain why a docker build fails when package-lock.json file ...
- 4,183
16
votes
1
answer
6k
views
"resolved" and "integrity" go missing in package-lock.json
Ocassionally, when installing an (unrelated) dependency, I lose the resolved values from each of my private nexus repository dependencies, meaning that when my build server runs npm ci it falls back ...
- 1,435
16
votes
1
answer
4k
views
Why do I get vastly different `package-lock.json` files when I run `npm install` on different systems
With the same git repository, if I delete node_modules and package-lock.json, my expectation is that running npm install should generate the same package-lock.json file each time (give or take a few ...
- 27.2k
14
votes
2
answers
26k
views
What would cause lockfileVersion in package-lock.json to decrease by one?
Bumped the patch version in a package.json (manually, edited file). Noted that the lock file had the old version, so I did an npm install to update it. When I did that the lockfileVersion field went ...
- 45.7k
12
votes
1
answer
2k
views
After Upgrading my npm from version 6 to version 7 (node version was 10) I cant install dependencies for some projects
I had node version 10 installed in my system, after upgrading my npm from version 6 to version 7 I couldn't install the dependencies, and I'm getting error so I had to downgrade my node to 6,
(both ...
- 1,537
12
votes
0
answers
6k
views
NPM - How do I override one of my dependencies dependency? [duplicate]
Recently, npm released the npm audit command. It runs automatically when you npm i letting you know of any vulnerabilities. I have a simple dependency tree, something like this:
package A
package B
...
- 3,335
11
votes
2
answers
5k
views
No effect when doing git diff -- ':(exclude)package-lock.json'
I want to a do a diff but without package-lock.json which is huge and is a generated file so nothing interesting for me there.
I tried both :
git diff -- ':(exclude)package-lock.json'
git diff -- ':!...
- 1,190
11
votes
2
answers
3k
views
Why does "npm install" prefix my packages with "node_modules" in my "package-lock.json" file?
I've never had this happen before, but now, when I npm install in the root directory of my app, my package-lock.json updates all the packages with node_modules/. What is causing this?
Here's what I ...
- 307
11
votes
3
answers
5k
views
Running `npm ci` returns `pkg-dir not accessible from find-cache-dir`
I'm trying to run this command:
npm ci
And it returns this error:
npm ERR! pkg-dir not accessible from find-cache-dir
What am I missing here?
- 15.4k
11
votes
1
answer
6k
views
What does "requires: true" do in package-lock.json
Our team just updated to npm@5. The package-lock.json was unified between Windows and Mac (certain dependencies are optional so they don't get installed on Windows, but they do on Mac) so that no ...
- 305
11
votes
0
answers
3k
views
How to generate per-package package-lock.json for existing Lerna mono-repo
We have an existing Lerna mono-repo that has a structure like:
/
/packages
/package1
/package2
/package3
...
We currently use Yarn for our project, and actually only have a top-...
- 31.3k
11
votes
1
answer
3k
views
Why does "npm install" modify package-lock.json? Why commit it to git then?
When I run "npm install" in a project it often modifies package-lock.json, for example if I work on the same project from another computer (with different node or npm version).
But at the same time ...
- 6,792
10
votes
1
answer
6k
views
How to manually confirm integrity field in package-lock.json file?
What commands could I run to manually generate (or confirm) the integrity field contained in a package-lock.json file?
Here's an example with SHA1:
"uglify-js": {
"version": &...
- 26.8k
10
votes
1
answer
23k
views
Difference between `npm update` and `remove package-lock.json` plus `npm install`?
What is essential difference between these commands, except that npm update modify package.json?
rm package-lock.json
npm install
npm update --dev
- 721
10
votes
4
answers
7k
views
Okay to Paste-in Package-Lock.json from 19 Hours Ago to Fix "ValidationError: Progress Plugin Invalid Options" (Vue 3)?
I'm using Vue 3 and I pushed a version of my project that was working well to GitHub 19 hours ago.
About 5 hours later, the problem below occurred when I entered npm run serve which resulted in these ...
- 1,048
10
votes
1
answer
7k
views
Why does `npm install` generate different `package-lock.json` files for the same `package.json` file?
Here is the relevant part of my package.json file:
"devDependencies": {
"ajv": "^6.0.0",
"webpack": "^4.0.0",
"websocket": "^1.0.0",
"bignumber.js": "^7.0.0",
"decimal.js": "^10....
- 6,168
10
votes
1
answer
9k
views
Is there a tool to validate/check that package.json and package-lock.json are consistent?
Sometimes people change package.json and forget to run npm i which will update package-lock.json, or package.json and package-lock.json are otherwise out of sync. This is an assumption not to be ...
- 494
10
votes
1
answer
1k
views
Updating transitive dependencies of a NPM package
Our company has a few web applications which in turn depend on a very long chain of internally created and hosted npm packages (we use JFrog Artifactory) each with their own dependencies (and so on). ...
- 173
9
votes
1
answer
3k
views
How can I determine which of my dependencies depends on a particular package in my node_modules?
Github recently introduced a feature that notifies you about security vulnerabilities in your package-lock.json. I would like to resolve these issues, but the majority of packages listed here are ...
- 4,939
9
votes
3
answers
6k
views
How do you bump a transitive dependency in package-lock.json
My project depends on analytics-node which has a dependency on axios: "^0.16.2".
We have been flagged with npm audit that axios has a vulnerability in it but its fixed in 0.18.1.
However, analytics-...
- 131
9
votes
1
answer
6k
views
npm install changes resolved from a URL to false
The Problem
When I pull my team's code and run npm install a number of items in package-lock.json have their resolved property change from a URL to false. E.g.
"debug": {
"version": "3.2.6",
"...
- 13.8k
9
votes
1
answer
8k
views
Lerna not generating package-lock.json for every package
Below is the description of the issue:-
Expected behaviour is to have a package-lock.json file generated for every package in packages folder.
Current Behaviour
My current project structure look ...
- 3,699
9
votes
0
answers
2k
views
npm install not considering registry/resolved path in package-lock.json
It's pretty straight forward to install a package from a private registry:
npm install my-package --registry https://<private-registry-url>
This will add an entry to the package-lock.json:
"...
- 6,282
8
votes
2
answers
3k
views
Caret range and package-lock.json: how to get latest non-breaking versions with them?
I got what package-lock.json is standing for, but I don't understand how is caret range work after adding this file?
Say I have a package (my-module) that I want to have all new non-breaking versions ...
- 858