
[BUG] npm install command without specific dependency re-orders entire lockfile

Open DaneEveritt opened this issue 4 years ago • 7 comments

Current Behavior:

When running npm install with no specific dependency listed, package-lock.json gets updated and the ordering of dependencies is changed. This causes us to constantly be accidentally committing changes to this file when there are, in fact, no changes.

It also makes it incredibly difficult to properly see how things have changed over time, and introduces another fun event, which is that running npm install @sentry/browser@latest (or any package) will then cause the lockfile to get re-ordered and it returns to alphabetical order in the dependency listing (and thus re-arranges all of the lockfile).

Expected Behavior:

I would expect that running npm install without a dependency would not modify the lockfile to be randomly ordered unless it was actually updating a dependency.

Steps To Reproduce:

  1. Run npm install and see that the lockfile changes order.
  2. Run npm install some-dependency and see that package-lock.json returns to its initial ordering with the new dependency injected as expected.
  3. Run npm install again and see package-lock.json changes ordering again.

Environment:

OS: macOS Big Sur (11.1), node: 15.8.0, npm: 7.5.6 (previously 7.5.1)

DaneEveritt, Feb 05 '21 18:02

@DaneEveritt can you try updating to the latest npm & see if you can still reproduce this behavior? (i.e. npm i -g npm@latest - 7.5.4)

darcyclarke, Feb 12 '21 19:02

It unfortunately does not fix this issue @darcyclarke.

DaneEveritt, Feb 15 '21 21:02

@DaneEveritt the changes you're seeing to your lockfile, are those also updates to newer versions of your deps? It sounds like you may want to run npm install with the --no-save flag if you don't want to get the latest versions of your dependencies or see changes in package.json or package-lock.json.

darcyclarke, Feb 24 '21 07:02

There is no change to the dependency versions @darcyclarke, it literally just reorders them. npm install without a dependency causes the lockfile to no longer be in alphabetical order at the top, npm install <dep> causes it to be generated in alphabetical order (when listing the deps at least, not sure how the rest of the file is structured after that).

There is no other change to the versions. The images attached might explain this better, the first one is running npm i react which did update the version, but as you can see nothing drastic changed. The second is immediately after, running npm i which completely changes the ordering in the lockfile, and makes it near impossible to understand what actually got changed (nothing). Running npm i react again then returns the lockfile state to the first image. I also tested with npm i --no-save and the same thing occurred.

npm i react

[screenshot: Screen Shot 2021-02-24 at 8 50 38 AM]

npm i

[screenshot: Screen Shot 2021-02-24 at 8 51 00 AM]

DaneEveritt, Feb 24 '21 16:02

Also, it looks like running npm i --no-save touches my package-lock.json?

DaneEveritt, Feb 24 '21 16:02

Noticing this on our team. We're all using the same versions (node v16.13.2 and npm 8.1.2). We're using strict engine enforced by .nvmrc, .npmrc and package.json all pinned to those versions. But no matter what I try we keep finding cases where the deps in package-lock.json get resorted sometimes by just running npm install. They appear to just get resorted like in the screenshot but have the same versions associated with the deps.

joshuaeilers, Sep 20 '22 17:09

Edit: appears to be related to this issue in another project https://github.com/rogeriochaves/npm-force-resolutions/issues/68

joshuaeilers, Sep 21 '22 21:09