Reputation: 12204
npm - How to actually use package-lock.json for installing based on locked versions?
Just updated from npm 3 to 5, to use this feature.
Sorry, I must be missing something totally obvious, but how do make npm respect the pinned versions in package-lock.json file when installing?
Let's say I have a package.json with a fair bit of outdated packages. Doing an npm install will pull in new stuff and breaks my app.
For example, the main package I want to stabilize is bootstrap - I want to block its version at bootstrap@4.0.0-alpha.6 for now, but npm install finds 4.0.0-beta.28.
If I npm update any package, package-lock.json gets updated.
Let's go to my development directory.
This is my package.json entry for bootstrap:
"bootstrap": "^4.0.0-alpha.6"
And this is what I see for my installed packages and meta data:
$ npm list 2>/dev/null | grep bootstrap
├─┬ bootstrap@4.0.0-alpha.6
├─┬ bootstrap-vue@0.16.1
│ ├── bootstrap@4.0.0-alpha.6 deduped
(env) jluc@py$ grep bootstrap package.json package-lock.json
package.json: "bootstrap": "^4.0.0-alpha.6",
package.json: "bootstrap-vue": "^0.16.1",
package-lock.json: "bootstrap": {
package-lock.json: "version": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-alpha.6.tgz",
package-lock.json: "bootstrap-vue": {
package-lock.json: "version": "https://registry.npmjs.org/bootstrap-vue/-/bootstrap-vue-0.16.1.tgz",
package-lock.json: "bootstrap": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-alpha.6.tgz",
Looks good. Lock is bootstrap-4.0.0-alpha.6.
But how I use actually use that package-lock.json?
Here's what I did:
- created a brand new directory
- copied in package.json and package-lock.json
- ran
npm install.
No good. npm again found bootstrap beta and package-lock.json had no effect, in fact it was rewritten from what npm install did. Which is consistent with the behavior you want in dev, but doesn't tell me how I would use the lockfile to stabilize my packages.
(env) jluc@trynpmlock$ npm list 2>/dev/null | grep bootstrap
├── bootstrap@4.0.0-beta.2
├─┬ bootstrap-vue@0.16.1
│ ├── bootstrap@4.0.0-beta.2 deduped
(env) jluc@trynpmlock$ grep bootstrap package.json package-lock.json
package.json: "bootstrap": "^4.0.0-alpha.6",
package.json: "bootstrap-vue": "^0.16.1",
package-lock.json: "bootstrap": {
package-lock.json: "resolved": "https://registry.npmjs.org/bootstrap/-/bootstrap-4.0.0-beta.2.tgz",
package-lock.json: "bootstrap-vue": {
package-lock.json: "resolved": "https://registry.npmjs.org/bootstrap-vue/-/bootstrap-vue-0.16.1.tgz",
package-lock.json: "bootstrap": "4.0.0-beta.2",
If I delete the package.json and only have a directory with package-lock.json, then
npm installinstalls very little and leaves me with a truncated package-lock.jsonnpm install has a
--no-package-lockoption, but that prevents updating the package-lock.json.
Basically how do I tell npm install everything from package.json, but respect locks in package-lock.json? Do I use a different command than npm install? Is it because npm install's doc refers to locks in the context of a package installation, but locks don't apply when you install the package.json in its entirety?
Yes, I know I can specify "bootstrap": "4.0.0-alpha.6", minus the ^, to pin the version manually.
My environment:
(env) jluc@py$ npm -v
5.5.1
Upvotes: 67
Views: 52251
Answers (3)
Reputation: 51
This also seems to work
npm i --save-exact
~ https://docs.npmjs.com/cli/v7/commands/npm-install
Upvotes: 0
Reputation: 2960
Update: As Dave pointed out, the command for this situation is now npm ci. It will install from package-lock.json and will not update it. See the documentation for more information.
According to this comment by a member of the npm CLI team, what you are describing is a "high priority bug".
If you have a package.json and you run
npm iwe generate a package-lock.json from it.If you run
npm iagainst that package.json and package-lock.json, the latter will never be updated, even if the package.json would be happy with newer versions.If you manually edit your package.json to have different ranges and run
npm iand those ranges aren't compatible with your package-lock.json then the latter will be updated with version that are compatible with your package.json. Further runs ofnpm iwill be as with 2 above.If you do run into a case where npm@^5.4.2 mutates a package-lock.json that was otherwise compatible with the paired package.json please open a new issue. This sort of thing would constitute a high priority bug.
Upvotes: 29
Reputation: 1643
You need to use the npm ci command to install from package-lock.json.
See: https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
Upvotes: 72
Related Questions
- why not specify a specific package version in package.json file? Then we don't need the package-lock.json
- How To Align package.json and package-lock.json When Dependency Versions Are Out of Sync?
- npm force package-lock to update a sub-dependency package
- How to update version of a package in package-lock.json and/or package.json using npm to latest version?
- NPM v7+ - How to install packages with "lockfileVersion": 1
- package-lock.json contains non-exact versions
- npm lock-file lock down the package version
- npm install doesn't apply what is in package-lock.json?
- NPM detect pre-release dependency in package.json/package-lock.json?
- How do I npm update dependency versions in the package-lock.json?