BlackICE

Reputation: 8926

What is causing npm package install differences

I'm having an issue where some differences in my npm packages between two machines used for building the application are causing portions of my website to behave differently. I'm trying to figure out what is causing the difference between the packages that npm is installing. I've verified that I'm running the same versions of nvm, nodejs, and npm (and that the same version is active with nvm using npm list -g --depth=0). I've verified that both have the same globally installed packages, at the same versions. I have set the version numbers in the package.json to be fixed at what I specify (no '^' or '~' in the version numbers). When I do npm i in the project (even after force clearing npm cache), I get differences between the two machines for what npm installs:

added 1061 packages from 1024 contributors and audited 26052 packages in 121.826s
found 5 vulnerabilities (2 low, 3 moderate)


added 1110 packages from 1033 contributors and audited 17105 packages in 196.763s
found 6 vulnerabilities (2 low, 3 moderate, 1 high)

How do I go about finding:

  1. What these differences are (besides trying to compare the node_modules folder)
  2. What is causing the differences in the first place. My understanding was that using npm and fixing the versions shouldn't have issues like this.

Upvotes: 1

Views: 413

Answers (1)

Ferrybig

Reputation: 18834

If npm is causing different installs, make sure that you are really committing the file package-lock.json, and that all computers are on the same major npm version.

This becomes an issue, as the lock file actually contains the exact versions installed, and different versions potentially have differences in their dependencies.

When this lock file was introduced, developers got into the habit of putting this file into their gitignore, since it was an unexpected file npm produced, and that multiple npm versions use different hashes in the lock file.

Upvotes: 2
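
Added example (not part of the question or the answer above): one way to see what differs between the two machines without walking node_modules is to diff the package-lock.json each machine produced. The function names, package names and hashes below are made up for illustration; the field names (`lockfileVersion`, `packages`, `dependencies`, `version`, `integrity`) are the ones npm writes.

```javascript
// Added example. Flattens a parsed package-lock.json into install-path -> {version, integrity}.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages").
function flattenLock(lock) {
  const out = Object.create(null);
  const put = (path, m) => { out[path] = { version: m.version, integrity: m.integrity || '' }; };
  if (lock.packages) {
    for (const [path, m] of Object.entries(lock.packages)) if (path !== '') put(path, m);
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, m] of Object.entries(deps || {})) {
      put(`${prefix}node_modules/${name}`, m);
      walk(m.dependencies, `${prefix}node_modules/${name}/`);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Reports what differs between two machines' lock files.
function diffLocks(lockA, lockB) {
  const a = flattenLock(lockA), b = flattenLock(lockB);
  const algo = (s) => s.split('-')[0];
  const d = { onlyA: [], onlyB: [], version: [], hashAlgo: [], digest: [] };
  for (const p of Object.keys(a)) {
    if (!(p in b)) d.onlyA.push(p);
    else if (a[p].version !== b[p].version) d.version.push(`${p}: ${a[p].version} -> ${b[p].version}`);
    // Different algorithm prefix (sha1- vs sha512-): digests are not comparable.
    else if (algo(a[p].integrity) !== algo(b[p].integrity)) d.hashAlgo.push(p);
    // Same version, same algorithm, different digest: the tarball contents differ.
    else if (a[p].integrity !== b[p].integrity) d.digest.push(p);
  }
  for (const p of Object.keys(b)) if (!(p in a)) d.onlyB.push(p);
  return d;
}

// Constructed sample data: package names and hashes are made up.
const machineA = { lockfileVersion: 1, dependencies: {
  'left-lib': { version: '1.2.0', integrity: 'sha512-AAAA',
    dependencies: { 'util-x': { version: '2.0.0', integrity: 'sha512-BBBB' } } },
  'color-y': { version: '3.1.0', integrity: 'sha1-CCCC' },
  'dep-z': { version: '4.0.0', integrity: 'sha512-DDDD' },
  'pkg-w': { version: '5.0.0', integrity: 'sha512-EEEE' } } };
const machineB = { lockfileVersion: 3, packages: {
  '': { name: 'app', version: '1.0.0' },
  'node_modules/left-lib': { version: '1.2.0', integrity: 'sha512-AAAA' },
  'node_modules/util-x': { version: '2.0.0', integrity: 'sha512-BBBB' },
  'node_modules/color-y': { version: '3.1.0', integrity: 'sha512-FFFF' },
  'node_modules/dep-z': { version: '4.0.1', integrity: 'sha512-GGGG' },
  'node_modules/pkg-w': { version: '5.0.0', integrity: 'sha512-HHHH' } } };
console.log(diffLocks(machineA, machineB));
```

To run it on real files, load each machine's lock file with `JSON.parse(fs.readFileSync(path, 'utf8'))` and pass the two objects to `diffLocks`. An entry under `digest` deserves the closest look, since the same version resolving to different content is not explained by an npm version difference.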
