CODEWITHSUNDEEP
npmyarnpkg
S Panfilov
S Panfilov

Reputation: 17591

How to update package-lock.json without doing npm install?

Question

What is the way to update/generate package-lock.json without making a real installation of node_modules (what npm install does)?

I want just a valid package-lock.json based on my package.json, that's it.

Motivation

You might use yarn locally, when CI server uses npm. It's probably not the best practice, but still might ok as a temporary solution.

Bonus question: Same for yarn. Is it possible to generate yarn-lock.json without doing a real installation?

Upvotes: 156

Views: 198259

Answers (3)

Teh
Teh

Reputation: 3366

npm

As of npm 6.x, you can use the following command:

npm i --package-lock-only

Documentation (https://docs.npmjs.com/cli/install.html) says:

The --package-lock-only argument will only update the package-lock.json, instead of checking node_modules and downloading dependencies.

yarn

As of yarn 3.0.0, you can use the following command:

yarn install --mode update-lockfile

Documentation (https://yarnpkg.com/cli/install#options-mode%20%230) says:

If the --mode=<mode> option is set, Yarn will change which artifacts are generated.

update-lockfile will skip the link step altogether, and only fetch packages that are missing from the lockfile (or that have no associated checksums). This mode is typically used by tools like Renovate or Dependabot to keep a lockfile up-to-date without incurring the full install cost.

As of Sep. 10, 2019: yarn doesn't seem to support generating a lock-file without installing the modules. Relevant GitHub issue: https://github.com/yarnpkg/yarn/issues/5738

pnpm

As of pnpm 3.0.0, you can use the following command:

pnpm install --lockfile-only

Documentation (https://pnpm.io/cli/install#--lockfile-only) says:

When used, only updates pnpm-lock.yaml and package.json. Nothing gets written to the node_modules directory.

bun

As of bun v1.1.43, you can use the following command:

bun install --lockfile-only

Documentation (https://bun.sh/docs/install/lockfile#generate-a-lockfile-without-installing) says:

To generate a lockfile without installing to node_modules you can use the --lockfile-only flag. The lockfile will always be saved to disk, even if it is up-to-date with the package.json(s) for your project.

Upvotes: 272

Shao
Shao

Reputation: 140

In addition to Teh's answer, for Yarn now you can:

yarn install --mode update-lockfile

Documentation: https://yarnpkg.com/cli/install#options-mode%20%230

update-lockfile will skip the link step altogether, and only fetch packages that are missing from the lockfile (or that have no associated checksums). This mode is typically used by tools like Renovate or Dependabot to keep a lockfile up-to-date without incurring the full install cost.

Upvotes: 7

user1834095
user1834095

Reputation: 5723

While npm install --package-lock-only (as answered by @Teh) will create a package-lock.json file without downloading and installing all dependencies in a node_modules directory, it will not update dependency versions if a package-lock.json file already exists prior to running it.

However, npm update --package-lock-only will both generate a new package-lock.json file when none exists and update the existing file when it does through some underdocumented npm update behaviour (not documented in the current npm update docs, but mentioned in the npm config docs instead):

package-lock-only

  • Default: false
  • Type: Boolean

If set to true, the current operation will only use the package-lock.json, ignoring node_modules.

For update this means only the package-lock.json will be updated, instead of checking node_modules and downloading dependencies.

Upvotes: 6

Related Questions