Polymer / pwa-starter-kit

Starter templates for building full-featured Progressive Web Apps from web components.
https://pwa-starter-kit.polymer-project.org

package-lock.json differs from master branch after running 'npm install' #256

Closed: freshgrapes closed this issue 5 years ago

freshgrapes commented 5 years ago

I cloned the pwa-starter-kit last week, ran 'npm install' as instructed and made some modifications on it (without touching the package.json file at all), and today I pulled from the latest master branch and the merged version on my machine ended up having exactly the same package.json and package-lock.json file as the one on GitHub.

However, after running 'npm install', the package-lock.json changed and is now different from the one on the master branch.

Is the version on the master branch pushed after modifying the package.json file but before running 'npm install' to update the package-lock.json file?

Are we supposed to run 'npm install' or 'npm update' at all after cloning the pwa-starter-kit, running the initial 'npm install', doing some modifications (without touching package.json), and later on merging a new version from the master branch that affects the deps (for example, cloning pwa-starter-kit last week, and pulling the latest 'Update deps' commit from master branch today)?

keanulee commented 5 years ago

I bumped two deps in package.json and re-installed everything (rm -rf node_modules/ package-lock.json; npm i) to get a package-lock.json with the latest matching dependencies in https://github.com/Polymer/pwa-starter-kit/commit/d43cba41a39419cc0b2258347525038ceb96da04. If you're pulling in master, you can just run npm i (even if there are merge conflicts in package-lock.json - npm handles this) and commit the result.

freshgrapes commented 5 years ago

@keanulee I used rm -rf node_modules/ package-lock.json; npm i and it got better, but there are still 7 differences (was like 100 differences with npm install) (see screenshots below).

Why would there be any difference in package-lock.json when we have exactly the same package.json? Does it have to do with different npm and node versions between my machine and yours (I am using the latest npm v.6.4.1 and node v.10.13.0)?

How do I make sure that I always end up having the same package-lock.json as the one on the master branch? I pulled from master so I had the same package-lock.json, but after running any sort of npm ... I end up having a different package-lock.json (npm i and rm -rf node_modules/ package-lock.json; npm i end up producing different package-lock.json files, and none of them matches the one on the master branch.)

[Screenshots: three images dated 2018-10-31]

freshgrapes commented 5 years ago

@keanulee Solved! Thanks for your help!

The final solution was found after reading your reply and doing more googling accordingly here, and I believe it will be very helpful if these steps below are included somewhere in the PWA Starter Kit's "Get Started" website for anyone who uses the kit to build their app while continuing to pull in new changes from the kit.

Essentially, here are the steps to npm install locally --- without ending up with a different package-lock.json --- anytime pwa-starter-kit's master branch has its deps updated:

  1. Pull in the new version from pwa-starter-kit's master branch, including package-lock.json.
  2. Run rm -rf node_modules/ to remove the entire node_modules folder, reason quoted from the link above:

     > Deleting the existing node_modules before continuing is an essential step because the package-lock.json does parse existing metadata from the node_modules folder. This means that if your node_modules folder has leftovers, they may get added to the package-lock's dependencies, even if they're not an actual dependency (anymore).

  3. Do NOT delete the pulled in package-lock.json file.
  4. Run npm install
  5. Done!

keanulee commented 5 years ago

We had been debating internally about whether or not to commit package-lock.json. We decided to include it because we wanted to make sure that users/Travis CI are guaranteed a working set of dependencies with a fresh install/npm i. With that said, we expect users' package/-lock.json to diverge from master eventually when they add other NPM dependencies for their apps (which could require updating the dependencies we've included).

TL;DR: Don't worry if your package/-lock.json diverges from ours, that's working as intended.
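
To see exactly which entries drift between master's package-lock.json and a locally regenerated one, as in the comparison discussed in this thread, the following added example (not code from the thread or from pwa-starter-kit) diffs two lockfileVersion 1 files, the nested format npm 6 writes. The function names, package names and hashes are constructed for illustration.

```javascript
// Added example: compare two lockfileVersion 1 (npm 6) package-lock.json objects.
// Flatten the nested "dependencies" tree into "parent > child" path -> entry.
function flattenLock(node, prefix = "", out = new Map()) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.set(path, { version: dep.version, resolved: dep.resolved, integrity: dep.integrity });
    flattenLock(dep, path, out);
  }
  return out;
}

// "sha512-AbC..." -> "sha512"; entries without an integrity field yield "".
const hashAlgo = (sri) => (sri || "").split("-")[0];

function diffLocks(base, local) {
  const a = flattenLock(base), b = flattenLock(local);
  const report = { added: [], removed: [], changed: [] };
  for (const [path, cur] of b) {
    const old = a.get(path);
    if (!old) { report.added.push(path); continue; }
    const fields = Object.keys(cur).filter((k) => old[k] !== cur[k]);
    if (fields.length === 0) continue;
    // Same version and same hash algorithm but a different digest means the
    // tarball bytes differ for one release: review before committing.
    const contentMismatch = old.version === cur.version &&
      fields.includes("integrity") && hashAlgo(old.integrity) === hashAlgo(cur.integrity);
    report.changed.push({ path, fields, contentMismatch });
  }
  for (const path of a.keys()) if (!b.has(path)) report.removed.push(path);
  return report;
}

// Constructed sample data (package names, URLs and hashes are made up).
const MASTER_LOCK = { lockfileVersion: 1, dependencies: {
  "pkg-a": { version: "1.0.0", resolved: "https://registry.example/pkg-a-1.0.0.tgz", integrity: "sha512-AAAA" },
  "pkg-b": { version: "2.1.0", resolved: "https://registry.example/pkg-b-2.1.0.tgz", integrity: "sha1-BBBB",
    dependencies: { "pkg-c": { version: "0.3.0", integrity: "sha512-CCCC" } } },
  "pkg-d": { version: "4.0.0", integrity: "sha512-DDDD" } } };
const LOCAL_LOCK = { lockfileVersion: 1, dependencies: {
  "pkg-a": { version: "1.0.0", resolved: "https://registry.example/pkg-a-1.0.0.tgz", integrity: "sha512-ZZZZ" },
  "pkg-b": { version: "2.1.0", resolved: "https://registry.example/pkg-b-2.1.0.tgz", integrity: "sha512-BBBB",
    dependencies: { "pkg-c": { version: "0.3.1", integrity: "sha512-CCC1" } } },
  "pkg-e": { version: "1.2.3", integrity: "sha512-EEEE" } } };

console.log(JSON.stringify(diffLocks(MASTER_LOCK, LOCAL_LOCK), null, 2));
```

With real files, pass the parsed JSON of master's lockfile and of the local one; entries reported with contentMismatch set are the ones to look at before committing the regenerated lockfile.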