npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] Running `npm install` modifies `package-lock.json` when no changes were made #3225

Open tessro opened 3 years ago

tessro commented 3 years ago

Current Behavior

Running npm install modifies package-lock.json even when no changes have been made to package.json, package-lock.json, or node_modules.

Expected Behavior

Running npm install is stable when there are no changes to package.json or package-lock.json.

Steps To Reproduce

From a clean directory:

# Initialize git repo
git init
echo node_modules > .gitignore

# Initialize npm package
npm init -y
npm i -D @doyensec/electronegativity

# Stage current state
git add --all

# Install again
npm i

# Observe working tree is dirty
git diff

Environment
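The reproduction above boils down to "hash the lockfile, run the install, hash it again". The following script is an added example (not code from the issue or from npm) that turns that check into a reusable CI guard: it returns 0 when package-lock.json is byte-identical before and after the install command, 1 when it drifted, 2 when there is no lockfile, and 3 when the install command itself failed. The function names and the sample lockfile used in the usage comment are constructed for this example.

```shell
#!/bin/sh
# lockfile-drift-check.sh (constructed example): fail a build when an install
# command rewrites package-lock.json, so lockfile drift like the one reported
# in this issue is caught before it is committed or silently shipped.
set -eu

# Portable SHA-256 of one file (GNU coreutils sha256sum or BSD/macOS shasum).
lockfile_hash() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# check_lockfile_drift DIR CMD [ARGS...]
# Runs CMD inside DIR and compares package-lock.json before and after.
#   0 = lockfile unchanged, 1 = lockfile changed, 2 = no lockfile, 3 = CMD failed
check_lockfile_drift() {
  dir=$1
  shift
  lock="$dir/package-lock.json"
  if [ ! -f "$lock" ]; then
    echo "no package-lock.json in $dir" >&2
    return 2
  fi
  before=$(lockfile_hash "$lock")
  # Run the install in a subshell so the caller's cwd is untouched.
  if ! (cd "$dir" && "$@"); then
    echo "install command failed: $*" >&2
    return 3
  fi
  after=$(lockfile_hash "$lock")
  if [ "$before" != "$after" ]; then
    echo "package-lock.json drifted: $before -> $after" >&2
    return 1
  fi
  echo "package-lock.json stable: $before"
  return 0
}

# Stand-alone use, e.g.:  sh lockfile-drift-check.sh . npm install
# (skipped when no arguments are given, so the functions can also be sourced).
if [ "$#" -ge 2 ]; then
  check_lockfile_drift "$@"
fi
```

In a pipeline, `npm ci` is the better default: it installs strictly from the lockfile and refuses to rewrite it, so a disagreement between package.json and package-lock.json fails loudly instead of being papered over. The check above is for the case this issue is about, a plain `npm install` that is expected to be a no-op; `git diff --exit-code -- package-lock.json` after the install is an equivalent guard when the tree is already under git.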

tessro commented 3 years ago

Across runs, npm appears to be changing its mind about whether certain dependencies of the library are extraneous or not.

This library ships with an npm-shrinkwrap.json, which I know is not recommended, and in our production repo, this library seems to be the only one exhibiting this behavior. I'm wondering if this is possibly related but I admit I don't know enough about the npm internals to debug further on my own.

DaneEveritt commented 3 years ago

Likely a duplicate of https://github.com/npm/cli/issues/2635?

tessro commented 3 years ago

It's possible that the issues are related, but the bug I am seeing happens without installing anything new. (And does not affect the listed order of dependencies.)

DaneEveritt commented 3 years ago

~You're seeing the package-lock.json being changed by just running a generic npm i on a project with no other changes correct (just double checking I'm not misreading this)? #2635 identifies that as the core issue, the installing something new was an example showing the two different orderings of the package-lock.json file was all (where installing a specific dependency puts the file back in the correct order).~

edit: just saw the not affecting the order of listed dependencies in the lock, my bad. It wasn't clear what the actual changes to the lock you were seeing were.

tessro commented 3 years ago

Yeah, we're seeing something where some dependencies are added or removed from the other sections of the lockfile, and some metadata is changed. It could be related but I think the pattern is different.

darcyclarke commented 3 years ago

@paulrosania can you try this on the latest version of npm & confirm it's still a problem? (i.e. npm i -g npm)

This could be related to or a duplicate of: https://github.com/npm/cli/issues/2810