Why does “npm install git repo url” rewrite package-lock.json?

Submitted by 前提是你 on 2020-05-09 06:11:49

Question


I am running npm install in a public GitHub repo and it has locked express at 4.17.0 in the package-lock.json file, which is the correct behavior of the package-lock.json file.

However, when I execute npm install git+https://github.com/nabeel-nazir confiz/package.lock.master.git in an empty folder, a package-lock.json file is created with the new version of express locked at 4.17.1. I know there is a caret ^ sign in the source package.json, but why is the source package-lock.json ignored this time?

My problem here is that when I execute npm install git+https://github.com/nabeel-nazir confiz/package.lock.master.git on the server, it should create a package-lock.json file with express locked at 4.17.0, not 4.17.1, because the source package-lock.json file in the repo has locked express at 4.17.0.

Is there any way I can achieve this, i.e. that npm install git+https://github.com/nabeel-nazir confiz/package.lock.master.git considers the source package-lock.json file and does not ignore it?

I am using the following versions:

npm version: 5.4.1

node version: 8.9.3

npm config get registry prints: https://registry.npmjs.org/

OS: Ubuntu 18.04

Side note: I have tried npm install git+https://github.com/nabeel-nazir confiz/package.lock.master.git with the following as well, but the issue was the same, i.e. it locked express at 4.17.1.

npm version: 6.14.4

node version: 13.12.0

npm config get registry prints: https://registry.npmjs.org/

OS: Ubuntu 18.04

Please comment if there is a need to provide more information on this question.

Thank you.


Answer 1:


npm install xxx will generate a new lock file every time. (Actually it just ignores the lock file and generates one each time it executes.)

npm ci, on the other hand, is the command to install packages based on the lock file instead of package.json.
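
To see whether an install honoured a committed lock file, as in the 4.17.0 versus 4.17.1 case in the question, the two lock files can be compared directly. The following is an added example, not part of the original answers; the function names flattenLock and lockDrift are hypothetical and the two lock objects are constructed sample data.

```javascript
// Flatten a parsed lock file into a Map of install path -> version.
// lockfileVersion 1 nests under `dependencies`; 2/3 use a flat `packages` map.
function flattenLock(lock) {
  const out = new Map();
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== '' && meta.version) out.set(path, meta.version);
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.set(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// One record per path whose version changed, appeared, or disappeared.
function lockDrift(expectedLock, actualLock) {
  const expected = flattenLock(expectedLock);
  const actual = flattenLock(actualLock);
  const drift = [];
  for (const path of new Set([...expected.keys(), ...actual.keys()])) {
    const want = expected.get(path) ?? null;
    const got = actual.get(path) ?? null;
    if (want !== got) drift.push({ path, want, got });
  }
  return drift.sort((a, b) => a.path.localeCompare(b.path));
}

// Constructed sample data: committed lock (v1) vs. regenerated lock (v2).
const committedLock = {
  lockfileVersion: 1,
  dependencies: { express: { version: '4.17.0', dependencies: { qs: { version: '6.7.0' } } } },
};
const generatedLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'app' },
    'node_modules/express': { version: '4.17.1' },
    'node_modules/express/node_modules/qs': { version: '6.7.0' },
  },
};
console.log(lockDrift(committedLock, generatedLock));
```

With real files, pass the result of JSON.parse on each package-lock.json; an empty array means every pinned version matched.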




Answer 2:


Remove the caret ^ sign. Then it'll stay locked at 4.17.0.



Source: https://stackoverflow.com/questions/61019398/why-does-npm-install-git-repo-url-rewrite-package-lock-json
