package-lock.json

I'm looking for an equivalent for yarn's --pure-lockfile flag . This flag is useful when installing dependencies in CI, when you want it to read your lockfile but not modify it. Does npm v5 have an equivalent? npm 5.7 introduced the npm ci subcommand: the main differences between using npm install and npm ci are: The project must have an existing package-lock.json or npm-shrinkwrap.json . If dependencies in the package lock do not match those in package.json , npm ci will exit with an error, instead of updating the package lock. npm ci can only install entire projects at a time: individual

In a team set up, usually, I have faced merge conflicts in package-lock.json and my quick fix has always been to delete the file and regenerate it with npm install . I have not seriously thought about the implication of this fix because it has not caused any perceivable problem before. Is there a problem with deleting the file and having npm recreate it that way instead of resolving the conflicts manually? Yes, it can and will affect all the project in really bad way. if your team does not run npm install after each git pull you all are using different dependencies' versions. So it ends with

Github has given me this error on one of my repositories. We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated. The dependency is not defined in our package.json file. To my understanding it isn't good practice to delete the package-lock.json file and regenerate it. However, I cannot see any other way to fix this issue. If I dismiss this security vulnerability it will appear again a couple of days later. Any ideas? Thanks! Jo-Go New: now, with npm@6 you can directly run npm

npm 5 introduced package-lock.json , of which the documentation is here . It states that the file is intended to be included with version control, so anyone cloning your package and installing it will have the same dependency versions. In other words, you should not add it to your .gitignore file. What it does not state is wether or not the file is intended to be included with a published package. This question could be rephrased as; should package-lock.json be included in .npmignore? It cannot be published. From the npm documentation: One key detail about package-lock.json is that it cannot

After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file. I can tell package-lock.json gives me an exact dependency tree as opposed to package.json . From that info alone, it seems like package.json is redundant and not needed anymore. Are both of them necessary for NPM to work? Is it safe or possible to use only the package-lock.json file? The docs on package-lock.json ( doc1 , doc2 ) doesn't mention anything about that. Edit : After some more thinking about it, I came to the conclusion that if

With the release of npm@5 , it will now write a package-lock.json unless a npm-shrinkwrap.json already exists. I installed npm@5 globally via: npm install npm@5 -g And now, if a npm-shrinkwrap.json is found during: npm install a warning will be printed: npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but npm-shrinkwrap.json was generated for lockfileVersion@0. I'll try to do my best with it! So my take-away is that I should replace the shrinkwrap with the package-lock.json . Yet why is there a new format for it? What can the package-lock.json do that the npm