
npm install removes resolved and integrity properties from package-lock.json if installed from cache

Open SymbioticKilla opened this issue 3 years ago • 20 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

If you run npm install with an existing package cache inside "node_modules", it creates package-lock.json without "resolved" and "integrity" properties.

Expected Behavior

"resolved" and "integrity" properties should remain after npm install using cache from "node_modules" folder

Steps To Reproduce

  1. Run npm install
  2. package-lock.json is created
  3. node modules are cached inside the project folder under "node_modules" folder
  4. delete package-lock.json and delete one package from "node_modules" folder
  5. Run npm install
  6. package-lock.json is created, but "resolved" and "integrity" properties are removed from each package description inside package-lock.json

Environment

  • npm: 8.1.2
  • Node.js: 16.3.2
  • OS Name: Windows 10
  • System Model Name:
  • npm config:
; copy and paste output from `npm config ls` here

SymbioticKilla avatar Jan 19 '22 17:01 SymbioticKilla

In my case, it removes the resolved entry for a company's remote repository, causing the CI pipeline to fail.

  • npm 8.1.3
  • node v16.3.0
  • Mac OS

giovannipds avatar Feb 24 '22 22:02 giovannipds

@giovannipds what about with npm v8.5.2?

ljharb avatar Feb 25 '22 00:02 ljharb

@ljharb thanks for interacting. In my case, the issue was in my repository config, it was misconfigured, that's why my resolveds were being removed. Probably not related to what this ticket is about. What fixed it for me:

npm config set registry #YOUR_COMPANY_REGISTRY_URL

giovannipds avatar Feb 25 '22 22:02 giovannipds

I managed to get proper package-lock.json (with integrity and resolve fields) after:

  • cleaning the npm cache `npm cache clean -f`
  • removing node_modules in project folder
  • removing the package-lock.json file
  • running npm install in now "clean" project folder

vmasek avatar Jul 03 '22 13:07 vmasek

Just ran into this issue on npm 8.19.2 with node v18.12.1.

Cleared the cache and re-ran npm install (slow), then it was ok

aarowman avatar Jan 25 '23 16:01 aarowman

I encountered the same issue with nodejs 16.19.1 and npm 8.19.3

cdpark0530 avatar Mar 19 '23 09:03 cdpark0530

Encountered the same issue with node 14.18.0 and npm 8.19.3

daksh-sagar avatar Apr 14 '23 12:04 daksh-sagar

Happened on npm v9.5.0 too. vmasek's workaround worked.

sorgloomer avatar Apr 26 '23 11:04 sorgloomer

We also get this. Repeatedly. And it breaks our CI. Started after we updated to new versions of node and npm recently I think, but I see others get it on older versions as well. I'm not 100% sure if that is what caused it, as we have refactored a lot of stuff lately.

Current versions:

  • Node: 18.16.0
  • npm: 9.6.7

Old versions:

  • Node: 16.5.1
  • npm: not sure unfortunately, but v8.x.x something

Only workaround is @vmasek's workaround above. Would love to not have to delete package-lock.json the whole time, any idea what's causing this or if/when it will be fixed?

kfayelun avatar Jul 05 '23 10:07 kfayelun

For those who dislike the idea of unlocking and potentially version-bumping a ton of dependencies by deleting package-lock, here's a variant of the workaround above that seems to have worked for us:

  1. Delete node_modules folder
  2. Restore package-lock.json from a recent commit prior to the undesired property removal (but keep the existing package.json version)
  3. Run npm install

This should preserve the locked versions of any packages that were already installed prior to the corruption of package-lock, while ensuring anything newer based on package.json also gets installed/updated.

rbell-mfj avatar Aug 10 '23 20:08 rbell-mfj

I had this happen to me during npm solving merge conflicts with npm-merge-driver. Similarly to @rbell-mfj, I restored package-lock.json before merge conflict resolution, applied the updates manually, integrity and resolved were kept.

Rapol avatar Sep 07 '23 16:09 Rapol

I faced the same problem with node 18.12.1 and npm 8.19.2. Had to do actions proposed by vmasek to resolve the problem.

LendaVadym avatar Oct 12 '23 11:10 LendaVadym

While this problem persists, npm-lockfile-fix provides an easy way to fix lock files without having to delete & regenerate them. It's less problematic since it doesn't cause any dependency updates.

Also it seems that these are duplicates or related issues: #4460 #6301

felschr avatar Oct 16 '23 15:10 felschr

Seeing this with node 20.9.0 and NPM 10.2.1. Workaround from vmasek worked for me, too.

paulschreiber avatar Oct 24 '23 19:10 paulschreiber

Also seeing this in node 18.18.2 and npm 9.8.1

Laurensdc avatar Nov 07 '23 13:11 Laurensdc

I wonder if the npm team will ever pick this issue up? It's still happening.

CommanderOfCode avatar Feb 23 '24 19:02 CommanderOfCode

Had this issue today, solved it by running npm cache clear --force (not sure if this was useful) and npm update.

GMartigny avatar Mar 21 '24 10:03 GMartigny

.. solved it with ... npm update.

npm update, or deleting package-lock.json then npm install, IMHO defeats the purpose of package-lock.json and can cause issues downstream (different dependency versions, failing tests, failing deploys, bugs...). We have package-lock.json change 'randomly' after npm install from different developers. All on the same (at least major) version, causing CI delays (busted cache). Would love to see this solved.

klausbadelt avatar Mar 22 '24 12:03 klausbadelt

.. solved it with ... npm update.

npm update, or deleting package-lock.json then npm install, IMHO defeats the purpose of package-lock.json and can cause issues downstream (different dependency versions, failing tests, failing deploys, bugs...). We have package-lock.json change 'randomly' after npm install from different developers. All on the same (at least major) version, causing CI delays (busted cache). So, our problem is similar albeit not related to deleting package-lock.json (which we do not recommend ever anyway): Subsequent npm installs on different machines change package-lock.json "resolved" and "integrity" entries. Would love to see this solved.

klausbadelt avatar Mar 22 '24 12:03 klausbadelt

.. solved it with ... npm update.

npm update, or deleting package-lock.json then npm install, IMHO defeats the purpose of package-lock.json and can cause issues downstream (different dependency versions, failing tests, failing deploys, bugs...). We have package-lock.json change 'randomly' after npm install from different developers. All on the same (at least major) version, causing CI delays (busted cache). So, our problem is similar albeit not related to deleting package-lock.json (which we do not recommend ever anyway): Subsequent npm installs on different machines change package-lock.json "resolved" and "integrity" entries. Would love to see this solved.

This might be a dumb suggestion, but couldn't you just ask your developers not to change the package-lock? For example, tell them to use npm ci on their dev machines instead of npm install unless they are intentionally updating packages.

sorgloomer avatar Mar 22 '24 16:03 sorgloomer
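
A check for the symptom reported in this thread, as an added example that is not part of the original issue, any commenter's code, or npm itself: it lists lockfile entries that have lost "resolved" or "integrity", so CI can fail before a package-lock.json without hashes is committed. The function names, the sample package names and the registry.example.test host are constructed for illustration; the field handling assumes the lockfileVersion 2/3 "packages" layout.

```javascript
// Added example: list package-lock.json entries that lost "resolved" or "integrity".
// Assumes the lockfileVersion 2/3 layout (top-level "packages" map keyed by install path).
function findUnpinnedEntries(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Skip the root project ("") and workspace folders: only installs under
    // node_modules/ are expected to carry both fields.
    if (!path.includes('node_modules/')) continue;
    // Symlinked workspaces and bundled dependencies do not carry a tarball hash.
    if (entry.link || entry.inBundle) continue;
    const missing = [];
    if (!entry.resolved) missing.push('resolved');
    // Assumption: git dependencies are pinned by commit in "resolved" and have no hash.
    const isGit = typeof entry.resolved === 'string' && entry.resolved.startsWith('git');
    if (!entry.integrity && !isGit) missing.push('integrity');
    if (missing.length) findings.push({ path, version: entry.version, missing });
  }
  return findings;
}

// Turn findings into one line per entry, suitable for a CI log.
function formatFindings(findings) {
  return findings.map((f) => `${f.path}@${f.version}: missing ${f.missing.join(', ')}`);
}

// Constructed sample lockfile (package names, URLs and hashes are placeholders).
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/pinned-demo': {
      version: '1.3.0',
      resolved: 'https://registry.example.test/pinned-demo/-/pinned-demo-1.3.0.tgz',
      integrity: 'sha512-PLACEHOLDER==',
    },
    // The symptom from this issue: both fields stripped.
    'node_modules/stripped-demo': { version: '2.0.1' },
    'node_modules/half-demo': {
      version: '0.4.0',
      resolved: 'https://registry.example.test/half-demo/-/half-demo-0.4.0.tgz',
    },
    'node_modules/ws-demo': { resolved: 'packages/ws-demo', link: true },
    'packages/ws-demo': { name: 'ws-demo', version: '1.0.0' },
    'node_modules/bundler-demo/node_modules/inner-demo': { version: '1.0.0', inBundle: true },
  },
};

console.log(formatFindings(findUnpinnedEntries(SAMPLE_LOCK)).join('\n'));
```

On a real project, pass the parsed contents of package-lock.json to `findUnpinnedEntries` and fail the build when the returned list is non-empty.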