cli
[BUG] The package-lock.json file depends on node_modules, which will cause the lock generated by npm i to be inconsistent after the lock file is deleted when some packages that depend on the system architecture (such as node-unix-socket) are installed again.
Is there an existing issue for this?
- [x] I have searched the existing issues
This issue exists in the latest npm version
- [X] I am using the latest npm
Current Behavior
I used a node-unix-socket package, which needs to load different .node files under different system architectures. I accidentally deleted the lock file when operating on my local Mac computer. When I used npm i to install it again, the lock file only had packages under the Mac architecture. This would cause the package to be lost when I released the deployment because the container used the Linux architecture.
Expected Behavior
Yarn and pnpm do not have this problem. They do not rely on node_modules to generate lock files, so the generation of lock files is idempotent. However, when there are packages that depend on the system architecture, the generation of lock files by npm i is not idempotent.
Steps To Reproduce
- Prepare a package.json file
```json
{
  "name": "my-project",
  "version": "1.0.0",
  "dependencies": {
    "node-unix-socket": "0.2.5"
  }
}
```
- Run npm i and you will get a normal package-lock file.
- Delete package-lock at this time, and then execute npm i to get the error version
- normal
- error
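A lock file regenerated this way can be caught before it reaches a Linux build. The sketch below is an added example, not part of the original report and not npm's own code: it flags every optional dependency that a locked package declares but that has no entry of its own in the lock. It assumes a lockfileVersion 2 or 3 `packages` map in which the parent entry still lists its `optionalDependencies`; the sample lock and the two platform package names are constructed.

```javascript
// Resolve `name` the way Node does from the lock entry at `fromPath`:
// nearest node_modules first, then each parent up to the project root.
function resolveInLock(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("node_modules/");
    base = cut <= 0 ? "" : base.slice(0, cut - 1);
  }
}

// List every optional dependency that a locked package declares but that
// has no entry of its own anywhere in the lock's `packages` map.
function findMissingOptionalDeps(lock) {
  const packages = lock.packages || {};
  const missing = [];
  for (const [path, entry] of Object.entries(packages)) {
    for (const name of Object.keys(entry.optionalDependencies || {})) {
      if (resolveInLock(packages, path, name) === null) {
        missing.push({ parent: path || "(root)", name });
      }
    }
  }
  return missing;
}

// Constructed sample: the two platform package names are made up.
const completeLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-project", version: "1.0.0", dependencies: { "node-unix-socket": "0.2.5" } },
    "node_modules/node-unix-socket": {
      version: "0.2.5",
      optionalDependencies: { "example-socket-darwin-arm64": "0.2.5", "example-socket-linux-x64": "0.2.5" },
    },
    "node_modules/example-socket-darwin-arm64": { version: "0.2.5", optional: true, os: ["darwin"], cpu: ["arm64"] },
    "node_modules/example-socket-linux-x64": { version: "0.2.5", optional: true, os: ["linux"], cpu: ["x64"] },
  },
};
// The lock as regenerated on a Mac per the report: the Linux entry is absent.
const degradedLock = JSON.parse(JSON.stringify(completeLock));
delete degradedLock.packages["node_modules/example-socket-linux-x64"];

console.log(findMissingOptionalDeps(completeLock));
console.log(findMissingOptionalDeps(degradedLock));
```

To check a real project, pass the parsed contents of its package-lock.json to `findMissingOptionalDeps` and fail the build when the returned list is not empty.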