package-lock.json and npm audit fix: Let's Finally Solve These Recurring Issues Once and for All
Hello everyone,
I am raising an issue that I believe has been an ongoing source of frustration for countless developers: the management of package-lock.json and the lack of automatic integration of npm audit fix during installation. These are not minor annoyances but recurring pain points that many of us have been dealing with year after year, without any meaningful resolution in sight.
package-lock.json: Why Are We Still Responsible for This File?
The package-lock.json was introduced to ensure consistent dependency installations, and while I understand the value in theory, the reality for most projects is that it has become more of a burden than a benefit. Why are developers constantly dealing with the nuisance of maintaining this file—resolving conflicts, committing it, receiving security alerts—when in practice it mostly benefits npm itself, not the developer?
It’s not just me; there are numerous issues and discussions pointing out individual frustrations with package-lock.json. But I want to go further: we need to solve the underlying problem. Why is the developer saddled with this file, constantly managing it manually? Why not rethink its entire approach so that it is transparent and managed behind the scenes for projects that do not need this excessive level of control? It’s clearly a pain point that we should not have to bear indefinitely.
For large-scale projects, where dedicated DevOps teams exist to handle this sort of complexity, sure, keep package-lock.json visible and manageable. But for the overwhelming majority of projects, it’s nothing but unnecessary complexity. I would appreciate it if npm could consider a solution where this file simply becomes npm's responsibility, not the developer’s.
Why Isn't npm audit fix Automatically Integrated with npm install?
Another recurring frustration is the manual execution of npm audit fix after every installation. Every single time, npm identifies issues, and we have to type in an additional command to fix them, even though in the vast majority of cases, it’s straightforward and could easily be done automatically.
The fact that this is not integrated by default is baffling. We’re forced to deal with security alerts and manual steps that could be completely automated. And let's be honest: the projects that cannot afford automatic fixes—those that require careful auditing—are the exceptions, the large-scale projects with multiple dedicated DevOps. For the rest of us, who don’t have a DevOps team for every little project, we just need npm to do its job, automatically fix the problems it finds, and make our lives simpler.
The current state feels like we are dragging around the same problems year after year, with no one willing to step up and solve them properly. It’s time to acknowledge that these issues are a source of real frustration and deserve a solution that makes npm less of a burden and more of a tool that serves developers.
I sincerely hope that this can spark a discussion towards a real solution that acknowledges how widespread and irritating these issues are for everyday developers.
Thank you for your time.