
I am playing with a new TypeScript React app (created with CRA). I use npm@5.6.0 on one PC and npm@6.4.1 on the other. The newer version installs dependencies with an older version than the newer one. The newer one also shows 63 low severity vulnerabilities after install.

Installed with 5.6.0:

```json
"@babel/code-frame": "7.0.0",
"@babel/generator": "7.4.0",
"@babel/helpers": "7.4.2",
"@babel/parser": "7.4.2",
"@babel/template": "7.4.0",
"@babel/traverse": "7.4.0",
"@babel/types": "7.4.0",
"convert-source-map": "1.6.0",
"debug": "4.1.1",
"json5": "2.1.0",
"lodash": "4.17.11",
"resolve": "1.10.0",
"semver": "5.6.0",
"source-map": "0.5.7"
```

Installed with 6.4.1:

```json
"@babel/code-frame": "^7.0.0",
"@babel/generator": "^7.2.2",
"@babel/helpers": "^7.2.0",
"@babel/parser": "^7.2.2",
"@babel/template": "^7.2.2",
"@babel/traverse": "^7.2.2",
"@babel/types": "^7.2.2",
"convert-source-map": "^1.1.0",
"debug": "^4.1.0",
"json5": "^2.1.0",
"lodash": "^4.17.10",
"resolve": "^1.3.2",
"semver": "^5.4.1",
"source-map": "^0.5.0"
```
matrixPill

1 Answer


From the npm docs: https://docs.npmjs.com/files/package-locks

different versions of npm (or other package managers) may have been used to install a package, each using slightly different installation algorithms.

If you install without package-lock, you may produce different outputs.

This is why you need to commit the package-lock.json file once you've made your first install, to make sure that anyone on your team who runs npm install after that gets the exact same dependency tree.

topheman
    When I run `npm install` with the older version, commit, and then run it again on the newer version, it changes the package-lock.json. – matrixPill Apr 03 '19 at 20:59