11

If I manually add a package to package.json and then run npm install, my package-lock.json gets updated with that new package's dependencies.

However, if I then manually delete that package from package.json and run npm install, that package's dependencies are not removed from package-lock.json.

So - package-lock.json only gets modified when adding/updating packages in package.json? Not when removing?

Gambit2007

3 Answers

8

This is a known issue with npm.

See issue: package-lock.json file not updated after package.json file is changed

"For now I'm working around it by changing my npm install command to rm -f package-lock.json && npm install. Obviously, that's not an elegant solution, and somewhat defeats the purpose of having a lockfile in the first place."

rm -f package-lock.json && npm install

This is supposed to be fixed in: https://github.com/npm/npm/pull/17508

See article: https://medium.com/coinmonks/everything-you-wanted-to-know-about-package-lock-json-b81911aa8ab8 for a better understanding.

Jerin D Joy
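One way to detect the stale entries this thread describes without deleting the lockfile, as an added example that is not part of any answer here and is not npm's own code. It assumes the lockfileVersion 2/3 "packages" layout and a project without workspaces; the package names in the sample are hypothetical.

```javascript
// Added example: list package-lock.json entries that nothing declared in
// package.json still requires. Assumes the lockfileVersion 2/3 "packages" map.
const DEP_FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];

// Resolve `name` the way Node does from the package at `fromPath`: nearest
// nested node_modules first, then each parent, ending at the root.
function resolveInLock(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (candidate in packages) return candidate;
    if (!base) return null;
    const cut = base.lastIndexOf("/node_modules/");
    base = cut === -1 ? "" : base.slice(0, cut);
  }
}

function findStaleLockEntries(pkgJson, lock) {
  const packages = lock.packages || {};
  const reachable = new Set();
  const queue = [];
  const visit = (fromPath, deps) => {
    for (const name of Object.keys(deps || {})) {
      const hit = resolveInLock(packages, fromPath, name);
      if (hit && !reachable.has(hit)) { reachable.add(hit); queue.push(hit); }
    }
  };
  // Walk from package.json, not from the lockfile's own root entry, which may be stale too.
  for (const field of DEP_FIELDS) visit("", pkgJson[field]);
  while (queue.length) {
    const path = queue.pop();
    for (const field of DEP_FIELDS) visit(path, packages[path][field]);
  }
  return Object.keys(packages).filter((p) => p !== "" && !reachable.has(p)).sort();
}

// Constructed sample (hypothetical package names): "removed-lib" was deleted from
// package.json by hand, yet it and its private dependency remain locked.
const samplePackageJson = { dependencies: { "kept-lib": "^1.0.0" } };
const sampleLock = { lockfileVersion: 3, packages: {
  "": { dependencies: { "kept-lib": "^1.0.0", "removed-lib": "^2.0.0" } },
  "node_modules/kept-lib": { version: "1.0.3", dependencies: { "shared-util": "^1.0.0" } },
  "node_modules/shared-util": { version: "1.2.0" },
  "node_modules/removed-lib": { version: "2.1.0", dependencies: { "only-for-removed": "^0.1.0" } },
  "node_modules/only-for-removed": { version: "0.1.4" },
} };
console.log(findStaleLockEntries(samplePackageJson, sampleLock));
```

To use it on a real project, pass the two files through JSON.parse and fail the CI job when the returned list is non-empty.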
1

Removal of package-lock.json should only be done in case of a corrupted lock file. To remove a package, you should just use the npm CLI (it will update the lock file):

npm uninstall <package>

This is a good explanation. https://stackoverflow.com/a/54127283/5040275

Moonjsit
-1

From the Node.js docs:

The package-lock.json sets your currently installed version of each package in stone, and npm will use those exact versions when running npm install.

NPM by default will read the package-lock.json file.

Therefore, in the first scenario, npm is reading the package entry from package.json, since that's the only file which has an entry for the particular package. Whereas in the second scenario, it is reading it from package-lock.json, as is its default behaviour.

Delwyn Pinto