Stack Overflow
Stack Overflow

Questions tagged [package-lock.json]

224 questions
928
votes
12 answers

Why does "npm install" rewrite package-lock.json?

I just recently upgraded to npm@5. I now have a package-lock.json file with everything from package.json. I would expect that, when I run npm install that the dependency versions would be pulled from the lock file to determine what should be…
Viper Bailey
  • 11,518
  • 5
  • 22
  • 33
386
votes
7 answers

Is there a way to force npm to generate package-lock.json?

I deleted it by accident and have made many changes to package.json since. An npm install or npm update do not generate package-lock.json anymore. I tried clearing my npm cache and my nvm cache, but nothing seems to be working. I tried it on several…
Big Money
  • 9,139
  • 6
  • 26
  • 37
274
votes
3 answers

Do I need both package-lock.json and package.json?

After updating my NPM to the latest version (from 3.X to 5.2.0) and running npm install on an existing project, I get an auto-created package-lock.json file. I can tell package-lock.json gives me an exact dependency tree as opposed to…
Omri Luzon
  • 3,975
  • 6
  • 20
  • 29
264
votes
9 answers

Is there any way to fix package-lock.json lockfileVersion so npm uses a specific format?

If two different developers are using different versions of node (12/15) & npm (6/7) in a project that was originally created using a package-lock.json "lockfileVersion": 1, when the developer using npm 7x installs new packages it seems that the…
Ben
  • 5,079
  • 2
  • 20
  • 26
207
votes
4 answers

Deleting `package-lock.json` to Resolve Conflicts quickly

In a team set up, usually, I have faced merge conflicts in package-lock.json and my quick fix has always been to delete the file and regenerate it with npm install. I have not seriously thought about the implication of this fix because it has not…
John Mutuma
  • 3,150
  • 2
  • 18
  • 31
205
votes
4 answers

What is the difference between npm-shrinkwrap.json and package-lock.json?

With the release of npm@5, it will now write a package-lock.json unless a npm-shrinkwrap.json already exists. I installed npm@5 globally via: npm install npm@5 -g And now, if a npm-shrinkwrap.json is found during: npm install a warning will be…
k0pernikus
  • 60,309
  • 67
  • 216
  • 347
198
votes
23 answers

Error: Local workspace file ('angular.json') could not be found

I have travis-ci integrated with my GitHub account (https://github.com/pradeep0601/Angular5-Router-App). When I updated @angular/cli version from 1.7.4 to 6.0.0-rc.3, the build started failing with an error: Local workspace file ('angular.json')…
Pradeep
  • 12,309
  • 3
  • 20
  • 25
184
votes
10 answers

Why did package-lock.json change the integrity hash from sha1 to sha512?

I just generated a new npm lockfile, package-lock.json, as part of my typical workflow. But I noticed that this time all of the integrity hashes have been changed from sha1 to sha512. What is happening here? "chalk": { "version": "2.0.1", …
Matt
  • 33,328
  • 25
  • 83
  • 97
166
votes
10 answers

How do I fix a vulnerable npm package in my package-lock.json that isn't listed in the package.json?

Github is telling me that a dependency in my package-lock.json file is vulnerable and outdated. The problem is that if I do npm install or npm update, neither of them update the dependency in the package-lock.json file. I've done a lot of googling…
Raph117
  • 3,441
  • 7
  • 29
  • 50
103
votes
9 answers

Proper way to fix potential security vulnerability in a dependency defined in package-lock.json

Github has given me this error on one of my repositories. We found a potential security vulnerability in one of your dependencies. A dependency defined in ./package-lock.json has known security vulnerabilities and should be updated. The dependency…
Kaito
  • 1,265
  • 3
  • 10
  • 14
83
votes
6 answers

npm install not creating a new package-lock.json

I accidentally deleted my package-lock.json file. npm install is not generating a new one. How do I get npm to recreate this file.
Dblock247
  • 6,167
  • 10
  • 44
  • 66
51
votes
2 answers

Package-lock.json - requires vs dependencies

In package-lock.json in dependency object, I have both requires and dependencies fields, e.g "requires": { "@angular-devkit/core": "0.8.5", "rxjs": "6.2.2", "tree-kill": "1.2.0", "webpack-sources": "1.3.0" }, "dependencies": { …
Krzysztof Grzybek
  • 8,818
  • 2
  • 31
  • 35
50
votes
4 answers

Create package.json from package-lock.json

I downloaded a theme and it has a package-lock.json file but no package.json file. Is there a way I can generate the package.json from the package-lock.json file. How do I install the node modules with just the package-lock.json file. Is there a way…
Sandeep kurien
  • 603
  • 1
  • 5
  • 8
44
votes
1 answer

Should package-lock.json also be published?

npm 5 introduced package-lock.json, of which the documentation is here. It states that the file is intended to be included with version control, so anyone cloning your package and installing it will have the same dependency versions. In other words,…
wybe
  • 615
  • 5
  • 14
43
votes
2 answers

What is the point of having resolved URL in package-lock.json?

whenever I generate a package-lock file, there is also "resolved" block that looks like this: "resolved": "http://devel.npm.registry:4873/lodash/-/lodash-4.17.5.tgz" What is the point of this URL? Later, if I try to install dependencies based on…
Lukáš Havrlant
  • 4,134
  • 2
  • 13
  • 18
1
2 3
14 15