
[BUG] package-lock.json depends on node_modules: after the lock file is deleted, the lock regenerated by npm i is inconsistent when packages that depend on the system architecture (such as node-unix-socket) are installed again. #7750

Open
2 tasks done
JsweetA opened this issue Aug 25, 2024 · 5 comments
Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)

Comments

JsweetA commented Aug 25, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I used the node-unix-socket package, which needs to load a different .node file under each system architecture. I accidentally deleted the lock file while working on my local Mac. When I ran npm i to install again, the lock file only contained the packages for the Mac architecture. This caused the package to be missing when I released the deployment, because the container uses the Linux architecture.

Expected Behavior

Yarn and pnpm do not have this problem: they do not rely on node_modules to generate lock files, so lock file generation is idempotent. With npm, however, when there are packages that depend on the system architecture, generating the lock file with npm i is not idempotent.

Steps To Reproduce

  1. Prepare a package.json file:

```json
{
    "name": "my-project",
    "version": "1.0.0",
    "dependencies": {
      "node-unix-socket": "0.2.5"
    }
}
```

  2. Run npm i and you will get a normal package-lock file.
  3. Delete package-lock at this point, then run npm i again to get the wrong version.

  • normal: 111
  • error: 2222
@JsweetA JsweetA added Bug thing that needs fixing Needs Triage needs review for next steps labels Aug 25, 2024
@milaninfy
Contributor

@JsweetA Could you please try with the --os flag to see if it fits this case. https://docs.npmjs.com/cli/v10/commands/npm-install#os

@JsweetA
Author

JsweetA commented Aug 27, 2024

> @JsweetA Could you please try with the --os flag to see if it fits this case. https://docs.npmjs.com/cli/v10/commands/npm-install#os

Does it mean to use npm i --os=linux? If so, it doesn't solve my problem.

@milaninfy
Contributor

@JsweetA I think what's happening here is that the first time it constructs the lock file based on the package.json information; then, once you delete the lock file, it reconstructs the lock file based on what is in node_modules. As far as I know we have a similar issue where the integrity field is missing after deleting and recreating the lock file; IIRC that has the same cause. But if you check, in both cases it's installing the same packages. You can verify that using npm ls --depth=2 before and after your steps.
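The two checks discussed above, the platform-specific packages that are dropped from the regenerated lock and the integrity fields that go missing, can be done directly on the lock files rather than by eyeballing them. The following is an added example and not code from this issue, from npm, or from the node-unix-socket project; it assumes lockfileVersion 2 or 3 (npm 7+), and the package names, versions and hashes in the embedded samples are constructed for the demo, not taken from the real package.

```javascript
// Added example (not code from the npm issue, npm itself, or the node-unix-socket project).
// Compares the platform-restricted optional packages recorded in two package-lock.json files,
// e.g. the committed lock and one regenerated after deleting it, and lists entries that lost
// their "integrity" field. Package names and hashes below are constructed for the demo.

// lockfileVersion 2 and 3 (npm 7+) store a flat map under "packages"; only those are handled
// here, because lockfileVersion 1 entries do not record os/cpu restrictions at all.
function platformPackages(lock) {
  const out = new Map();
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // "" is the root project, never platform-restricted
    if (Array.isArray(entry.os) || Array.isArray(entry.cpu)) {
      out.set(path, { os: entry.os || ['*'], cpu: entry.cpu || ['*'] });
    }
  }
  return out;
}

// Platform packages recorded in `reference` but absent from `candidate`, sorted by path.
// Non-empty output means an install from the candidate lock cannot fetch those variants.
function missingPlatformPackages(reference, candidate) {
  const have = platformPackages(candidate);
  return [...platformPackages(reference).keys()].filter((p) => !have.has(p)).sort();
}

// Non-root entries that carry no integrity hash. Workspace links and bundled
// dependencies legitimately lack one, so they are skipped.
function entriesMissingIntegrity(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path, e]) => path !== '' && !e.link && !e.inBundle && !e.integrity)
    .map(([path]) => path)
    .sort();
}

// Constructed sample A: what "npm i" produces from package.json alone. Both platform variants
// of the (hypothetical) native addon are recorded even though only one is installed locally.
const lockFromManifest = {
  name: 'my-project',
  version: '1.0.0',
  lockfileVersion: 3,
  requires: true,
  packages: {
    '': { name: 'my-project', version: '1.0.0', dependencies: { 'node-unix-socket': '0.2.5' } },
    'node_modules/node-unix-socket': {
      version: '0.2.5',
      integrity: 'sha512-CONSTRUCTED0',
      optionalDependencies: {
        'node-unix-socket-darwin-arm64': '0.2.5',
        'node-unix-socket-linux-x64-gnu': '0.2.5',
      },
    },
    'node_modules/node-unix-socket-darwin-arm64': {
      version: '0.2.5', cpu: ['arm64'], os: ['darwin'], optional: true, integrity: 'sha512-CONSTRUCTED1',
    },
    'node_modules/node-unix-socket-linux-x64-gnu': {
      version: '0.2.5', cpu: ['x64'], os: ['linux'], optional: true, integrity: 'sha512-CONSTRUCTED2',
    },
  },
};

// Constructed sample B: the lock regenerated on a macOS/arm64 machine with node_modules
// already present. Only the darwin variant survived, and its integrity field is gone.
const lockFromNodeModules = {
  name: 'my-project',
  version: '1.0.0',
  lockfileVersion: 3,
  requires: true,
  packages: {
    '': { name: 'my-project', version: '1.0.0', dependencies: { 'node-unix-socket': '0.2.5' } },
    'node_modules/node-unix-socket': {
      version: '0.2.5',
      integrity: 'sha512-CONSTRUCTED0',
      optionalDependencies: {
        'node-unix-socket-darwin-arm64': '0.2.5',
        'node-unix-socket-linux-x64-gnu': '0.2.5',
      },
    },
    'node_modules/node-unix-socket-darwin-arm64': {
      version: '0.2.5', cpu: ['arm64'], os: ['darwin'], optional: true,
    },
  },
};

// Combined report for a reference lock and a candidate (e.g. regenerated) lock.
function checkLocks(reference, candidate) {
  return {
    missing: missingPlatformPackages(reference, candidate),
    noIntegrity: entriesMissingIntegrity(candidate),
  };
}

// Usage: node lockcheck.js committed-lock.json regenerated-lock.json
// With no arguments the constructed samples are compared.
if (typeof require !== 'undefined' && require.main === module) {
  const [refPath, candPath] = process.argv.slice(2);
  const load = (p) => JSON.parse(require('fs').readFileSync(p, 'utf8'));
  const report = refPath && candPath
    ? checkLocks(load(refPath), load(candPath))
    : checkLocks(lockFromManifest, lockFromNodeModules);
  console.log(JSON.stringify(report, null, 2));
}
```

To apply it to the reproduction steps in the issue: copy package-lock.json aside after the first npm i, delete it, run npm i again, and pass the saved copy and the regenerated file as the two arguments. A non-empty "missing" list is exactly the set of platform variants that a Linux container install would no longer find in the lock, and a non-empty "noIntegrity" list shows which entries lost their integrity hash and would be fetched without verification.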

@jogerj

jogerj commented Oct 1, 2024

Likely duplicate of #4828

@sahin52

sahin52 commented Oct 4, 2024

Deleting package-lock.json causes many differences after running npm install again, even if you use specific versions instead of versions like "^2.1.0", or you may be using the latest version of all packages, but it still generates a very different package-lock.

Projects: None yet
Development: No branches or pull requests

4 participants