-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] npm ci
succeeds when package-lock.json
doesn't match package.json
#2701
Comments
I've ran into this as well, is there any workarounds until this issue is resolved? Perhaps a flag or a new command could be added to verify the two files are in sync. A consequence of this is that CI builds (which uses |
This is also affecting workspaces. We are trying to switch from Yarn workspaces to NPM workspaces, and we were confused why This is more or less a blocker for switching back to NPM. The NPM CLI tools for managing workspace dependencies are still rough enough that I expect some mistakes; but without this bugfix, I don't know any other way to protect our main branch against a lockfile mismatch. 😕 |
I see this happen quite often when the |
This bug contradicts description from documentation on how
|
@darcyclarke |
We just hit this too @darcyclarke, as we're moving more repos to npm@7. I can confirm that there are no errors in the CI. |
I just came across this and I'm shocked. In my tests,
|
Yeesh, this bug. Haven't tested it, but this might help for CI in the meantime: https://github.com/RocketChat/package-lock-check |
It is sort of ridiculous that a |
Make sure to validate any lock file (either package-lock.json or npm-shrinkwrap.json) against the current install. This will properly throw an error in case any of the dependencies being installed don't match the dependencies that are currently listed in the lock file. Fixes: npm#2701
Make sure to validate any lock file (either package-lock.json or npm-shrinkwrap.json) against the current install. This will properly throw an error in case any of the dependencies being installed don't match the dependencies that are currently listed in the lock file. Fixes: npm#2701
Make sure to validate any lock file (either package-lock.json or npm-shrinkwrap.json) against the current install. This will properly throw an error in case any of the dependencies being installed don't match the dependencies that are currently listed in the lock file. Fixes: npm#2701 Fixes: npm#3947
Can anyone provide more context on what just happened here? The
If |
@ricardobeat the lockfile is only reliable if it satisfies the package.json; it's a bug that that validation was ever omitted imo. |
The docs have always been clear too:
|
Oh OK I apologize my bad
…On Fri, Apr 8, 2022 at 4:56 AM Aaron Adams ***@***.***> wrote:
The docs have always been clear too:
If dependencies in the package lock do not match those in package.json,
npm ci will exit with an error, instead of updating the package lock.
—
Reply to this email directly, view it on GitHub
<#2701 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/AYQ6CPSOXPCA2C4TJP33RL3VEANGVANCNFSM4XT6MXKA>
.
You are receiving this because you are subscribed to this thread.Message
ID: ***@***.***>
|
This was meant to be fixed in 8.4.1, if I'm following the tags correctly, but I can still I'm also wondering about the correct behavior with deep dependencies - should there be a failure if the shrinkwrap overrides what's in their parent's |
Maybe of interest to others here, re: |
Current Behavior:
npm ci
does not fail whenpackage.json
doesn't matchpackage-lock.json
Expected Behavior:
npm ci
refuses to install when the lock file is invalid.Steps To Reproduce:
package.json
npm ci
npm@7
npm@6
Environment:
The text was updated successfully, but these errors were encountered: