In my experience, it does not make sense to put package-lock.json under version control. It makes managing large merge/rebases a nightmare. However, there are instances where the package-lock can be very useful. Recently (2017/10/10) moment.js introduced breaking changes in a minor version update. Meaning if one was to ship with no package-lock.json, and had something … Read more
I found some articles on the web regarding this question. Follow the links: npm uses a JSON as a format for the lock file. The good news is since [email protected] ignores the resolved field on package-lock.json file and basically fallback to the one defined in the .npmrc or via –registry argument using the CLI in … Read more
I noticed a similar warning today . The issue went off after I deleted package.json file.I had used yarn and npm interchangeable until now in my side project. ‘npm install’ creates package-lock.json and ‘yarn install’ generates yarn.lock . Normally you stick to either one of the package managers in your project
You can use npm ci. npm ci bypasses a package’s package.json to install modules from a package’s lockfile. This ensures reproducible builds—you are getting exactly what you expect on every install. https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
It cannot be published. From the npm documentation: One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package See package-lock.json documentation on docs.npmjs.com. However, you should be commiting your package-lock.json to git as per the documentation. This file is … Read more
By default, npm installs all packages directly in node_modules. However, let’s say that package X is dependent on package Z in version 1.0 and package Y is dependent on the same package Z, but in version 2.0. In this case we have to install two versions of this package. One will be installed in root … Read more
Warning: Do not attempt before reading comments below & backup package-lock.json. Install the latest npm with npm install -g npm Run npm init and respond to the questions. The above command will generate a package.json and include the existing packages listed in package-lock.json
There might be a file called .npmrc which can contain package-lock=false which will cause the package lock file to not be generated. In theory you could also have turned on npm config set package-lock false globally (change to true to turn on again), but that’s less likely to happen unintentionally.
New: now, with npm@6 you can directly run npm audit fix Old answer: You should try to identify the problematic package’s name, and then run npm install package-name replacing package-name, obviously. This will install the latest version of the package, and very often, the latest version has fixed the security issue. If you have a … Read more
It sounds like Hoek is a dependency of one of your dependencies (so, a package you have in your package.json is requiring it from it’s own package.json). You’ve already tried deleting/reinstalling and updating your project dependencies without success, so it seems that the package dependency in question has an explicit or max version specified. Without … Read more