From what I can see, npm changed the integrity checksum from sha1 to sha512. If your git changes are going from sha1 to sha512, you should do that update once and it will be good after that. If someone else working with the codebase and sees a git change from sha512 down to sha1 (which … Read more
Yes, it can and will affect all the project in really bad way. if your team does not run npm install after each git pull you all are using different dependencies’ versions. So it ends with “but it works for me!!” and “I don’t understand why my code does not work for you” even if … Read more
The files have exactly the same content, but there are a handful of differences in how npm handles them, most of which are noted on the docs pages for package-lock.json and npm-shrinkwrap.json: package-lock.json is never published to npm, whereas npm-shrinkwrap is by default package-lock.json files that are not in the top-level package are ignored, but … Read more
I just had the same problem. It’s related to release v6.0.0-rc.2, https://github.com/angular/angular-cli/releases: New configuration format. The new file can be found at angular.json (but .angular.json is also accepted). Running ng update on a CLI 1.7 project will move you to the new configuration. I needed to execute: ng update @angular/cli –migrate-only –from=1.7.4 This removed .angular-cli.json … Read more
Is there any way to specify to newer versions of npm to only use “lockfileVersion”: 1? Or do we just have to get all devs on the same version of npm? I will advise you to pin the Node/NPM version and align it across your environments (development, staging, and production). you can leverage nvm for … Read more
Do you need both package-lock.json and package.json? No. Do you need the package.json? Yes. Can you have a project with only the package-lock.json? No. The package.json is used for more than dependencies – like defining project properties, description, author & license information, scripts, etc. The package-lock.json is solely used to lock dependencies to a specific … Read more
In npm 6.x and 7.x you can use npm i –package-lock-only According to the docs of npm v6, npm v7 or latest version: The –package-lock-only argument will only update the package-lock.json, instead of checking node_modules and downloading dependencies.
Update 3: As other answers point out as well, the npm ci command got introduced in npm 5.7.0 as additional way to achieve fast and reproducible builds in the CI context. See the documentation and npm blog for further information. Update 2: The issue to update and clarify the documentation is GitHub issue #18103. Update … Read more