"resolved" and "integrity" go missing in package-lock.json

Question

Ocassionally, when installing an (unrelated) dependency, I lose the resolved values from each of my private nexus repository dependencies, meaning that when my build server runs npm ci it falls back to attempting to install these from the npm repository, which obviously fails.

I am using npm 8.5.5/node 16.15

I am using NPM's workspaces feature to construct a monorepo, meaning that I have several project package.json files as well as a root package.json

My .npmrc (at root level) looks like this:

engine-strict=true
@foo:registry=http://prod-nexus.foo.com/repository/bar/
always-auth=true

After an (unrelated, random) install my package-lock.json will have this change:

    "@foo": {
        "version": "1.2.3",
-       "resolved": "http://prod-nexus.foo.com/repository/bar/@foo/-/lib-1.2.3.tgz,
-       "integrity": "sha...",
+       "license": "MIT",
        "dependencies": { ....

Note that the resolved and integrity fields have disappeared and the license has been added.

I have run into this problem several times, each time I have solved it by rolling back and some manual editing and eventually it goes away, but I really need to understand what is going on.

What is causing this, why is it random, what can I do to defend against it?

Answer 1

This could be related to the issue https://github.com/npm/cli/issues/4263

1. clean the npm cache npm cache clean -f
2. run npm install again

If that doesn't work, try it again while deleting more:

1. clean the npm cache npm cache clean -f
2. remove node_modules in project folder
3. remove package-lock.json file
4. run npm install again