
Using package-lock and npm link

Tags:

node.js

npm

Our company develops an addon that is then a dependency of the implementation project.

Developers of the addon write their code by first doing "npm link" to the addon in the implementation project, and then running "npm install".

General implementation users will just run "npm install", which then installs the addon from our private npm registry. This is also the way our Bitbucket builds run.

The problem occurs with the generated package-lock. We would like to use one because it avoids the problem of differing dependencies of dependencies, between different environments. However, the package-lock file is completely different when generated with an "npm link"ed addon, than with the addon pulled from the registry.

Subsequently, this means either addon developers can't get everything to install properly (because "npm install" overwrites their "npm link"), or the general users/Bitbucket pipelines receive errors because the dependency tree is such a mess.

Is there a way to get around this? Should we be using different tools, or following a different process? We've tried multiple node versions up to latest LTS.

Anna asked Oct 17 '22 09:10


1 Answer

You should run npm install first (or npm ci for a clean install; see https://docs.npmjs.com/cli/ci.html). This should install the dependencies according to your package-lock.json file.

Then, only after getting the correct dependencies, you can npm link your private dependency.

If you run npm install (or npm ci) after npm link, the install will override the link (which is the expected behavior).

user13688206 answered Nov 15 '22 05:11
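
A guard that fits the workflow in the answer above, as an added example that is not part of the original post: it scans a package-lock.json for entries left behind by a linked or local copy of the addon, so a pipeline can reject a lockfile that was regenerated while the link was active. It assumes lockfileVersion 2 or 3 (the "packages" map, where npm marks symlinked packages with "link": true); `@acme/addon`, `../addon` and `findLocalEntries` are hypothetical names.

```javascript
// Constructed sample: a lockfile regenerated while a hypothetical addon
// "@acme/addon" was linked from a sibling checkout at ../addon.
const SAMPLE_LOCK = {
  name: "implementation",
  lockfileVersion: 3,
  packages: {
    "": { name: "implementation", dependencies: { "@acme/addon": "^1.2.0" } },
    "../addon": { name: "@acme/addon", version: "1.2.0" },
    "node_modules/@acme/addon": { resolved: "../addon", link: true },
    "node_modules/left-pad": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
      integrity: "sha512-CONSTRUCTED-PLACEHOLDER",
    },
  },
};

// True when a lockfile path points outside the project directory.
function escapesRoot(p) {
  return p.startsWith("..") || p.startsWith("/") || /^[A-Za-z]:[\\/]/.test(p);
}

// Returns [{ path, reason }] for entries that depend on a developer's disk
// layout instead of the registry. Workspace links inside the project are
// not flagged, because their target does not leave the project root.
function findLocalEntries(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const resolved = typeof entry.resolved === "string" ? entry.resolved : "";
    if (entry.link === true && escapesRoot(resolved)) {
      findings.push({ path, reason: `symlink to ${resolved}` });
    } else if (escapesRoot(path)) {
      findings.push({ path, reason: "package outside project root" });
    } else if (resolved.startsWith("file:")) {
      findings.push({ path, reason: `local path ${resolved}` });
    }
  }
  return findings;
}

// CLI use: `node check-lock.js package-lock.json` exits 1 when findings exist.
if (typeof require !== "undefined" && process.argv[2]) {
  const lock = JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"));
  const findings = findLocalEntries(lock);
  findings.forEach((f) => console.error(`${f.path}: ${f.reason}`));
  process.exitCode = findings.length ? 1 : 0;
}
```

Run before `npm ci` in the pipeline, it stops a lockfile that references a developer's local checkout from reaching the build.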