 

Why did package-lock.json change the integrity hash from sha1 to sha512?



From what I can see, npm changed the integrity checksum from sha1 to sha512.

If your git changes are going from sha1 to sha512, you should do that update once and it will be good after that.

If someone else working with the codebase sees a git change from sha512 down to sha1 (which is the issue I was having), you can fix it by running the following:

Discard the changes in git for package-lock.json

npm i -g npm             # update npm itself to a version that writes sha512 integrity hashes
rm -rf node_modules/     # drop the installed tree so every tarball is fetched and hashed again
npm i                    # reinstall and regenerate package-lock.json

This will update npm and reinstall all of your packages so that the new checksum (sha512) is present.


Building on what Dave answered, the fix I found was to do the following:

npm i -g npm                 # update npm itself

cd {working directory}
rm -rf node_modules/         # remove the installed tree
rm package-lock.json         # remove the lock file so it is regenerated from scratch
npm cache clear --force      # drop cached tarballs and their old sha1 metadata
npm i                        # reinstall; the new lock file is written with sha512 hashes

We did this for all our developers at the same time, and this stopped the sha-512 vs sha-1 issue, which was causing frustrating merge conflicts.


See also https://github.com/npm/npm/issues/17749, which claims the issue is 'fixed', although it isn't. Removing node_modules is a workaround.

There may be a relationship with operating systems. We're hitting this right now with developers on Linux and Windows platforms.


Like @Daniel Cumings, I also had to remove package-lock.json to get rid of the sha1 hashes. Here are the Windows CLI commands for reference, which do the same as Daniel's script:

rem update npm itself
npm i -g npm
rem remove the installed tree and the lock file so both are regenerated
rd /s /q "node_modules"
del package-lock.json
rem drop cached tarballs and their old sha1 metadata, then reinstall
npm cache clear --force
npm i

I'm working in a big team. Forcing every developer to force-clean the npm cache is difficult and not reliable. Also, this doesn't help every time. So, for anyone who is still facing this npm issue (same as me) and for whom nothing else helps, try this git-based tool I've built recently: https://github.com/kopach/lockfix. It reverts sha512 -> sha1 integrity changes of npm's lock files. If you add this to your postshrinkwrap script in package.json, you should eventually get all integrity properties set to sha512 and have a consistent lock file.

npm install --save-dev lockfix

Then, in package.json:

"scripts": {
    "postshrinkwrap": "lockfix"
}