Why all the changes in my package-lock.json file?
So I’ve checked out a JS project and run npm install. That should create no changes, yet package-lock.json now shows up in version control’s list of changed files.
So what’s changed? Mainly, it has added carets (^) in front of loads of the versions of the required packages!
So what?
Well, you may have deliberately removed every ^ from package.json so that your node_modules stay the same and each build is reproducible. Adding one new dependency should not rewrite large sections of the lock file. Being able to see what the lock file changes actually are is useful when committing: the lock file is the record of exactly which package versions (and, through the integrity hashes, which artifacts) will be installed, so a reviewable diff is part of keeping an eye on what enters your supply chain. But if 90% of the file changes, and those changes are pretty much added carets or patch-version bumps, it’s really hard to see what has actually changed.
Bottom Line
Straight to the point: what’s going on? It’s your Node/npm version, specifically the difference between npm 5 and npm 6. This happens when some people on the project run Node 10 (which bundles npm 6) while others run Node 8 (most releases of which bundle an npm 5.x).
So if the lock file was first written by npm 5 and someone then runs npm install with npm 6, you will see the large volume of changes: npm 6 rewrites the requires entries of each package from the exact version that npm 5 recorded to the range declared in that package’s package.json, which is where all the carets come from. Two things limit the churn: use npm ci (available from npm 5.7) on fresh checkouts and in CI, since it installs exactly what the lock file says and refuses to modify it, and agree on one npm major across the team, for example by declaring it in the engines field of package.json and setting engine-strict=true in .npmrc so a mismatched npm refuses to install.
Check which npm version is bundled with each Node release on the Node.js releases page.
More depth
I had trouble finding this information online, hence this blog post, which will hopefully help someone else. Here are the sources where I found the information.
https://github.com/npm/npm/issues/20891 – Essentially the question I was looking for.
https://github.com/npm/npm/issues/20434#issuecomment-402988364 – The answer as to why.
Should this information disappear, I’ve grabbed a screenshot as well.