npm install doesn't apply what is in package-lock.json? - npm

I have Node v10.22.0, npm 6.14.6, on MacOS Catalina.
I start from a git repo that contains a package-lock.json that specifies #truffle dependencies and no node_modules folder, no package.json. After I cloned the repo, I run npm install to install dependencies. The npm doc says
"If the package has a package-lock ..., the installation of dependencies will be driven by that"
Surprisingly it actually installs 8 packages that have nothing to do with my project: d, es5-ext, es6-iterator, es6-symbol, ext, next-tick, type AND it overwrites package-lock.json with a new one containing dependencies on these 8 packages.
If I overwrite package-lock.json and launch npm install, it redoes the same trick.
Questions:
what is happening?
how can I make npm install populate node_modules correctly?

Use npm ci to install dependencies based on your lock file. Check this answer for more details about this command, it has the answer to your questions.

Related

Can I re-create node_modules from package-lock.json?

I cloned a repository from github which has a package-lock.json (but no package.json). Then in a git bash terminal I go to the directory and run npm install but I just get a message saying there is no package.json and then everything in package-lock.json gets deleted so it's basically empty except for the project name and version.
I thought running npm install with a package-lock.json in the directory was enough to re-create node_modules, but am I seriously misunderstanding how this works? By the way I have node 8.12.0 and npm 6.4.1 and am running on Windows 10. Also, I think the package-lock.json was created on a unix system so could there be problems when using package-lock.json on a different OS?
I already tried running npm init just to get a package.json file and then running npm install but that still didn't get me a node_modules folder.
Starting from Mar 5, 2018, you can run npm ci to install packages from package-lock.json.
"npm ci bypasses a package's package.json to install modules from a package's lockfile."
https://blog.npmjs.org/post/171556855892/introducing-npm-ci-for-faster-more-reliable
package-lock.json records the exact version and URL of every package that needs to be installed, so you can use npm to install them accordingly:
npm can install from urls that point to tarballs
--no-package-lock option to tell npm to not touch package-lock.json file
For example, to install all packages in package-lock.json:
cat package-lock.json | jq '.dependencies[].resolved' | xargs npm i --no-package-lock
jq is a command-line tool to parse JSON; you can write a simple JavaScript script to parse it instead (if you do not want to install jq or learn jq's query syntax).
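As an added example (not part of the answer above, and not a script from the npm project), here is the JavaScript alternative to the jq one-liner: it walks a package-lock.json, collects every resolved tarball URL together with its integrity hash, and flags entries worth a look before those URLs are fed to `npm i --no-package-lock`. It goes a little beyond the answer's case: it also descends into nested dependencies (which `.dependencies[].resolved` skips in a lockfileVersion 1 file) and reads the `packages` map of lockfileVersion 2 and 3 files. The lockfile contents are constructed for the example; the package names, URLs and hashes are placeholders, and the host allowlist in `auditLockfile` is an assumed policy value you would set to the registries your project trusts.

```javascript
// Added example: audit a package-lock.json before installing from its URLs.
// Not part of the original answer. Handles lockfileVersion 1 (nested
// "dependencies" tree) and lockfileVersion 2/3 ("packages" map).

// Constructed sample lockfile (lockfileVersion 1). Package names, URLs and
// integrity values are placeholders, not real registry data.
const SAMPLE_LOCK = JSON.stringify({
  name: "sample-project",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    "alpha-lib": {
      version: "1.3.0",
      resolved: "https://registry.npmjs.org/alpha-lib/-/alpha-lib-1.3.0.tgz",
      integrity: "sha512-PLACEHOLDER_A"
    },
    "beta-lib": {
      version: "2.0.0",
      resolved: "https://registry.npmjs.org/beta-lib/-/beta-lib-2.0.0.tgz",
      integrity: "sha512-PLACEHOLDER_B",
      dependencies: {
        // nested (non-hoisted) dependency: jq's .dependencies[].resolved misses it
        "gamma-lib": {
          version: "0.1.0",
          resolved: "http://mirror.example.internal/gamma-lib-0.1.0.tgz",
          integrity: "sha1-PLACEHOLDER_C"
        }
      }
    },
    "delta-lib": {
      version: "4.2.0",
      resolved: "https://registry.npmjs.org/delta-lib/-/delta-lib-4.2.0.tgz"
      // no integrity field at all
    }
  }
});

// Flatten a lockfile into one record per installed package.
function flattenLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const entries = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/a/node_modules/b"; "" is the project itself.
    for (const [key, pkg] of Object.entries(lock.packages)) {
      if (key === "" || pkg.link) continue;
      entries.push({
        name: key.split("node_modules/").pop(),
        path: key,
        version: pkg.version,
        resolved: pkg.resolved,
        integrity: pkg.integrity
      });
    }
    return entries;
  }
  // lockfileVersion 1: recurse into each entry's own "dependencies"
  const walk = (deps, parentPath) => {
    for (const [name, pkg] of Object.entries(deps || {})) {
      const path = parentPath ? `${parentPath}/node_modules/${name}` : `node_modules/${name}`;
      entries.push({ name, path, version: pkg.version, resolved: pkg.resolved, integrity: pkg.integrity });
      walk(pkg.dependencies, path);
    }
  };
  walk(lock.dependencies, "");
  return entries;
}

// Report entries that lack a pinned, verifiable source. allowedHosts is an
// assumed policy value; set it to the registries your project trusts.
function auditLockfile(entries, allowedHosts = ["registry.npmjs.org"]) {
  const findings = [];
  for (const e of entries) {
    if (!e.resolved) {
      findings.push({ path: e.path, issue: "no-resolved-url" });
      continue;
    }
    if (!e.integrity) {
      findings.push({ path: e.path, issue: "missing-integrity" });
    } else if (!e.integrity.startsWith("sha512-")) {
      // npm still accepts sha1 for old tarballs; the registry issues sha512 now
      findings.push({ path: e.path, issue: "weak-integrity" });
    }
    let url;
    try {
      url = new URL(e.resolved);
    } catch (err) {
      findings.push({ path: e.path, issue: "unparseable-url" });
      continue;
    }
    if (url.protocol !== "https:") findings.push({ path: e.path, issue: "insecure-transport" });
    if (!allowedHosts.includes(url.hostname)) findings.push({ path: e.path, issue: "unexpected-host" });
  }
  return findings;
}

// The list the jq one-liner produces, but including nested entries.
function resolvedUrls(entries) {
  return [...new Set(entries.filter((e) => e.resolved).map((e) => e.resolved))];
}

const lockEntries = flattenLockfile(SAMPLE_LOCK);
console.log(resolvedUrls(lockEntries).join("\n"));
for (const f of auditLockfile(lockEntries)) console.log(`${f.issue}: ${f.path}`);
```

Run it with `node audit-lock.js` in the directory holding the lockfile after replacing `SAMPLE_LOCK` with `fs.readFileSync("package-lock.json", "utf8")`. Installing from the printed URLs only reproduces the lockfile faithfully if every entry has a `resolved` URL and an `integrity` hash, which is why the audit runs before the install rather than after it.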
AFAIK, the package-lock.json file relies on the presence of a package.json file, so you'll not be able to recreate your node_modules folder from the package-lock.json file alone (happy to be proved wrong here).
Therefore, your best bet is to (mis)use a module like auto-install that is capable of generating the package.json file based on a project's dependencies, as they appear in the files.
Install it globally (npm install -g auto-install), then you'll need to generate an empty package.json file for it to run (use npm init -y in your project root). Kick things off with the command auto-install and it should add the dependencies to the package.json file.
HTH

npm5 equivalent to yarn's --pure-lockfile flag?

I'm looking for an equivalent for yarn's --pure-lockfile flag.
This flag is useful when installing dependencies in CI, when you want it to read your lockfile but not modify it.
Does npm v5 have an equivalent?
npm 5.7 introduced the npm ci subcommand:
the main differences between using npm install and npm ci are:
The project must have an existing package-lock.json or npm-shrinkwrap.json.
If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
npm ci can only install entire projects at a time: individual dependencies cannot be added with this command.
If a node_modules is already present, it will be automatically removed before npm ci begins its install.
It will never write to package.json or any of the package-locks: installs are essentially frozen.
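As an added illustration of the second bullet (this is example code, not npm's own implementation), here is a simplified version of the check `npm ci` performs before installing: every dependency declared in package.json must be present in the lockfile with a version that satisfies the declared range, otherwise the run fails instead of silently rewriting the lock. The range matcher only handles exact versions, `^`, `~` and `*` (npm's real semver library handles far more), and the package.json and package-lock.json below are constructed sample inputs, not files from any real project.

```javascript
// Added example: a simplified version of the manifest-vs-lockfile check that
// npm ci performs before installing. Not npm's code; the range matcher only
// understands exact versions, "^", "~" and "*".

// Constructed sample inputs; neither file comes from a real project.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "sample-app",
  version: "1.0.0",
  dependencies: { alpha: "^1.2.0", beta: "~2.1.0", gamma: "3.0.0" },
  devDependencies: { delta: "^0.4.1" }
});

const SAMPLE_LOCK = JSON.stringify({
  name: "sample-app",
  version: "1.0.0",
  lockfileVersion: 1,
  dependencies: {
    alpha: { version: "1.5.2", resolved: "https://registry.npmjs.org/alpha/-/alpha-1.5.2.tgz" },
    beta: { version: "2.2.0", resolved: "https://registry.npmjs.org/beta/-/beta-2.2.0.tgz" },
    gamma: { version: "3.0.0", resolved: "https://registry.npmjs.org/gamma/-/gamma-3.0.0.tgz" }
    // delta is missing: the lock was generated before it was added to package.json
  }
});

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Minimal semver range check: exact, caret (^), tilde (~) and wildcard (*).
function satisfies(version, range) {
  const r = String(range).trim();
  if (r === "" || r === "*" || r === "latest") return true;
  const v = parseVersion(version);
  const op = r[0] === "^" || r[0] === "~" ? r[0] : "";
  const base = parseVersion(op ? r.slice(1) : r);
  if (!v || !base) return false; // unsupported syntax: treat as not satisfied
  if (op === "") return compareVersions(v, base) === 0;
  if (compareVersions(v, base) < 0) return false;
  let upper;
  if (op === "~") upper = [base[0], base[1] + 1, 0]; // ~1.2.3 -> <1.3.0
  else if (base[0] > 0) upper = [base[0] + 1, 0, 0]; // ^1.2.3 -> <2.0.0
  else if (base[1] > 0) upper = [0, base[1] + 1, 0]; // ^0.2.3 -> <0.3.0
  else upper = [0, 0, base[2] + 1]; // ^0.0.3 -> <0.0.4
  return compareVersions(v, upper) < 0;
}

// Look up the top-level lock entry for a package in either lockfile layout.
function lockedVersion(lock, name) {
  if (lock.packages) {
    const pkg = lock.packages[`node_modules/${name}`];
    return pkg ? pkg.version : undefined;
  }
  const pkg = (lock.dependencies || {})[name];
  return pkg ? pkg.version : undefined;
}

// Returns { ok, findings }; a CI step would fail the build when ok is false.
function checkLockAgainstManifest(packageJsonText, lockText) {
  const manifest = JSON.parse(packageJsonText);
  const lock = JSON.parse(lockText);
  const declared = Object.assign({}, manifest.dependencies, manifest.devDependencies);
  const findings = [];
  for (const [name, range] of Object.entries(declared)) {
    const locked = lockedVersion(lock, name);
    if (locked === undefined) {
      findings.push({ name, range, issue: "missing-from-lock" });
    } else if (!satisfies(locked, range)) {
      findings.push({ name, range, locked, issue: "version-mismatch" });
    }
  }
  return { ok: findings.length === 0, findings };
}

const syncResult = checkLockAgainstManifest(SAMPLE_PACKAGE_JSON, SAMPLE_LOCK);
console.log(syncResult.ok ? "lockfile in sync" : JSON.stringify(syncResult.findings, null, 2));
```

With the sample inputs the check reports `beta` as a version mismatch and `delta` as missing from the lock, which is the situation in which `npm install` would quietly regenerate package-lock.json and `npm ci` exits non-zero instead. Running such a check as a CI gate, or simply relying on `npm ci` there, keeps a lockfile edit from slipping in unreviewed.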
This is how I did it in my Dockerfile:
RUN npm install --pure-lockfile
It should work perfectly.

npm 5 install folder without using symlink

Before publishing my node library, I could use the advice the npm documentation wrote about:
To test a local install, go into some other folder, and then do:
cd ../some-other-folder
npm install ../my-package
Prior to version 5 of npm, I had no problem, as it produced what I expected, i.e. a folder with the output of what I will publish.
However, using npm 5, it now creates a symlink to my local project as described in the npm documentation:
npm install <folder>:
"Install the package in the directory as a symlink in the current project. Its dependencies will be installed before it's linked. If <folder> sits inside the root of your project, its dependencies may be hoisted to the toplevel node_modules as they would for other types of dependencies."
How can I use the "old" way to install a local project? Or is there a new way to check that my library is correct?
Thank you.
Use npm pack + npm install (as suggested by install-local package)
npm pack <path-to-local-package>
npm install <package-version.tgz>
This will effectively copy your local package to node_modules.
Note that this will package only production-relevant files (those listed in the files section of your package.json). So, you can install it in a test app under the package's own directory. Something like this:
my-package
  package.json
  test
    test-app
      package.json
      node_modules
        my-package
Assuming that test dir is not included in the files in my-package/package.json.
This works the same way with npm 5 and older versions.
I wrote npm-install-offline which allows you to install npm packages from a local repository or folder. By default it copies the folder on install but you can also choose to symlink.
https://www.npmjs.com/package/npm-install-offline
npx npm-install-offline ../some-package
Or
npx npm-install-offline my-npm-package --repo ./my-offline-npm
It also will install the package dependencies which npm does not do with local packages.

Why does npm update do more, after running npm install first?

I just discovered that npm install is not enough to correctly get a new project into shape based on the package.json of an existing one.
I copied the package.json and did npm install and was surprised to find that the cloned project did not work.
I diffed the node_modules directory and to my surprise there were packages in the source that were not in the clone.
Then I ran npm update and lo and behold more packages were added and the cloned project ran.
Why is that?

How to update package.json dependencies when linking from globally installed packages?

I organize my development projects installing globally all the npm packages I need with:
npm -g install [package]
Then I symlink individually the dependencies I need for each project with:
npm link [package]
This way, I have to update manually each package.json file to add the dependency, and when I upgrade the global node_modules I have to go and update all the package.json projects.
For this first issue I tried npm link [package] --save but it doesn't add the dependency to package.json, and if I use npm install [package] --save it installs the package locally, which I don't want.
Is there any way to avoid configuring package.json manually, and to keep the package.json configuration of many different projects up to date in an easier way?
Yes you can install npm-check-updates, you can find the install and guide here:
https://www.npmjs.com/package/npm-check-updates
when running 'ncu' on the command-line in your root-folder where your package.json is, it will list the packages that can be updated and by running 'ncu -u' on the command-line it updates all the packages for you.