"npm uninstall" Vs "npm uninstall --save" - npm

"npm uninstall packageName" removes the package and also updates the package.json file.
But from the npm doc -
To remove a package from the dependencies in package.json, use the --save flag. Include the scope if the package is scoped.
Can somebody clarify what --save flag actually does?

--save flag indicates that module record will be removed from package.json.
By default, if you call uninstall command without arguments, npm will remove the module record from package.json as well as module folder from node_modules. In the previous versions of npm you should have specified the flag explicitly.
npmjs docs:
npm uninstall takes 3 exclusive, optional flags which save or update the package version in your main package.json:
-S, --save: Package will be removed from your dependencies.
-D, --save-dev: Package will be removed from your devDependencies.
-O, --save-optional: Package will be removed from your optionalDependencies.
--no-save: Package will not be removed from your package.json file.

Related

Why are some npm packages listed in lock-file but not the package.json file?

I ran npm audit and it's warning me to update some of the packages. However, the packages it's warning me about, such as chokidar, are not listed in my package.json. So what does this mean? How do I perform an update if the package is not listed in the file?
It's not listed in your package.json because it is a nested dependency.
You can update it either by trying npm audit fix or by using the package npm-force-resolutions.
How to use npm-force-resolutions:
First add a field resolutions with the dependency version you want to fix to your package.json, for example:
"resolutions": {
  "hoek": "4.2.1"
}
Then add npm-force-resolutions to the preinstall script so that it patches the package-lock file before every npm install you run:
"scripts": {
  "preinstall": "npx npm-force-resolutions"
}
Now just run npm install as you would normally do:
npm install
To confirm that the right version was installed, use:
npm ls hoek
If your package-lock changes, you may need to run the steps above again.
You can check which dependency is requiring the package that appears in the lock with npm ls command.
For instance for sqlite3 you can run:
npm ls sqlite3 --json
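The nested-dependency relationship described in the answers above can be read straight out of the lock file. The following is an added example, not code from the original posts or from npm: it walks the v1-style dependencies tree that npm 6 writes and reports which package.json entries pull in a given package. The function names and the sample manifest and lock data are constructed for illustration, and nested copies of a package are merged by name.

```javascript
// Constructed sample data (not from the page); versions are illustrative.
const pkgJson = {
  dependencies: { webpack: "^4.44.0" },
  devDependencies: { "webpack-dev-server": "^3.11.0" },
};
const lock = {
  lockfileVersion: 1,
  dependencies: {
    webpack: { version: "4.44.0", requires: { watchpack: "^1.7.4" } },
    watchpack: { version: "1.7.4", requires: { chokidar: "^2.1.8" } },
    "webpack-dev-server": { version: "3.11.0", requires: { chokidar: "^2.1.8" } },
    chokidar: { version: "2.1.8", requires: { anymatch: "^2.0.0" } },
    anymatch: { version: "2.0.0" },
  },
};

// Map each package name to the set of packages whose "requires" names it.
function requiredBy(lockFile) {
  const parents = new Map();
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      for (const child of Object.keys(entry.requires || {})) {
        if (!parents.has(child)) parents.set(child, new Set());
        parents.get(child).add(name);
      }
      walk(entry.dependencies); // nested copies under node_modules/<name>/
    }
  };
  walk(lockFile.dependencies);
  return parents;
}

// Every chain from an entry in package.json down to `target`.
function whyInstalled(manifest, lockFile, target) {
  const direct = new Set(Object.keys({
    ...manifest.dependencies, ...manifest.devDependencies, ...manifest.optionalDependencies,
  }));
  const parents = requiredBy(lockFile);
  const chains = [];
  const climb = (name, below) => {
    if (below.includes(name)) return; // guard against dependency cycles
    const path = [name, ...below];
    if (direct.has(name)) chains.push(path.join(" > "));
    for (const parent of parents.get(name) || []) climb(parent, path);
  };
  climb(target, []);
  return chains.sort();
}
console.log(whyInstalled(pkgJson, lock, "chokidar"));
```

To run it on a real project, pass the parsed contents of package.json and package-lock.json in place of the constructed objects.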

npm install doesn't apply what is in package-lock.json?

I have Node v10.22.0, npm 6.14.6, on MacOS Catalina.
I start from a git repo that contains a package-lock.json that specifies @truffle dependencies and no node_modules folder, no package.json. After I cloned the repo, I ran npm install to install dependencies. The npm doc says:
If the package has a package-lock ..., the installation of
dependencies will be driven by that
Surprisingly it actually installs 8 packages that have nothing to do with my project: d, es5-ext, es6-iterator, es6-symbol, ext, next-tick, type AND it overwrites package-lock.json with a new one containing dependencies on these 8 packages.
If I overwrite package-lock.json and launch npm install, it redoes the same trick.
Questions:
what is happening?
how can I make npm install populate node_modules correctly?
Use npm ci to install dependencies based on your lock file. Check this answer for more details about this command, it has the answer to your questions.

Package.json pasting a package name in bad?

What happens differently when you go into your package.json and paste a package name in and do npm i vs. doing it the real npm i package-name?
package.json:
"dep": "1.0.0"
vs
npm i dep --save
We have a build error and learned we can bypass it by pasting. I know it isn't kosher but I really want to know why and what consequences that causes?
npm install dep doesn't add the dependency to the package.json file.
You have to add --save or --save-dev to add it to the package.json file.
Besides that, npm install will always serve you the latest build (in most cases the version tagged as latest (see npm docs)), unless you specify a specific version.
If you want your lock file to update, you have to delete the file before running npm install to generate a lock file with the dependency included (for more info check out this GitHub issue).
In conclusion, it shouldn't make much of a difference if you manually add the dependency to package.json file and install it with npm install, unless the latest version of your dependency is broken.

How to update package.json dependencies when linking from globally installed packages?

I organize my development projects installing globally all the npm packages I need with:
npm -g install [package]
Then I symlink individually the dependencies I need for each project with:
npm link [package]
This way, I have to update manually each package.json file to add the dependency, and when I upgrade the global node_modules I have to go and update all the package.json projects.
For this first issue I tried npm link [package] --save, but it doesn't add the dependency to package.json, and if I use npm install [package] --save it installs the package locally, which I don't want.
Is there any way to not have to configure package.json manually and be able to have an updated configuration of package.json from many different projects in an easier way?
Yes, you can install npm-check-updates; you can find the install instructions and guide here:
https://www.npmjs.com/package/npm-check-updates
When you run 'ncu' on the command line in the root folder where your package.json is, it lists the packages that can be updated, and running 'ncu -u' on the command line updates all the packages for you.

What do the --save flags do with npm install

I see instructions to install a package with either
npm install <package_name>
or
npm install <package_name> --save
or
npm install <package_name> --save-dev
What is the difference between these options?
Updated, 2019:
Since this question was asked there was a change to npm, such that --save has become the default option, so you do not need to use --save to update the dependencies.
Original Answer:
npm install <package_name> --save installs the package and updates the dependencies in your package.json.
npm install <package_name> --no-save installs the package but does not update the dependencies as listed in your package.json.
npm install <package_name> --save-dev updates the devDependencies in your package. These are only used for local testing and development.
You can read more at https://docs.npmjs.com/getting-started/using-a-package.json.
npm install takes 3 exclusive, optional flags which save or update the package version in your main package.json:
-S, --save: Package will appear in your dependencies.
-D, --save-dev: Package will appear in your devDependencies.
-O, --save-optional: Package will appear in your optionalDependencies.
When using any of the above options to save dependencies to your package.json, there is an additional, optional flag:
-E, --save-exact: Saved dependencies will be configured with an exact version rather than using npm's default semver range operator.
Further, if you have an npm-shrinkwrap.json then it will be updated as well.
<scope> is optional. The package will be downloaded from the registry associated with the specified scope. If no registry is associated with the given scope the default registry is assumed. See npm-scope.
Note: if you do not include the @-symbol on your scope name, npm will interpret this as a GitHub repository instead, see below. Scope names must also be followed by a slash.
Examples:
npm install sax --save
npm install githubname/reponame
npm install @myorg/privatepackage
npm install node-tap --save-dev
npm install dtrace-provider --save-optional
npm install readable-stream --save --save-exact
Note: If there is a file or folder named <name> in the current working directory, then it will try to install that, and only try to fetch the package by name if it is not valid.
(from official docs) https://docs.npmjs.com/cli/install
The --save flag no longer serves a purpose.
Previously, as the other answers noted, the --save flag would update the dependencies in the project's package.json file, but npm install now includes this functionality by default.
At this point if you want to prevent npm install from saving dependencies, you have to use the --no-save flag.
Thanks to Coruscate5 for mentioning this in their comment.
More info in the npm-install documentation:
npm install saves any specified packages into dependencies by default. Additionally, you can control where and how they get saved with some additional flags:
-P, --save-prod: Package will appear in your dependencies. This is the default unless -D or -O are present.
-D, --save-dev: Package will appear in your devDependencies.
-O, --save-optional: Package will appear in your optionalDependencies.
--no-save: Prevents saving to dependencies.
When using any of the above options to save dependencies to your package.json, there are two additional, optional flags:
-E, --save-exact: Saved dependencies will be configured with an exact version rather than using npm’s default semver range operator.
-B, --save-bundle: Saved dependencies will also be added to your bundleDependencies list.