Good point. I was under the impression that when a new version of the package is released, the dependency tree would be regenerated for the newest version. But after running some tests, it looks like that's not the case; once a version is specified in the package-lock.json, it won't be updated if it fulfills the required version; E.g., 0.24.0 fulfills the requirement for 0.x, so even if 0.25.0 is released, npm will continue to install and use 0.24.0.
That hasn't always been the case, and if that is what you want, that is why they recommend using npm ci instead of npm install, so that package-lock.json will absolutely dictate which dependencies you install.
I mean, even if in theory npm install installs based on package-lock.json, it hasn't always been the case, and has varied from version to version of npm, and once you have a valid package-lock.json, npm ci is THE way to guarantee you are installing based on it.
No good, I know!
Or just use the automatic package-lock.json like everyone else...
Yep, otherwise package-lock.json would be totally useless
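A small checker, added here and not taken from the thread, that makes the point above concrete: it compares the ranges in package.json with what a lockfileVersion 2/3 package-lock.json actually resolved, and flags a direct dependency that is absent from the lock, locked outside its declared range, or lacking an integrity hash. The semver matching covers the common 0.x / ^ / ~ forms only, and the package names, versions and the lock contents are constructed sample data.

```python
def satisfies(version, spec):
    """Semver check for the common package.json forms: exact '1.2.3', x-ranges
    '0.x'/'1.2.x'/'*', caret '^1.2.3', tilde '~1.2.3' (no pre-release or '||')."""
    spec = spec.strip()
    if spec in ("", "*", "x"):
        return True
    v = tuple(int(p) for p in version.split("."))
    op = spec[0] if spec[0] in "^~" else ""
    nums = []
    for part in spec.lstrip("^~").split("."):
        if part in ("x", "X", "*"):
            break
        nums.append(int(part))
    lower = nums + [0] * (3 - len(nums))
    if op == "" and len(nums) == 3:
        return v == tuple(lower)  # exact pin
    if op == "^":  # bump the leftmost non-zero component
        idx = next((i for i, n in enumerate(nums) if n), len(nums) - 1)
    elif op == "~":  # bump minor, or major when only a major was given
        idx = min(len(nums) - 1, 1)
    else:  # x-range: bump the last component that was given
        idx = len(nums) - 1
    upper = lower[:idx] + [lower[idx] + 1] + [0] * (2 - idx)
    return tuple(lower) <= v < tuple(upper)

def audit_lockfile(package_json, lockfile):
    """Map each direct dependency to a problem string (empty dict: lock is usable).
    Expects the lockfileVersion 2/3 'packages' layout keyed by node_modules path."""
    packages = lockfile.get("packages", {})
    wanted = {**package_json.get("dependencies", {}),
              **package_json.get("devDependencies", {})}
    problems = {}
    for name, spec in wanted.items():
        entry = packages.get(f"node_modules/{name}")
        if entry is None:
            problems[name] = "absent from lockfile (out of sync; npm ci would error)"
        elif not satisfies(entry["version"], spec):
            problems[name] = f"locked {entry['version']} is outside {spec}"
        elif not entry.get("integrity"):
            problems[name] = "no integrity hash, so the tarball is not verified"
    return problems

# Constructed sample data (not from the thread): 0.x resolved to 0.24.0 stays pinned.
PACKAGE_JSON = {"dependencies": {"example-lib": "0.x", "other-lib": "^1.2.0"},
                "devDependencies": {"tool-lib": "~2.1.0", "missing-lib": "1.0.0"}}
PACKAGE_LOCK = {"lockfileVersion": 3, "packages": {
    "": {"dependencies": PACKAGE_JSON["dependencies"]},
    "node_modules/example-lib": {"version": "0.24.0", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/other-lib": {"version": "2.0.0", "integrity": "sha512-PLACEHOLDER"},
    "node_modules/tool-lib": {"version": "2.1.4"}}}
```

Calling `audit_lockfile(PACKAGE_JSON, PACKAGE_LOCK)` leaves example-lib alone (0.24.0 satisfies 0.x, exactly the pinning the thread describes) and reports the other three; pointing the same two functions at `json.load`ed real files is the intended use.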