GitHub - agconti/how-package-lock-works: As of npm v5.1.0, dependencies versions in package.json *override* the values specified in package-lock.json

Your package-lock.json isn't respected when there are ^ and ~ in your package.json. Instead, npm will install the most recent version allowed by the ^ and ~. This means that your builds are not reproducable since your underlying dependencies can change when running the same build at different points in time.

To prove this to yourself, run the demo:

./demo.sh

Supporting information:

A detailed writeup on this issue: https://stackoverflow.com/a/45566871/2259303

Name		Name	Last commit message	Last commit date
Latest commit History 6 Commits
node_modules		node_modules
README.md		README.md
_config.yml		_config.yml
demo.sh		demo.sh
package-lock.gif		package-lock.gif
package-lock.json		package-lock.json
package.json		package.json

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

node_modules

node_modules

README.md

README.md

_config.yml

_config.yml

demo.sh

demo.sh

package-lock.gif

package-lock.gif

package-lock.json

package-lock.json

package.json

package.json

Repository files navigation

About

Releases

Packages

Languages

agconti/how-package-lock-works

Folders and files

Latest commit

History

Repository files navigation

About

Resources

Stars

Watchers

Forks

Languages