[BUG] Confusing warning message with "npm install" without "package-lock.json" #3721

Closed
1 task done
ext opened this issue Sep 6, 2021 · 7 comments
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 7.x work is associated with a specific npm 7 release

Comments

@ext

ext commented Sep 6, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

After removing package-lock.json and running npm install the following warning pops up:

$ npm install
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile

Expected Behavior

I find the warning a bit confusing in this case as there is no old file.

Removing node_modules as well as package-lock.json produces no warning.

Steps To Reproduce

  1. npm init
  2. npm install --save-dev eslint (any package really)
  3. rm package-lock.json
  4. npm install

Environment

  • OS: debian 10, gentoo, windows 10
  • Node: 12, 14, 16
  • npm: at least v7.21.1 to v7.23.0 but it has been present a while
@ext ext added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Sep 6, 2021
@ext
Author

ext commented Sep 14, 2021

Noticed this happens when package-lock.json is in a merge conflict as well.

$ git rebase origin/master
[..]
CONFLICT (content): Merge conflict in package-lock.json
[..]
$ npm install
npm WARN old lockfile
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile

@lukekarrys lukekarrys added Enhancement new feature or improvement and removed Bug thing that needs fixing Needs Triage needs review for next steps labels Sep 23, 2021
@lukekarrys
Contributor

I agree that this message could be improved in the cases you've laid out. I believe the line about "supplemental metadata must be fetched from the registry." is true for these cases, but the reason "package-lock.json file was created with an old version of npm" should be something more like "no package-lock.json could be found".

@ext
Author

ext commented Sep 24, 2021

[..] should be something more like no package-lock.json could be found.

Possibly but a clean repository without node_modules or package-lock.json produces no message at all.

If I remove node_modules as well as package-lock.json there is also no message.

@SekiBetu

SekiBetu commented Oct 17, 2021

It is possible that package-lock.json in the node_modules folder triggered this warning

@ext
Author

ext commented Oct 17, 2021

It is possible that package-lock.json in the node_modules folder triggered this warning

I'm a bit confused here, is there also a node_modules/package-lock.json that I don't know about?

@lukekarrys lukekarrys added the Priority 2 secondary priority issue label Oct 20, 2021
@lukekarrys
Contributor

I was incorrect in my first comment about the message being necessary in these cases. I just checked and both of these cases (no package-lock and package-lock with conflicts) successfully install without a warning in 8.1.0 and later.

@lukekarrys lukekarrys added Bug thing that needs fixing and removed Enhancement new feature or improvement labels Oct 21, 2021
lukekarrys added a commit to npm/arborist that referenced this issue Oct 22, 2021
Ref: npm/cli#3721

Prior to [this change](c7f2370#diff-a22bf0383032b8f318ebe49a4e41b34bcc98e2c10d18322f619edcd041a27483R333-R334)
reifying with no package-lock or a package-lock with a merge conflict
would result in an old lockfile warning. This adds regression tests to
explicitly test both those scenarios.
lukekarrys added a commit to npm/arborist that referenced this issue Oct 22, 2021
Ref: npm/cli#3721

Prior to [this change](commit) reifying with no package-lock or a package-lock
with a merge conflict would result in an old lockfile warning. This adds
regression tests to explicitly test both those scenarios.

[commit]: c7f2370#diff-a22bf0383032b8f318ebe49a4e41b34bcc98e2c10d18322f619edcd041a27483R333-R334
lukekarrys added a commit to npm/arborist that referenced this issue Oct 22, 2021
Ref: npm/cli#3721

Prior to this change[^1] reifying with no package-lock or a package-lock
with a merge conflict would result in an old lockfile warning. This adds
regression tests to explicitly test both those scenarios.

[^1]: c7f2370#diff-a22bf0383032b8f318ebe49a4e41b34bcc98e2c10d18322f619edcd041a27483R333-R334
@lll000111

lll000111 commented Oct 26, 2021

I read as much as I could find for this message "The package-lock.json file was created with an old version of npm" but not even this issue description here is a complete it.

I get this message EVERY TIME on "npm update". I get it when node_modules and package-lock.json exist.

I get it when I remove (rm -rf) node_modules and package-lock.json and even ~/.npm/ and do a fresh "npm install", then "npm update".

I don't have a merge conflict either.

I get it after following advice I found e.g. on StackOverflow for people asking about this exact message "The package-lock.json file was created with an old version of npm", their advice did not help.

It only happens for npm update. When I npm install foobar (or remove) a package there is no warning.

I'm posting this comment just FYI, I hope this is taken care of with the patch associated with this issue(?).

PS: Oh and it says "This is a one-time fix-up, please be patient..." but it repeats every. single. time. (for npm update)

npm version is 8.1.1

My package.json has

"publishConfig": {
    "registry": "https://npm.pkg.github.com/"
},

Instead of the npm registry, could that have something to do with it? EDIT: Just removed all lines with references to Github in package.json and no change.

"lockfileVersion": 2 (package-lock.json)

EDIT: npm update --loglevel verbose

Log shown up to the point after the message is displayed. Nothing unusual from there.

$ npm update --loglevel verbose
npm verb cli [ '/usr/bin/node', '/usr/bin/npm', 'update', '--loglevel', 'verbose' ]
npm info using npm@8.1.1
npm info using node@v16.12.0
npm timing npm:load:whichnode Completed in 0ms
npm timing config:load:defaults Completed in 1ms
npm timing config:load:file:/usr/lib/node_modules/npm/npmrc Completed in 1ms
npm timing config:load:builtin Completed in 1ms
npm timing config:load:cli Completed in 2ms
npm timing config:load:env Completed in 1ms
npm timing config:load:file:/home/mha/Projects/core/.npmrc Completed in 3ms
npm timing config:load:project Completed in 3ms
npm timing config:load:file:/home/mha/.npmrc Completed in 0ms
npm timing config:load:user Completed in 0ms
npm timing config:load:file:/usr/etc/npmrc Completed in 0ms
npm timing config:load:global Completed in 1ms
npm timing config:load:validate Completed in 0ms
npm timing config:load:credentials Completed in 1ms
npm timing config:load:setEnvs Completed in 1ms
npm timing config:load Completed in 11ms
npm timing npm:load:configload Completed in 12ms
npm timing npm:load:setTitle Completed in 0ms
npm timing npm:load:setupLog Completed in 1ms
npm timing config:load:flatten Completed in 3ms
npm timing npm:load:cleanupLog Completed in 2ms
npm timing npm:load:configScope Completed in 0ms
npm timing npm:load:projectScope Completed in 1ms
npm timing npm:load Completed in 30ms
npm timing arborist:ctor Completed in 1ms
npm timing idealTree:init Completed in 10ms
npm WARN old lockfile 
npm WARN old lockfile The package-lock.json file was created with an old version of npm,
npm WARN old lockfile so supplemental metadata must be fetched from the registry.
npm WARN old lockfile 
npm WARN old lockfile This is a one-time fix-up, please be patient...
npm WARN old lockfile 
npm timing idealTree:inflate Completed in 3ms
npm timing idealTree:userRequests Completed in 0ms
npm timing arborist:ctor Completed in 0ms
npm http fetch GET 200 https://registry.npmjs.org/base64-js 532ms (cache revalidated)
...

My project-local .npmrc only has "//npm.pkg.github.com/:_authToken=..." in it. /home/mha/.npmrc or /usr/etc/npmrc don't exist.
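
An added example (not npm's or arborist's code, and not from any commenter): a small Node.js check that tells apart the lockfile states discussed in this thread (no package-lock.json, one containing merge-conflict markers, and one with a given lockfileVersion), so a CI step can report which applies before `npm install` runs. The function name, state names and sample lockfiles are constructed for illustration.

```javascript
// Added example: classify the state of a package-lock.json before install.
// Function, state names and sample lockfiles are constructed for illustration.

// Git conflict markers always start a line; valid lockfile JSON never does.
const CONFLICT_MARKER = /^(<{7} |={7}\r?$|>{7} )/m;

// text: lockfile contents as a string, or null when the file does not exist.
function classifyLockfile(text) {
  if (text === null) return { state: 'missing' };
  if (CONFLICT_MARKER.test(text)) return { state: 'merge-conflict' };
  let lock;
  try {
    lock = JSON.parse(text);
  } catch (err) {
    return { state: 'invalid-json' };
  }
  if (lock === null || typeof lock !== 'object' || Array.isArray(lock)) {
    return { state: 'invalid-json' };
  }
  // lockfileVersion 1 is written by npm 5 and 6; 2 and 3 by npm 7 and later.
  if (!Number.isInteger(lock.lockfileVersion)) {
    return { state: 'no-lockfile-version' };
  }
  return { state: 'versioned', lockfileVersion: lock.lockfileVersion };
}

// Constructed samples covering the cases reported in the thread.
const SAMPLES = {
  absent: null,
  conflicted: [
    '{',
    '<<<<<<< HEAD',
    '  "lockfileVersion": 2,',
    '=======',
    '  "lockfileVersion": 1,',
    '>>>>>>> origin/master',
    '}',
  ].join('\n'),
  v2: '{"name":"demo","lockfileVersion":2,"requires":true,"packages":{}}',
};

// Optional CLI use: node check-lockfile.js path/to/package-lock.json
if (typeof require === 'function' && process.argv[2]) {
  const fs = require('fs');
  const file = process.argv[2];
  const text = fs.existsSync(file) ? fs.readFileSync(file, 'utf8') : null;
  console.log(file, classifyLockfile(text));
}
```
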

isaacs pushed a commit to npm/arborist that referenced this issue Oct 27, 2021
Ref: npm/cli#3721

Prior to this change[^1] reifying with no package-lock or a package-lock
with a merge conflict would result in an old lockfile warning. This adds
regression tests to explicitly test both those scenarios.

[^1]: c7f2370#diff-a22bf0383032b8f318ebe49a4e41b34bcc98e2c10d18322f619edcd041a27483R333-R334

PR-URL: #341
Credit: @lukekarrys
Close: #341
Reviewed-by: @isaacs