Skip to content
This repository has been archived by the owner. It is now read-only.

`npm install` modifies `package-lock`! (changes resolved url protocol!) #20106

ggarek opened this issue Mar 20, 2018 · 3 comments


None yet
5 participants
Copy link

commented Mar 20, 2018

I'm opening this issue because:

  • npm is crashing.
  • npm is producing an incorrect install.
  • npm is doing something I don't understand.
  • Other (see below for feature requests):

What's going wrong?

npm install modifies package-lock.js, a package url protocol is being changes https -> http! 😱

➜ npm i
up to date in 9.829s
diff --git a/package-lock.json b/package-lock.json
index 48b5fca..14aaf49 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -660,7 +660,7 @@
         "cacache": {
           "version": "10.0.4",
-          "resolved": "",
+          "resolved": "",
           "integrity": "sha512-Dph0MzuH+rTQzGPNT9fAnrPmMmjKfST6trxJeK7NQuHRaVw24VzPRWTmg9MpcwOVQZO0E1FBICUlFeNaKPIfHA==",
           "dev": true,
           "requires": {

How can the CLI team reproduce the problem?

supporting information:

  • npm -v prints: 5.7.1
  • node -v prints: v8.9.3
  • npm config get registry prints:
  • Windows, OS X/macOS, or Linux?: macOS
  • Network issues:
    • Geographic location where npm was run:
    • I use a proxy to connect to the npm registry.
    • I use a proxy to connect to the web.
    • I use a proxy when downloading Git repos.
    • I access the npm registry via a VPN
    • I don't use a proxy, but have limited or unreliable internet access.
  • Container:
    • I develop using Vagrant on Windows.
    • I develop using Vagrant on OS X or Linux.
    • I develop / deploy using Docker.
    • I deploy to a PaaS (Triton, Heroku).

@KenanY KenanY added the npm5 label Mar 20, 2018


This comment has been minimized.

Copy link

commented Mar 23, 2018

I noticed the same problem with npm 5.7.1 and node 9.8.0 but haven't been able to reproduce it after upgrading npm to 5.8.0


This comment has been minimized.

Copy link

commented Apr 5, 2018

I'm hitting this with npm 5.6.0 that ships with node.js 8 LTS.

If this is a fixed issue, the fix should be backported or update npm for the LTS releases too.


This comment has been minimized.

Copy link

commented Apr 24, 2018

I experienced this issue for npm 5.8.0, node v8.9.4. (I've just upgraded npm to resolve the integrity issue, but then the resolved url's began changing randomly).

The problem has been solved after performing the steps from #16938 (comment) :

$ rm -rf node_modules/
$ npm cache clean --force
(Revert the changes in your package-lock.json file)
$ npm i

I hope this may help to someone.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
You can’t perform that action at this time.