Auto maintenance of package-lock.json #436

Closed
greysteil opened this issue Apr 27, 2018 · 10 comments

@greysteil
Contributor

From @ybiquitous on March 29, 2018 7:49

Hi.

Running the npm install command after merging several pull requests may cause package-lock.json to be updated.

For example, this is a diff in a pull request to bump the @types/react package.

package-lock.json:

       }
     },
     "@types/history": {
       "version": "3.2.2",
       "resolved": "https://registry.npmjs.org/@types/history/-/history-3.2.2.tgz",
       "integrity": "sha512-DMvBzeA2dp1uZZftXkoqPC4TrdHlyuuTabCOxHY6EAKOJRMaPVu8b6lvX0QxEGKZq3cK/h3JCSxgfKmbDOYmRw=="
     },
     "@types/jest": {
       "version": "22.2.2",
       "resolved": "https://registry.npmjs.org/@types/jest/-/jest-22.2.2.tgz",
       "integrity": "sha512-Dt7aifQmvMPTLVimzvfQ99qUn4zeSDCQarFNV4otfDLYu0RFdSRBnqSLgksoAnsRL88xJ/UBKbd66iP2XIab0w=="
     },
     "@types/jquery": {
       "version": "2.0.49",
       "resolved": "https://registry.npmjs.org/@types/jquery/-/jquery-2.0.49.tgz",
       "integrity": "sha512-/9xLnYmohN/vD2gDnLS4cym8TUmrJu7DvZa/LELKzZjdPsvWVJiedsdu2SXNtb/DA7FGimqL2g0IoyhbNKLl8g=="
     },
     "@types/node": {
       "version": "9.4.0",
       "resolved": "https://registry.npmjs.org/@types/node/-/node-9.4.0.tgz",
       "integrity": "sha512-zkYho6/4wZyX6o9UQ8rd0ReEaiEYNNCqYFIAACe2Tf9DrYlgzWW27OigYHnnztnnZQwVRpwWmZKegFmDpinIsA=="
     },
     "@types/react": {
-      "version": "15.6.14",
-      "resolved": "https://registry.npmjs.org/@types/react/-/react-15.6.14.tgz",
-      "integrity": "sha512-k6YJBmHfzkCtk3iT6aN2hclkPYL2fxlSc3dW//G2kENlmMJ/V+pKhqsHdJJeVluIi1bA296cCLLGATLm7WXToQ=="
+      "version": "15.6.15",
+      "resolved": "https://registry.npmjs.org/@types/react/-/react-15.6.15.tgz",
+      "integrity": "sha512-LOHbyeKRNYLEotniN3DlRGrpXorXupvFSbKrNzc9dZ87uL+IJDbGYVerxKaG1jbnhuc7RhEWxlNmUVtYm3mtNg=="
     },
     "@types/react-addons-css-transition-group": {
       "version": "15.0.4",
       "resolved": "https://registry.npmjs.org/@types/react-addons-css-transition-group/-/react-addons-css-transition-group-15.0.4.tgz",
       "integrity": "sha512-EuXs9guHCwGZ13LJrh4i+mXjFINhgw9c8zDS4GLOIUtSGl9YPnRSGW2Po7p0M8X1SUvfwJMcihTgDLyztoJZvA==",
       "requires": {
         "@types/react": "15.6.14",
         "@types/react-addons-transition-group": "15.0.2"
       }
     },
     "@types/react-addons-transition-group": {
       "version": "15.0.2",
       "resolved": "https://registry.npmjs.org/@types/react-addons-transition-group/-/react-addons-transition-group-15.0.2.tgz",
       "integrity": "sha512-dMYJX0sVHKrzb279jUZF5Xb3Aaw4eyC19LdB30TPVc6KaFz3dxBkKMy6VHB3MfhqlgHiHO6GWcr2B3JezEkcrw==",
       "requires": {
         "@types/react": "15.6.14"
       }
     },
     "@types/react-dom": {
       "version": "15.5.7",
       "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-15.5.7.tgz",
       "integrity": "sha512-XGLjgNtPnBuO1cITYWZAk4KbH0UEDqMg2kuG3xx0UgnrcSd6ijO57Fp9rimmrDKcBnx3b2vFQuEYRXu2GihRYQ==",
"requires": {
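
Review bot: the `@types/react` entry moves to 15.6.15, but the `requires` blocks of `@types/react-addons-css-transition-group` and `@types/react-addons-transition-group` in the unchanged context still pin `"@types/react": "15.6.14"`, so the committed lockfile disagrees with itself. The bump should rewrite every `requires` reference to `@types/react` in the same change, so that a later install does not produce a follow-up diff.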

Then, npm install was run:

       "integrity": "sha512-spu+IYTIxDaaRBP12eYCpFJNQwtANX1ZxxXLk8SaCVjZnNUaIPtY7ek6ATdn5GykIf/E7L2lWnC3gQUl5b8kpQ==",
       "requires": {
         "@types/cheerio": "0.22.7",
-        "@types/react": "15.6.14"
+        "@types/react": "15.6.15"
       }
     },
     "@types/enzyme-adapter-react-15": {
@@ -123,7 +123,7 @@
       "resolved": "https://registry.npmjs.org/@types/react-addons-css-transition-group/-/react-addons-css-transition-group-15.0.4.tgz",
       "integrity": "sha512-EuXs9guHCwGZ13LJrh4i+mXjFINhgw9c8zDS4GLOIUtSGl9YPnRSGW2Po7p0M8X1SUvfwJMcihTgDLyztoJZvA==",
       "requires": {
-        "@types/react": "15.6.14",
+        "@types/react": "15.6.15",
         "@types/react-addons-transition-group": "15.0.2"
       }
     },
@@ -132,23 +132,23 @@
       "resolved": "https://registry.npmjs.org/@types/react-addons-transition-group/-/react-addons-transition-group-15.0.2.tgz",
       "integrity": "sha512-dMYJX0sVHKrzb279jUZF5Xb3Aaw4eyC19LdB30TPVc6KaFz3dxBkKMy6VHB3MfhqlgHiHO6GWcr2B3JezEkcrw==",
       "requires": {
-        "@types/react": "15.6.14"
+        "@types/react": "15.6.15"
       }
     },
     "@types/react-dom": {
       "version": "15.5.7",
       "resolved": "https://registry.npmjs.org/@types/react-dom/-/react-dom-15.5.7.tgz",
       "integrity": "sha512-XGLjgNtPnBuO1cITYWZAk4KbH0UEDqMg2kuG3xx0UgnrcSd6ijO57Fp9rimmrDKcBnx3b2vFQuEYRXu2GihRYQ==",
       "requires": {
-        "@types/react": "15.6.14"
+        "@types/react": "15.6.15"
       }
     },
     "@types/react-redux": {
       "version": "4.4.47",
       "resolved": "https://registry.npmjs.org/@types/react-redux/-/react-redux-4.4.47.tgz",
       "integrity": "sha512-wyFTmLtEymHCjOmVVvsbNqJaGM9Q0x6sZTQfz4XkDj06P8Xe+ys9wKSQHx2Jt9J5Mi7HZnGcJaMFktn60sXluw==",
       "requires": {
-        "@types/react": "15.6.14",
+        "@types/react": "15.6.15",
         "redux": "3.7.2"
       }
     },
@@ -158,7 +158,7 @@
       "integrity": "sha512-wEnsWwUL5fMWO3txfkh2Js3rIObaDdEcOu6hdVRYz7YXzIG9P89jG5R8PVTiH7lXSyo6+/OamNHWPHtgkB9mhg==",
       "requires": {
         "@types/history": "3.2.2",
-        "@types/react": "15.6.14"
+        "@types/react": "15.6.15"
       }
     },
     "@types/react-router-redux": {
@@ -8061,7 +8061,8 @@
     "nan": {
       "version": "2.8.0",
       "resolved": "https://registry.npmjs.org/nan/-/nan-2.8.0.tgz",
-      "integrity": "sha1-7XFfP+neArV6XmJS2QqWZ14fCFo="
+      "integrity": "sha1-7XFfP+neArV6XmJS2QqWZ14fCFo=",
+      "optional": true
     },
     "nanomatch": {
       "version": "1.2.7",
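
Review bot: the added `"optional": true` on `nan` is unrelated to the `@types/react` bump and should not ride along with it; confirm which dependent marks `nan` as optional and commit that change on its own. The `nan` entry's `integrity` is also a `sha1-` value, whereas the `@types/*` entries above use `sha512-`, so it is worth checking whether a stronger digest is available for it.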

Can such package-lock.json updates be done automatically by dependabot?

For example, always run npm install after merging, then open a pull request if there are updates.

Thanks.

Copied from original issue: dependabot/feedback#113
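
The inconsistency reported above can be caught before merge. The following is an added example, not code from Dependabot or from the original post: a check that walks a lockfile and reports `requires` pins that disagree with the locked version. It assumes the npm 5 lockfile format shown in the diff (lockfileVersion 1 with exact versions in `requires`); the sample lockfile and the function names are constructed for illustration.

```javascript
// Constructed sample mirroring the state after the bump PR: the @types/react
// entry is 15.6.15, but one dependent still requires 15.6.14.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    "@types/react": { version: "15.6.15" },
    "@types/react-dom": { version: "15.5.7", requires: { "@types/react": "15.6.14" } },
    "@types/react-redux": {
      version: "4.4.47",
      requires: { "@types/react": "15.6.15", redux: "3.7.2" },
    },
    redux: { version: "3.7.2" },
    // A nested copy legitimately satisfies a different pin; it must not be flagged.
    legacy: {
      version: "1.0.0",
      requires: { redux: "3.6.0" },
      dependencies: { redux: { version: "3.6.0" } },
    },
  },
};

// Resolve `name` from the nearest enclosing "dependencies" map outwards.
function resolve(name, scopes) {
  for (let i = scopes.length - 1; i >= 0; i--) {
    if (Object.prototype.hasOwnProperty.call(scopes[i], name)) {
      return scopes[i][name].version;
    }
  }
  return null; // not locked anywhere
}

// Walk every entry and report requires pins that differ from the locked version.
function findStaleRequires(lock) {
  const stale = [];
  const walk = (deps, scopes, path) => {
    for (const [name, entry] of Object.entries(deps)) {
      const inner = entry.dependencies ? [...scopes, entry.dependencies] : scopes;
      for (const [req, pinned] of Object.entries(entry.requires || {})) {
        const locked = resolve(req, inner);
        if (locked !== pinned) stale.push({ dependent: path + name, requires: req, pinned, locked });
      }
      if (entry.dependencies) walk(entry.dependencies, inner, path + name + " > ");
    }
  };
  const top = lock.dependencies || {};
  walk(top, [top], "");
  return stale;
}

console.log(findStaleRequires(sampleLock));
```

Run against a real lockfile by passing `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result in CI means the lockfile will change on the next install.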

@greysteil
Contributor Author

Thanks for the heads up - I'll take a look. Which version of npm are you running?

@greysteil
Contributor Author

From @ybiquitous on March 29, 2018 7:52

Versions:

  • npm: 5.8.0
  • node: 9.10.0

Thanks for the quick response!

@greysteil
Contributor Author

👍, and don't thank me until I've fixed it! 😉

@greysteil
Contributor Author

I think this should now be fixed 🎉. Please let me know if you see it again, though.

@greysteil
Contributor Author

From @ybiquitous on March 30, 2018 2:8

Thank you very much! 😄 👍

@michaelglass
Contributor

Howdy. I see that sometimes dependabot commits a lock file that changes when run locally or in CI. E.g. the addition of "optional" flags. Do you know where those come from / how we can keep our lock file moving less?

@greysteil
Contributor Author

@michaelglass - looks like this is the same issue as dependabot/feedback#197, so let's move the discussion there.

The tl;dr, however, is that I think this is an npm bug, and I'm not sure there's much we can do about it in Dependabot 😢

@nikolas

nikolas commented Sep 26, 2019

Is there a way to disable the "Update package-lock.json with dependabot" feature? Pull requests that only update the package-lock, like this: https://github.com/ccnmtl/astro-simulations/pull/649/files aren't useful to me.

@Omzig

Omzig commented Oct 13, 2022

Is there a way to disable the "Update package-lock.json with dependabot" feature? Pull requests that only update the package-lock, like this: https://github.com/ccnmtl/astro-simulations/pull/649/files aren't useful to me.

Did you ever figure this out? @nikolas

@deivid-rodriguez
Contributor

In the example above, it was because the user had the increase-if-necessary versioning strategy enabled, which avoids updating package.json unless necessary. So in that PR, only the lockfile was updated. If you never want PRs that only update the lockfile, you should use the increase strategy, so you also get the package.json file updated.
