
[Question / Help]: How can we make sure if version in package-lock satisfies the version mentioned in package.json ? #1558

Closed
sathishsoundharajan opened this issue Jul 23, 2020 · 7 comments
Labels
Awaiting Information further information is requested Release 6.x work is associated with a specific npm 6 release

Comments

sathishsoundharajan commented Jul 23, 2020

How can we make sure the version in package-lock satisfies the version mentioned in package.json? Ideally I'm looking at validating this as part of the pre-commit hook.

We have kind of mixed dependencies: some public npm packages and some private packages hosted by github / gitlab / bitbucket, referenced directly with a tag in package.json.

I was previously thinking about using lock-verify, but that still wouldn't solve the problem, because it seems lock-verify won't validate anything which requires a network connection, and also it is being deprecated now.

Refs:
https://stackoverflow.com/questions/45287398/is-there-a-way-to-confirm-a-package-lock-json-actually-resolves-all-dependencies
https://www.npmjs.com/package/lock-verify

@sathishsoundharajan sathishsoundharajan changed the title [Question / Help]: How can i validate the package-lock.json has satisfies the package.json version [Question / Help]: How can we make sure if version in package-lock satisfies the version mentioned in package.json ? Jul 23, 2020
ljharb (Contributor) commented Jul 23, 2020

npm ls

sathishsoundharajan (Author) commented:

@ljharb Thank you. Correct me if I'm wrong, npm ls will only work if node_modules is installed, right?

Case 1:
If I have node_modules installed locally and I just update package.json alone (didn't run npm install), will npm ls throw an error?

Case 2:
If I don't have node_modules installed locally and I just update package.json alone (didn't run npm install), will npm ls identify the issue?

Case 3:
I know it is weird, but if I somehow only updated the version in package-lock.json alone and not in package.json, will npm ls still identify that issue too?

I can run all these use cases locally 👍. Just calling it out here to get your opinion.

ljharb (Contributor) commented Jul 24, 2020

In case 1, yes, it will error. In case 2, it will also error because it requires node_modules to be present. In case 3, yes, it will also identify it, because when a lockfile is present, it largely ignores package.json.

sathishsoundharajan (Author) commented:

@ljharb Thank you once again 👍. Can we somehow validate what npm ls does without needing node_modules? I'm asking this because, let's say we are implementing CI / CD for a Node.js application. Running npm ls after waiting for all the node_modules to get installed and then validating is kind of time consuming, right?

If there is no way to validate without node_modules, can we have a feature like that? Is it worth it for the community?

ljharb (Contributor) commented Jul 24, 2020

You always need node_modules. Since you need them installed for any meaningful CI also, I don't see why it adds time.

noahbrenner commented:

@sathishsoundharajan Assuming your CI/CD setup needs to install dependencies at some point in its workflow (it would be weird if it didn't), you might want to run npm ci instead of npm install in your CI/CD scripts. That will install only the exact versions defined in package-lock.json, it will give an error if they are incompatible with package.json, and it's faster than npm install because it doesn't have to calculate compatible versions of dependencies.
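The pre-commit check the question asks for, as an added example that is not part of this thread and not npm's own code: a Node script that compares the top-level dependencies in package-lock.json against the ranges in package.json without node_modules being present. It understands only a small subset of semver range syntax (exact, caret, tilde) and compares git/URL specs literally against the lock entry's `from` field; the manifest and lock objects are constructed inline, and the lockfileVersion 1 layout with a `from` field on git dependencies is an assumption about npm 6 lockfiles. For full range semantics the `semver` package's `satisfies()` should replace the `satisfies` helper here.

```javascript
// Added example, not code from the issue thread or from npm.
// Constructed sample manifest: mixed registry and git dependencies,
// as described in the question.
const PACKAGE_JSON = {
  dependencies: {
    lodash: '^4.17.15',
    express: '~4.17.0',
    'left-pad': '1.3.0',
    'my-private-lib': 'github:example-org/my-private-lib#v2.1.0',
  },
};

// Constructed sample lockfile (lockfileVersion 1 layout, assumed for npm 6).
// express violates its tilde range and left-pad is missing entirely.
const PACKAGE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    lodash: { version: '4.17.19' },
    express: { version: '4.18.1' },
    'my-private-lib': {
      version: 'github:example-org/my-private-lib#0123abc0123abc0123abc0123abc0123abc01234',
      from: 'github:example-org/my-private-lib#v2.1.0',
    },
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; returns null for anything else.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}

// Subset of semver range matching: exact, ^ (caret) and ~ (tilde) ranges.
// Non-semver specs (git:, github:, http(s):, file:) are compared literally.
function satisfies(range, version) {
  if (!/^[\^~]?\d/.test(range)) return range === version;
  const op = /^[\^~]/.test(range) ? range[0] : '';
  const want = parseVersion(op ? range.slice(1) : range);
  const have = parseVersion(version);
  if (!want || !have) return false;
  if (op === '') return want.every((n, i) => n === have[i]);
  // Lower bound: the locked version must be >= the range's base version.
  const firstDiff = have.map((n, i) => n - want[i]).find((d) => d !== 0);
  if (firstDiff !== undefined && firstDiff < 0) return false;
  if (op === '~') return have[0] === want[0] && have[1] === want[1];
  // Caret: the leftmost non-zero component of the base version is fixed.
  if (want[0] !== 0) return have[0] === want[0];
  if (want[1] !== 0) return have[0] === 0 && have[1] === want[1];
  return have[0] === 0 && have[1] === 0 && have[2] === want[2];
}

// Returns a list of problems; an empty list means the lock agrees with the manifest.
function checkLock(pkg, lock) {
  const problems = [];
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const locked = lock.dependencies || {};
  for (const [name, range] of Object.entries(declared)) {
    const entry = locked[name];
    if (!entry) {
      problems.push(`${name}: missing from package-lock.json`);
      continue;
    }
    // Git/URL deps record the original spec in `from` (assumed npm 6 layout);
    // registry deps record the resolved semver in `version`.
    const isSemver = /^[\^~]?\d/.test(range);
    const actual = isSemver ? entry.version : (entry.from || entry.version);
    if (!satisfies(range, actual)) {
      problems.push(`${name}: locked ${actual} does not satisfy ${range}`);
    }
  }
  return problems;
}

const found = checkLock(PACKAGE_JSON, PACKAGE_LOCK);
for (const p of found) console.error(p);
console.log(found.length === 0 ? 'lockfile consistent with package.json' : `${found.length} problem(s)`);
```

In a real hook, replace the constructed objects with `JSON.parse(fs.readFileSync('package.json', 'utf8'))` and the same for package-lock.json, and exit non-zero when the returned list is not empty. This catches only top-level drift between the two files; it does not verify transitive dependencies or that the lock matches what is actually on disk, which is what npm ls and npm ci check.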

@darcyclarke darcyclarke added Awaiting Information further information is requested Release 6.x work is associated with a specific npm 6 release labels Oct 30, 2020
darcyclarke (Contributor) commented:

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.

Closing: This is an automated message.
