Different runs generate different package-lock.json on npm 7.5.3 #2810

Closed
palbrecht1 opened this issue Mar 2, 2021 · 7 comments
Labels: Bug (thing that needs fixing), Priority 1 (high priority issue), Release 7.x (work is associated with a specific npm 7 release)


@palbrecht1

Current Behavior:

I have a Node project with some packages, nothing fancy:

"dependencies": {
        "asana": "^0.18.5",
        "axios": "^0.21.1",
        "body-parser": "^1.19.0",
        "cors": "^2.8.5",
        "dogapi": "^2.8.3",
        "express": "^4.17.1",
        "faker": "^5.4.0",
        "git-last-commit": "^1.0.0",
        "google-spreadsheet": "^3.1.15",
        "googleapis": "^67.1.0",
        "mysql": "^2.18.1",
        "mysql2": "^2.2.5",
        "pg": "^8.5.1",
        "pg-hstore": "^2.3.3",
        "sequelize": "^6.5.0",
        "sequelize-cli": "^6.2.0",
        "statuscake": "^0.0.1",
        "statuscakejs": "^0.0.4"
      }

I delete the node_modules folder and the package-lock.json file and then run npm install to have a fresh install on my dev machine (Windows with WSL2).
I then push my code (including package-lock.json) to GitHub and pull that code automatically from a staging server, running Ubuntu 20.04.2.0 LTS.
My deployment script is quite simple and looks like this:

git pull
npm install

At this stage, git pull fails because my previous npm install changed the package-lock.json file on the staging environment and I'm not forcing a pull.

When I do a `git diff` to see what's going on in the staging environment, this is what I get:

diff --git a/package-lock.json b/package-lock.json
index 3d7eb87..760d33b 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -5,6 +5,7 @@
   "requires": true,
   "packages": {
     "": {
+      "name": "my_package_name",
       "version": "1.0.0",
       "license": "ISC",
       "dependencies": {

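Review bot: the single added line, "name": "my_package_name" on the root "" entry under "packages", shows npm install on staging rewriting a tracked file, and that rewrite is what blocks the next git pull. Within the visible lines no dependency entry changes, so the drift is root metadata only. A deploy step that should never write to the lockfile can run npm ci in place of npm install, since npm ci installs from package-lock.json without rewriting it.
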
It seems the Ubuntu npm is adding "name":"my_package_name" in package-lock.json but not my Windows npm. They're both on the same version though!

Expected Behavior:

I expect package-lock.json file not to be changed.

Steps To Reproduce:

Create a new project using Windows 10, npm 7.5.3, npm install the dependencies above, push to a git server, pull from a remote Ubuntu 20.04.2.0 environment and npm install it. Do it twice to get the error.

Environment:

  • OS: Ubuntu 20.04
  • Node: 15.10.0
  • npm: 7.5.3
@palbrecht1 palbrecht1 added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Mar 2, 2021
@ljharb
Contributor

ljharb commented Mar 3, 2021

What happens with npm v7.6.0?

@darcyclarke darcyclarke added Priority 1 high priority issue and removed Needs Triage needs review for next steps labels Apr 16, 2021
@ruyadorno ruyadorno self-assigned this Apr 26, 2021
@gavinsharp

Seems related to #2700?

@ruyadorno
Contributor

thanks for linking that issue @gavinsharp - it def looks to be related!

@sidonath

sidonath commented Apr 30, 2021

FWIW, we see this (or a similar?) problem when running npm install for the same project in directories with different names (on same or different machines).

We can trigger this issue in the following way:

  1. A project "foo" has "name": "foo" specified in package.json and in package-lock.json
  2. Clone the project into bar
  3. Run npm install
  4. package-lock.json is unchanged
  5. Clone the project into foo
  6. Run npm install
  7. package-lock.json is now changed, the line with "name": "foo" is missing
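
Added example, not part of the thread or of npm's code: a Node.js check that compares two parsed package-lock.json objects and reports whether they differ only in the root entry's "name" (the line added in the diff in the original post and the line that goes missing in the steps above) or in anything that needs review. The function name, verdict strings and sample lockfiles are assumptions constructed for illustration; only the "packages" map is inspected.

```javascript
// Added example: classify drift between two parsed package-lock.json objects
// (lockfileVersion 2 layout, "packages" map only). Names here are hypothetical.
function classifyLockDrift(before, after) {
  const a = before.packages || {};
  const b = after.packages || {};
  const findings = [];
  for (const path of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (!(path in a) || !(path in b)) {
      // An entry present on one side only means the installed tree differs.
      findings.push({ path, field: null, kind: 'review' });
      continue;
    }
    const fields = new Set([...Object.keys(a[path]), ...Object.keys(b[path])]);
    for (const field of fields) {
      // JSON.stringify is key-order sensitive; a reordered object is flagged
      // for review rather than silently accepted.
      if (JSON.stringify(a[path][field]) === JSON.stringify(b[path][field])) continue;
      // Only the root entry's "name" (the line in the issue's diff) is benign.
      const kind = path === '' && field === 'name' ? 'root-name' : 'review';
      findings.push({ path, field, kind });
    }
  }
  let verdict = 'identical';
  if (findings.length > 0) {
    verdict = findings.every((f) => f.kind === 'root-name') ? 'root-name-only' : 'needs-review';
  }
  return { verdict, findings };
}

// Constructed sample lockfile; the integrity strings are placeholders, not real hashes.
function sampleLock(rootExtra, expressIntegrity) {
  return {
    lockfileVersion: 2,
    requires: true,
    packages: {
      '': { ...rootExtra, version: '1.0.0', license: 'ISC', dependencies: { express: '^4.17.1' } },
      'node_modules/express': {
        version: '4.17.1',
        resolved: 'https://registry.npmjs.org/express/-/express-4.17.1.tgz',
        integrity: expressIntegrity,
      },
    },
  };
}

const dev = sampleLock({}, 'sha512-PLACEHOLDER-A');
const staging = sampleLock({ name: 'my_package_name' }, 'sha512-PLACEHOLDER-A');
const swapped = sampleLock({ name: 'my_package_name' }, 'sha512-PLACEHOLDER-B');
console.log(classifyLockDrift(dev, staging).verdict);
console.log(classifyLockDrift(dev, swapped).verdict);
```

In a deployment pipeline the two inputs would be the committed lockfile and the one left on disk after install, each read with JSON.parse.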

@gavinsharp
Copy link

@sidonath I think that's likely a different issue (#2264)

@wraithgar
Member

This was fixed in 7.20.6 (always set name on the root node) https://github.com/npm/cli/releases/tag/v7.20.6

@sahin52

sahin52 commented Oct 4, 2024

Is this still the case for somebody else? When I delete package-lock and node_modules, I sometimes get a completely different package-lock file. I use specific versions in package.json, and I also use the latest versions of packages. For example:
[image]
And this happened not just once.
