So I created a project named 'project' and did
npm install --save vue-extra@1.0.0
and cloned it three times so there's 'projectclone1', 'projectclone2' and 'projectclone3'
projectclone1
In projectclone1 I have the same package.json and package-lock.json as the original project (which means I did not change anything manually) and I ran
npm install
so it installed the same version as the original, that is v1.0.0 of vue-extra
projectclone2
In projectclone2 I also had the same package.json and package-lock.json, but here instead of doing
npm install
I did
npm install --save vue-extra
which updated the package, changing the package.json and package-lock.json, so it installed the latest version, that is v1.1.4 of vue-extra
projectclone3
In projectclone3 I opened package.json and manually changed vue-extra:"^1.0.0" to "^1.1.4" and did
npm install
Here, since I updated package.json, npm considered package.json as a matter of truth and installed v1.1.4 of vue-extra, and it also updated package-lock.json to v1.1.4
So if your package.json is somehow changed or updated and the version in package.json does not match the version in package-lock.json, then it will install the version from package.json and will update the package-lock.json accordingly.
I hope this clears up everything
Thanks for reading and asking this question.
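The projectclone1 and projectclone3 outcomes above can be checked before running npm install. The following is an added example, not code from the thread or from npm: it flags dependencies whose locked version no longer satisfies the range in package.json, which is the case where the lock file gets rewritten. The function names are hypothetical, and it assumes the npm v6 lock layout and only exact or caret ranges.

```javascript
// Assumptions (added example): npm v6 lock layout, lock.dependencies[name].version;
// only exact versions and caret ranges ("^1.0.0") are judged, other syntax is skipped.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? m.slice(1).map(Number) : null;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Caret rule: the first non-zero component is fixed, later ones may increase.
function satisfies(version, range) {
  const v = parseVersion(version);
  const caret = range.startsWith("^");
  const base = parseVersion(caret ? range.slice(1) : range);
  if (!v || !base) return null; // unsupported syntax: no verdict
  if (!caret) return compare(v, base) === 0;
  const upper = [0, 0, 0];
  const i = base.findIndex((n) => n !== 0);
  const pos = i === -1 ? 2 : i;
  for (let k = 0; k < pos; k++) upper[k] = base[k];
  upper[pos] = base[pos] + 1; // exclusive upper bound, e.g. ^1.1.4 -> <2.0.0
  return compare(v, base) >= 0 && compare(v, upper) < 0;
}

// Returns the dependencies for which `npm install` would not keep the locked version.
function findLockDrift(pkg, lock) {
  const declared = { ...pkg.dependencies, ...pkg.devDependencies };
  const drift = [];
  for (const [name, range] of Object.entries(declared)) {
    const locked = lock.dependencies?.[name]?.version;
    if (locked === undefined) {
      drift.push({ name, range, locked: null }); // declared but never locked
    } else if (satisfies(locked, range) === false) {
      drift.push({ name, range, locked });
    }
  }
  return drift;
}

// Constructed inputs mirroring the thread: lock at 1.0.0, clone1 and clone3 manifests.
const lockAt100 = { dependencies: { "vue-extra": { version: "1.0.0" } } };
const clone1 = { dependencies: { "vue-extra": "^1.0.0" } };
const clone3 = { dependencies: { "vue-extra": "^1.1.4" } };
console.log("clone1 drift:", findLockDrift(clone1, lockAt100));
console.log("clone3 drift:", findLockDrift(clone3, lockAt100));
```

A non-empty result in review or CI means the committed lock file no longer describes what will be installed, so the resolved versions should be re-reviewed before the change is merged.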
Interesting, thanks for taking the time to run those tests!
Out of curiosity, what version of NPM are you using? I think some of the confusion is that behavior changed at some point. So, depending on what version various team members are on, they see different actions.
See this S.O. post for an example of the confusion - stackoverflow.com/questions/450220...
I am using v6.11.2, and yes, you are right, the behavior had some issues and some changes during v5.x.x, but now I guess almost all of them are fixed, so v6 has been pretty stable about the behavior of package-lock.json
In the same stackoverflow answer I found this link to the issue github.com/npm/npm/issues/17979#is... which I found pretty useful.