Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

npm will not upgrade transient dependencies if you have a lockfile. All the `forzen-lockfile` or `npm ci` commands does is prevent upgrades if you have incompatible versions specified inside of `package.json`, which should never happen unless you have manually edited the `package.json` dependencies by hand.

(It also removed all untracked dependencies in node_modules, which you should also never have unless you've done something weird.)



I'm not sure when that behaviour might have changed, but I have seen it do so. Same with yarn when not specifying a frozen lockfile.

I switched to pnpm as my preferred package manager a couple of years ago because of this, and even that still requires explicit specification.

It was an unpleasant surprise, to say the least.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: