Next.js incorrectly patches package-lock.json version 3

Verify canary release

  • I verified that the issue exists in Next.js canary release

Provide environment information

Operating System:
  Platform: linux
  Arch: x64
  Version: #202204271406~1651504840~22.04~63e51bd SMP PREEMPT Mon May 2 15:
Binaries:
  Node: 16.15.0
  npm: 8.9.0
  Yarn: 1.22.18
  pnpm: N/A
Relevant packages:
  next: 12.1.6
  react: 18.1.0
  react-dom: 18.1.0

What browser are you using? (if relevant)

No response

How are you deploying your application? (if relevant)

No response

Describe the Bug

There are 3 package-lock.json versions. Version 1 uses the dependencies field. Version 3 uses the packages field. Version 2 combines both for backwards compatibility.

Next.js assumes the dependencies field as the source of truth with a fallback to an empty object, but this is absent in package-lock.json version 3. It will then make unnecessary requests to the npm registry and wrongfully strip the dev field for each dependency.

The logic for this is in packages/next/lib/patch-incorrect-lockfile.ts.

Expected Behavior

Next.js patches the lockfile packages field only if the packages field is incomplete and does not make unnecessary requests.

To Reproduce

recma-nextjs-static-props is a minimal Next.js project and can be used as a project. Clone it, regenerate the lockfile, and git add it:

git clone git@github.com:remcohaszing/recma-nextjs-static-props.git
cd recma-nextjs-static-props
rm package-lock.json
npm install
git add .

Now run npm run dev to see the lockfile is being changed by Next.js.

npm run dev
git diff

Issue Analytics

  • State: closed
  • Created a year ago
  • Comments: 7 (4 by maintainers)
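
The lockfile layouts described in the issue, as an added example that is not part of the original issue or the Next.js code base. The sample lockfiles are constructed and the function names (`naiveCount`, `lockedPackages`, `strippedDevFlags`) are hypothetical; it shows a `dependencies`-only read finding nothing in a version 3 lockfile, a version-aware read, and a check for `dev` flags removed by a tool that rewrote the lockfile.

```javascript
// Constructed sample lockfiles (illustrative, not from a real project).
const lockV1 = {
  lockfileVersion: 1,
  dependencies: {
    next: { version: "12.1.6" },
    typescript: { version: "4.6.4", dev: true },
  },
};
const lockV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" }, // root project entry, not a dependency
    "node_modules/next": { version: "12.1.6" },
    "node_modules/typescript": { version: "4.6.4", dev: true },
  },
};

// The assumption described in the issue: only `dependencies`, else {}.
function naiveCount(lock) {
  return Object.keys(lock.dependencies || {}).length;
}

// Version-aware read: Map of install path -> { version, dev }.
function lockedPackages(lock) {
  const found = new Map();
  const add = (path, meta) =>
    found.set(path, { version: meta.version, dev: meta.dev === true });
  if (lock.packages) {
    // Versions 2 and 3: flat map keyed by install path.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path !== "") add(path, meta);
    }
    return found;
  }
  // Version 1: nested tree keyed by package name.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      add(`${prefix}node_modules/${name}`, meta);
      walk(meta.dependencies, `${prefix}node_modules/${name}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Paths whose `dev: true` flag is gone after a tool rewrote the lockfile.
function strippedDevFlags(before, after) {
  const b = lockedPackages(before), a = lockedPackages(after);
  return [...b].filter(([p, m]) => m.dev && a.has(p) && !a.get(p).dev).map(([p]) => p);
}
```

Running `strippedDevFlags` on the committed lockfile and the working-tree copy in CI flags this kind of silent rewrite before it is committed.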

Top GitHub Comments

1 reaction
ijjk commented, May 17, 2022

Hi, this has been updated in v12.1.7-canary.7 of Next.js, please update and give it a try!

1 reaction
ijjk commented, May 16, 2022

I opened a PR here https://github.com/vercel/next.js/pull/36959 to ensure the different lockfile versions are handled. Thanks @remcohaszing for describing the differences there. I also added an env variable NEXT_IGNORE_INCORRECT_LOCKFILE to allow skipping this check altogether.
