Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

installing @vue/cli-service flipflops the lockfile

See original GitHub issue

Version

4.5.7

Reproduction link

https://github.com/doppelreim/install-vue-cli-service

Environment info

vue is not involved - only package `@vue/cli-service`. I did this to zero in on the issue.

Steps to reproduce

I used a container for the dev-environment (node and npm) (see README).

Run npm install

Bonus steps:

Delete directory node_modules
Run npm install
Repeat
Observe that the lockfile flipflops between two states

What is expected?

File package-lock.json should not be changed.

What is actually happening?

File package-lock.json is changed.

I documented the whole investigation in the README of the repro-repo.

We ran into this bug at work, because different developers are constantly getting unexpected changes to file package-lock.json. This creates uncertainty and confusion and makes reviews harder.

Issue Analytics

State:
Created 3 years ago
Comments:6 (1 by maintainers)

Top GitHub Comments

1reaction

doppelreimcommented, Oct 16, 2020

I reported the issue to npm as well.

I could imagine that the behaviour might be caused by the optional dependency on a second/different version of package vue-loader (https://github.com/vuejs/vue-cli/blob/dev/packages/%40vue/cli-service/package.json#L83). Because the packages that get shifted around in the lockfile are dependencies of that one, if I remember correctly.

My understanding of npm ci was, that it is intended to be used on CI?

0reactions

mickspcommented, Jun 16, 2021

@doppelreim - i see your question on npm got closed. I’m facing the same issue. I don’t see any reason for npm install to ever change the lock file. That should never happen imho. I have a local build using npm 6.14.12 - no problems. Than on the production server, using the same version, it changes my package-lock - making the git checkout ‘changed’. It only changes the order of entries. Why? Why is there code in npm install that is even able to change the package-lock? I’m currently not upgrading to V7 on my prod server, that might have too many effects on other applications. So as a fix for now after build in production (end of my CI/CD chain) i do a quick git checkout . to revert. One difference: in prod i use vue-cli buildvue-cli build in development it’s vue-cli-service build --mode development could that explain this behavior maybe?