npm install-ing Wagtail creates undesired changes in package-lock.json
Initially reported by @gasman in https://github.com/wagtail/wagtail/pull/3773#issuecomment-325625388.
Issue Summary
On a fresh npm install, npm updates the package-lock.json file depending on the context the command is run in. Those changes to the lockfile reflect which packages were installed, which can differ because of:
- A difference in package versions available, if the package.json uses ranges (https://github.com/npm/npm/issues/16866, https://github.com/npm/npm/issues/17979, https://github.com/npm/npm/issues/18103).
- A difference in the install environment (e.g. installing on a different OS than the one the lockfile was created in). This is https://github.com/npm/npm/issues/17722, https://github.com/npm/npm/issues/18135.
In practice, this is problematic because it creates unnecessary file changes to deal with.
Steps to Reproduce
- Run npm install on a Linux machine, with the current OSX-generated package lock.
Technical details
- npm >= 5.1.0
The first problem can be resolved once and for all by dropping all range specifiers from the package.json (^, ~). I don’t know of any “once and for all” solution for the environment difference.
The environment difference shouldn’t be more than an annoyance, however the dependency version problem can cause real issues if a new version of one of the dependencies breaks the code/tooling (using a lockfile is supposed to prevent this), so we may want to pin all of the dependencies to exact versions until it is resolved.
Until we find a more proper fix, it is safe to either:
# Discard the changes to the file:
git checkout -- package-lock.json
# Use the following flag to prevent the changes to the file:
npm install --no-shrinkwrap
I’ve been tracking all of the npm issues highlighted above, hoping for a fix in npm, if that doesn’t come I guess we can go for a plan B solution like “switch to yarn”, or “move back to npm-shrinkwrap.json and gitignore the package-lock.json”.
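As an added example (not code from the Wagtail issue or from npm), the two remedies discussed above in Node: rewriting the caret/tilde ranges in package.json to the versions the lockfile already records, and listing which lockfile entries resolved differently between two machines. It assumes the npm 5 lockfile layout (lockfileVersion 1, a top-level "dependencies" map with a "version" per package); all package names and versions are constructed.

```javascript
// Added example, not from the Wagtail issue or from npm. Assumes an npm 5
// lockfile (lockfileVersion 1) whose top-level "dependencies" map holds a
// "version" per package. All sample data below is constructed.

const EXACT = /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/;   // an already pinned version
const SIMPLE_RANGE = /^[\^~]\d/;                     // ^1.2.3 or ~1.2.3, as in the issue

// Pin caret/tilde ranges to the version the lockfile resolved them to, so a
// fresh install elsewhere cannot pick up a newer release and rewrite the lock.
function pinDependencies(pkg, lock) {
  const out = JSON.parse(JSON.stringify(pkg));       // leave the caller's object intact
  const report = { pinned: [], skipped: [] };
  for (const field of ['dependencies', 'devDependencies']) {
    for (const [name, spec] of Object.entries(out[field] || {})) {
      if (EXACT.test(spec)) continue;                // already pinned, nothing to do
      const entry = (lock.dependencies || {})[name];
      if (!SIMPLE_RANGE.test(spec) || !entry || !EXACT.test(entry.version)) {
        // git/tarball specs, tags or missing lock entries need a human decision
        report.skipped.push({ field, name, spec });
        continue;
      }
      out[field][name] = entry.version;
      report.pinned.push({ field, name, from: spec, to: entry.version });
    }
  }
  return { pkg: out, report };
}

// Which packages resolved differently in two lockfiles (e.g. one written on
// OSX, one on Linux)? Entries present on only one side count as drift too.
function lockDrift(lockA, lockB) {
  const a = lockA.dependencies || {}, b = lockB.dependencies || {};
  const names = new Set([...Object.keys(a), ...Object.keys(b)]);
  const drift = [];
  for (const name of [...names].sort()) {
    const va = a[name] ? a[name].version : null;
    const vb = b[name] ? b[name].version : null;
    if (va !== vb) drift.push({ name, a: va, b: vb });
  }
  return drift;
}

// Constructed sample: "^1.4.0" resolved to 1.4.2 on the machine that wrote the lock.
const samplePkg = { dependencies: { 'example-lib': '^1.4.0', 'example-cli': 'github:example/cli#main' },
                    devDependencies: { 'example-tool': '~2.0.1', 'example-exact': '3.1.0' } };
const sampleLockOsx = { lockfileVersion: 1, dependencies: {
  'example-lib': { version: '1.4.2' }, 'example-tool': { version: '2.0.3' },
  'example-exact': { version: '3.1.0' }, 'example-cli': { version: 'github:example/cli#abc123' },
  'example-osx-only': { version: '0.9.0', optional: true } } };
const sampleLockLinux = { lockfileVersion: 1, dependencies: {
  'example-lib': { version: '1.4.5' }, 'example-tool': { version: '2.0.3' },
  'example-exact': { version: '3.1.0' }, 'example-cli': { version: 'github:example/cli#abc123' } } };

console.log(JSON.stringify(pinDependencies(samplePkg, sampleLockOsx).report, null, 2));
console.log(JSON.stringify(lockDrift(sampleLockOsx, sampleLockLinux), null, 2));
```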
Top GitHub Comments
According to http://blog.npmjs.org/post/167963735925/v560-2017-11-27, this has been fixed in the latest release. I’ll wait a few more days before upgrading (😉), and follow up here.
@jjanssen regenerated the package-lock in #3806, taking care of the remaining differences.
For people who have experienced this, please make sure you use npm@5.6.0 or up: