Is there any way to fix package-lock.json lockfileVersion so npm uses a specific format?
Is there any way to specify to newer versions of
npm
to only use"lockfileVersion": 1
? Or do we just have to get all devs on the same version ofnpm
?
I will advise you to pin the Node/NPM version and align it across your environments (development, staging, and production).
you can leverage nvm
for managing the node version by adding to your project .nvmrc
file (don't forget to store it in your source control).
for instance, .nvmrc
will look like:
$ cat .nvmrc
14.15.0
then, you can use nvm install && nvm use
to use the pined version of Node.
NPM also supports engines
:
You can specify the version of node that your stuff works on:
{ "engines" : { "node" : ">=0.10.3 <0.12" } }
And, like with dependencies, if you don't specify the version (or if you specify "*" as the version), then any version of Node will do.
If you specify an "engines" field, then npm will require that "node" be somewhere on that list. If "engines" is omitted, then npm will just assume that it works on Node.
You can also use the "engines" field to specify which versions of npm are capable of properly installing your program. For example:
{ "engines" : { "npm" : "~1.0.20" } }
Unless the user has set the engine-strict config flag, this field is advisory only and will only produce warnings when your package is installed as a dependency.
Another approach is to use a Docker container as a runtime environment for development and execution, which implies that you neither need to install Node, nor NPM. e.g.
$ mkdir my-project
$ cd my-project
$ docker run --rm -it -v $PWD:/app --entrypoint /bin/bash --workdir /app node:14.15.0
root@4da6ee3c2ac0:/app# npm init -y
Wrote to /app/package.json:
{
"name": "app",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "",
"license": "ISC"
}
root@4da6ee3c2ac0:/app# npm install
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN [email protected] No description
npm WARN [email protected] No repository field.
up to date in 1.694s
found 0 vulnerabilities
root@4da6ee3c2ac0:/app# exit
exit
$ ls -x1
package-lock.json
package.json
As you can see, with neither Node, nor NPM:
- Created a new directory for a fresh project
- Spun up a Node Docker container, which comes with Node and NPM
- Created a new project (
npm init -y
) - Exited the Docker container
- Listed the files within the working directory, where the container was spun
Since the docker run
command above is long, you might wish to leverage docker-compose for a more streamlined workflow.
npm WARN read-shrinkwrap This version of npm is compatible with lockfileVersion@1, but package-lock.json was generated for lockfileVersion@2. I'll try to do my best with it!
to overcome this issue, running the command
npm i -g npm@latest
globally and running the command
npm i npm@latest
in the project file helped me resolve the issue.