is also curious about this question, to sum up:
reason: package-lock.json saves the version of every dependency (including the dependencies of dependencies), its download address, and so on. Because the version requirements in the project's package.json can be written in different ways, such as setting a minimum version or limiting the version to a range, running npm i at different times may resolve some dependencies to newer versions, which changes package-lock.json. This can happen even if your project directly depends on a fixed version number, because the versions your dependencies themselves depend on cannot be fixed by you.
workaround: npm 5.8 or 5.9 added a new command, npm ci, which quickly installs dependencies entirely from package-lock.json and does not cause this problem.
take a look at this article, Portal
because you want to update and download the package
npm installation principle:
if there is no conflict between your package.json and your package-lock.json, the package-lock.json file will not be updated; otherwise it will be.
Test npm version: 6.13.1
Why does it conflict? For example, you manually changed the version number, such as depending on core-js 3.4.5, as shown below.
package.json:

    "dependencies": {
      "core-js": "~3.4.5"
    }

package-lock.json:

    "dependencies": {
      "core-js": {
        "version": "3.4.7",
        "resolved": "https://registry.npm.taobao.org/core-js/download/core-js-3.4.7.tgz",
        "integrity": "sha1-PdplYR2VaZtet3QupFHqBS03qmU="
      }
    }
It depends on core-js ~3.4.5 and locks on 3.4.7.

If you change the dependency of core-js in package.json to ~3.4.6 or ~3.4.7, reinstalling will not change package-lock.json, because the version saved in the lock file is larger than the one in the package file.

But if you change the version in package.json directly to "core-js": "~3.4.8", this is higher than the version in the lock file. If the latest version needs to be downloaded again, you will download the latest version that conforms to 3.5.x, and the lock file is updated at the same time.
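As an added example (not code from this thread, and not npm's own implementation), here is a small JavaScript model of the rule described in the answer above, and of why the npm ci suggested earlier in the thread never rewrites the lock file: for one dependency, npm install keeps the locked version when it still satisfies the range in package.json and re-resolves (rewriting package-lock.json) when it does not, while npm ci refuses to run on a mismatch. The range matcher is an assumption-laden toy that understands only exact versions, "~x.y.z" and "^x.y.z"; real npm uses the full semver grammar and checks the whole dependency tree. The core-js lock entry below is constructed to mirror the one shown in the thread.

```javascript
// Added example, not part of the original thread. Toy model of how npm
// decides whether package-lock.json still satisfies package.json for
// one dependency. Only exact, "~" and "^" ranges are handled (assumption).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic compare of [major, minor, patch] triples.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns [lowerInclusive, upperExclusive] bounds for a range string.
function rangeBounds(range) {
  const r = range.replace(/\s+/g, ''); // tolerate "~ 3.4.5" as written in the thread
  const prefix = r[0] === '~' || r[0] === '^' ? r[0] : '';
  const lower = parseVersion(prefix ? r.slice(1) : r);
  let upper;
  if (prefix === '~') {
    upper = [lower[0], lower[1] + 1, 0];            // ~3.4.5 => >=3.4.5 <3.5.0
  } else if (prefix === '^') {
    if (lower[0] !== 0) upper = [lower[0] + 1, 0, 0];       // ^3.4.5 => <4.0.0
    else if (lower[1] !== 0) upper = [0, lower[1] + 1, 0];  // ^0.2.3 => <0.3.0
    else upper = [0, 0, lower[2] + 1];                      // ^0.0.3 => <0.0.4
  } else {
    upper = [lower[0], lower[1], lower[2] + 1];     // exact version
  }
  return [lower, upper];
}

function satisfies(version, range) {
  const v = parseVersion(version);
  const [lo, hi] = rangeBounds(range);
  return compare(v, lo) >= 0 && compare(v, hi) < 0;
}

// What `npm install` does for one dependency, per the answer above:
// locked version still in range -> lock entry kept; otherwise a new
// version is resolved from the registry and the lock file is rewritten.
function installDecision(range, lockedVersion) {
  return satisfies(lockedVersion, range) ? 'keep-lock' : 'resolve-and-rewrite-lock';
}

// `npm ci` never rewrites the lock: it installs from it or errors out
// when package.json and package-lock.json disagree.
function ciDecision(range, lockedVersion) {
  return satisfies(lockedVersion, range) ? 'install-from-lock' : 'error';
}

// Constructed lock entry mirroring the core-js example from the thread.
const lockEntry = { name: 'core-js', version: '3.4.7' };

for (const range of ['~3.4.5', '~3.4.6', '~3.4.7', '~3.4.8', '^3.4.5', '3.4.7']) {
  console.log(
    `${lockEntry.name} ${range} vs locked ${lockEntry.version}: ` +
    `npm install -> ${installDecision(range, lockEntry.version)}, ` +
    `npm ci -> ${ciDecision(range, lockEntry.version)}`
  );
}
```

One semver detail worth keeping in mind when reading the thread: a tilde range stays inside the minor version, so "~3.4.8" matches 3.4.8 up to but excluding 3.5.0, and the version re-resolved for it would be the newest 3.4.x rather than a 3.5.x release. The practical consequence for reproducible builds is the same either way: commit package-lock.json and run npm ci in CI, so a range that no longer matches the lock fails loudly instead of silently pulling a different version.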