NPM: How to verify that your package-lock.json fulfills dependencies of package.json


Your package-lock.json should always be in sync with your package.json: every dependency declared in package.json must be resolved by the lock file, at a version inside the declared range.
Coming from Yarn, I was looking for an option like Yarn's --frozen-lockfile, which validates exactly that. Here is what seems to be the way to do it.

Using npm clean-install

Running npm clean-install instead of npm install validates that your package-lock.json is in sync with your package.json before it installs anything.
If the lock file does not satisfy package.json (a dependency is missing from it, or is locked at a version outside the declared range), npm install silently resolves new versions and rewrites package-lock.json, whereas npm clean-install aborts with an error and leaves both files untouched.

You can use npm ci as a shortcut for npm clean-install.
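To make concrete what "in sync" means, here is an added example (not code from the original card, and not npm's own implementation) that performs the same kind of check offline: every dependency and devDependency in package.json must have a top-level entry in package-lock.json whose version lies inside the declared range. It assumes the lockfileVersion 2 or 3 layout (entries keyed as "node_modules/<name>" under "packages") and only understands exact, ^, ~ and * ranges; any other range syntax is reported rather than silently accepted. The package.json and lock file below are constructed for the demonstration; the lock is deliberately out of sync (express locked too old, left-pad missing).

```javascript
// Added example: a minimal offline check that package-lock.json can satisfy
// package.json, mirroring the sync check npm clean-install performs.
// Assumptions: lockfileVersion 2/3 layout; only exact, ^, ~ and * ranges are
// understood; prerelease tags and build metadata are ignored (simplification).

function parseVersion(v) {
  // Returns [major, minor, patch] or null for anything that is not x.y.z.
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Exclusive upper bounds as npm's semver defines them:
//   ^x.y.z -> <(x+1).0.0, but ^0.y.z -> <0.(y+1).0 and ^0.0.z -> <0.0.(z+1)
//   ~x.y.z -> <x.(y+1).0
function caretUpper([x, y, z]) {
  if (x > 0) return [x + 1, 0, 0];
  if (y > 0) return [0, y + 1, 0];
  return [0, 0, z + 1];
}
function tildeUpper([x, y]) { return [x, y + 1, 0]; }

// true/false for supported ranges, null when the range syntax is unsupported.
function satisfies(range, version) {
  const v = parseVersion(version);
  if (!v) return false;
  if (range === '*' || range === '') return true;
  const op = range[0] === '^' || range[0] === '~' ? range[0] : '';
  const base = parseVersion(op ? range.slice(1) : range);
  if (!base) return null;
  if (!op) return cmp(v, base) === 0;
  const upper = op === '^' ? caretUpper(base) : tildeUpper(base);
  return cmp(v, base) >= 0 && cmp(v, upper) < 0;
}

// Returns a list of human-readable problems; an empty list means "in sync".
function checkLock(pkg, lock) {
  const problems = [];
  const packages = lock.packages || {};
  const wanted = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  for (const [name, range] of Object.entries(wanted)) {
    const entry = packages['node_modules/' + name];
    if (!entry) { problems.push(`${name}: missing from package-lock.json`); continue; }
    const ok = satisfies(range, entry.version);
    if (ok === null) problems.push(`${name}: unsupported range "${range}"`);
    else if (!ok) problems.push(`${name}: locked ${entry.version} does not satisfy ${range}`);
  }
  return problems;
}

// For real use: read the two files from a project directory (hypothetical helper,
// not invoked here so the demo runs without any files on disk).
function checkLockFiles(pkgPath = 'package.json', lockPath = 'package-lock.json') {
  const fs = require('fs');
  return checkLock(JSON.parse(fs.readFileSync(pkgPath, 'utf8')),
                   JSON.parse(fs.readFileSync(lockPath, 'utf8')));
}

// Constructed sample input: a package.json and an out-of-sync lock file.
const PACKAGE_JSON = {
  name: 'demo', version: '1.0.0',
  dependencies: { express: '^4.18.0', lodash: '~4.17.20' },
  devDependencies: { jest: '^29.0.0', 'left-pad': '1.3.0' },
};
const PACKAGE_LOCK = {
  name: 'demo', lockfileVersion: 3,
  packages: {
    '': { dependencies: { express: '^4.18.0', lodash: '~4.17.20' } },
    'node_modules/express': { version: '4.17.1' },   // older than ^4.18.0
    'node_modules/lodash': { version: '4.17.21' },   // fine for ~4.17.20
    'node_modules/jest': { version: '29.7.0' },      // fine for ^29.0.0
    // left-pad is declared in package.json but absent here
  },
};

const demoProblems = checkLock(PACKAGE_JSON, PACKAGE_LOCK);
console.log(demoProblems.length
  ? 'lock file out of sync:\n  ' + demoProblems.join('\n  ')
  : 'lock file in sync');
```

The sample reports two problems, express and left-pad; this is the situation in which npm install would quietly rewrite the lock file while npm clean-install refuses to proceed. The check is intentionally stricter than it needs to be about unknown range syntax: a CI guard that cannot interpret a range should fail, not pass.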

Combine with a cache

The idea of a "clean install" is that it always starts from scratch: an existing node_modules directory is deleted and every package is installed again from the lock file, so nothing from a previous install is reused. Note that this concerns node_modules, not npm's package cache: npm clean-install still reads tarballs from the cache directory (the one selected with --cache), so caching that directory between CI runs does save downloads.

If you want to keep a cache and an existing node_modules on CI, but also validate the lock file (without the validation you would not notice that CI installed packages that are not in your package-lock.json), you can combine both commands and tell clean-install not to install anything:

npm clean-install --dry-run && npm install --cache=path/to/cache

With --dry-run, npm clean-install still performs the sync check and fails if package.json and package-lock.json disagree, but on current npm versions it stops before touching node_modules; because of the &&, npm install only runs when that check passed.

Note that npm clean-install could be considered the only command necessary to install packages in CI. However, it deletes node_modules and reinstalls every package on each CI run, which really should not be necessary when the previous run's node_modules can be reused. Using a cache is perfectly fine as long as the lock file is validated first.

Last edit: Arne Hartherz
Source code in this card is licensed under the MIT License.
Posted by Arne Hartherz to makandra dev (2024-12-13 15:06)