simiones 4 hours ago
No, this is just wrong. It might indeed use package-lock.json if it matches your node_modules (so that running `npm install` multiple times won't download new versions). But if you're cloning a repo off of GitHub and running npm install for the first time (which a CI setup might do), it will take the latest deps from package.json and update the package-lock.json - at least this is what I've found many responses online claim. The docs for `npm ci` also suggest that it behaves differently from `npm install` in this exact respect:

> In short, the main differences between using npm install and npm ci are:
> The project must have an existing package-lock.json or npm-shrinkwrap.json.
> If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.
Rockslide 3 hours ago
Well, but the docs you cited don't match what you stated. You can delete node_modules and reinstall; it will never update the package-lock.json, you will always end up with the exact same versions as before. The package-lock updating happens when you change version numbers in the package.json file, but that is very much expected! So no, running npm install will not pull in new versions randomly.