| ▲ | 0cf8612b2e1e 2 hours ago | |
The internet disagrees. NPM will gladly ignore and update lock files. There may exist a way to actually respect lock files, but the default mode of operation does not work as you would naively expect. - NPM Install without modifying the package-lock.json https://www.mikestreety.co.uk/blog/npm-install-without-modif... - Why does "npm install" rewrite package-lock.json? https://stackoverflow.com/questions/45022048/why-does-npm-in... - npm - How to actually use package-lock.json for installing based on locked versions? https://stackoverflow.com/questions/47480617/npm-how-to-actu... | ||
| ▲ | Rockslide 38 minutes ago | parent [-] | |
Those stackoverflow posts are ancient and many major npm releases old, so in other words: irrelevant. That blog post is somewhat up to date but also very vague about the circumstances which would update the lockfile. Which certainly isn't that npm install updates dependencies to newer versions within the semver range, because it absolutely does not. | ||