[BUG] The package-lock.json file depends on node_modules, which will cause the lock generated by npm i to be inconsistent after the lock file is deleted when some packages that depend on the system architecture (such as node-unix-socket) are installed again.

[JsweetA]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

I used a node-unix-socket package, which needs to load different .node files under different system architectures. I accidentally deleted the lock file when operating on my local Mac computer. When I used npm i to install it again, the lock file only had packages under the Mac architecture. This would cause the package to be lost when I released the deployment because the container used the Linux architecture.

Expected Behavior

Yarn and pnpm do not have this problem. They do not rely on node_modules to generate lock files, so the generation of lock files is idempotent. However, when there are packages that depend on the system architecture, the generation of lock files by npm i is not idempotent.

Steps To Reproduce

1. Prepare a package.json file

{
    "name": "my-project",
    "version": "1.0.0",
    "dependencies": {
      "node-unix-socket": "0.2.5"
    }
}

2. Run npm i and you will get a normal package-lock file.
3. Delete package-lock at this time, and then execute npm i to get the error version

• normal
  
• error
  

[milaninfy]

@JsweetA Could you please try with--os flag to see if it fits this case. https://docs.npmjs.com/cli/v10/commands/npm-install#os

[JsweetA]

@JsweetA Could you please try with--os flag to see if it fits this case. https://docs.npmjs.com/cli/v10/commands/npm-install#os

Does it mean to use npm i --os=linux? If so, it doesn't solve my problem.

[milaninfy]

@JsweetA I think what's happening here is that first time it's constructing the lock file based on package.json information. then once you delete the lock file it's reconstructing lock file base on what is in the node_modules. As far as I know we have smiler issue where integrity field is missing after deleting and recreating lock file iirc that is also the same cause. but if you check in both the cases it's installing same packages. you can verify that using npm ls --depth=2 before and after your steps.

[jogerj]

Likely duplicate of #4828

[sahin52]

Deleting package-lock.json causes so many differences after npm installing again, even though if you use specific versions instead of versions like "^2.1.0", or you may be using latest version of all packages but still it generates very different package-lock

[milaninfy]

This is fixed on #8184