package-lock file changing based on local repository name

[NickAJScott]

Current Behavior:

package-lock.json changes depending on name of local copy of git repo, e.g. if i have two copies of the same repo locally one which matches the name in package.json and one which doesn't i get two different package-lock files, one specifies the name of the package in the inner packages list and one doesn't.

Expected Behavior:

package-lock.json should be independent of top level directory name, when working in a team there shouldn't be unnecessary changes to package-lock file due to a team member having a different local name of their git repository.

Steps To Reproduce:

1. clone a repository twice one in the default named directory and one into a name that differs from the repo name.
2. run npm install
3. two different package-lock files will be generated.

Environment:

• OS: Ubuntu 20.04
• Node: 15.3.0
• npm: 7.0.14

[NickAJScott]

I think this is in some ways similar to this issue here: #1767 The difference is the package.json does contain a name field, and when the repo name matches that name field the field is not being generated inside the package-lock.json. This means if you change the directory name the field will get generated, it seems it should be generated at all times.

[nlf]

i'm not able to reproduce this. do you have an example repo where you see this behavior? i tried cloning the same repo twice, removing the package-lock.json from both, and running npm i in both and the generated package-lock.json files match.

[NickAJScott]

Hi thanks for looking into this, ill try and create a dummy repo to reproduce it.

[NickAJScott]

@nlf Here is a repo to reproduce it: /~https://github.com/NickScottKortical/testpackagelock

commands i ran to see the issue were:

git clone git@github.com:NickScottKortical/testpackagelock.git
cd testpackagelock
npm install
git clone git@github.com:NickScottKortical/testpackagelock.git testpackagelock2
cd testpackagelock2
npm install

/~https://github.com/NickScottKortical/testpackagelock/compare/package_lock_changed

Shows the change that happens if the directory name doesn't match the name of the package, when the directory does match that name key isn't added at all and is what you see in the main branch.

[nlf]

confirmed! that reproduced it for me, thank you for taking the time!

[NickAJScott]

No problem, glad i could help :)

[apostolos]

Can reproduce, name is added on the CI, does not happen locally (folder is named "lwjgl.org" on local filesystem):

[zen0wu]

This is still reproducible and super annoying. I don't really think I understand the full picture of doing this since it seems ok to just always set ["name"] to be the one in package.json and call it a day?

[jkxyz]

I've also run into this issue. I renamed the project directory to save myself two keystrokes: cd g<TAB> instead of cd n<TAB>g<TAB>. After noticing that my colleagues and I were committing different versions of package-lock.json in our PRs I first got us all to align on using the latest npm version thinking that was the cause of the problem. It was unexpected behavior to me that the CLI would care about the name of the package directory when generating what should be a reproducible lock file based on the project dependencies.

[jonkoops]

I can confirm this issue on NPM version 7.19.1. When the directory name the of the package is not the same as the name of the package the package lock will be modified to add the name of the package, otherwise the line is removed.

This is highly annoying as team members keep committing the package lock, even though nothing really changed.

[jonkoops]

@nlf Any chance this could be fixed anytime soon? This is the number 1 issue that my team members are running into because some have a directory that is named the same as the package and some do not. This results in constant changes on the lockfile when committing.

[nlf]

it will be fixed in the next release, which should be getting published later today

[jonkoops]

@nlf That is great, thanks a bunch!

[StefanosGiannakis]

@jonkoops any updates? thx

[jonkoops]

@StefanosGiannakis this has been fixed and released as mentioned before in this thread.

[shreevatsa]

I still see this with npm 8.5.0 which was released in Feb 2022 (the same repro from #2264 (comment) of Dec 4 2020 above still reproduces it) — is the version with a fix newer than that?

[chrisdicarlo]

Same here with 8.18.0

[ppshobi]

same here

[mervayar07]

• 2264

[fm-swe]

this is still a problem

[alxlion]

8.19.2 and issue still here. Is it possible to reopen it ?
Thanks

[fm-swe]

maybe a solution for others running into this, I changed my script from

npm install --include=dev && npm run dev

to

npm ci --include=dev && npm run dev

to avoid this behavior.

[ashermiddleton]

I'm running into this issue in a docker environment via ddev. package-lock.json keeps updating to the top-level folder name in the docker environment "html" instead of the actual package's name and top-level folder "project".

• Node 18.15.0
• npm 9.5.0

[sgrossberndt]

As proposed before: Add a name-property to package.json, this will be used in package-lock.json instead of the directory name.

[sc0ttj]

Can this be re-opened and fixed please?

• don't allow empty name properties:
  • take the value from the name property in package.json
  • or use the root directory name, where package.json resides
• make npm install and npm ci consistent in this regard

[dewbjorn]

Still happening.

[silverwind]

I suggest npm do the following:

• If package.json has name, copy it into package-lock.json
• If package.json has no name, do not write any name in package-lock.json

This will ensure matching lockfiles, regardless of the name of the parent directory.

[marcustyphoon]

Note that if, like me, you found yourself here due to an unexpected name field being committed, it may have been due to npm audit fix; see #4608.