Understanding NPM Legacy Behavior

Starting with the NPM 5.1.0 release, NPM changed how package.json and package-lock.json are reconciled when the npm install command runs.

A project whose package-lock.json was generated by an NPM version prior to 5.1.0 may therefore produce different results when it is scanned in an environment with NPM 5.1.0 or later installed, because the installer may resolve a different set of package versions from the same two files.

https://github.com/npm/npm/releases/tag/v5.1.0

  • f0075e7ca #17508 Take package.json changes into account when running installs -- if you remove or add a dependency to package.json manually, npm will now pick that up and update your tree and package-lock accordingly. (@iarna)

Current Behavior

At the time of writing, for modern Node/NPM applications with NPM >= 5.1.0, running npm install treats package.json as the statement of intent: package-lock.json is created if it is missing and otherwise updated so that it satisfies the dependencies declared in package.json. Dependencies added to or removed from package.json by hand are picked up, and the lock file is rewritten accordingly.

Legacy Behavior

Before NPM 5.1.0, npm install honored the contents of package-lock.json over package.json. If the two files had drifted out of sync and listed different versions, npm install installed what the lock file said, and package.json was updated to reflect package-lock.json rather than the other way round.

Example

We have a Node/NPM project in which package.json and package-lock.json disagree on a version.

In the example below the project is named axios-test, and its version field differs between the two files: package.json says 1.0.0 while package-lock.json says 2.0.0. The same reconciliation rule applies to the versions of dependencies such as axios listed in the two files.

Before NPM install

package.json (a manifest carries only its own fields; lockfileVersion, requires and packages belong to the lock file and are not shown here)

```json
{
  "name": "axios-test",
  "version": "1.0.0"
}
```

package-lock.json - notice axios-test is on 2.0.0 (the lockfileVersion 2 layout shown here is what npm 7+ writes; npm 5.x and 6.x write lockfileVersion 1, but the reconciliation behavior described on this page is the same)

```json
{
  "name": "axios-test",
  "version": "2.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {}
}
```

After npm install with NPM >= 5.1.0

package.json

```json
{
  "name": "axios-test",
  "version": "1.0.0"    <--- not changed
}
```

package-lock.json

```json
{
  "name": "axios-test",
  "version": "1.0.0",    <---- changed back to 1.0.0
  "lockfileVersion": 2,
  "requires": true,
  "packages": {}
}
```

After npm install with NPM < 5.1.0

package.json

```json
{
  "name": "axios-test",
  "version": "2.0.0"    <--- upgraded to 2.0.0
}
```

package-lock.json

```json
{
  "name": "axios-test",
  "version": "2.0.0",    <---- not changed
  "lockfileVersion": 2,
  "requires": true,
  "packages": {}
}
```
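Because which file "wins" depends on the NPM version doing the install, a scan of a drifted project is only as trustworthy as the agreement between the two files. The following Node.js script, an added example that is not part of the original page and not npm's own code, checks a package.json against its package-lock.json before scanning and reports every disagreement it finds: mismatched name or version fields (the case shown above), direct dependencies declared in package.json but missing from the lock, ranges that npm 7+ recorded for the root package that no longer match package.json, and locked versions that fall outside the declared range. It understands both the flat lockfileVersion 1 layout written by npm 5/6 and the "packages" layout of lockfileVersion 2/3. The semver handling is a deliberately small subset (exact, caret, tilde, wildcard); the function names, the sample manifest and the sample lock file are all constructed for this example.

```javascript
// Added example, not code from the original page or from npm itself.
// Detects drift between package.json and package-lock.json before a scan,
// so the scan result does not depend on which npm version "wins" the
// reconciliation. Handles lockfileVersion 1 (npm 5/6: flat top-level
// "dependencies") and lockfileVersion 2/3 (npm 7+: "packages" keyed by
// path, with the root package recorded under the empty key "").

function satisfiesSimple(range, version) {
  // Minimal subset of semver ranges (exact, ^, ~, *); null means "not handled here".
  if (range === "*" || range === "" || range === "latest") return true;
  const r = /^([\^~]?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  const v = /^(\d+)\.(\d+)\.(\d+)/.exec(version || "");
  if (!r || !v) return null;
  const [rMaj, rMin, rPat] = [r[2], r[3], r[4]].map(Number);
  const [vMaj, vMin, vPat] = [v[1], v[2], v[3]].map(Number);
  const atLeast =
    vMaj > rMaj || (vMaj === rMaj && (vMin > rMin || (vMin === rMin && vPat >= rPat)));
  if (r[1] === "") return vMaj === rMaj && vMin === rMin && vPat === rPat;
  if (r[1] === "~") return atLeast && vMaj === rMaj && vMin === rMin;
  if (rMaj === 0) return atLeast && vMaj === 0 && vMin === rMin; // ^0.x.y pins the minor
  return atLeast && vMaj === rMaj;
}

function allDeclared(manifest) {
  // Direct dependencies of every kind, name -> declared range.
  return {
    ...(manifest.dependencies || {}),
    ...(manifest.devDependencies || {}),
    ...(manifest.optionalDependencies || {}),
  };
}

function lockDrift(pkg, lock) {
  const issues = [];
  if (pkg.name !== lock.name) issues.push(`name: package.json "${pkg.name}" vs lock "${lock.name}"`);
  if (pkg.version !== lock.version) issues.push(`version: package.json ${pkg.version} vs lock ${lock.version}`);

  const declared = allDeclared(pkg);
  const resolved = {};   // direct dependency name -> version recorded in the lock
  let lockRoot = null;   // ranges npm 7+ copies from package.json into packages[""]
  if ((lock.lockfileVersion || 1) >= 2) {
    lockRoot = allDeclared((lock.packages || {})[""] || {});
    for (const [path, entry] of Object.entries(lock.packages || {})) {
      const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)$/.exec(path); // top-level node_modules only
      if (m) resolved[m[1]] = entry.version;
    }
  } else {
    // lockfileVersion 1: the top-level map is the hoisted tree, so only presence is checked.
    for (const [name, entry] of Object.entries(lock.dependencies || {})) resolved[name] = entry.version;
  }

  for (const [name, range] of Object.entries(declared)) {
    if (!(name in resolved)) {
      issues.push(`${name}: declared in package.json but absent from the lock`);
      continue;
    }
    if (lockRoot && lockRoot[name] !== range) {
      issues.push(`${name}: package.json wants ${range}, lock root recorded ${lockRoot[name]}`);
    }
    if (satisfiesSimple(range, resolved[name]) === false) {
      issues.push(`${name}: locked ${resolved[name]} does not satisfy ${range}`);
    }
  }
  if (lockRoot) {
    for (const name of Object.keys(lockRoot)) {
      if (!(name in declared)) issues.push(`${name}: still in lock root but removed from package.json`);
    }
  }
  return issues;
}

// Constructed sample input (not from a real project): the lock file was generated
// from an older package.json and never regenerated after the manifest was edited.
const samplePkg = {
  name: "axios-test",
  version: "1.0.0",
  dependencies: { axios: "^1.6.0", lodash: "^4.17.21" },
};
const sampleLock = {
  name: "axios-test",
  version: "2.0.0",
  lockfileVersion: 3,
  requires: true,
  packages: {
    "": { name: "axios-test", version: "2.0.0", dependencies: { axios: "^0.27.2", qs: "^6.11.0" } },
    "node_modules/axios": { version: "0.27.2" },
    "node_modules/qs": { version: "6.11.2" },
    "node_modules/follow-redirects": { version: "1.15.3" },
  },
};

const drift = lockDrift(samplePkg, sampleLock);
console.log(drift.length ? drift.join("\n") : "package.json and package-lock.json agree");
```

Run it against a real project by replacing the two constructed objects with `JSON.parse(fs.readFileSync(...))` of the actual files; a non-empty result means the scan should be performed only after the files are brought back into agreement (for example by regenerating the lock with the NPM version the project is built with), otherwise the dependency set that gets scanned will differ from the one that gets installed.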