Opened 10 months ago

Closed 7 weeks ago

#7535 closed task (fixed)

Add npm `package-lock.json` for npm v5.x

Reported by: Stephen Edgar
Owned by: Stephen Edgar
Milestone: 3.0
Priority: normal
Severity: normal
Version:
Component: Build/Test Tools
Keywords: needs-codex


npm v5 now by default generates a package-lock.json file.

Some paraphrased notes from the announcement post:

  • package-lock.json and npm-shrinkwrap.json are aware of each other and happy to coexist.
  • Package locks no longer exclude optionalDependencies that failed to build. This means package-lock.json and npm-shrinkwrap.json should now be cross-platform.
    • This will hopefully mitigate the optionalDependencies issue with our build server in #38657 / r39368. When the build server is bumped to use the upcoming Node.js v8.x LTS release, this can be tested and confirmed.
  • Running npm while offline will no longer insist on retrying network requests. npm will now immediately fall back to cache if possible, or fail. npm's caching is vastly improved in npm 5.
  • On performance, NodeJS 6.9.1 and NPM 3.10.8 running npm install in tests took ~63.94 seconds on average. With NodeJS v7.10.0 and npm v5.0.0 this is halved to ~26.26 seconds on average. Once npm modules are cached, reinstalling node_modules averages 16.163 seconds, just shy of a 4x speed boost.
    • Detailed bbPress, BuddyPress, and WordPress performance tests can be seen in this spreadsheet.
    • The performance boost is comparable to that of Yarn: initial install 21.40 seconds, and subsequent installs 18.82 seconds, see #38603.

Related: #7378 Investigate using yarn instead of npm
Related: #WP40938 Add npm package-lock.json for npm v5.x

Attachments (1)

7535.patch (246.7 KB) - added by Stephen Edgar 10 months ago.

Change History (10)

#1 @Stephen Edgar
10 months ago

  • Milestone changed from Awaiting Review to 2.9
  • Status changed from new to accepted

#2 @Stephen Edgar
10 months ago

  • Milestone changed from 2.9 to Future Release


One key detail about package-lock.json is that it cannot be published, and it will be ignored if found in any place other than the toplevel package. It shares a format with npm-shrinkwrap.json, which is essentially the same file, but allows publication.

This is not recommended unless deploying a CLI tool or otherwise using the publication process for producing production packages.

If both package-lock.json and npm-shrinkwrap.json are present in the root of a package, package-lock.json will be completely ignored.

It's one or the other, not both files, and that gives us a few options to consider. Whilst I think about those and the best path forward, I'll tuck this ticket into the future release milestone.

p.s. My initial thoughts are that we switch from having an npm-shrinkwrap.json file to having the package-lock.json file.
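
The precedence rules quoted in the comment above can be checked mechanically before a lockfile change is committed. The following is an added example, not code from BuddyPress or npm; the helper names and the sample tree are hypothetical and constructed for illustration.

```javascript
// Added example: classify npm lockfiles in a project tree using the rules
// quoted in this ticket. Helper names are hypothetical, not an npm API.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

const LOCK = 'package-lock.json';
const SHRINKWRAP = 'npm-shrinkwrap.json';

// Recursively collect lockfiles as paths relative to root ('/' separated).
function findLockfiles(root, dir = root, found = []) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory()) findLockfiles(root, full, found);
    else if (entry.name === LOCK || entry.name === SHRINKWRAP)
      found.push(path.relative(root, full).split(path.sep).join('/'));
  }
  return found.sort();
}

// Rules from the ticket: a root npm-shrinkwrap.json wins over a root
// package-lock.json, and package-lock.json below the root is ignored.
function auditLockfiles(root) {
  const files = findLockfiles(root);
  const hasShrinkwrap = files.includes(SHRINKWRAP);
  const hasLock = files.includes(LOCK);
  const ignored = files.filter((f) =>
    (f === LOCK && hasShrinkwrap) || (f !== LOCK && f.endsWith(LOCK)));
  const effective = hasShrinkwrap ? SHRINKWRAP : hasLock ? LOCK : null;
  return { effective, ignored, conflict: hasShrinkwrap && hasLock };
}

// Constructed sample tree (hypothetical paths) so the check runs offline.
function makeSampleTree(relativePaths) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'lockfile-audit-'));
  for (const rel of relativePaths) {
    const full = path.join(root, rel);
    fs.mkdirSync(path.dirname(full), { recursive: true });
    fs.writeFileSync(full, '{}\n');
  }
  return root;
}

// Both root files present: the shrinkwrap is effective, the lock is ignored.
console.log(auditLockfiles(makeSampleTree(
  [LOCK, SHRINKWRAP, 'node_modules/dep/package-lock.json'])));
```

A `conflict: true` result means a reviewed package-lock.json is pinning nothing, because npm is reading npm-shrinkwrap.json instead.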

This ticket was mentioned in Slack in #buddypress by netweb. View the logs.

9 months ago

#4 @Stephen Edgar
8 months ago

I've nearly grok'd all there is to know about npm 5...

To that end, some recent knowledge ingestion: package-lock.json and npm-shrinkwrap.json are interchangeable; in essence one could be renamed to the other and it will work as intended.

Another is that npm has no LTS releases, everyone should be running the latest version of npm, at the time of writing that is npm 5.2.0 see also

The plan I have now to move forward with this is to rename npm-shrinkwrap.json to package-lock.json, then use npm 5.2.0 to update package-lock.json to the updated file format added as part of the npm 5.1.0 release.

This will also help to avoid scenarios where unexpected changes to npm-shrinkwrap.json occur, such as this.

I'm pretty keen on this change as it benefits both contributors and the repo. For contributors, things become a little simpler in that npm install is for the most part the only command you'll ever need to run ever again. For the repo, this change ensures a consistent set of build tool versions across all platforms that install faster than ever before.

#5 @Stephen Edgar
7 months ago

  • Keywords needs-codex added

Also, the codex page needs updating once this change is made.

#6 @Paul Gibbs
4 months ago

@netweb Would be great to conclude this ticket one way or another, please.

#7 @Paul Gibbs
8 weeks ago

@netweb Next week I plan to commit the updated version of npm-shrinkwrap.json caused by running npm install.
I don't know the approach for package-lock.json but if that's something we should do, please try to get this done in the next couple of weeks. Thank you.

#8 @Paul Gibbs
7 weeks ago

  • Milestone changed from Awaiting Contributions to 3.0

#9 @djpaul
7 weeks ago

  • Resolution set to fixed
  • Status changed from accepted to closed

In 11843:

Update npm-shrinkwrap.json

Fixes #7535
