What is the point of having resolved URL in package-lock.json?

node.js npm package-lock.json
Lukáš Havrlant picture Lukáš Havrlant · Dec 17, 2018 · Viewed 11.2k times · Source

whenever I generate a package-lock file, there is also "resolved" block that looks like this:

"resolved": "http://devel.npm.registry:4873/lodash/-/lodash-4.17.5.tgz"

What is the point of this URL? Later, if I try to install dependencies based on this package-lock, do I need to use the same npm registry? Because we use a different npm registry for local development and for production builds. Thus when I develop, I use devel.npm.registry, but the CI tool uses production.npm.registry. According to my tests, the URL doesn't matter (I tried [email protected]). But it is current implementation that's gonna change soon or is the URL intentionally ignored? I have the feeling that some of the previous versions of npm actually checked the resolved URLs.

The documentation isn't much helpful in this case.

Answer

Lukáš Havrlant picture Lukáš Havrlant · Dec 18, 2018

I found some articles on the web regarding this question. Follow the links:

npm uses a JSON as a format for the lock file. The good news is since [email protected] ignores the resolved field on package-lock.json file and basically fallback to the one defined in the .npmrc or via --registry argument using the CLI in case is exist, otherwise, it will use the defined in the resolved field.

https://medium.com/verdaccio/verdaccio-and-deterministic-lock-files-5339d82d611e

Another day, another tweet about #npm5 goodies.

npm is now agnostic about which registry you used to generate the package-lock.json.

https://twitter.com/maybekatz/status/862834964932435969

The purpose of resolved in package-lock.json is to bypass the dependency resolution step (fetching metadata) when you are missing packages. integrity is to verify that you're getting the same thing. Without the resolved field, uncached installations can break due to metadata changes, and they'll also be significantly slower because we have to do a full metadata fetch before we can actually download anything.

Note that package-lock.json does not allow different packages to be fetched from different registries. Even if you have a package lock with different packages using different resolved fields, all of the packages will always be fetched from whatever your current registry= setting is, in npmrc. resolved fields that do not match the configured registry will go through the (slower) metadata fetching I mentioned above, but will still be fetched only from the current registry.

https://github.com/npm/npm/issues/16849#issuecomment-312442508

Related questions

Why does "npm install" rewrite package-lock.json?

I just recently upgraded to npm@5. I now have a package-lock.json file with everything from package.json. I would expect that, when I run npm install that the dependency versions would be pulled from the lock file to determine …

Read More
Is there a way to force npm to generate package-lock.json?

I deleted it by accident and have made many changes to package.json since. An npm install or npm update do not generate package-lock.json anymore. I tried clearing my npm cache and my nvm cache, but nothing seems to …

Read More
Deleting `package-lock.json` to Resolve Conflicts quickly

In a team set up, usually, I have faced merge conflicts in package-lock.json and my quick fix has always been to delete the file and regenerate it with npm install. I have not seriously thought about the implication of …

Read More