Since this thread is pretty old, can you confirm a bit more about your use case, @p-ob ? My understanding (which is not expert!) of the current situation is that:
- if you have a `package.json` with exact versions we should always follow it, regardless of package-lock.json
- whether you do or don’t have a package-lock.json, `npm ci` should never update dependencies vs what’s in the build cache (?), vs `npm install` will always try to install the latest spec that matches what is in package.json (e.g. version “5” will go to latest x, and latest y within x, for 5.x.y).
I am curious though - if you have a package.json with the exact right versions specified, I would think npm install does the right thing, regardless of any other situation. Is that not what you experience in our CI? If not, could you elaborate a bit more on what happens? If so, could you explain a bit more about your use case that requires older versions that you aren’t willing to “lock” in package.json directly, which should remove any difference in behavior?
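As an added example that is not part of the thread, this script checks the point raised above: it flags every `package.json` dependency spec that is not an exact pin (and so can float under `npm install`) and compares exact pins against the version recorded in `package-lock.json`. The `auditDeps` function and both sample inputs are constructed here for illustration.

```javascript
// Added example: audit package.json specs for exactness and compare them
// with the versions resolved in package-lock.json. Inputs are constructed.
// Only "x.y.z" (with optional prerelease/build suffix) counts as exact;
// "^", "~", ">=", bare "5" or "*" are ranges that npm install may float.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function auditDeps(pkg, lock) {
  const findings = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const exact = EXACT.test(spec);
      // lockfileVersion 2/3 list packages under "packages" keyed by path;
      // lockfileVersion 1 used a top-level "dependencies" map.
      const entry =
        (lock.packages && lock.packages[`node_modules/${name}`]) ||
        (lock.dependencies && lock.dependencies[name]);
      const locked = entry ? entry.version : null;
      const finding = { section, name, spec, locked, exact };
      if (!exact) finding.issue = "range spec: npm install may pick a newer version";
      else if (!locked) finding.issue = "not present in package-lock.json";
      else if (locked !== spec) finding.issue = "lockfile disagrees with exact pin";
      findings.push(finding);
    }
  }
  return findings;
}

// Constructed sample package.json and package-lock.json (lockfileVersion 3).
const samplePkg = {
  dependencies: { lodash: "4.17.21", express: "^4.18.0", debug: "5" },
  devDependencies: { jest: "29.7.0" },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/lodash": { version: "4.17.21" },
    "node_modules/express": { version: "4.18.2" },
    "node_modules/debug": { version: "5.0.1" },
    "node_modules/jest": { version: "29.6.4" },
  },
};

// Return only the entries that need attention; print them when run directly.
function problems(pkg, lock) {
  return auditDeps(pkg, lock).filter((f) => f.issue);
}
for (const f of problems(samplePkg, sampleLock)) {
  console.log(`${f.section}/${f.name}: spec=${f.spec} locked=${f.locked} -> ${f.issue}`);
}
```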