Netlify ignoring package.json versioning, forcibly installing @latest npm packages instead

I’m running a Gridsome (Vue based Gatsby) powered JAMstack site that uses Forestry as a CMS.

Gridsome updated their package from 0.6.7 to 0.6.8 over the weekend. At this point of time, I did not update Gridsome to 0.6.8 in my local environment.

On Monday a collaborator added a post via Forestry to the site. When Netlify caught the changes and rebuilt the site, it installed Gridsome 0.6.8 despite Gridsome in my package.json being set to use to 0.6.7.

I noticed this happening the last few times Gridsome updated, but it didn’t cause any problems until yesterday when the builds started to fail. The site would have updated without any issues if Netlify installed the same version of Gridsome specified in my package.json. I went in and updated my site to be compatible with 0.6.8, but I can’t take immediate action to every time a developer updates a package I use in my project.

Is this the way Netlify handles installing npm packages by default? Is there something I can do to ensure that the dependencies in my package.json are the same version that Netlify is installing on their end?

Could you share your package.json with us here (or if instead you use yarn, yarn.lock)? And if you have do not have yarn.lock but DO have a package-lock.json, would be good to see it too.

We intend to respect what you indicate, but if your package.json (or package-lock.json, or yarn.lock) checksum changes, we re-run yarn install or npm install for you and it sounds like you may have had version 0.6 or no version pinned…


Here is a link to the package.json on the connected Github Repository. Looking through the commit history, there are no changes to the file between Aug 9 and Aug 20.

Up until yesterday I had both a yarn.lock and package.lock file in my repository. The yarn.lock file was originally a remnant of the boilerplate that I used to begin this project, but I removed it yesterday while fixing my project. I felt it may have been contributing to the build issue, though there have been no commits to the yarn.lock file since it was originally committed in May. Here is a link to the deleted yarn.lock file.

Hi, @Rotisserie. To summarize, this was upgraded to gridsome 0.6.8 because the package.json file configuration says to do so.

I’m seeing the following in the August 9th version of package.json:

    "gridsome": "^0.6.7",

Because a “caret rule” is used (a rule starting with a ^) the semantic versioning rules apply. Those rules state that this setting allows updates up to (but not including) 0.7.0 for gridsome.

For example:

  • ^0.2.3 := >=0.2.3 <0.3.0


  • ^0.6.7 := >=0.6.7 <0.7.0

There is more complete documentation about this here:

If there are other questions, we are happy to answer.