Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
If there is a pre-existing package-lock.json that has a defined package version number, and package.json is updated to remove the version number, then running npm install does not result in the version number being removed from package-lock.json. package-lock.json incorrectly retains the old package version number.
Expected Behavior
- If the version number is removed from package.json, then after running `npm install`, the version number should be removed from the package in package-lock.json.
- Considering the case of a package with no dependencies and no version number, the package-lock.json generated from the starting point of no package-lock.json should be the same as the package-lock.json generated when a package with a version number and no dependencies has its version number removed.
Steps To Reproduce
Create a package.json with no version and no dependencies:

```json
{
  "name": "test-package",
  "private": true,
  "description": "A test package",
  "license": "UNLICENSED",
  "author": "test author"
}
```

Install it:

```
npm install --package-lock-only
```

This produces a package-lock.json with no version number, as expected:
```json
{
  "name": "test-package",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "test-package",
      "license": "UNLICENSED"
    }
  }
}
```

Update package.json to include a version number:
```json
{
  "name": "test-package",
  "version": "1.0.0",
  "private": true,
  "description": "A test package",
  "license": "UNLICENSED",
  "author": "test author"
}
```

Install it:

```
npm install --package-lock-only
```

This produces a package-lock.json with the version number, as expected:
```json
{
  "name": "test-package",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "test-package",
      "version": "1.0.0",
      "license": "UNLICENSED"
    }
  }
}
```

Now update the package version number in package.json. The new package.json is:
```json
{
  "name": "test-package",
  "version": "1.0.1",
  "private": true,
  "description": "A test package",
  "license": "UNLICENSED",
  "author": "test author"
}
```

Update package-lock.json to reflect the change:

```
npm install --package-lock-only
```

The package-lock.json file is updated to have the new version number, as expected:
```json
{
  "name": "test-package",
  "version": "1.0.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "test-package",
      "version": "1.0.1",
      "license": "UNLICENSED"
    }
  }
}
```

Now decide to go back to a versionless package, removing the version from package.json. Update (revert) package.json to:
```json
{
  "name": "test-package",
  "private": true,
  "description": "A test package",
  "license": "UNLICENSED",
  "author": "test author"
}
```

Update package-lock.json to reflect the change:

```
npm install --package-lock-only
```

At this point, package-lock.json should be updated to have the version number removed, and so look like this (just as it did when it was first installed with no version number specified and no package-lock.json present):
```json
{
  "name": "test-package",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "test-package",
      "license": "UNLICENSED"
    }
  }
}
```

However, the actual contents of package-lock.json are:
```json
{
  "name": "test-package",
  "version": "1.0.1",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "test-package",
      "license": "UNLICENSED"
    }
  }
}
```

The top-level version number is still present, despite having been removed from package.json (note that the `packages[""]` entry did lose its version, so the two halves of the lockfile now disagree with each other as well as with package.json).
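The stale top-level `version` shown above is easy to miss in review because the `packages[""]` entry looks correct. The following is an added example, not code from this issue or from npm itself: a small consistency check that compares the root fields of package.json against both places a lockfileVersion 3 file records them (the top level and the `packages[""]` entry) and reports any field where the two files disagree. The sample manifest and lockfiles are constructed from the JSON documents in this report; `findLockfileDrift` and `describeDrift` are hypothetical helper names.

```javascript
// Added example (not npm's code): flag root-level fields in package-lock.json
// that no longer agree with package.json. A lockfile that carries stale
// metadata was not regenerated cleanly and is worth a second look before it
// is committed, since CI and audit tooling trust what the lockfile says.

// Fields that lockfileVersion 2/3 copies to the top level of the lockfile.
const TOP_LEVEL_FIELDS = ['name', 'version'];
// Fields that the root package entry (packages[""]) copies from the manifest.
const ROOT_ENTRY_FIELDS = ['name', 'version', 'license'];

// Compare one field between the manifest and a lockfile location.
// A field that is absent in both is consistent; absent in only one is drift.
function compareField(where, field, manifestValue, lockValue, findings) {
  if (manifestValue !== lockValue) {
    findings.push({ where, field, manifest: manifestValue, lockfile: lockValue });
  }
}

// Returns an array of drift findings; an empty array means the root of the
// lockfile agrees with package.json on every tracked field.
function findLockfileDrift(pkg, lock) {
  const findings = [];
  const rootEntry = (lock.packages && lock.packages['']) || {};
  for (const field of TOP_LEVEL_FIELDS) {
    compareField('top-level', field, pkg[field], lock[field], findings);
  }
  for (const field of ROOT_ENTRY_FIELDS) {
    compareField('packages[""]', field, pkg[field], rootEntry[field], findings);
  }
  return findings;
}

// Human-readable lines for a findings array.
function describeDrift(findings) {
  return findings.map(
    (f) =>
      `${f.where} "${f.field}": package.json has ${JSON.stringify(f.manifest)}, ` +
      `package-lock.json has ${JSON.stringify(f.lockfile)}`
  );
}

// Constructed sample input: the versionless manifest from the report.
const SAMPLE_MANIFEST = {
  name: 'test-package',
  private: true,
  description: 'A test package',
  license: 'UNLICENSED',
  author: 'test author',
};

// Constructed sample input: the lockfile actually produced (stale version).
const STALE_LOCKFILE = {
  name: 'test-package',
  version: '1.0.1',
  lockfileVersion: 3,
  requires: true,
  packages: { '': { name: 'test-package', license: 'UNLICENSED' } },
};

// Constructed sample input: the lockfile the report expected.
const CLEAN_LOCKFILE = {
  name: 'test-package',
  lockfileVersion: 3,
  requires: true,
  packages: { '': { name: 'test-package', license: 'UNLICENSED' } },
};

const staleFindings = findLockfileDrift(SAMPLE_MANIFEST, STALE_LOCKFILE);
console.log(describeDrift(staleFindings).join('\n') || 'no drift');
console.log(describeDrift(findLockfileDrift(SAMPLE_MANIFEST, CLEAN_LOCKFILE)).join('\n') || 'no drift');
```

Run against the two files with `JSON.parse(fs.readFileSync(...))` on a real checkout, the check prints one line for the stale lockfile (top-level `version` is `"1.0.1"` while package.json has none) and `no drift` for the expected one; wiring it into a pre-commit hook or CI step catches this class of stale-metadata lockfile regardless of which npm behaviour produced it.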
Environment

- npm: 11.6.4
- Node.js: 11.6.4
- OS Name: Ubuntu 24.04.3 LTS
- System Model Name: Irrelevant I think (VM)
- npm config:

```
; node bin location = /usr/local/bin/node
; node version = v24.11.1
; npm local prefix = /home/some-user
; npm version = 11.6.4
; cwd = /home/some-user
; HOME = /home/some-user
; Run `npm config ls -l` to show all defaults.
```