Wasting Time with npm5 and its package-lock.json File

I love the new npm5. It brings about speed, a new succinct install format, new commands, a new deterministic install setup, and a bunch of other goodies.

However, as it usually goes with new software, we occasionally end up with bugs and unlearned concepts which end up costing us time. In my case, it was the mandatory introduction of package-lock.json. A file that indirectly impacts the command npm install.

In short, package-lock.json ensures that when the user runs npm install they will get a deterministic tree of dependencies. This tree is determined by the author who first runs npm install and commits the package-lock.json to whatever source repository is being used.

Now, the error for me occurred when I upgraded to npm5 and was simultaneously experimenting with gulp4. Running npm install github:gulpjs/gulp#4.0 didn't work, the gulp dependencies weren't being installed and for that reason I was getting errors about missing dependencies. After some time I came to the realization that package-lock.json was causing the issue since it had been generated while I had gulp3.

So, the solution became quite apparent, simply generate a new package-lock.json file by removing the existing package-lock.json file and running npm install, or in bash terms:

$ rm package-lock.json && npm install


dark/light theme