[rezonant]

> if the package.json is using relative version number

What do you mean by this? You can specify dependency versions using "^" which means "I accept new minor and patch versions" or "~" which says "I accept new patch versions", or a bare version to say I want an exact version; but none of those have anything to do with a bare "npm install" command. They are relevant when you install a new package, with "npm install <package>". That is a totally different operation, and it absolutely can update versions when needed.

However, when you just do "npm install" it does not update your package-lock.json to the latest version that matches your semver requirements in package.json. That will only happen if you install a new package that needs it or you use `npm update` or some other command.

This is easy to test but it's also intuitively correct- you don't expect to run `npm install` and have an uncommitted change to `package-lock.json` appear, and that does not happen in normal usage.

It is kind of unfortunate that "npm install" and "npm install <package>" use the same verb of "install" for two different things- other package managers don't make this mistake and it avoids the sort of misconception we're running into here.

[fendy3002]

Exactly what I said, I have experience with ~ but not with ^ and have never used it. Let's say that you have a package version ~1.2.11 and have 1.2.11 as installed version in package lock. Then if let's say 1.2.13 is out there, npm install will update package lock to that one. npm ci won't change that. package.json file will kept unchanged though.

[rezonant]

No, "npm install" doesn't actually do that. In the situation you are talking about, "npm install" and "npm ci" behave the same.

It makes sense that they behave the same here right? What is the point of a package lock if just installing packages on a new copy of a codebase updates the dependencies?

Package locks aren't just about deploying: As a developer, I need to be assured that the code I'm running is the same as my coworker.

[fendy3002]

Hmm weird, I remember it changed on the older version though, which is why npm ci is introduced.

[rezonant]

Yes I think you are right when NPM first introduced it, which was in NPM 5 [1]. At that time package locks were new.

Node 16 shipped with NPM 8, and by then this was not the behavior any more. I don't remember exactly when, but I believe it might've been in NPM 7 when this changed. Node 15 would have been the first release to ship with at least NPM 7 [2]

EDIT: Node 16.0.0 shipped with NPM 7.8.0

https://github.com/nodejs/node/blob/main/doc/changelogs/CHAN...

EDIT 2: A StackOverflow confirming NPM 5 behaved the way you remember: https://stackoverflow.com/questions/45022048/why-does-npm-in...

EDIT 3: And, as that SO documents, 5.4.2 changed the behavior to prevent this, here's the GitHub issue: https://github.com/npm/npm/issues/17979#issuecomment-3327012...

Honestly no guarantees it worked as intended right at that release, but the intention is clear.

EDIT 4: I realize that the following may present retort but it matches my mental model perfectly:

> If you manually edit your package.json to have different ranges and run npm i and those ranges aren't compatible with your package-lock.json then the latter will be updated with version that are compatible with your package.json. Further runs of npm i will be as with 2 above.

This is what I've mentioned elsewhere: You should not update package.json's versions and deploy it and expect that versions won't change when NPM install runs. In fact, npm ci will just fail in this situation, which is a Good Thing (TM), and is documented as such.

LAST EDIT SRSLY:

It is conceivable, especially given OPs other red flags, that perhaps they were on an older Node/NPM like Node 14.

That's another practice that I regularly do, pin NPM itself in deploy scripts. While I was using Node 14, I was using NPM 8, because you can just "npm i npm@8 -g" to upgrade your NPM regardless of Node version.

[1] https://blog.npmjs.org/post/171556855892/introducing-npm-ci-...

[2] https://nodejs.org/en/about/previous-releases

[fendy3002]

Woah thanks for very detailed answer! So yeah it's an old behavior then.