[BUG] package-lock.json not updated with new dependencies of a workspace package

[sheepsteak]

Current Behavior:

When using workspaces, it seems npm install only detects the dependencies of a workspace package the very first time. Any subsequent changes to the dependencies or devDependencies of workspace package are ignored.

Expected Behavior:

If a dependency or devDependency is added/changed/removed from the package.json of workspace package then running npm install should update the package-lock.json file.

Steps To Reproduce:

I made a repository here with instructions - https://github.com/sheepsteak/npm-workspaces-bug.

Environment:

• OS: macOS Catalina 10.15.7 (19H2)
• Node: 12.18.2
• npm: 7.0.2

[protyposis]

As a workaround to (un)install a package I currently delete all node_modules folders, delete the root package-lock.json, run npm install, and merge the new lockfile with the previous one. This of course kills the whole idea of a lockfile.

I experimented a lot with npm@7.0 over the last few days and this is the only issue I couldn't really find an acceptable workaround or fix for.