[BUG] package-lock.json not updated with new dependencies of a workspace package #1984

Closed
sheepsteak opened this issue Oct 18, 2020 · 6 comments
Labels: Bug (thing that needs fixing), Release 7.x (work is associated with a specific npm 7 release)

sheepsteak commented Oct 18, 2020

Current Behavior:

When using workspaces, it seems npm install only detects the dependencies of a workspace package the very first time. Any subsequent changes to the dependencies or devDependencies of a workspace package are ignored.

Expected Behavior:

If a dependency or devDependency is added/changed/removed from the package.json of a workspace package then running npm install should update the package-lock.json file.

Steps To Reproduce:

I made a repository here with instructions - https://github.com/sheepsteak/npm-workspaces-bug.

Environment:

  • OS: macOS Catalina 10.15.7 (19H2)
  • Node: 12.18.2
  • npm: 7.0.2
sheepsteak added the Bug, Needs Triage and Release 7.x labels Oct 18, 2020
ruyadorno added a commit to npm/arborist that referenced this issue Oct 26, 2020
ruyadorno removed the Needs Triage label Oct 26, 2020
@protyposis

As a workaround to (un)install a package I currently delete all node_modules folders, delete the root package-lock.json, run npm install, and merge the new lockfile with the previous one. This of course kills the whole idea of a lockfile.

I experimented a lot with npm@7.0 over the last few days and this is the only issue I couldn't really find an acceptable workaround or fix for.

darcyclarke added this to the OSS - Sprint 19 milestone Nov 5, 2020
ruyadorno added a commit to npm/arborist that referenced this issue Nov 5, 2020
Arborist wasn't checking for any package.json dep changes within its
Link nodes thus preventing users from adding new deps on workspaces.

This changeset fixes it and adds a reify test repro.

Fixes: npm/cli#1984
isaacs added a commit that referenced this issue Nov 6, 2020
* Process deps for all link nodes
* Use junctions instead of symlinks
* Use @npmcli/move-file instead of fs.rename

Fixes: #1984
Fixes: #2079
Fixes: #1923
Fixes: #606
Fixes: #2031
@sheepsteak (Author)

@ruyadorno / @isaacs I've just tried out npm 7.0.9 with the repo above and adding a new package is working now 👍. However, there are still issues:

  • removing a package is still ignored
    • try removing `once` from both `a` and `b` packages and running `npm i`
  • changing a version keeps the old version and installs the new version in `node_modules` of the package
    • try changing `once` to `1.1.1` in both `a` and `b` packages and running `npm i`

I'm not sure if you want a new issue made or just want to reopen this one. I'm happy to make a new one if required.

@ruyadorno (Contributor)

@sheepsteak fyi @isaacs is currently working on a refactor of how @npmcli/arborist handles symlinks and we expect that to fix the remaining issues. Thanks for highlighting these new issues you found, we'll be circling back to make sure all these are working once that code refactor is complete. 😊

@thernstig

@ruyadorno was this supposed to solve this issue as well?

When I update my package.json in a workspace, and issue an npm install in the root, it only updates the top-level package-lock.json and not the workspace-a/package-lock.json. I want workspace-a/package-lock.json to also be updated with the latest status, reason being that in e.g. a Dockerfile we later just want to install workspace-a with an npm ci.

@ruyadorno (Contributor)

Hi @thernstig that sounds like an unsupported usage of npm workspaces, you're not supposed to have a package-lock.json file anywhere else other than the root folder, may I suggest you browse the docs again for more examples: https://docs.npmjs.com/cli/v8/using-npm/workspaces

From the looks of it, I believe you have been changing directories and running install from the workspace dir, e.g: `cd workspace-a && npm install` which is not a supported usage, we have detected over time that users are really confused by that behavior and it is something we're going to be changing very soon (ref: npm/rfcs#343).

That said, may I suggest for now that you just make sure to delete any package-lock.json file that is located inside a child workspace folder and when using versions <=npm@8.3.2 ensure that you're issuing workspaces commands always from the root folder using the `-w` syntax, e.g:

Adding dep `foo` to `workspace-a`:

```
npm install -w ./workspace-a foo
```

Running `build` script in `workspace-b`:

```
npm run -w ./workspace-b build
```

Listing dependencies of `workspace-a`:

```
npm ls -w ./workspace-a
```

@leppaott

Yeah upvote the RFC/feature. The docs say "It's possible to directly add/remove/update dependencies of your workspaces using the [workspace config](https://docs.npmjs.com/cli/v8/using-npm/config#workspace)."

Nowhere does it say DO NOT USE THE NORMAL WAY OF INSTALLING PACKAGES BUT USE THIS.
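
A CI-side check for the lockfile drift this issue reports (dependencies added, removed or changed in a workspace but not reflected in the root package-lock.json) and for the nested lockfiles discussed earlier in the thread, as an added example that is not part of the thread or npm's own code. It assumes the lockfileVersion 2 or later layout, in which the root lockfile's `packages` map has an entry keyed by each workspace folder that mirrors that workspace's dependency fields; the function names and sample data are constructed for illustration.

```javascript
// Added example: sample data below is constructed, not taken from the issue's repo.
const FIELDS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Compare each workspace package.json (keyed by folder) with the root
// lockfile's `packages` entry for that folder (assumed lockfileVersion >= 2).
function lockDrift(lock, manifests) {
  const findings = [];
  for (const [dir, manifest] of Object.entries(manifests)) {
    const locked = (lock.packages || {})[dir];
    if (!locked) {
      findings.push({ dir, kind: "workspace-missing-from-lock" });
      continue;
    }
    for (const field of FIELDS) {
      const want = manifest[field] || {};
      const have = locked[field] || {};
      for (const name of new Set([...Object.keys(want), ...Object.keys(have)])) {
        let kind = null;
        if (!has(have, name)) kind = "added-not-locked";
        else if (!has(want, name)) kind = "removed-still-locked";
        else if (want[name] !== have[name]) kind = "range-changed";
        if (kind) findings.push({ dir, field, name, kind });
      }
    }
  }
  return findings;
}

// A package-lock.json anywhere below the root is a nested lockfile.
function nestedLockfiles(trackedPaths) {
  return trackedPaths.filter((p) => p.endsWith("/package-lock.json"));
}

const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "root", workspaces: ["packages/*"] },
    "packages/a": { name: "a", version: "1.0.0", dependencies: { once: "^1.4.0" } },
    "packages/b": { name: "b", version: "1.0.0", dependencies: { once: "^1.4.0" } },
  },
};
const sampleManifests = {
  "packages/a": { name: "a", dependencies: { wrappy: "^1.0.2" } }, // once removed, wrappy added
  "packages/b": { name: "b", dependencies: { once: "1.1.1" } },    // version changed
};

console.log(lockDrift(sampleLock, sampleManifests));
console.log(nestedLockfiles(["package-lock.json", "packages/a/package-lock.json"]));
```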
