
[BUG] The lock file ignores changes in package.json #3376

Closed
1 task done
aleksey-hoffman opened this issue Jun 6, 2021 · 1 comment
Labels
Release 7.x work is associated with a specific npm 7 release Wontfix this will not be worked on

Comments

@aleksey-hoffman

aleksey-hoffman commented Jun 6, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

The npm install command does not synchronize package versions between package.json and lock files.

The lock file ignores changes in package.json which makes it impossible to safely upgrade / downgrade a package directly from package.json.

This issue is present in all NPM projects and it's been discussed since 2017: npm/npm#16866
The issue was closed but never resolved. As people mentioned there, the package.json file should be the source of truth and the lock file should sync on either npm install or npm update.

Expected Behavior

Be able to upgrade / downgrade packages by changing the version directly in package.json and then running either npm install

Steps To Reproduce

  1. Change the package version of any module in package.json: `"vue": "^2.6.12"` => `"vue": "^2.6.13"`
  2. Run `npm install`
  3. Try to downgrade back to 2.6.12 by changing package.json again
  4. Run `npm install`
  5. The project is still using 2.6.13 since the lock file didn't sync

Environment

  • OS: x64 Win 10 21H1
  • Node: 15.14.0
  • npm: 7.13.0
@aleksey-hoffman aleksey-hoffman added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Jun 6, 2021
@ruyadorno
Contributor

Hi @aleksey-hoffman thank you for taking the time to write this report.

The expected behavior of an `npm install` is to respect lock files; with that in mind I don't see any unexpected behavior.

From what I understood of your reported "Expected Behavior", I would rather recommend using `npm install <pkg>@<version>`; from your example that should be `npm install vue@2.6.12`. This should successfully downgrade/upgrade any package in node_modules, package.json and package-lock.json.

@ruyadorno ruyadorno added Wontfix this will not be worked on and removed Bug thing that needs fixing Needs Triage needs review for next steps labels Mar 3, 2022
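The reproduction steps above and the reply both turn on one question: does the version pinned in package-lock.json still satisfy the range declared in package.json? The script below is an added example (not code from the npm project or from either participant) that answers that question for every declared dependency, using a minimal semver matcher for exact, `^`, `~`, `>=` and `*` ranges and a lockfileVersion 2 layout (the `packages` map with `node_modules/<name>` keys that npm 7 writes). The package.json and lockfile contents are constructed sample data, as are the package names other than `vue` from the report.

```javascript
// Drift check between package.json ranges and package-lock.json pins.
// Added example with constructed sample data; not from the npm project.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Exclusive upper bound of a caret range (semver rules):
// ^1.2.3 -> <2.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpper([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

// Minimal satisfies(): enough for the ranges typically found in package.json.
function satisfies(version, range) {
  const v = parseVersion(version);
  const r = range.trim();
  if (r === '*' || r === '') return true;
  if (r.startsWith('^')) {
    const lo = parseVersion(r.slice(1));
    return cmp(v, lo) >= 0 && cmp(v, caretUpper(lo)) < 0;
  }
  if (r.startsWith('~')) {
    const lo = parseVersion(r.slice(1));
    return cmp(v, lo) >= 0 && cmp(v, [lo[0], lo[1] + 1, 0]) < 0;
  }
  if (r.startsWith('>=')) return cmp(v, parseVersion(r.slice(2))) >= 0;
  return cmp(v, parseVersion(r.replace(/^=/, ''))) === 0; // exact pin
}

// Compare each declared dependency with its lockfile pin. Returns the
// entries that disagree: locked is null when the lockfile has no entry.
function findDrift(pkg, lock) {
  const declared = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const packages = (lock && lock.packages) || {};
  const drift = [];
  for (const [name, range] of Object.entries(declared)) {
    const entry = packages[`node_modules/${name}`];
    if (!entry) { drift.push({ name, range, locked: null }); continue; }
    if (!satisfies(entry.version, range)) drift.push({ name, range, locked: entry.version });
  }
  return drift;
}

// Constructed sample lockfile: vue was last resolved to 2.6.13.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/vue': { version: '2.6.13' },
    'node_modules/lodash': { version: '4.17.21' },
  },
};

// Step 3 of the report as written: "^2.6.12" is still satisfied by 2.6.13,
// so the lockfile is consistent and there is nothing for npm to re-resolve.
const SAMPLE_PKG_CARET = { dependencies: { vue: '^2.6.12', lodash: '^4.17.20' } };

// An exact pin does disagree with the lock, and left-pad (constructed) is
// declared but absent from the lockfile entirely.
const SAMPLE_PKG_EXACT = {
  dependencies: { vue: '2.6.12', lodash: '^4.17.20' },
  devDependencies: { 'left-pad': '~1.3.0' },
};

for (const [label, pkg] of [['caret range', SAMPLE_PKG_CARET], ['exact pin', SAMPLE_PKG_EXACT]]) {
  const drift = findDrift(pkg, SAMPLE_LOCK);
  console.log(`${label}: ${drift.length === 0 ? 'lockfile consistent' : JSON.stringify(drift)}`);
}
```

To run this against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package.json', 'utf8'))` and the same for package-lock.json. The caret case shows why the reporter saw 2.6.13 after restoring `^2.6.12`: the locked version still satisfies the declared range, so respecting the lockfile is the consistent outcome. In CI, `npm ci` refuses to install when package.json and the lockfile disagree, which makes the exact-pin case a hard failure rather than a silent resolution.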