Node.js
GF, 2021-12-01 16:59:54

Why does npm install packages other than those specified in package-lock.json?

node -v
v17.2.0

npm -v
8.1.4

package.json

{
  "name": "untitled2",
  "version": "0.0.0",
  "private": true,
  "devDependencies": {
    "stylelint": "^14.1.0"
  }
}


npm i
npm list postcss

└─┬ [email protected]
├─┬ [email protected]
│ └── [email protected] deduped
└── [email protected] (why is version 8.4.4 here???)

generated package-lock.json

"node_modules/stylelint/node_modules/postcss": {
      "version": "8.4.4"
}


At the same time, in the stylelint repository itself (main branch release 14.1.0)
in package-lock.json, the postcss version is 8.3.11.
https://github.com/stylelint/stylelint/blob/fcd5ac...

Here is a link to package.json so that the lock does not load for a long time
https://github.com/stylelint/stylelint/blob/fcd5ac...

Where does npm get 8.4.4 from?


1 answer(s)
Vitaly, 2021-12-01
@vshvydky

So that npm does not try to update versions but builds from the local file, you must use the npm ci command.
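
An added example (not part of the original answer, and not npm's own code): a Node.js script that reads a project's own package-lock.json, the file `npm ci` installs from, and lists every pinned copy of a package together with the ranges its dependents declare. The `sampleLock` object, the `@example/tool` package and all ranges in it are constructed, and the lockfileVersion 2/3 `packages` layout is assumed.

```javascript
// Constructed sample shaped like an npm 7+ lockfile (lockfileVersion 2/3).
// Package "@example/tool" and all version ranges are assumptions for the demo.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "untitled2", version: "0.0.0", devDependencies: { stylelint: "^14.1.0" } },
    "node_modules/stylelint": { version: "14.1.0", dependencies: { postcss: "^8.3.11" } },
    "node_modules/stylelint/node_modules/postcss": { version: "8.4.4" },
    "node_modules/@example/tool": { version: "1.0.0", dependencies: { postcss: "^7.0.0" } },
    "node_modules/postcss": { version: "7.0.39" },
  },
};

const MARK = "node_modules/";

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> null.
function nameFromPath(path) {
  const i = path.lastIndexOf(MARK);
  return i === -1 ? null : path.slice(i + MARK.length);
}

// Every installed copy of `name` that the lockfile pins, with its exact version.
function pinnedCopies(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => nameFromPath(path) === name)
    .map(([path, entry]) => ({ path, version: entry.version }))
    .sort((a, b) => a.path.localeCompare(b.path));
}

// Every range that some package recorded in the lockfile declares for `name`.
function declaredRanges(lock, name) {
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    for (const f of fields) {
      if (entry[f] && Object.prototype.hasOwnProperty.call(entry[f], name)) {
        out.push({ from: path || "(root project)", range: entry[f][name] });
      }
    }
  }
  return out;
}

// True when more than one distinct version of `name` is pinned in the tree.
function hasVersionDrift(lock, name) {
  return new Set(pinnedCopies(lock, name).map((c) => c.version)).size > 1;
}

console.log(pinnedCopies(sampleLock, "postcss"), declaredRanges(sampleLock, "postcss"));
```

To audit a real project, replace `sampleLock` with `JSON.parse(require("fs").readFileSync("package-lock.json", "utf8"))`.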
