The issue is that when working in a team, with multiple different machines, and potentially different setups such as different Node and NPM versions, the generated package-lock.json can differ from machine to machine, triggering the source control system to mark the file as having been modified, even if the developer merely installed NPM packages via the npm install command.
What happened on two of the machines I work with was that one machine was using SHA-1, while the other was using SHA-512, despite the fact both machines were running the same versions of Node and NPM.
As you can imagine, this is an annoying problem to have. So here’s the solution.
- Ensure all team members use the same Node and NPM versions. Check with `node -v` and `npm -v` (and install matching versions if different).
- Revert any changes made to the `package-lock.json` file (only this file).
- Delete the `node_modules` folder.
- Run `npm cache clean --force` in terminal.
- Run `npm install`.
If all went as expected, you should not see any change made to the package-lock.json file after package installation completes.
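
To confirm that a modified lockfile differs only in the hash algorithm (the SHA-1 versus SHA-512 symptom described above), the following added example, which is not code from the original post, compares two parsed lockfiles and lists entries whose version is unchanged but whose `integrity` algorithm differs. The function names, package names and hash values are constructed for illustration.

```javascript
// Hash algorithm(s) per lockfile entry. Handles lockfileVersion 1 (nested
// "dependencies") and 2/3 (flat "packages").
function integrityAlgorithms(lock) {
  const out = new Map();
  const record = (key, entry) => {
    if (!entry.integrity) return; // e.g. the root project entry has none
    // An SRI string may hold several space-separated "<algo>-<base64>" hashes.
    const algos = entry.integrity.trim().split(/\s+/).map((h) => h.split('-')[0]);
    out.set(key, { version: entry.version, algos: algos.sort().join('+') });
  };
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) record(path, entry);
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const key = `${prefix}node_modules/${name}`;
      record(key, entry);
      walk(entry.dependencies, `${key}/`); // v1 nests conflicting versions here
    }
  };
  walk(lock.dependencies, '');
  return out;
}

// Same package, same version, different hash algorithm: the noise diff
// described in the post. A real version change is deliberately not reported.
function algorithmOnlyChanges(committedLock, localLock) {
  const before = integrityAlgorithms(committedLock);
  const changes = [];
  for (const [key, now] of integrityAlgorithms(localLock)) {
    const was = before.get(key);
    if (was && was.version === now.version && was.algos !== now.algos) {
      changes.push({ package: key, version: now.version, from: was.algos, to: now.algos });
    }
  }
  return changes;
}

// Constructed sample lockfiles (hypothetical packages, placeholder hashes).
const committed = { lockfileVersion: 1, dependencies: {
  'example-a': { version: '1.3.0', integrity: 'sha512-AAAA' },
  'example-b': { version: '3.0.1', integrity: 'sha512-BBBB',
    dependencies: { 'example-c': { version: '6.0.0', integrity: 'sha512-CCCC' } } } } };
const local = { lockfileVersion: 1, dependencies: {
  'example-a': { version: '1.3.0', integrity: 'sha1-DDDD' },
  'example-b': { version: '3.0.1', integrity: 'sha512-BBBB',
    dependencies: { 'example-c': { version: '6.0.0', integrity: 'sha1-EEEE' } } } } };
console.log(algorithmOnlyChanges(committed, local));
```

In practice, parse the committed file (for example the output of `git show HEAD:package-lock.json`) and the working copy with `JSON.parse` and pass both objects in. An empty result after the steps above means no entry changed hash algorithm.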