[BUG] npm install delivers different package-lock second time run with overrides

[miWatch10]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Recreating your package-lock.json (rm -rf node_modules package-lock.json; npm i) then follow it with an npm i on a package.json with npm overrides set (https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides) gives you different package-lock.json output (causing git churn for any one else in your repository)

Same thing happens with running npm update on a repository with npm overrides, followed by npm i

For examples, see the commits at https://github.com/miWatch10/renovate-overrides/pull/4/commits

There are 4 listed:

• rm -rf node_modules package-lock.json; npm i
• npm i
• npm update
• npm i

Each of which churn the package-lock.json back and forth. I would expect them to all have the same results (since there was no packages actually changed)

Expected Behavior

Running npm i after a rebuild of package-lock.json or after an npm update would not change/churn the package-lock.json --- instead would be consistent.

Steps To Reproduce

1. In a clean repository
2. Have a package.json using an overrides
3. run rm -rf node_modules package-lock.json; npm i
4. do a git add and commit
5. run npm i
6. do a git add and commit
7. Notice the package-lock.json has changed in step 5

Or

1. In a clean repository
2. Have a package.json using an overrides
3. run npm update
4. do a git add and commit
5. run npm i
6. do a git add and commit
7. Notice the package-lock.json has changed in step 5

Environment

• npm: 8.10.0
• Node.js: v16.15.0
• OS Name: Mac
• System Model Name: Macbook Pro

[miWatch10]

@nlf at one point someone thought this was related to #4889. Will your PR for that address this one?

Doesn't look like it per the PR (which is about shrinkwrapped), but wanted to confirm --- in this case, running npm i clean doesn't do overrides, but a second run does.

[nlf]

i don't think that will be related to your issue here. i'll be looking into this one soon, though

[KrayzeeKev]

I'm seeing the same thing:

  "overrides": {
    "[email protected]": "^3.0.0"
  }

npm install gives me [email protected]. npm update doesn't change anything. Subsequent npm install gives me [email protected], and it toggles each time you run npm install
(Node V16.14, npm 8.11)