How to update package-lock.json without doing npm install?

Question

Is it a way to update/generate package-lock.json without making real install of node_modules (like npm i)? I just need a valid package-lock.json based on my package.json, that's it.

You (or your colleagues) might use yarn locally, when CI server uses npm. It's probably not a best practice, but still might be for some reasons.

In a perfect world I'd like to have a command to update package-lock.json

Answer 1

npm

As of npm 6.x, you can use the following command:

npm i --package-lock-only

Documentation (https://docs.npmjs.com/cli/install.html) says:

The --package-lock-only argument will only update the package-lock.json, instead of checking node_modules and downloading dependencies.

yarn

As of yarn 3.0.0, you can use the following command:

yarn install --mode update-lockfile

Documentation (https://yarnpkg.com/cli/install#options-mode%20%230) says:

If the --mode=<mode> option is set, Yarn will change which artifacts are generated.

update-lockfile will skip the link step altogether, and only fetch packages that are missing from the lockfile (or that have no associated checksums). This mode is typically used by tools like Renovate or Dependabot to keep a lockfile up-to-date without incurring the full install cost.

As of Sep. 10, 2019: yarn doesn't seem to support generating a lock-file without installing the modules. Relevant GitHub issue: https://github.com/yarnpkg/yarn/issues/5738

Answer 2

I don't have enough reputation to comment, so just add an answer :)

In addition to Teh's answer, for Yarn now you can:

yarn install --mode update-lockfile

Documentation: https://yarnpkg.com/cli/install#options-mode%20%230

update-lockfile will skip the link step altogether, and only fetch packages that are missing from the lockfile (or that have no associated checksums). This mode is typically used by tools like Renovate or Dependabot to keep a lockfile up-to-date without incurring the full install cost.