I am very eager to learn what others think about this issue. I typically always use the second approach you describe (first npm i, then npm i [new-package]). That the package-lock.json contents turn out to be different depending on installation order is not really improving my trust in this package versioning/tracking mechanism.
What versions of Node.js and NPM are you currently using?
And what would happen if you:
execute npm i aurelia-direct-router
remove (or rename) the node_modules directory and the package-lock.json file
execute npm i
Would the newly generated package-lock.json file resemble the one from your first or your second scenario?
My understanding of this after thinking and reading about it is that it is because the “aurelia” package and “aurelia-direct-router” actually define different requirements for the versions of the packages they depend on. If I do
npm i aurelia-direct-router
remove package-lock.json and node_modules
npm i
I will get the same as
npm i
npm i aurelia-direct-router
Probably because it will then first resolve the requirements of the aurelia package before aurelia-direct-router. Although the result is weird. So the ‘aurelia’ package defines its dependencies as
"@aurelia/metadata": "2.0.0-alpha.2"
So it requires the exact version of @aurelia/metadata to be 2.0.0-alpha.2.
aurelia-direct-router requires
"@aurelia/metadata": "^2.0.0-alpha.2",
so a version that is compatible with 2.0.0-alpha.2.
So I do not understand why npm then feels like it needs to make it explicit that it uses version 2.0.0-alpha.2 only when that has already been decided by the aurelia package. Feels like an unintended consequence of npm version handling.
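To make the two specifiers in the post concrete, here is an added example (not from this thread or from npm's own code) that implements node-semver's exact-pin and caret-range rules, including the prerelease rule, and shows which versions of a constructed candidate list satisfy `2.0.0-alpha.2` and `^2.0.0-alpha.2` at the same time. The version list and the function names are assumptions made for the example.

```javascript
// Added example, not from the thread: minimal semver check for an exact pin
// ("2.0.0-alpha.2") and a caret range ("^2.0.0-alpha.2") following node-semver:
// ^2.0.0-alpha.2 means >=2.0.0-alpha.2 <3.0.0-0, and a prerelease candidate
// only qualifies when its major.minor.patch equals the range's lower bound.
function parse(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] ? m[4].split('.') : [] };
}

function cmpIds(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return +a - +b;
  if (na !== nb) return na ? -1 : 1; // numeric identifiers sort before alphanumeric ones
  return a < b ? -1 : a > b ? 1 : 0;
}

function compare(a, b) {
  for (const k of ['major', 'minor', 'patch']) if (a[k] !== b[k]) return a[k] - b[k];
  if (!a.pre.length || !b.pre.length) return b.pre.length - a.pre.length; // release > prerelease
  for (let i = 0; i < Math.max(a.pre.length, b.pre.length); i++) {
    if (a.pre[i] === undefined) return -1; // shorter identifier list is lower
    if (b.pre[i] === undefined) return 1;
    const c = cmpIds(a.pre[i], b.pre[i]);
    if (c !== 0) return c;
  }
  return 0;
}

// Exclusive upper bound of a caret range: next major (next minor/patch for 0.x).
function caretUpper(lo) {
  if (lo.major > 0) return { major: lo.major + 1, minor: 0, patch: 0, pre: ['0'] };
  if (lo.minor > 0) return { major: 0, minor: lo.minor + 1, patch: 0, pre: ['0'] };
  return { major: 0, minor: 0, patch: lo.patch + 1, pre: ['0'] };
}

// Does `candidate` satisfy `spec`, where spec is "X.Y.Z[-pre]" or "^X.Y.Z[-pre]"?
function satisfies(candidate, spec) {
  const c = parse(candidate);
  if (!spec.startsWith('^')) return compare(c, parse(spec)) === 0; // exact pin
  const lo = parse(spec.slice(1));
  const sameTuple = c.major === lo.major && c.minor === lo.minor && c.patch === lo.patch;
  if (c.pre.length && !sameTuple) return false; // prerelease on another tuple never matches
  return compare(c, lo) >= 0 && compare(c, caretUpper(lo)) < 0;
}

// Versions from `available` (a constructed list) that every specifier accepts;
// with the pin and the range from the thread together this collapses to the pinned version.
function acceptedByAll(specs, available) {
  return available.filter(v => specs.every(s => satisfies(v, s)));
}
```

Running `acceptedByAll(['2.0.0-alpha.2', '^2.0.0-alpha.2'], versions)` over any list of versions leaves only `2.0.0-alpha.2`, which is why the lock file's resolved version is fixed regardless of which range npm looks at first.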