About npm publish: Something you may not know.
The `npm publish` command publishes a JS package to a private or public registry. However, I had previously overlooked how the lock file is handled during publishing, for example the processing of the `resolutions` field. Here I organize the issues I have learned.
Package publish without package-lock.json
- When developing a JS package, we need to keep `package-lock.json` under VCS management, but the lock file will not be published when using `npm publish`.
- When we execute `npm install` in a specific project, the lock file of the top-level package (i.e., the target project) is used to install the exact versions it records. The lock files included in the dependent packages, however, are ignored.
Including lock file in published package?
- With npm cli >=v6, `package-lock.json` will not be published regardless of whether it is listed in the `files` whitelist of `package.json`. Under the older CLI, however, it can be published through a whitelist configuration.
- Testing with v6 will show this issue. From the official version history it can be seen that, for example, the default npm CLI of Node v8 is v6, and trying that version can reproduce this issue.
preinstall execution with resolutions not working
Sometimes `resolutions` are used to control the versions of indirect dependencies, and the command that applies them is configured to run in the `preinstall` hook. However, as mentioned above, the published package does not include the lock file, so this hook needs to be removed before publishing; otherwise `npm install` in the actual consuming project will fail with an error that the lock file cannot be found.
"scripts": {
Inspecting the packaged content with npm pack
Sometimes you want to see what the published NPM package will contain: run `npm pack` in the project directory to generate the tarball that `npm publish` would upload, then check its contents. If you want to use the development package directly for debugging in a specific project, use `npm link`.