Node.js NPM5忽略包锁

我正在尝试升级到NPM5并锁定文件

现在我有了这个package.json：

{
  "name": "typescript-test",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "build": "./node_modules/gulp/bin/gulp.js build",
    "apidoc": "./node_modules/gulp/bin/gulp.js apidoc",
    "watchApi": "BLUEBIRD_DEBUG=1 ./node_modules/gulp/bin/gulp.js watchApi",
    "watchMqtt": "./node_modules/gulp/bin/gulp.js watchMqtt",
    "test-debug": "NODE_ENV=test ./node_modules/mocha/bin/mocha --no-timeouts --debug-brk release/js/api/test/e2e/**/*.js",
    "test": "___BLUEBIRD_DEBUG=1 ./node_modules/gulp/bin/gulp.js test",
    "migrate": "./node_modules/sequelize-cli/bin/sequelize db:migrate",
    "migrate:undo": "./node_modules/sequelize-cli/bin/sequelize db:migrate:undo"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "@types/bcrypt": "0.0.30",
    "@types/bluebird": "^3.0.35",
    "@types/body-parser": "0.0.33",
    "@types/config": "0.0.30",
    "@types/dateformat": "^1.0.1",
    "@types/expect.js": "^0.3.29",
    "@types/express": "^4.0.33",
    "@types/lodash": "^4.14.37",
    "@types/minimist": "^1.1.29",
    "@types/mocha": "^2.2.32",
    "@types/mongoose": "^4.7.11",
    "@types/mqtt": "0.0.32",
    "@types/mysql": "0.0.31",
    "@types/node-schedule": "0.0.36",
    "@types/nodemailer": "^1.3.32",
    "@types/passport": "^0.2.32",
    "@types/passport-http-bearer": "^1.0.30",
    "@types/passport-local": "^1.0.29",
    "@types/sequelize": "^4.0.38",
    "@types/sequelize-fixtures": "^0.4.29",
    "@types/should": "^8.1.30",
    "@types/supertest": "^1.1.31",
    "@types/supertest-as-promised": "^2.0.32",
    "@types/winston": "0.0.28",
    "ansi_up": "^1.3.0",
    "bcrypt": "^0.8.7",
    "bluebird": "^3.4.6",
    "body-parser": "1.15.2",
    "config": "^1.21.0",
    "cron-parser": "^2.4.1",
    "dateformat": "^2.0.0",
    "expect.js": "^0.3.1",
    "express": "^4.14.0",
    "express-basic-auth": "^1.1.1",
    "express-winston": "^2.0.0",
    "gulp": "^3.9.1",
    "gulp-clean": "^0.3.2",
    "gulp-copy": "0.0.2",
    "gulp-nodemon": "^2.2.1",
    "gulp-relative-sourcemaps-source": "^0.1.4",
    "gulp-sourcemaps": "^2.0.0",
    "gulp-spawn-mocha": "^3.1.0",
    "gulp-tslint": "^6.1.2",
    "gulp-typescript": "^3.0.2",
    "json-2-csv": "^2.1.0",
    "lodash": "^4.16.4",
    "merge2": "^1.0.2",
    "minimist": "^1.2.0",
    "mocha": "^3.1.2",
    "mongoose": "^4.9.7",
    "mongoose-fixtures": "0.0.1",
    "mosca": "^2.0.2",
    "mqtt": "^2.2.1",
    "mysql": "^2.11.1",
    "node-cron": "^1.2.0",
    "node-schedule": "^1.2.0",
    "nodemailer": "^2.6.4",
    "passport": "^0.3.2",
    "passport-http-bearer": "^1.0.1",
    "passport-local": "^1.0.0",
    "path": "^0.12.7",
    "pm2": "^2.4.2",
    "read-last-lines": "^1.1.0",
    "regression": "^1.4.0",
    "sequelize": "3.24.3",
    "sequelize-cli": "2.4.0",
    "sequelize-fixtures": "^0.5.5",
    "should": "^11.1.1",
    "supertest": "^2.0.1",
    "supertest-as-promised": "^4.0.1",
    "tslint": "^3.15.1",
    "typescript": "2.3.4",
    "typings": "^1.4.0",
    "winston": "^2.2.0"
  },
  "devDependencies": {
    "gulp-apidoc": "^0.2.6",
    "gulp-debug": "^2.1.2"
  }
}

我的包lock.json（即对于express.js）的一部分是：

在package-lock.json中，express应安装在4.15.2

然而，如果我这样做

rm -rf node_modules
npm install

express安装在4.15.3版本，package-lock.json被覆盖

这是npm的正确行为吗？

---

我使用包锁的方式是否错误？

npm对

节点模块

文件夹所做的每一项更改，包括

npm安装

，都会反映在

package lock.json

中。它记录当前实际安装的依赖项

如果您现在想安装在

包lock.json

中锁定的依赖项，例如在服务器上构建。您可以使用

npmci

命令来安装依赖项

---

从文档中：，。

我也有这个问题。。。它看起来就像每次我创建npm安装它的更新锁文件。。。。我的解决方案是安装带有标志的包--save-exact“it-write-this-withthe-hat^ sign-into-package.json，这样就不会再对包进行意外更新了

rm -rf node_modules
npm install