Update package-lock.json for Mac, Linux, and Windows cross-platform compatibility

[azaozz]

Doing a "clean" npm install after #45064 on Windows 10 changed the package-lock.json a bit, adding a few "optional": true.

[azaozz]

This seems "nice to have", happens every time after npm install on Win10. Adding here just in case, feel free to "wontfix" :)

[netweb]

tl;dr: If 45088.diff​ is committed the next Mac or Linux user will then generate a different package-lock.json

The issue is documented in:

Issue: ​https://github.com/npm/npm/issues/17722 package-lock.json and optional packages

Discussion: ​https://npm.community/t/package-lock-json-keeps-changing-between-platforms-and-runs/1129

Assume you have a 2 developers, one on mac, and one on linux. You use npm@5.1 (or v6.x) and your project depends on chokidar package. That package has optional dependency of fsevents, which is useful only for mac. So, you are on linux, and do npm i chokidar. npm generates package-lock.json without fsevents, because it is useless on linux. You commit that generated file.

Your teammate pulls your changes, and does npm i, to get node_modules in sync with package-lock.json. Npm installs fsevents, and writes it to package-lock.json. What should mac user to do? commit that file?

Assume that mac user commits file. Linux user pulls it, and make npm install. Npm does not install fsevents, and removes it from package-lock.json. And this become annoying very quickly.

---

To confirm the above theory using the latest release Node.js v8.12.0 and npm 6.4.1 I applied 45088.diff​ on my Mac here locally and deleted the node_modules folder, then running npm install results in the package-lock.json file being restored to the original state before 45088.diff​ was applied.

I'd love to have this fixed as we've had this ongoing issue for quite some time, see [39368], though until there's an upstream fix there's nothing much that can be done, as such I'm bumping this to future release

[swissspidy]

When running npm install on my Mac, I see lots of changes of http URLs to https in package-lock.json. Is that happening for anyone else?

[netweb]

Replying to swissspidy:

When running npm install on my Mac, I see lots of changes of http URLs to https in package-lock.json. Is that happening for anyone else?

I've not seen this issue personally, taking a quick look inside the 5.0 branch package-lock.json file;

    "browserify-rsa": {
      "version": "4.0.1",
      "resolved": "http://registry.npmjs.org/browserify-rsa/-/browserify-rsa-4.0.1.tgz",
      "integrity": "sha1-IeCr+vbyApzy+vsTNWenAdQTVSQ=",
      "dev": true,
      "requires": {
        "bn.js": "^4.1.0",
        "randombytes": "^2.0.1"
      }
    },
    "browserify-sign": {
      "version": "4.0.4",
      "resolved": "https://registry.npmjs.org/browserify-sign/-/browserify-sign-4.0.4.tgz",
      "integrity": "sha1-qk62jl17ZYuqa/alfmMMvXqT0pg=",
      "dev": true,
      "requires": {

I'm going to reopen #43075 for backporting to the 5.0 branch so that package.json and packge-lock.json files for both Core and Gutenberg use the same indentation, tabs, not spaces.

Whilst creating that patch I'll also update any http:// instances to https://

[ocean90]

The lock file was changed in [43801] to include the optional part.

[azaozz]

In win10-package-lock.json-after-43840.diff: just FYI, changes after doing npm install on Win10 after [43840], see #45145.