feat: use v3 lockfiles by default (#5605)

Author: fritzy

docs/content/using-npm/config.md

@@ -1026,8 +1026,8 @@ instead of the current working directory. See
 
 #### `lockfile-version`
 
-* Default: Version 2 if no lockfile or current lockfile version less than or
-  equal to 2, otherwise maintain current lockfile version
+* Default: Version 3 if no lockfile, auto-converting v1 lockfiles to v3,
+  otherwise maintain current lockfile version.
 * Type: null, 1, 2, 3, "1", "2", or "3"
 
 Set the lockfile format version to be used in package-lock.json and
@@ -1038,9 +1038,9 @@ is used during the install, resulting in slower and possibly less
 deterministic installs. Prevents lockfile churn when interoperating with
 older npm versions.
 
-2: The default lockfile version used by npm version 7. Includes both the
-version 1 lockfile data and version 3 lockfile data, for maximum determinism
-and interoperability, at the expense of more bytes on disk.
+2: The default lockfile version used by npm version 7 and 8. Includes both
+the version 1 lockfile data and version 3 lockfile data, for maximum
+determinism and interoperability, at the expense of more bytes on disk.
 
 3: Only the new lockfile information introduced in npm version 7. Smaller on
 disk than lockfile version 2, but not interoperable with older npm versions.

lib/utils/config/definitions.js

@@ -1198,9 +1198,8 @@ define('lockfile-version', {
   default: null,
   type: [null, 1, 2, 3, '1', '2', '3'],
   defaultDescription: `
-    Version 2 if no lockfile or current lockfile version less than or equal to
-    2, otherwise maintain current lockfile version
-  `,
+    Version 3 if no lockfile, auto-converting v1 lockfiles to v3, otherwise
+    maintain current lockfile version.`,
   description: `
     Set the lockfile format version to be used in package-lock.json and
     npm-shrinkwrap-json files.  Possible options are:
@@ -1210,8 +1209,8 @@ define('lockfile-version', {
     deterministic installs.  Prevents lockfile churn when interoperating with
     older npm versions.
 
-    2: The default lockfile version used by npm version 7.  Includes both the
-    version 1 lockfile data and version 3 lockfile data, for maximum
+    2: The default lockfile version used by npm version 7 and 8.  Includes both
+    the version 1 lockfile data and version 3 lockfile data, for maximum
     determinism and interoperability, at the expense of more bytes on disk.
 
     3: Only the new lockfile information introduced in npm version 7.  Smaller

smoke-tests/tap-snapshots/test/index.js.test.cjs

@@ -366,7 +366,7 @@ exports[`test/index.js TAP npm install dev dep > should have expected dev dep ad
 {
   "name": "project",
   "version": "1.0.0",
-  "lockfileVersion": 2,
+  "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
@@ -394,19 +394,6 @@ exports[`test/index.js TAP npm install dev dep > should have expected dev dep ad
         "url": "https://github.com/sponsors/isaacs"
       }
     }
-  },
-  "dependencies": {
-    "abbrev": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.0.4.tgz",
-      "integrity": "sha1-vVWuXkE7oXIu5Mq6H26hBBSlns0="
-    },
-    "promise-all-reject-late": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/promise-all-reject-late/-/promise-all-reject-late-1.0.1.tgz",
-      "integrity": "sha512-vuf0Lf0lOxyQREH7GDIOUMLS7kz+gs8i6B+Yi8dC68a2sychGrHTJYghMBD6k7eUcH0H5P73EckCA48xijWqXw==",
-      "dev": true
-    }
   }
 }
 
@@ -453,7 +440,7 @@ exports[`test/index.js TAP npm install prodDep@version > should have expected lo
 {
   "name": "project",
   "version": "1.0.0",
-  "lockfileVersion": 2,
+  "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
@@ -469,13 +456,6 @@ exports[`test/index.js TAP npm install prodDep@version > should have expected lo
       "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.0.4.tgz",
       "integrity": "sha1-vVWuXkE7oXIu5Mq6H26hBBSlns0="
     }
-  },
-  "dependencies": {
-    "abbrev": {
-      "version": "1.0.4",
-      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.0.4.tgz",
-      "integrity": "sha1-vVWuXkE7oXIu5Mq6H26hBBSlns0="
-    }
   }
 }
 
@@ -642,7 +622,7 @@ exports[`test/index.js TAP npm uninstall > should have expected uninstall lockfi
 {
   "name": "project",
   "version": "1.0.0",
-  "lockfileVersion": 2,
+  "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
@@ -658,13 +638,6 @@ exports[`test/index.js TAP npm uninstall > should have expected uninstall lockfi
       "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
       "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
     }
-  },
-  "dependencies": {
-    "abbrev": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
-      "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
-    }
   }
 }
 
@@ -700,7 +673,7 @@ exports[`test/index.js TAP npm update dep > should have expected update lockfile
 {
   "name": "project",
   "version": "1.0.0",
-  "lockfileVersion": 2,
+  "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
@@ -728,19 +701,6 @@ exports[`test/index.js TAP npm update dep > should have expected update lockfile
         "url": "https://github.com/sponsors/isaacs"
       }
     }
-  },
-  "dependencies": {
-    "abbrev": {
-      "version": "1.1.1",
-      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
-      "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
-    },
-    "promise-all-reject-late": {
-      "version": "1.0.1",
-      "resolved": "https://registry.npmjs.org/promise-all-reject-late/-/promise-all-reject-late-1.0.1.tgz",
-      "integrity": "sha512-vuf0Lf0lOxyQREH7GDIOUMLS7kz+gs8i6B+Yi8dC68a2sychGrHTJYghMBD6k7eUcH0H5P73EckCA48xijWqXw==",
-      "dev": true
-    }
   }
 }
 

tap-snapshots/test/lib/commands/init.js.test.cjs

@@ -31,7 +31,7 @@ Array [
 exports[`test/lib/commands/init.js TAP workspaces post workspace-init reify > should reify tree on init ws complete 1`] = `
 {
   "name": "top-level",
-  "lockfileVersion": 2,
+  "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
@@ -49,11 +49,6 @@ exports[`test/lib/commands/init.js TAP workspaces post workspace-init reify > sh
       "resolved": "a",
       "link": true
     }
-  },
-  "dependencies": {
-    "a": {
-      "version": "file:a"
-    }
   }
 }
 

tap-snapshots/test/lib/commands/shrinkwrap.js.test.cjs

@@ -125,12 +125,12 @@ exports[`test/lib/commands/shrinkwrap.js TAP with nothing ancient > must match s
   "config": {},
   "shrinkwrap": {
     "name": "prefix",
-    "lockfileVersion": 2,
+    "lockfileVersion": 3,
     "requires": true,
     "packages": {}
   },
   "logs": [
-    "created a lockfile as npm-shrinkwrap.json with version 2"
+    "created a lockfile as npm-shrinkwrap.json with version 3"
   ]
 }
 `
@@ -163,7 +163,7 @@ exports[`test/lib/commands/shrinkwrap.js TAP with npm-shrinkwrap.json ancient >
   "config": {},
   "shrinkwrap": {
     "name": "prefix",
-    "lockfileVersion": 2,
+    "lockfileVersion": 3,
     "requires": true,
     "packages": {
       "": {
@@ -172,7 +172,7 @@ exports[`test/lib/commands/shrinkwrap.js TAP with npm-shrinkwrap.json ancient >
     }
   },
   "logs": [
-    "npm-shrinkwrap.json updated to version 2"
+    "npm-shrinkwrap.json updated to version 3"
   ]
 }
 `
@@ -284,7 +284,7 @@ exports[`test/lib/commands/shrinkwrap.js TAP with package-lock.json ancient > mu
   "config": {},
   "shrinkwrap": {
     "name": "prefix",
-    "lockfileVersion": 2,
+    "lockfileVersion": 3,
     "requires": true,
     "packages": {
       "": {
@@ -293,7 +293,7 @@ exports[`test/lib/commands/shrinkwrap.js TAP with package-lock.json ancient > mu
     }
   },
   "logs": [
-    "package-lock.json has been renamed to npm-shrinkwrap.json and updated to version 2"
+    "package-lock.json has been renamed to npm-shrinkwrap.json and updated to version 3"
   ]
 }
 `

tap-snapshots/test/lib/commands/version.js.test.cjs

@@ -9,7 +9,7 @@ exports[`test/lib/commands/version.js TAP empty versions workspaces with one arg
 {
   "name": "workspaces-test",
   "version": "1.0.0",
-  "lockfileVersion": 2,
+  "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
@@ -34,14 +34,6 @@ exports[`test/lib/commands/version.js TAP empty versions workspaces with one arg
     "workspace-b": {
       "version": "2.0.0"
     }
-  },
-  "dependencies": {
-    "workspace-a": {
-      "version": "file:workspace-a"
-    },
-    "workspace-b": {
-      "version": "file:workspace-b"
-    }
   }
 }
 
@@ -51,7 +43,7 @@ exports[`test/lib/commands/version.js TAP empty versions workspaces with one arg
 {
   "name": "workspaces-test",
   "version": "1.0.0",
-  "lockfileVersion": 2,
+  "lockfileVersion": 3,
   "requires": true,
   "packages": {
     "": {
@@ -80,14 +72,6 @@ exports[`test/lib/commands/version.js TAP empty versions workspaces with one arg
     "workspace-b": {
       "version": "2.0.0"
     }
-  },
-  "dependencies": {
-    "workspace-a": {
-      "version": "file:workspace-a"
-    },
-    "workspace-b": {
-      "version": "file:workspace-b"
-    }
   }
 }
 

tap-snapshots/test/lib/utils/config/definitions.js.test.cjs

@@ -1089,8 +1089,8 @@ instead of the current working directory. See
 exports[`test/lib/utils/config/definitions.js TAP > config description for lockfile-version 1`] = `
 #### \`lockfile-version\`
 
-* Default: Version 2 if no lockfile or current lockfile version less than or
-  equal to 2, otherwise maintain current lockfile version
+* Default: Version 3 if no lockfile, auto-converting v1 lockfiles to v3,
+  otherwise maintain current lockfile version.
 * Type: null, 1, 2, 3, "1", "2", or "3"
 
 Set the lockfile format version to be used in package-lock.json and
@@ -1101,9 +1101,9 @@ is used during the install, resulting in slower and possibly less
 deterministic installs. Prevents lockfile churn when interoperating with
 older npm versions.
 
-2: The default lockfile version used by npm version 7. Includes both the
-version 1 lockfile data and version 3 lockfile data, for maximum determinism
-and interoperability, at the expense of more bytes on disk.
+2: The default lockfile version used by npm version 7 and 8. Includes both
+the version 1 lockfile data and version 3 lockfile data, for maximum
+determinism and interoperability, at the expense of more bytes on disk.
 
 3: Only the new lockfile information introduced in npm version 7. Smaller on
 disk than lockfile version 2, but not interoperable with older npm versions.

tap-snapshots/test/lib/utils/config/describe-all.js.test.cjs

@@ -899,8 +899,8 @@ instead of the current working directory. See
 
 #### \`lockfile-version\`
 
-* Default: Version 2 if no lockfile or current lockfile version less than or
-  equal to 2, otherwise maintain current lockfile version
+* Default: Version 3 if no lockfile, auto-converting v1 lockfiles to v3,
+  otherwise maintain current lockfile version.
 * Type: null, 1, 2, 3, "1", "2", or "3"
 
 Set the lockfile format version to be used in package-lock.json and
@@ -911,9 +911,9 @@ is used during the install, resulting in slower and possibly less
 deterministic installs. Prevents lockfile churn when interoperating with
 older npm versions.
 
-2: The default lockfile version used by npm version 7. Includes both the
-version 1 lockfile data and version 3 lockfile data, for maximum determinism
-and interoperability, at the expense of more bytes on disk.
+2: The default lockfile version used by npm version 7 and 8. Includes both
+the version 1 lockfile data and version 3 lockfile data, for maximum
+determinism and interoperability, at the expense of more bytes on disk.
 
 3: Only the new lockfile information introduced in npm version 7. Smaller on
 disk than lockfile version 2, but not interoperable with older npm versions.

test/lib/commands/shrinkwrap.js

@@ -112,8 +112,8 @@ const NOTICES = {
 t.test('with nothing', t =>
   shrinkwrapMatrix(t, null, {
     ancient: {
-      shrinkwrap: { lockfileVersion: 2 },
-      logs: NOTICES.CREATED(2),
+      shrinkwrap: { lockfileVersion: 3 },
+      logs: NOTICES.CREATED(3),
     },
     ancientUpgrade: {
       shrinkwrap: { lockfileVersion: 3 },
@@ -125,8 +125,8 @@ t.test('with nothing', t =>
 t.test('with package-lock.json', t =>
   shrinkwrapMatrix(t, 'package-lock', {
     ancient: {
-      shrinkwrap: { lockfileVersion: 2 },
-      logs: NOTICES.RENAMED(2),
+      shrinkwrap: { lockfileVersion: 3 },
+      logs: NOTICES.RENAMED(3),
     },
     ancientUpgrade: {
       shrinkwrap: { lockfileVersion: 3 },
@@ -150,8 +150,8 @@ t.test('with package-lock.json', t =>
 t.test('with npm-shrinkwrap.json', t =>
   shrinkwrapMatrix(t, 'npm-shrinkwrap', {
     ancient: {
-      shrinkwrap: { lockfileVersion: 2 },
-      logs: NOTICES.UPDATED(2),
+      shrinkwrap: { lockfileVersion: 3 },
+      logs: NOTICES.UPDATED(3),
     },
     ancientUpgrade: {
       shrinkwrap: { lockfileVersion: 3 },

workspaces/arborist/lib/arborist/build-ideal-tree.js

@@ -330,8 +330,7 @@ Try using the package name instead, e.g:
           if (tree.children.size) {
             root.meta.loadedFromDisk = true
             // set these so that we don't try to ancient lockfile reload it
-            root.meta.originalLockfileVersion = defaultLockfileVersion
-            root.meta.lockfileVersion = defaultLockfileVersion
+            root.meta.originalLockfileVersion = root.meta.lockfileVersion = this.options.lockfileVersion || defaultLockfileVersion
           }
         }
         root.meta.inferFormattingOptions(root.package)
@@ -758,7 +757,9 @@ This is a one-time fix-up, please be patient...
     // yes, yes, this isn't the "original" version, but now that it's been
     // upgraded, we need to make sure we don't do the work to upgrade it
     // again, since it's now as new as can be.
-    meta.originalLockfileVersion = defaultLockfileVersion
+    if (!this.options.lockfileVersion && !meta.hiddenLockfile) {
+      meta.originalLockfileVersion = defaultLockfileVersion
+    }
     this.finishTracker('idealTree:inflate')
     process.emit('timeEnd', 'idealTree:inflate')
   }

workspaces/arborist/lib/arborist/reify.js

@@ -35,6 +35,9 @@ const optionalSet = require('../optional-set.js')
 const calcDepFlags = require('../calc-dep-flags.js')
 const { saveTypeMap, hasSubKey } = require('../add-rm-pkg-deps.js')
 
+const Shrinkwrap = require('../shrinkwrap.js')
+const { defaultLockfileVersion } = Shrinkwrap
+
 const _retiredPaths = Symbol('retiredPaths')
 const _retiredUnchanged = Symbol('retiredUnchanged')
 const _sparseTreeDirs = Symbol('sparseTreeDirs')
@@ -1514,11 +1517,16 @@ module.exports = cls => class Reifier extends cls {
     this.idealTree.meta.filename =
       this.idealTree.realpath + '/node_modules/.package-lock.json'
     this.idealTree.meta.hiddenLockfile = true
+    const resetMeta = this.idealTree.meta && this.idealTree.meta.lockfileVersion !== defaultLockfileVersion
+    this.idealTree.meta.lockfileVersion = defaultLockfileVersion
 
     this.actualTree = this.idealTree
     this.idealTree = null
 
     if (!this[_global]) {
+      if (resetMeta) {
+        await this.actualTree.meta.reset()
+      }
       await this.actualTree.meta.save()
       const ignoreScripts = !!this.options.ignoreScripts
       // if we aren't doing a dry run or ignoring scripts and we actually made changes to the dep