Comment 8 for bug 1792394

James Fournie (jfournie) wrote :

Most advice on the internet favours committing the lockfiles [1][2][3]

Perhaps this is what is causing the problem?

https://stackoverflow.com/questions/45022048/why-does-npm-install-rewrite-package-lock-json

Either ensuring all the packages are properly pinned in package.json, or using the "npm ci" command, may be a better solution. It's also possible some other command in the install process is updating the package.json files inadvertently.

NPM packages can be unstable, and are prone to security issues [4]. It's better to be deliberate about package updates and lock things rather than let the "npm install" gods decide which packages to use.

I can also say that in my experience, Yarn is a good option. It's quite simple to switch to, and is a little faster than NPM and maybe the yarn.lock is more reliable?

[1] https://docs.npmjs.com/files/package-lock.json
[2] https://medium.com/coinmonks/everything-you-wanted-to-know-about-package-lock-json-b81911aa8ab8
[3] https://stackoverflow.com/questions/44206782/do-i-commit-the-package-lock-json-file-created-by-npm-5
[4] https://www.theregister.co.uk/2018/11/26/npm_repo_bitcoin_stealer/
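A small lockfile consistency check in the spirit of the pinning advice in this comment, written as an added example for the thread (it is not code from the commenter or from the project being discussed). It flags package.json dependencies that are ranges rather than exact pins, lock entries that have drifted from a pin, dependencies missing from the lock, and lock entries with no integrity hash; the sample manifests are constructed.

```python
import re

# Exact semver (optional prerelease/build); anything with ^, ~, >=, x or || is a range.
PINNED = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")


def locked_versions(lock):
    """Map top-level dependency name -> (version, integrity) from a package-lock.json.

    Supports lockfileVersion 1 ("dependencies" keyed by name) and 2/3
    ("packages" keyed by path such as node_modules/foo); nested copies are skipped.
    """
    out = {}
    for name, entry in lock.get("dependencies", {}).items():
        out[name] = (entry.get("version"), entry.get("integrity"))
    for path, entry in lock.get("packages", {}).items():
        if not path.startswith("node_modules/"):
            continue  # "" is the root project entry in v2/v3 locks
        name = path[len("node_modules/"):]
        if "node_modules/" in name:
            continue  # transitive dependency nested under another package
        out[name] = (entry.get("version"), entry.get("integrity"))
    return out


def check_pins(pkg, lock):
    """Return a list of problems; an empty list means package.json and the lock agree."""
    problems = []
    locked = locked_versions(lock)
    declared = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
    for name, spec in declared.items():
        if not PINNED.match(spec):
            problems.append(f"{name}: '{spec}' is a range, not an exact pin")
        if name not in locked:
            problems.append(f"{name}: missing from lockfile (lock is stale)")
            continue
        version, integrity = locked[name]
        if PINNED.match(spec) and version != spec:
            problems.append(f"{name}: pinned {spec} but lock has {version}")
        if not integrity:
            problems.append(f"{name}: lock entry has no integrity hash")
    return problems


# Constructed sample manifests (not taken from the bug report).
PACKAGE_JSON = {"name": "demo", "dependencies": {"left-pad": "1.3.0", "lodash": "^4.17.0"},
                "devDependencies": {"mocha": "5.2.0"}}
PACKAGE_LOCK = {"name": "demo", "lockfileVersion": 1, "dependencies": {
    "left-pad": {"version": "1.3.0", "integrity": "sha512-constructed"},
    "lodash": {"version": "4.17.11"}}}

if __name__ == "__main__":
    for problem in check_pins(PACKAGE_JSON, PACKAGE_LOCK):
        print(problem)
```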
