I'm opening this issue because:

• npm is doing something I don't understand.

What's going wrong?

Npm accidently make changes to package-lock.json

How can the CLI team reproduce the problem?

Assume you have a 2 developers, one on mac, and one on linux. You use npm@5.1 and your project depends on chokidar package. That package has optional dependency of fsevents, which is useful only for mac. So, you are on linux, and do npm i chokidar. npm generates package-lock.json withous fsevents, because it is useless on linux. You commit that generated file.

Your teammate pulls your changes, and do npm i, to get node_modules in sync with package-lock.json. Npm installs fsevents, and write it to package-lock.json. What should mac user to do? commit that file?

Assume that mac user commits file. Linux user pulls it, and make npm install. Npm does not install fsevents, and remove it from package-lock.json. And this become annoying very quickly.

How lock files could be used in this case?

supporting information:

• npm -v prints: 5.1.0
• node -v prints: v6.10.0
• npm config get registry prints: undefined
• Windows, OS X/macOS, or Linux?: max + linux
• Network issues:
  • Geographic location where npm was run:
  • I use a proxy to connect to the npm registry.
  • I use a proxy to connect to the web.
  • I use a proxy when downloading Git repos.
  • I access the npm registry via a VPN
  • I don't use a proxy, but have limited or unreliable internet access.
• Container:
  • I develop using Vagrant on Windows.
  • I develop using Vagrant on OS X or Linux.
  • I develop / deploy using Docker.
  • I deploy to a PaaS (Triton, Heroku).