I am running npm install in a public GitHub repo and it has locked express at 4.17.0 in the package-lock.json file, which is the correct behavior of the package-lock.json file.
However, when I execute npm install git+https://github.com/nabeel-nazir confiz/package.lock.master.git in an empty folder, a package-lock.json file is created with the new version of express locked at 4.17.1. I know there is a caret ^ sign in the source package.json, but why is the source package-lock.json ignored this time?
My problem here is that when I execute npm install git+https://github.com/nabeel-nazir confiz/package.lock.master.git on the server, it should create a package-lock.json file with express locked at 4.17.0, not 4.17.1, because the source package-lock.json file on the repo has locked express at 4.17.0.
Is there any way I can achieve this, i.e. that npm install git+https://github.com/nabeel-nazir confiz/package.lock.master.git will consider the source package-lock.json file and not ignore it?
I am using the following versions:
npm version: 5.4.1
node version: 8.9.3
npm config get registry prints: https://registry.npmjs.org/
OS: Ubuntu 18.04
Side note:
I have tried npm install git+https://github.com/nabeel-nazir confiz/package.lock.master.git with the following as well, but the issue was the same, i.e. it locked express at 4.17.1:
npm version: 6.14.4
node version: 13.12.0
npm config get registry prints: https://registry.npmjs.org/
OS: Ubuntu 18.04
Please comment if there is a need to provide more information on this question.
Thank you.
Remove the caret ^ sign. Then it'll stay locked at 4.17.0.
npm install xxx will generate a new lock file every time. (Actually it just ignores the lock file and generates one each time it executes.) npm ci, on the other hand, is the command to install packages based on the lock file instead of package.json.
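A way to detect the drift described in the question, as an added example that is not part of any post above: it compares the versions pinned in the source repository's package-lock.json with those in the lock file npm generated on the server. The function names and the sample lock contents (including the placeholder git package entry) are constructed for illustration.

```javascript
// Flatten a parsed package-lock.json into a Map of install path -> version.
// Handles lockfileVersion 1 (nested "dependencies", written by npm 5 and 6)
// and lockfileVersion 2/3 ("packages" keyed by "node_modules/..." paths).
function lockedVersions(lock) {
  const out = new Map();
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      // "" is the root project; link entries carry no version.
      if (path !== "" && meta.version) out.set(path, meta.version);
    }
    return out;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      out.set(path, meta.version);
      walk(meta.dependencies, `${path}/`); // nested (non-hoisted) copies
    }
  };
  walk(lock.dependencies, "");
  return out;
}

// Report every package present in both locks whose pinned version differs.
function lockDrift(sourceLock, generatedLock) {
  const want = lockedVersions(sourceLock);
  const got = lockedVersions(generatedLock);
  const drift = [];
  for (const [path, version] of want) {
    if (got.has(path) && got.get(path) !== version) {
      drift.push({ path, locked: version, installed: got.get(path) });
    }
  }
  return drift;
}

// Constructed sample data modelled on the question (not real lock files).
const sourceLock = {
  lockfileVersion: 1,
  dependencies: { express: { version: "4.17.0" }, accepts: { version: "1.3.7" } },
};
const generatedLock = {
  lockfileVersion: 1,
  dependencies: {
    "example-git-package": { version: "git+https://example.invalid/repo.git#0000000" },
    express: { version: "4.17.1" },
    accepts: { version: "1.3.7" },
  },
};

console.log(lockDrift(sourceLock, generatedLock));
```

Pass it the JSON.parse output of the two lock files and fail the deployment when the returned list is non-empty.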