npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2025 – Pkg Stats / Ryan Hefner

package-lock-merge-driver

v0.0.1

Published

Git merge driver for package-lock.json

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Git

Maintainers

boneskullboneskull

Keywords

npmlockfilespackage-lock.jsonnpm-shrinkwrap.jsonshrinkwrappkglockgitmergedriverconflictmerge conflictresolve conflictautomergeautoresolve

Readme

🔐 package-lock-merge-driver

Git merge driver for package-lock.json v2+

This is a fork of the original (unmaintained) npm-merge-driver project.

What is this?

This package provides a CLI to install (and uninstall) a merge driver which attempts to automatically resolve merge conflicts in package-lock.json files.

Do I need it?

Do you get merge conflicts in your package-lock.json files? Like all the damn time? Then yeah.

Differences from npm-merge-driver

TL;DR: This is a whole-ass package.

  • Supports for npm workspaces (monorepos)
  • Sacrifices speed for reliability
  • Validates the result via npm ls to check for broken dependencies (if this fails, automatic resolution fails)
  • Default behavior is to install merge drivers globally (you can still install locally if you want)
  • Requires Node.js v20.0.0+
  • Requires npm v7.0.0+
  • Removed --no-legacy flag because what is even that
  • Supports Git includes when discovering and writing to Git configuration files
  • Will cleanup empty gitattributes files it created
  • Tested against an actual Git repository
  • Unrecognizable compared to original; don't bother

In addition, the following items are current differences, but they might instead become non-differences in a hypothetical future:

  • Use with Yarn or pnpm lockfiles is unsupported
  • No support for npm-shrinkwrap.json, but you probably don't care about that

I suppose if (big if) I do end up supporting Yarn or pnpm then I might need to rename the package. I'll think of a better name.

Motivation

I needed npm-merge-driver to work. But it doesn't, and there's no way forward to fix it. So against my better judgement, here we are.

Requirements

  • Node.js v20.11.0+
  • npm v7.0.0+

Automatic Setup (Recommended)

To start using it right away:

npx package-lock-merge-driver install

The next time any package-lock.json has a conflict, a merge driver will attempt to automatically fix it. Unless it fails, you don't need to do anything else. You will still need to resolve conflicts in package.json files yourself, though!

[!TIP]

Once you've tried it a couple times and felt its powerful magic, it's recommended to install package-lock-merge-driver globally to avoid some npx-related overhead:

npm install -g package-lock-merge-driver

BONUS! If you install globally and are on a POSIX OS, you should be able to run man package-lock-merge-driver to see the man page! Which is just this README.md; sorry.

Example Scenario

After installation, you create a feature branch and make some dependency changes. Now you want to rebase onto main:

git rebase main

Eek, there's a conflict! But don't panic! You should see something like thiss:

🔐 package-lock-merge-driver v2.3.6

Moved to trash: /my-repo/node_modules
package-lock-merge-driver: Successfully resolved conflicts in package-lock.json
Auto-merging package-lock.json

Did conflicts in package-lock.json remain?

git status
M   package-lock.json

No. No conflicts in package-lock.json remain.

Uninstallation

This only applies if you used the method detailed in Automatic Setup. If you didn't, then figure it out yourself.

To remove an installed merge driver, use package-lock-merge-driver uninstall:

npx package-lock-merge-driver uninstall [--global] [--name=package-lock-merge-driver]

This will remove the driver from whatever Git configuration it put it in originally, and then remove it from the gitattributes file it used. If it created the gitattributes file and it is empty after removing the entry, package-lock-merge-driver will delete the file because it's a sweetheart.

Advanced Automated Setup

The install command does the actual configuration ("installation") of the merge driver. It supports a couple of config options:

  • --command - This is the command used for the actual merge operation. You probably don't want to fiddle with this.

  • --name - String to use as the internal driver name in your configuration. I don't know why this option is even here, but it is.

  • --local - Install the driver in the local repository only. By default, the driver is installed globally.

For example, to install the driver locally in the current working directory using a custom name:

npx package-lock-merge-driver install --local --name=butts

Verbose Logging

Run any command with --verbose to get more output. For example:

npx package-lock-merge-driver install --verbose

Manual Setup

This is tedious.

package-lock-merge-driver's automated installation uses the following config:

  1. A merge driver in the main Git configuration, including
    • name (description [really]),
    • driver (the actual command)
    • gitAttributesPath (path to the gitattributes file we will write to; this is only necessary for clean uninstallation and you can ignore it if installing manually)
  2. A gitattributes(5) configuration referencing package-lock.json and the merge driver configured in 1.

If you do not want package-lock-merge-driver to install itself for you (I guess I wouldn't blame you), here's an example of a manual global installation:

Add the driver to ~/.gitconfig:

git config --global merge.package-lock-merge-driver.name \
    "Automatically merge npm lockfiles"
# this is the most important part!
git config --global merge.package-lock-merge-driver.driver \
    "npx package-lock-merge-driver merge %A %O %B %P"

Add the relevant attributes to ~/.gitattributes (creating if necessary):

package-lock.json merge=package-lock-merge-driver

The RHS of the merge attribute above must match <name> in merge.<name>.driver.

How it Works

  1. Barely.
  2. Trash (read: move to the OS' trash/recycle bin/shitcan) node_modules and any other node_modules folders found in workspaces, then re-run npm install.
  3. Validate result by running npm ls.

[!NOTE]

Workspaces (monorepo) support is best-effort, since package.json may be in conflict when we try to parse it. This will typically only affect the resulting lockfile if the actual workspaces field is in conflict.

And Why It Works That Way

  • npm install --package-lock-only will not avail you as of npm v7.0.0. So that's out.
  • Running a full npm install every time is slow enough without a rm -rf node_modules packages/*/node_modules first (though I could make this configurable, I suppose), we just move them away. Your OS will take care of it. Trust me. This has the advantage of mitigating churn in package-lock.json due to how npm modifies package-lock.json when a node_modules is present. If you ever see random extra fields being added and removed to package-lock.json, you know what I mean. I'm pretty sure this is just a bug in npm.
  • npm ci is not possible, of course, because it only works if the lockfile is valid and synced with all package.json manifests.
  • Just accepting "their" package-lock.json doesn't help, as it will always require a manual npm install thereafter.

A Final Plea

If you know of some way to sort out the conflicts without a full npm install, please file an issue. Please. 🥹

Authors

License

  • Copyright © 2025 Christopher Hiller
  • Copyright © 2017 Microsoft Corporation (a.k.a. npm, Inc. a.k.a. GitHub)

This work is released under the terms of the ISC license. See LICENSE.md for details.