npm@6 is currently used to generate the lockfile.

[oscard0m]

What do you think about a check run to assure lockfiles manually generated are using the expected version? Do you think is worth it? Are there any existing checks for that? @gr2m @wolfy1339 @G-Rath

Originally posted by @wolfy1339 in octokit/plugin-enterprise-server.js#387 (comment)

[wolfy1339]

If you check the property lockfileVersion, it should be equal to 1 when using npm@6

[oscard0m]

If you check the property lockfileVersion, it should be equal to 1 when using npm@6

Checking npm docs and GitHub Blog seems like lockfileVersion 2 is backwards compatible with lockfileVersion 1.

2: The lockfile version used by npm v7, which is backwards compatible to v1 lockfiles.

@wolfy1339 did you find any issue with npm@6 when using lockfileVersion 2? If not, is it necessary to assure lockfileVersion is 1 ?

[wolfy1339]

There isn't any specific issues with lockfileVersion: 2.

While it is backwards compatible, it logs a warning in previous versions of npm.

All the dependency automation currently outputs v1 lockfiles.

Introduces additional noise into diffs. Which could possibly not be an issue once they are upgraded to v2

[gr2m]

Currently all node versions including Node 16 ship with npm 6 by default, so I'd stick to that until the first LTS version ships with npm 7+

Introduces additional noise into diffs

I'd say that's the only problem right now

[oscard0m]

I just installed npm@6 in my local. I thought it was already LTS version. Thanks @wolfy1339 and @gr2m