Bug: sam build --cached doesn't NpmInstall when package-lock.json changes #8242

@davidjb

Description:

I have Node Lambda functions deployed with SAM and they each have various dependencies. This project is wired up with continuous deployment on GitHub. GitHub's Dependabot will often create security patch updates that only modify package-lock.json, where the dependency has a version range, such as ^3.0.0.

Because nothing else aside from package-lock.json has changed inside the Lambda function's source directory, sam build --cached fails to call NpmInstall, leaving the function with its existing, vulnerable dependencies.

I'm aware this specific issue can be worked around by using https://docs.github.com/en/code-security/dependabot/working-with-dependabot/dependabot-options-reference#versioning-strategy-- to change package.json (which forces SAM to rebuild), but other processes also only trigger changes to package-lock.json. Another that affects me is the use of Local Paths in package.json, which don't have a version to modify within package.json but do affect the contents of package-lock.json when the local module's deps change.

Steps to reproduce:

  1. Run sam init and create a Node.js project.
  2. Run sam build --cached and observe NodejsNpmBuilder:NpmInstall is run.
  3. Make any change to hello-world/package-lock.json, such as a dependency change.
  4. Re-run sam build --cached and observe NodejsNpmBuilder:NpmInstall is not run.
  5. Observe that .aws-sam/build/HelloWorldFunction/node_modules/ contents remain unchanged.

Observed result:

$ sam build --cached
Starting Build use cache
Manifest file is changed (new hash: c0e83ff3ce1bd02a0c2a7c02974c24ec) or dependency folder (.aws-sam/deps/668cf3e2-6cd7-4f49-a152-4681eab3f16a) is missing for
(HelloWorldFunction), downloading dependencies and copying/building source
Building codeuri: /home/user/sam-app/hello-world runtime: nodejs22.x architecture: x86_64 functions: HelloWorldFunction
 Running NodejsNpmBuilder:NpmPack
 Running NodejsNpmBuilder:CopyNpmrcAndLockfile
 Running NodejsNpmBuilder:CopySource
 Running NodejsNpmBuilder:NpmInstall
 Running NodejsNpmBuilder:NpmTest
 Running NodejsNpmBuilder:CleanUp
 Running NodejsNpmBuilder:CopyDependencies
 Running NodejsNpmBuilder:CleanUpNpmrc
 Running NodejsNpmBuilder:LockfileCleanUp
 Running NodejsNpmBuilder:LockfileCleanUp

Build Succeeded

Built Artifacts  : .aws-sam/build
Built Template   : .aws-sam/build/template.yaml

Commands you can use next
=========================
[*] Validate SAM template: sam validate
[*] Invoke Function: sam local invoke
[*] Test Function in the Cloud: sam sync --stack-name {{stack-name}} --watch
[*] Deploy: sam deploy --guided

$ echo 'uhoh' > hello-world/package-lock.json # Or actually update a dependency that should be reinstalled and updated...

$ sam build --cached
Starting Build use cache
Manifest is not changed for (HelloWorldFunction), running incremental build
Building codeuri: /home/user/sam-app/hello-world runtime: nodejs22.x architecture: x86_64 functions: HelloWorldFunction
 Running NodejsNpmBuilder:NpmPack
 Running NodejsNpmBuilder:CopyNpmrcAndLockfile
 Running NodejsNpmBuilder:CopySource
 Running NodejsNpmBuilder:CopySource
 Running NodejsNpmBuilder:CleanUpNpmrc
 Running NodejsNpmBuilder:LockfileCleanUp
 Running NodejsNpmBuilder:LockfileCleanUp

Build Succeeded

Built Artifacts  : .aws-sam/build
Built Template   : .aws-sam/build/template.yaml

Commands you can use next
=========================
[*] Validate SAM template: sam validate
[*] Invoke Function: sam local invoke
[*] Test Function in the Cloud: sam sync --stack-name {{stack-name}} --watch
[*] Deploy: sam deploy --guided

Expected result:

SAM should consider the contents of package-lock.json as part of the "manifest" for Node projects, since it dictates the precise versions and checksums of what gets installed.

Additional environment details (Ex: Windows, Mac, Amazon Linux etc)

  1. OS: Ubuntu 22.04
  2. sam --version: SAM CLI, version 1.143.0
  3. AWS region: us-east-1
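To make the expected behaviour concrete, here is an added example (not code from the issue or from the SAM CLI) of a dependency cache key that covers both package.json and package-lock.json, next to one that covers only package.json. The project files and dependency name are constructed in a temporary directory, and the hashing scheme is an illustration rather than SAM's own.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Files whose contents determine what `npm install` produces. A cache key that
# covers only package.json misses a lockfile-only change such as a Dependabot
# security bump inside a ^3.0.0 range, which is the behaviour reported above.
MANIFEST_ONLY = ("package.json",)
MANIFEST_AND_LOCK = ("package.json", "package-lock.json")


def cache_key(src_dir: str, files=MANIFEST_AND_LOCK) -> str:
    """SHA-256 over file name + contents of each listed file, in a fixed order."""
    h = hashlib.sha256()
    for name in files:
        path = Path(src_dir) / name
        h.update(name.encode() + b"\0")
        # A missing lockfile is a distinct state from an empty one.
        h.update(path.read_bytes() if path.exists() else b"<missing>")
        h.update(b"\0")
    return h.hexdigest()


def needs_dependency_install(src_dir: str, previous_key: str, files=MANIFEST_AND_LOCK) -> bool:
    """True when the cached dependency folder must be rebuilt."""
    return cache_key(src_dir, files) != previous_key


def demo() -> dict:
    """Constructed project: patch a version in the lockfile only, then compare both key schemes."""
    with tempfile.TemporaryDirectory() as d:
        pkg = {"name": "hello-world", "dependencies": {"some-dep": "^3.0.0"}}
        lock = {"name": "hello-world", "packages": {"node_modules/some-dep": {"version": "3.0.0"}}}
        (Path(d) / "package.json").write_text(json.dumps(pkg))
        (Path(d) / "package-lock.json").write_text(json.dumps(lock))
        before_manifest = cache_key(d, MANIFEST_ONLY)
        before_full = cache_key(d)
        # Lockfile-only change: the resolved version moves, the ^3.0.0 range does not.
        lock["packages"]["node_modules/some-dep"]["version"] = "3.0.1"
        (Path(d) / "package-lock.json").write_text(json.dumps(lock))
        return {
            "manifest_only_detects_change": needs_dependency_install(d, before_manifest, MANIFEST_ONLY),
            "manifest_and_lock_detects_change": needs_dependency_install(d, before_full),
        }


if __name__ == "__main__":
    print(demo())
```

In a CI job, storing the full key alongside .aws-sam/deps and rebuilding without --cached whenever it changes closes the gap until the lockfile is part of SAM's own manifest hash.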

Labels: stage/needs-triage