[BUG] `npm install` sometimes removes indirect dependencies if a parent node was deleted from the lockfile #7746
This test case demonstrates npm#7746. Currently, it fails. Note that it passes if reify is called twice.
I've put together an arborist test case to demonstrate the issue: https://github.com/TrevorBurnham/cli/tree/7746-bug-test-case You can run the test case on that branch with this command:
Notably, the test passes if you perform
This addresses an edge case where a dep could be placed in the tree with unsatisfied indirect dependencies (see test case).
I've submitted a PR that appears to address this issue (at least as far as the test case is concerned): #7752 I'd welcome alternative fix suggestions. I'm new to this codebase, but from what I can tell, here's what's happening when building the ideal tree in the test case:
So the problem is that no checks are performed for indirect dependencies of the placed dep. The PR addresses that by adding the placed dep's children to the deps queue, so that they get checked for missing deps. I'm sure there's a more elegant solution that I'm missing! I'd love to hear any thoughts.
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior

My team sometimes deletes nodes from `package-lock.json` as specific package versions are deleted from our internal registry. Our expectation is that `npm install` should then install the latest version of that package that satisfies the requirements in `package.json`, without changing indirect dependencies unnecessarily.

However, we're seeing an issue where `npm install` sometimes deletes an indirect dependency of the deleted node, even as it replaces that node. We have to run `npm install` a second time in order to restore the indirect dependency.

This issue only seems to occur when there's a different version of the indirect dependency installed.
Expected Behavior

We expect `package-lock.json` to always be in a consistent state after an `npm install`, with all dependencies satisfied.

Steps To Reproduce
I've created a CodeSandbox: https://codesandbox.io/p/devbox/quirky-rain-rv9lkl You can create a new project in the same state by running `npm install [email protected] && npm install [email protected] && npm install [email protected]`. Once you have that project set up, the steps to replicate the bug are:

1. Delete the `"node_modules/mocha"` node from `package-lock.json`.
2. Run `npm install`.
3. Observe that npm has restored the `"node_modules/mocha"` node, but removed the `"node_modules/mocha/node_modules/brace-expansion"` node. That directory has also been deleted from `node_modules`. This means that mocha's indirect dependency on `brace-expansion@^2.0.1` (by way of its dependency on `minimatch@^5.1.6`) is unsatisfied; mocha would instead use `[email protected]`, which is installed at the root of `node_modules`.
4. Run `npm install` again and observe that `"node_modules/mocha/node_modules/brace-expansion"` has been restored in both `package-lock.json` and `node_modules`.

Environment
I've observed this issue in npm v8, v9, and v10.
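As an added example, not part of this issue or of the npm/cli code base: a small Node.js script that checks a `package-lock.json` (lockfile v2/v3 `packages` map) for the inconsistent state described in the steps above. It resolves every declared dependency the way Node does (nearest `node_modules` folder, walking up to the project root) and reports any dependency that is missing or resolves to a version outside its declared range. The embedded lockfile is constructed to mirror the report (the root `minimatch@3.x` that forces mocha's own copy to nest, and the exact versions, are assumptions), and the range matcher is a deliberately small subset of semver (exact and caret ranges) rather than the `semver` package npm itself uses.

```javascript
// Added example (not from the npm issue or npm/cli): detect dependencies in a
// package-lock.json "packages" map that are missing or resolve to a version
// outside their declared range. Versions and nesting below are constructed.

// Constructed lockfile fragment: mocha's nested minimatch wants
// brace-expansion@^2.0.1, which only the nested copy satisfies; the root
// copy is 1.1.11. Root minimatch@3.x is an assumption to explain the nesting.
const LOCKFILE = {
  name: "repro",
  lockfileVersion: 3,
  packages: {
    "": { name: "repro", dependencies: { mocha: "^10.0.0", minimatch: "^3.0.0", "brace-expansion": "^1.1.11" } },
    "node_modules/mocha": { version: "10.4.0", dependencies: { minimatch: "^5.1.6" } },
    "node_modules/mocha/node_modules/minimatch": { version: "5.1.6", dependencies: { "brace-expansion": "^2.0.1" } },
    "node_modules/mocha/node_modules/brace-expansion": { version: "2.0.1" },
    "node_modules/minimatch": { version: "3.1.2", dependencies: { "brace-expansion": "^1.1.7" } },
    "node_modules/brace-expansion": { version: "1.1.11" },
  },
};

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Minimal range matcher: "*", an exact version, or a caret range.
// Caret semantics follow semver: ^1.2.3 pins major, ^0.2.3 pins minor,
// ^0.0.3 pins patch. Anything else is out of scope for this example.
function satisfies(version, range) {
  if (range === "*" || range === "") return true;
  if (!range.startsWith("^")) return compareVersions(version, range) === 0;
  const base = range.slice(1);
  if (compareVersions(version, base) < 0) return false;
  const [vMaj, vMin] = parseVersion(version);
  const [bMaj, bMin] = parseVersion(base);
  if (bMaj > 0) return vMaj === bMaj;
  if (bMin > 0) return vMaj === 0 && vMin === bMin;
  return compareVersions(version, base) === 0;
}

// Node-style resolution: look for node_modules/<name> beside the requester,
// then in each enclosing package's node_modules, up to the project root ("").
function resolveDep(packages, fromLoc, name) {
  let loc = fromLoc;
  for (;;) {
    const candidate = (loc ? loc + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (loc === "") return null;
    const idx = loc.lastIndexOf("node_modules/");
    loc = loc.slice(0, idx).replace(/\/$/, "");
  }
}

// One record per (requester, dependency) whose resolution is missing or
// lands on a version outside the declared range. Only "dependencies" are
// checked; optional and peer dependencies are ignored here.
function findUnsatisfied(lockfile) {
  const { packages } = lockfile;
  const problems = [];
  for (const [loc, entry] of Object.entries(packages)) {
    for (const [name, range] of Object.entries(entry.dependencies || {})) {
      const target = resolveDep(packages, loc, name);
      const version = target ? packages[target].version : null;
      if (target && satisfies(version, range)) continue;
      problems.push({ from: loc || "(root)", name, range, resolvedTo: target, version });
    }
  }
  return problems;
}

// Remove one lockfile node without touching anything nested under it, which
// is the shape of the post-install state described in the report.
function deleteNode(lockfile, loc) {
  const packages = { ...lockfile.packages };
  delete packages[loc];
  return { ...lockfile, packages };
}

const BROKEN = deleteNode(LOCKFILE, "node_modules/mocha/node_modules/brace-expansion");

console.log("intact lockfile:", findUnsatisfied(LOCKFILE));
console.log("nested brace-expansion dropped:", findUnsatisfied(BROKEN));
```

To run it against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findUnsatisfied` after each `npm install`; a non-empty result is the state the reporter had to repair with a second install. The resolver only models the hoisting layout that `packages` keys encode, so workspaces and `link:` entries are not handled.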