This is a result of the 2 commits that fixed reinstall breaks after npm update to 6.10.2 and Installing the same module under multiple relative paths fails on Linux
A more minimal reproduction case: https://github.com/isaacs/npm-test-file-metadeps/ (Clone and run
The behavior change is that dependencies of linked
file: dependencies are not listed in the
package-lock.json file. So, they’re not installed in
node_modules on subsequent installs.
This is actually a weird bit of behavior if you think it through.
file: dep may be anywhere. In these cases, it’s local in the project, so it’ll be able to load its dependencies from
node_modules. However, if it was
file:../gh-badges, then it wouldn’t. And, if it had dependencies locally in its tree, then those dependencies would not find their deps further up, either.
Logically, a linked dep needs to be treated as a completely independent top-of-tree, and will be in npm v7. (I wrote about this recently on the npm blog.) I was thinking there about having a
--deep option to
npm install, to tell it to also install the children of linked deps (in their own node_modules folder). (Or maybe make it enabled by default, and add a
--shallow to say “don’t bother”.)
I’m going to investigate if it’s possible to list child deps in a way that does not regress the problem that it was intended to fix.
It’s a bit surprising to me that it’s installing the metadeps in absence of a package-lock.json, but only not saving them to the package-lock.json. So at the very least, that is a bug. It should be saving what it does reliably so that it can be repeated.
My apologies, this section of the code is fairly brittle, which is why I intend to replace it.