6.8.0: `npm ci` fails with local dependency

What I Wanted to Do

Run npm ci in a module with a local dependency on a parent directory.

What Happened Instead

npm ci failed with the following message:

npm ERR! left-pad not accessible from scratch

Reproduction Steps

I have created a test repository that demonstrates the issue:

Clone this and run test.sh.

Details

I suspect this is fallout from https://github.com/npm/cli/pull/86. I had been eagerly awaiting this fix for local dependencies, but it seems they are still buggy.

2019-02-15T01_08_54_287Z-debug.log (1.6 KB)

Platform Info

$ npm --versions
{ scratch: '1.0.0',
  npm: '6.8.0',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.14.1',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.36',
  zlib: '1.2.11' }
$ node -p process.platform
darwin

That looks like a problem in submodule/package-lock.json; I’d expect an additional dependencies object under the scratch dep there.

I’m replying here although this issue is closely related to npm ci fail to local packages.

It looks like the problem of missing dependencies was introduced here: https://github.com/npm/cli/commit/d5137091dd695a2980f7ade85fdc56b2421ff677

Now, without them, the npm-logical-tree package can’t resolve some of the dependencies for this local package, but the question is whether it should or not? I don’t know much about how npm ci works, but is the expectation that npm ci should also install the submodules in their respective folders? These child dependencies have package-lock.json as well, so would these be respected?

Looks like this has been broken for at least a few months now. Any effort to fix this? Anyone know a work-around? I just had to manually edit the child project’s package-lock.json.

3 Likes

I’ve been running into this problem as well - working around this particular behavior is the only reason I’ve been using lerna to manage local dependencies.

From where I’m sitting it feels like a bug, but I could respect if there is a well defined “right way” to handle this scenario.

I have a lot of local packages along with transitive dependencies, and so far I have avoided using package-lock.json.
But in recent times, I have run into problems with a few updated packages breaking my project (the exact problem package-lock.json is supposed to solve).

And then when I finally added package-lock.json, I have run into this issue :(

As a workaround, I have manually edited the package-lock.json to have the dependencies field.
I don’t like this solution though, as it means me/my team needs to remember to manually update package-lock every time a package is added/removed in the project.

I am open to any other suggestions/workarounds!

I am having the same issue with latest npm (6.10.1). Steps to reproduce:

mkdir parent child
cd child
npm init -y
npm install --save left-pad
cd ../parent
npm init -y
npm install --save file:../child
npm ci

npm ci fails with npm ERR! left-pad not accessible from child while I would expect it to succeed without an error.

npm list also looks weird in the parent project:

$ npm list
parent@1.0.0 /private/tmp/parent
└─┬ child@1.0.0 -> /private/tmp/child
  └── UNMET DEPENDENCY left-pad@^1.3.0

package-lock.json in parent looks like this:

{
  "name": "parent",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "child": {
      "version": "file:../child",
      "requires": {
        "left-pad": "^1.3.0"
      }
    }
  }
}
1 Like
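
The lockfile condition discussed in this thread, as an added example that is not part of any post and not npm's own code: a check that resolves each `requires` entry of a lockfileVersion 1 package-lock.json by looking in the entry's own `dependencies` and then in its ancestors', and reports names that resolve nowhere (it covers every entry, not only `file:` ones). `findUnresolved` and the `fixedLock` sample are assumptions made for illustration; `brokenLock` is the parent lockfile quoted above.

```javascript
'use strict';

// A "requires" name resolves if it is listed in the "dependencies" of the
// requiring entry itself or of any ancestor up to the lockfile root
// (assumption: lockfileVersion 1 layout, as in the lockfile quoted above).
function findUnresolved(lock) {
  const problems = [];
  const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);
  function visit(node, ancestors, path) {
    const scope = [node, ...ancestors]; // nearest entry first
    // The root carries "requires": true, so only walk real objects.
    const requires = node.requires && typeof node.requires === 'object' ? node.requires : {};
    for (const [name, range] of Object.entries(requires)) {
      if (!scope.some(n => has(n.dependencies, name))) {
        problems.push({
          from: path.join(' > '),
          missing: name,
          range,
          local: String(node.version || '').startsWith('file:'),
        });
      }
    }
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      visit(child, scope, [...path, name]);
    }
  }
  visit(lock, [], [lock.name || '(root)']);
  return problems;
}

// The parent lockfile from the post above.
const brokenLock = {
  name: 'parent', version: '1.0.0', lockfileVersion: 1, requires: true,
  dependencies: {
    child: { version: 'file:../child', requires: { 'left-pad': '^1.3.0' } },
  },
};

// Constructed sample: the same lockfile with a nested "dependencies" object
// under the local package (integrity and resolved fields left out).
const fixedLock = JSON.parse(JSON.stringify(brokenLock));
fixedLock.dependencies.child.dependencies = { 'left-pad': { version: '1.3.0' } };

for (const p of findUnresolved(brokenLock)) {
  console.log(`${p.missing}@${p.range} not resolvable from ${p.from}` +
    (p.local ? ' (local file: dependency)' : ''));
}
console.log('fixed lockfile problems:', findUnresolved(fixedLock).length);
```

Run against a parsed package-lock.json before committing it, a non-empty result flags a lockfile that would need the manual edit described in the posts above.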

I opened a PR to fix this: https://github.com/npm/cli/pull/216.

1 Like