Dependencies reported by npm do not match package.json

I’m running into a weird behavior that I have a hard time explaining.

Background:

A long time ago my project paraviewweb had a dependency on canvas + node-pre-gyp, which I removed.
Yet those dependencies still show up in your web interface, or in npm show paraviewweb, or when paraviewweb is declared as a dependency of another project.

paraviewweb package.json snippet

[...]
    "dependencies": {
        "base64-js": "1.3.1",
        "commander": "3.0.0",
        "jszip": "3.2.2",
        "pako": "1.0.10",
        "shelljs": "0.8.3"
    },
    "devDependencies": {
[...]

But yet they are not found inside the package-lock.json which is expected.

Then when I run

$ npm show paraviewweb

paraviewweb@3.2.9 | BSD-3-Clause | deps: 7 | versions: 334
Web framework for building interactive visualization relying on VTK or ParaView to produce visualization data
https://github.com/kitware/paraviewweb#readme

bin: pvw-html-data-bundle

dist
.tarball https://registry.npmjs.org/paraviewweb/-/paraviewweb-3.2.9.tgz
.shasum: a84b5495a848bad85ad47a3803592a2a40366e12
.integrity: sha512-IeryUI5twyZR+IgGNYiyvx2jx48SaopahLUIAo40nydUuIqL+IxQ0Vq0Bz4HdhHldw7/+BKvCXRP5DDJGZHuyA==
.unpackedSize: 18.2 MB

dependencies:
base64-js: 1.3.1      canvas: ^1.6.9        commander: 3.0.0      jszip: 3.2.2          node-pre-gyp: ^0.10.0 pako: 1.0.10          shelljs: 0.8.3        

maintainers:
- sebastien.jourdain <sebastien.jourdain@kitware.com>

dist-tags:
latest: 3.2.9  

published an hour ago by kwrobot <sebastien.jourdain+robot@kitware.com>

Then when I try to bring paraviewweb to a new project

$ mkdir tmp
$ cd tmp/
$ npm install paraviewweb

> canvas@1.6.13 install /Users/seb/Desktop/tmp/node_modules/canvas
> node-gyp rebuild

[...]

+ paraviewweb@3.2.9
added 81 packages from 59 contributors in 13.605s
[+] no known vulnerabilities found [134 packages audited]

$ npm ls
/Users/seb/Desktop/tmp
└─┬ paraviewweb@3.2.9
  ├── base64-js@1.3.1
  ├─┬ canvas@1.6.13 .   <============= Where is it coming from?
  │ └── nan@2.14.0

Please let me know if I missed any action on my end to properly prune any deprecated/unused dependency.

The main issue with that dependency is that it does not build on a lot of systems, which prevents my libs/applications from being installed or used.

Thanks for your help,

Seb

While still trying to figure out a way to remove that dependency, I thought I would try to publish a new version of paraviewweb with the latest version of canvas to hopefully trigger an update on that dependency list.

So I added to my package.json

     "dependencies": {
         "base64-js": "1.3.1",
+        "canvas": "^2.6.0",
         "commander": "3.0.0",
         "jszip": "3.2.2",
+        "node-pre-gyp": "^0.13.0",
         "pako": "1.0.10",
         "shelljs": "0.8.3"
     },
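
Review bot: The two added entries, `canvas` and `node-pre-gyp`, use caret ranges (`^2.6.0`, `^0.13.0`) while every other dependency in this block is pinned to an exact version, so consumers can resolve these two to different releases over time. Consider pinning them exactly like their neighbours, or note why these two are allowed to float.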

A new version gets published, 3.2.10, which still shows canvas: ^1.6.9

$ npm show paraviewweb

paraviewweb@3.2.10 | BSD-3-Clause | deps: 7 | versions: 335
Web framework for building interactive visualization relying on VTK or ParaView to produce visualization data
https://github.com/kitware/paraviewweb#readme

bin: pvw-html-data-bundle

dist
.tarball https://registry.npmjs.org/paraviewweb/-/paraviewweb-3.2.10.tgz
.shasum: adfda9f698cb80133a1ab0195275c7f1021730dd
.integrity: sha512-FLMld6KZdnT4ELU4xSraXpOjpasdOWrqpQdm1UoWnmF8h8Uf2FoNU54zevR300CGAZQKwGMDBlRbJLgbX49diQ==
.unpackedSize: 18.2 MB

dependencies:
base64-js: 1.3.1      canvas: ^1.6.9        commander: 3.0.0      jszip: 3.2.2          node-pre-gyp: ^0.10.0 pako: 1.0.10          shelljs: 0.8.3        

maintainers:
- kwrobot <sebastien.jourdain+robot@kitware.com>
- sebastien.jourdain <sebastien.jourdain@kitware.com>

dist-tags:
latest: 3.2.10  

published 9 minutes ago by kwrobot <sebastien.jourdain+robot@kitware.com>

And indeed when installing 3.2.10 as a dependency in another project, canvas: 1.6.13 gets installed rather than 2.6.*???

$ npm ls paraviewweb canvas
pvw-visualizer@0.0.0-semantically-release /Users/seb/Documents/code/Web/visualizer
└─┬ paraviewweb@3.2.10 
  └── canvas@1.6.13 

So right now, I’m pushing a new version removing the dependency again but with little hope that will solve my problem.

I really hope that someone from npm can do their magic to prune that dependency list in their database. And if you need to remove the releases 3.2.[9-11], please go for it as nothing depends on them…

Thanks for any help you could provide.

Sebastien

Then the strangest part is that the dependency list manages to update the versions of the other dependencies, but canvas and node-pre-gyp remain fixed regardless of version update or deletion.

$ npm show paraviewweb@3.2.8

dependencies:
base64-js: 1.3.0      canvas: ^1.6.9        commander: 2.15.1     jszip: 3.1.5          node-pre-gyp: ^0.10.0 pako: 1.0.6           shelljs: 0.8.2
$ npm show paraviewweb@3.2.9

dependencies:
base64-js: 1.3.1      canvas: ^1.6.9        commander: 3.0.0      jszip: 3.2.2          node-pre-gyp: ^0.10.0 pako: 1.0.10          shelljs: 0.8.3        

Sorry to keep pushing new messages to that topic, but I try to share as much as I can about my discoveries in case it could help your debugging.

I found these lines in your .travis.yml which match up with the zombie versions:

- npm install node-pre-gyp@0.10.0
- npm install canvas@1.6.9

OMG, thank you so much for pointing it out. Sorry for the noise and thank you for looking into it…
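
A publish-time check for the drift this thread turned out to be about, as an added example that is not part of the original posts: it compares the repository's package.json with the published manifest (as returned by `npm show <pkg> --json`) and points at CI lines that run `npm install <pkg>`, which since npm 5 saves the package into package.json by default. The function names are hypothetical, and the sample data is built from the values quoted in the thread.

```javascript
// Added example; function names are hypothetical, not part of npm.

// Dependencies present in one manifest but not the other, or with different ranges.
function diffDependencies(source, published) {
  const src = source.dependencies || {};
  const pub = published.dependencies || {};
  const drift = [];
  for (const name of new Set([...Object.keys(src), ...Object.keys(pub)])) {
    if (src[name] === pub[name]) continue;
    const kind = !(name in src) ? 'only-in-published'
      : !(name in pub) ? 'only-in-source' : 'range-differs';
    drift.push({ name, kind, source: src[name] || null, published: pub[name] || null });
  }
  return drift.sort((a, b) => a.name.localeCompare(b.name));
}

// CI lines that run `npm install <pkg>` without --no-save (or -g): each one
// rewrites package.json in the build workspace before `npm publish` reads it.
function findSavingInstalls(ciLines) {
  const hits = [];
  for (const line of ciLines) {
    const m = /\bnpm\s+(?:install|i|add)\s+(.+)$/.exec(line.trim());
    if (!m || /(^|\s)(--no-save|-g|--global)(\s|$)/.test(m[1])) continue;
    for (const arg of m[1].split(/\s+/)) {
      if (arg.startsWith('-')) continue;
      const at = arg.lastIndexOf('@'); // index 0 is a scope marker, not a version
      hits.push({ name: at > 0 ? arg.slice(0, at) : arg, line: line.trim() });
    }
  }
  return hits;
}

// Attach to each drifted dependency the CI line that most likely introduced it.
function explainDrift(source, published, ciLines) {
  const installs = findSavingInstalls(ciLines);
  return diffDependencies(source, published).map((d) => ({
    ...d, causedBy: (installs.find((h) => h.name === d.name) || {}).line || null,
  }));
}

// Sample input constructed from the values quoted in this thread.
const repoManifest = { dependencies: { 'base64-js': '1.3.1', commander: '3.0.0',
  jszip: '3.2.2', pako: '1.0.10', shelljs: '0.8.3' } };
const registryManifest = { dependencies: { 'base64-js': '1.3.1', canvas: '^1.6.9',
  commander: '3.0.0', jszip: '3.2.2', 'node-pre-gyp': '^0.10.0', pako: '1.0.10',
  shelljs: '0.8.3' } };
const travisLines = ['- npm install node-pre-gyp@0.10.0', '- npm install canvas@1.6.9'];

console.log(explainDrift(repoManifest, registryManifest, travisLines));
```

Run as a CI step before `npm publish`, a non-empty result is a reason to fail the build; adding `--no-save` to the CI install lines keeps them from touching the manifest.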
