npm 6.9.1 is broken due to .git folder in published tarball
npm install firstname.lastname@example.org -g; npm install email@example.com -g fails.
You can upgrade to latest npm but you cannot downgrade.
This is due to `npm ERR! EISGIT`.
If you run `npm pack npm` to download the tarball and unpack it you will find `./.git/logs` in there.
This is probably a linux related issue.
I’m running into the same issue.
npm install -g npm@latest … any subsequent attempts to re-install npm (downgrade) will fail
[2019-06-27T18:17:33.971Z] + npm install -g npm@latest
[2019-06-27T18:17:38.093Z] npm ERR! path /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/NodeJS-LTS/lib/node_modules/npm
[2019-06-27T18:17:38.093Z] npm ERR! code EISGIT
[2019-06-27T18:17:38.093Z] npm ERR! git /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/NodeJS-LTS/lib/node_modules/npm: Appears to be a git repo or submodule.
[2019-06-27T18:17:38.093Z] npm ERR! git /var/lib/jenkins/tools/jenkins.plugins.nodejs.tools.NodeJSInstallation/NodeJS-LTS/lib/node_modules/npm
[2019-06-27T18:17:38.093Z] npm ERR! git Refusing to remove it. Update manually,
[2019-06-27T18:17:38.093Z] npm ERR! git or move it out of the way first.
This bug is amazing =D (forgive me, I’ve always been weirdly excited about twisty corner cases!) npm publish ignores .git folders by default but forces all files named readme to be included… And that forced include overrides the exclude. And then there was once a remote branch named readme… and that goes in the .git folder, gets included in the publish, which then permanently borks your npm install, because of EISGIT, which in turn is a restriction that’s afaik entirely vestigial, copied forward from earlier versions of npm without clear insight into why you’d want that restriction in the first place.
I suspect this potential was introduced with the tar rewrite. It never happened before, because no one publishing before had a git repo with a remote ref like that, either through luck, or by following the setup guide which recommends using a separate copy of the repo for publication.
This is gonna be brutal to fix though, 'cause there’s no facility for the existing version to fix itself in this scenario. Would have to fall back to some npx-able thing that removes the .git folder, and communicating that is gonna be rough.
Pack issue previously reported here: `npm pack` includes items from `.git` folder if there is a branch called `readme` (regression in 6.9.0)
https://github.com/npm/cli/pull/204 should fix this. I’ll be throwing out a new release soon without the .git.
6.9.2 has been published. As Rebecca said, you’ll likely need to uninstall npm manually (or at least rimraf the .git directory inside it), but things should be good going forward. We are discussing whether to unpublish 6.9.1 as well, but this should stop any further accidents.
This is not just a bug due to a readme branch
See firstname.lastname@example.org which contains a .git folder with a single file index.
There is another root cause for publishing .git directory.
And again email@example.com which also has a .git directory with just the index in it.
I think that’s due to this: https://github.com/Raynos/tape-cluster/blob/master/package.json#L8
So I’ll consider that a separate bug. Should definitely file a bug in npm-packlist for this, though.
Just to clarify; `main: 'index'` will include any file called `index` recursively, including dotfiles into the tarball ? including
If it was `main: 'index.js'` this would not be an issue unless I had `.git/index.js` in my .git folder for some unknown reason.
yup, that’s what I’m saying. I think we only recently started making sure `main` was included in the tarball, but I can’t find that commit right now.
you should be able to test this with `npm pack --dry-run`
Can confirm with `npm pack --dry-run` that setting it to `index.js` resolves the issue; can also confirm that changing main in a completely unrelated project to
npm pack --dry-run
Can you file an issue about this in https://github.com/npm/npm-packlist/issues?
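A pre-publish check for the failure discussed in this thread, as an added example that is not part of the original posts or npm's own code: it reads a packed `.tgz` and reports every entry that sits inside a `.git` directory. The function names and the sample tarball contents are constructed for illustration, and pax/GNU long-name records are not decoded.

```javascript
const zlib = require('zlib');

// Read a NUL-terminated string field from a 512-byte tar header block.
function field(block, start, len) {
  const raw = block.subarray(start, start + len);
  const end = raw.indexOf(0);
  return raw.toString('utf8', 0, end === -1 ? len : end);
}

// Return every entry path in a gzipped tarball that has a `.git` path component.
// Limitation (assumption of this sketch): pax/GNU long-name records are not decoded.
function findGitEntries(tgz) {
  const tar = zlib.gunzipSync(tgz);
  const hits = [];
  for (let off = 0; off + 512 <= tar.length; ) {
    const header = tar.subarray(off, off + 512);
    if (header.every((b) => b === 0)) break; // end-of-archive marker
    const prefix = field(header, 345, 155); // ustar prefix for long paths
    const name = field(header, 0, 100);
    const path = prefix ? `${prefix}/${name}` : name;
    const size = parseInt(field(header, 124, 12).trim() || '0', 8); // octal size
    if (path.split('/').includes('.git')) hits.push(path);
    off += 512 + Math.ceil(size / 512) * 512; // header plus zero-padded body
  }
  return hits;
}

// Build one ustar entry for the constructed sample below (ASCII bodies only).
function entry(path, body) {
  const h = Buffer.alloc(512);
  h.write(path, 0, 100);
  h.write(body.length.toString(8).padStart(11, '0') + '\0', 124);
  h.write('        ', 148); // checksum is computed with this field as spaces
  h.write('0', 156); // typeflag: regular file
  h.write('ustar\0' + '00', 257);
  const sum = h.reduce((a, b) => a + b, 0);
  h.write(sum.toString(8).padStart(6, '0') + '\0 ', 148);
  const data = Buffer.alloc(Math.ceil(body.length / 512) * 512);
  data.write(body);
  return Buffer.concat([h, data]);
}

// Constructed sample: the two leaks described in the thread (readme ref, index file).
const sampleTgz = zlib.gzipSync(Buffer.concat([
  entry('package/index.js', 'module.exports = 1;\n'),
  entry('package/.git/index', 'DIRC'),
  entry('package/.git/logs/refs/remotes/origin/readme', '0000 1111 fetch\n'),
  Buffer.alloc(1024), // two zero blocks end the archive
]));
console.log(findGitEntries(sampleTgz));
```

Run it against the file produced by `npm pack` and fail the release job when the returned list is not empty.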