npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm 6, with package-lock false, installs packages during remove operations

What I Wanted to Do

Tried to run npm rm --no-save package1 package2

What Happened Instead

Depending on where the dep is listed, sometimes one package is removed, sometimes no packages are removed.

If the packages listed in the rm command are in devDependencies nothing is removed.

If the packages listed in the rm command are in dependencies, sometimes one of them is removed, but never all of the packages listed.

Reproduction Steps

npm ls --depth=0
npm config set package-lock false
npm rm --no-save dep1 dep2
npm ls --depth=0

(not all packages will have been deleted that were asked to be deleted – sometimes there will be no difference in output for both npm ls commands)


I would expect all packages listed in a single rm command to be removed, especially if the package-lock setting is set to false (and there is no package-lock.json in the project).

I understand that the goal for npm is to prevent these sorts of errors from occurring, but, in my opinion, not removing packages that have been requested to be deleted is way more confusing than any other option here.

I am fine if subsequent modifications to the dependencies tree re-installs the removed packages, but to not remove them at all feels like it’s a non-optimum scenario.

Platform Info

Confirmed macOS, arch linux, and ubuntu

$ npm --versions
{ '@scriptollc/ot-engine': '1.0.0',
  npm: '6.1.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.29.0',
  node: '8.11.2',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }
$ node -p process.platform

Triage note: tbh I’m pretty sure this is just a support issue with a user being confused about how npm handles installs since npm@5

This is so counter-intuitive that it’s trying to compile an optional dependency when I ask it to remove packages.

[09:09:55] $ npm rm @scriptollc/search-schema @scriptollc/search-worker

> libpq@1.8.8 install /Users/todd/src/showrunner/node_modules/@scriptollc/restkit/node_modules/libpq
> node-gyp rebuild

/bin/sh: pg_config: command not found
gyp: Call to 'pg_config --libdir' returned exit status 127 while in binding.gyp. while trying to load binding.gyp
gyp ERR! configure error
gyp ERR! stack Error: `gyp` failed with exit code: 1
gyp ERR! stack     at ChildProcess.onCpExit (/Users/todd/src/nvm/versions/node/v8.11.2/lib/node_modules/npm/node_modules/node-gyp/lib/configure.js:345:16)
gyp ERR! stack     at emitTwo (events.js:126:13)
gyp ERR! stack     at ChildProcess.emit (events.js:214:7)
gyp ERR! stack     at Process.ChildProcess._handle.onexit (internal/child_process.js:198:12)
gyp ERR! System Darwin 17.6.0
gyp ERR! command "/Users/todd/src/nvm/versions/node/v8.11.2/bin/node" "/Users/todd/src/nvm/versions/node/v8.11.2/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js" "rebuild"
gyp ERR! cwd /Users/todd/src/showrunner/node_modules/@scriptollc/restkit/node_modules/libpq
gyp ERR! node -v v8.11.2
gyp ERR! node-gyp -v v3.7.0
gyp ERR! not ok
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: libpq@1.8.8 (node_modules/libpq):
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: libpq@1.8.8 install: `node-gyp rebuild`

added 3 packages from 2 contributors, removed 1 package and audited 3799 packages in 5.458s
found 0 vulnerabilities

Also with package-lock off, this can churn my dependency tree updating to later versions of packages captured by my current semver range.

Yes, I know I’m not using package-lock, but even regardless this shouldn’t be installing packages when I’m only asking for packages to be removed.

The reinstallation of packages when they are missing from the tree, when package-lock is disabled and no package-lock.json file is present is extremely vexing.

This causes multiple lost hours in our company when trying to debug software.

I would be happy to fix this issue myself if I could even get information on whether or not this is a bug (it seems like it is!) or if this intended behavior.