`npm ci` creates an invalid install with optionalDependencies from git

cli
priority:medium
triaged

(Jeff Burn) #1

What I Wanted to Do

I wanted to run `npm ci` in a project with optional dependencies pointing to GitHub URLs. I am cross-posting this from the original GitHub issue here: https://github.com/npm/npm/issues/20795

What Happened Instead

The optional dependencies were installed using versions from the npm registry, not GitHub.

Reproduction Steps

I have created a minimal reproduction of the problem here: https://github.com/jeffora/npm-ci-invalid-optional. This project has a single optional dependency on a fork of left-pad (which itself has no dependencies).

The fork simply adds a `console.log` line. After running `npm install` it can be clearly seen by running `grep "custom" node_modules/left-pad/index.js`. After running `npm ci`, the custom line is not there.

The CLI output also shows that it is retrieving the package from the registry, not GitHub.

Output of `npm ci --loglevel=silly`:

npm info it worked if it ends with ok
npm verb cli [ '/usr/local/bin/node',
npm verb cli   '/Users/jeff/.npm-global/bin/npm',
npm verb cli   'ci',
npm verb cli   '--loglevel=silly' ]
npm info using npm@6.1.0
npm info using node@v8.11.1
npm verb npm-session 5c2032fc3220869d
npm info prepare initializing installer
npm verb prepare starting workers
npm verb prepare installation prefix: /Users/jeff/Code/npm-ci-invalid-optional
npm verb prepare using package-lock.json
npm WARN prepare removing existing node_modules/ before installation
npm verb checkLock verifying package-lock data
npm sill tree LogicalTree {
npm sill tree   name: 'npm-ci-invalid-optional',
npm sill tree   version: '1.0.0',
npm sill tree   address: '',
npm sill tree   optional: false,
npm sill tree   dev: false,
npm sill tree   bundled: false,
npm sill tree   resolved: undefined,
npm sill tree   integrity: undefined,
npm sill tree   dependencies:
npm sill tree    Map {
npm sill tree      'left-pad' => LogicalTree {
npm sill tree      name: 'left-pad',
npm sill tree      version: '1.3.0',
npm sill tree      address: 'left-pad',
npm sill tree      optional: true,
npm sill tree      dev: false,
npm sill tree      bundled: false,
npm sill tree      resolved: 'git+https://github.com/jeffora/left-pad.git#806c9eda55a3ac4ad365a344ac9024c3ea183f8c',
npm sill tree      integrity: undefined,
npm sill tree      dependencies: Map {},
npm sill tree      requiredBy: [Object] } },
npm sill tree   requiredBy: Set {} }
npm info prepare Done in 0.033s
npm verb extractTree extracting dependencies to node_modules/
npm sill extractTree left-pad@1.3.0 -> /Users/jeff/Code/npm-ci-invalid-optional/node_modules/left-pad
sill tarball no local data for left-pad@1.3.0. Extracting by manifest. /Users/jeff/Code/npm-ci-invalid-optional/node_modules/left-pad
http fetch GET 200 https://registry.npmjs.org/left-pad 29ms (from cache)Users/jeff/Code/npm-ci-invalid-optional/node_modules/left-pad
http fetch GET 200 https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz 7ms (from cache)
sill extract left-pad@1.3.0 extracted to /Users/jeff/Code/npm-ci-invalid-optional/node_modules/left-pad (75ms)
npm info extractTree Done in 0.5s
npm verb updateJson updating json deps to include _from
npm info updateJson Done in 0.002s
npm verb buildTree finalizing tree and running scripts
npm sill buildTree linking npm-ci-invalid-optional@1.0.0
npm info lifecycle npm-ci-invalid-optional@1.0.0~preinstall: npm-ci-invalid-optional@1.0.0
npm sill buildTree linking left-pad@1.3.0
npm info lifecycle left-pad@1.3.0~preinstall: left-pad@1.3.0
npm info lifecycle left-pad@1.3.0~install: left-pad@1.3.0
npm info lifecycle left-pad@1.3.0~postinstall: left-pad@1.3.0
npm info lifecycle npm-ci-invalid-optional@1.0.0~install: npm-ci-invalid-optional@1.0.0
npm info lifecycle npm-ci-invalid-optional@1.0.0~postinstall: npm-ci-invalid-optional@1.0.0
npm info buildTree Done in 0.003s
npm info garbageCollect Done in 0s
npm info lifecycle npm-ci-invalid-optional@1.0.0~prepublish: npm-ci-invalid-optional@1.0.0
npm info runScript Done in 0s
npm info lifecycle npm-ci-invalid-optional@1.0.0~prepare: npm-ci-invalid-optional@1.0.0
npm info runScript Done in 0s
npm verb teardown shutting down workers.
npm info teardown Done in 0s
npm info run-scripts total script time: 0.001s
npm info run-time total run time: 0.54s
added 1 packages in 0.54s
npm verb exit [ 0, true ]
npm timing npm Completed in 709ms
npm info ok

Details

Versions:

{ 'npm-ci-invalid-optional': '1.0.0',
  npm: '6.1.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.11.1',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.50',
  zlib: '1.2.11' }
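
The mismatch reported above can be detected mechanically from the same silly-level output. The following is an added example, not part of the original post or of npm: it compares each `resolved` value in the tree dump with the tarball URLs actually fetched. The function name, the regular expressions and the `example-dep` entry are assumptions made for illustration.

```javascript
// Added example: flag packages whose tree dump pins a git source but whose
// tarball was fetched from a registry during `npm ci --loglevel=silly`.

// Sample input: lines shortened from the log in the report, plus one
// constructed registry-only dependency ("example-dep") as a negative case.
const SAMPLE_LOG = [
  "npm sill tree   name: 'npm-ci-invalid-optional',",
  "npm sill tree   resolved: undefined,",
  "npm sill tree      'left-pad' => LogicalTree {",
  "npm sill tree      name: 'left-pad',",
  "npm sill tree      resolved: 'git+https://github.com/jeffora/left-pad.git#806c9eda55a3ac4ad365a344ac9024c3ea183f8c',",
  "npm sill tree      name: 'example-dep',",
  "npm sill tree      resolved: 'https://registry.npmjs.org/example-dep/-/example-dep-1.0.0.tgz',",
  "http fetch GET 200 https://registry.npmjs.org/left-pad 29ms (from cache)",
  "http fetch GET 200 https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz 7ms (from cache)",
  "http fetch GET 200 https://registry.npmjs.org/example-dep/-/example-dep-1.0.0.tgz 5ms (from cache)",
].join("\n");

const GIT_SPEC = /^(git\+|git:\/\/|github:)/;
const TREE_NAME = /^npm sill tree\s+name: '([^']+)'/;
const TREE_RESOLVED = /^npm sill tree\s+resolved: '([^']+)'/;
// Registry tarball URLs have the form <registry>/<name>/-/<file>.tgz
const TARBALL_FETCH = /http fetch GET \d+ (https?:\/\/\S*?\/((?:@[^\s\/]+\/)?[^\s\/]+)\/-\/\S+\.tgz)/;

function findSourceMismatches(logText) {
  const lockedSource = new Map(); // package name -> resolved value from the tree dump
  const mismatches = [];
  let current = null; // name of the tree node currently being read
  for (const line of logText.split(/\r?\n/)) {
    let m;
    if ((m = TREE_NAME.exec(line))) {
      current = m[1];
    } else if ((m = TREE_RESOLVED.exec(line)) && current) {
      lockedSource.set(current, m[1]);
    } else if ((m = TARBALL_FETCH.exec(line))) {
      const [, url, name] = m;
      const expected = lockedSource.get(name);
      // A git-pinned package should never be satisfied by a registry tarball.
      if (expected && GIT_SPEC.test(expected)) {
        mismatches.push({ name, expected, fetched: url });
      }
    }
  }
  return mismatches;
}

for (const hit of findSourceMismatches(SAMPLE_LOG)) {
  console.log(`${hit.name}: locked to ${hit.expected} but fetched ${hit.fetched}`);
}
```

Packages are matched by name only, so the same name appearing at several depths of the tree with different sources is not distinguished.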

(Kenny Sabir) #2

[content redacted by @zkat]


(David Halls) #3

Yep, I’m seeing this too. Worked around it by publishing a scoped package - not ideal but works.


(Kat Marchán) #4

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

