npm ci (sometimes?) doesn't show an error when package.json and package-lock.json have different GitHub branch URLs


(John Dunning) #1

What I Wanted to Do

I was trying to reproduce locally this error I started getting on travis-ci builds:

$ npm ci
npm WARN prepare removing existing node_modules/ before installation
Unhandled rejection Error: Command failed: /usr/bin/git checkout 1ffe576d8197b8319df50bd88681ec03990ce424
fatal: reference is not a tree: 1ffe576d8197b8319df50bd88681ec03990ce424

I cloned a test copy of my repo that I was trying to build on travis, ran npm ci, and expected to get the same error. But the install succeeded!

What Happened Instead

The reason the travis build was failing seems to be that I’d updated package.json to point to a dependency on an existing branch (this was on a separate repo of my own):

"quick-score": "github:fwextensions/quick-score#develop",

But package-lock.json was still pointing at a branch that I’d deleted on GitHub (because I hadn’t run npm install afterwards):

"quick-score": {
  "version": "github:fwextensions/quick-score#1ffe576d8197b8319df50bd88681ec03990ce424",
  "from": "github:fwextensions/quick-score#feature/min-score"

That commit still existed on GitHub, but it was unreachable if you simply cloned the quick-score repo and then tried to check out that commit.

Reproduction Steps

  1. Check out this commit on this repo: (Not familiar enough with git to tell you how.)
  2. Run npm ci on Windows vs. Travis’s Ubuntu build.


Two things seem to be going wrong:

  1. npm ci seems to be behaving differently on travis-ci vs. locally on Windows in terms of checking out GitHub branches. On travis it’s acting like it cloned the repo and then did git checkout <sha>, which fails, whereas on Windows it seems like it was pulling the commit right from GitHub, where it still was reachable via the URL in package-lock.json.
  2. When a GitHub repo URL is pointing at different branches in package.json vs. package-lock.json, npm ci doesn’t produce any warning or error. Based on the docs (“If dependencies in the package lock do not match those in package.json, npm ci will exit with an error, instead of updating the package lock.”), I would’ve expected it to. Is it looking only at the URL before the hash when checking for differences? Is it because the module version is 0.0.0 in both branches?

Platform Info

$ npm --versions
{ 'quick-score-demo': '0.0.0',
  npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.4',
  openssl: '1.0.2p',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }
$ node -p process.platform
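The mismatch described in the post (same repo URL, different ref after the `#`) is one that a CI job can check for itself before running npm ci. The following is an added example, not code from the post or from npm: it compares each git-style dependency spec in package.json against the `from` spec recorded in a lockfile v1 package-lock.json and reports where the repo or the ref differs. The two sample documents are constructed from the values quoted above.

```javascript
// Added example (not from the original post): flag git dependency specs that
// differ between package.json and package-lock.json, including the ref after
// the "#" (branch, tag or commit), which npm ci did not complain about here.
const GIT_PREFIX = /^(github:|git\+|git:|gitlab:|bitbucket:)/;

// Split "github:owner/repo#ref" into its repo part and its ref part ("" if none).
function splitGitSpec(spec) {
  const hashIdx = spec.indexOf('#');
  return hashIdx === -1
    ? { repo: spec, ref: '' }
    : { repo: spec.slice(0, hashIdx), ref: spec.slice(hashIdx + 1) };
}

// Compare every git-style dependency in the manifest against the lock entry's
// "from" field (the spec npm recorded when it resolved the commit in "version").
function findGitSpecMismatches(pkg, lock) {
  const manifestDeps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  const lockDeps = lock.dependencies || {};
  const problems = [];
  for (const [name, spec] of Object.entries(manifestDeps)) {
    if (!GIT_PREFIX.test(spec)) continue; // registry deps: npm ci already checks these
    const entry = lockDeps[name];
    if (!entry) { problems.push({ name, reason: 'missing from lock' }); continue; }
    const want = splitGitSpec(spec);
    const locked = splitGitSpec(entry.from || '');
    if (want.repo !== locked.repo) {
      problems.push({ name, reason: 'repo differs', manifest: spec, lock: entry.from });
    } else if (want.ref !== locked.ref) {
      problems.push({ name, reason: 'ref differs', manifest: want.ref, lock: locked.ref });
    }
  }
  return problems;
}

// Constructed sample input, taken from the values quoted in the post.
const samplePackageJson = {
  dependencies: { 'quick-score': 'github:fwextensions/quick-score#develop' },
};
const samplePackageLock = {
  dependencies: {
    'quick-score': {
      version: 'github:fwextensions/quick-score#1ffe576d8197b8319df50bd88681ec03990ce424',
      from: 'github:fwextensions/quick-score#feature/min-score',
    },
  },
};

console.log(findGitSpecMismatches(samplePackageJson, samplePackageLock));
```

In a real repository, replace the constructed objects with `require('./package.json')` and `require('./package-lock.json')` and fail the build when the returned array is non-empty.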