npm does not install GitHub deep dependencies with a since-mutated package.json

priority:medium
help-wanted
cli
triaged

(Aram Drevekenin) #1

What I Wanted to Do

Install a package that has a deep dependency on a GitHub package whose name in package.json changed (added an org). The package in question and a way of reproducing this: npm install feathers-hooks-common@1.7.2

What Happened Instead

The package is installed, the dependency is not. It is also not added to package-lock.json.

Reproduction Steps

Run npm install with this package.json file:

{
  "name": "npm-issue",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "author": "",
  "license": "ISC",
  "dependencies": {
    "feathers-hooks-common": "1.7.2"
  }
}

cat ./node_modules/feathers-hooks-common/package.json:

// ...
  "dependencies": {
    "debug": "^2.2.0",
    "feathers-hooks-utils": "^0.1.1",
    "get-parameter-names": "git+https://github.com/benbotto/get-parameter-names.git",
    "object.assign": "^4.0.4"
  },
// ...

cat package-lock.json | grep 'get-parameter-names' ===> empty
ls -l ./node_modules/ | grep 'get-parameter-names' ===> empty

Details

I actually debugged this a bit and found the problem (I think!). I wanted to file a PR to fix this, but the fix requires some decision making I did not want to do without an OK from the CLI team beforehand (and possibly some guidance as well).

What happens:
The requirement, as can be seen in the package.json dependencies (and the registry manifest, ofc), is named get-parameter-names which was likely true when (this version) of the package was published, but since then the package was added to the @avejidah organization and thus changed its name to @avejidah/get-parameter-names. Since GitHub is not an immutable medium, this causes trouble when installing the dependency and reaching here: https://github.com/npm/npm/blob/4c65cd952bc8627811735bea76b9b110cc4fc80e/lib/install/deps.js#L160
This returns false (because feathers-hooks-common@1.7.2's manifest has no child dependency called @avejidah/get-parameter-names, but rather one that is called get-parameter-names and thus the package is not added).

Here I got stuck fixing this, since I am not 100% certain what would be the desirable change to isDep to make this work. I’d be very happy to work on this after discussing possible solutions with the CLI team, if there is a will.

For context, this was discovered due to this issue: https://github.com/yarnpkg/yarn/issues/5930

Versions:

{ 'npm-issue': '1.0.0',
  npm: '6.1.0',
  ares: '1.13.0',
  cldr: '32.0.1',
  http_parser: '2.7.0',
  icu: '60.2',
  modules: '59',
  napi: '2',
  nghttp2: '1.29.0',
  node: '9.8.0',
  openssl: '1.0.2n',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.2',
  v8: '6.2.414.46-node.21',
  zlib: '1.2.11' }
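
The mismatch described in post #1, as an added example that is not part of the original post and is not npm's code: a simplified name-only matcher, plus an audit that flags git dependencies whose fetched manifest name differs from the declared key or that are missing from the lockfile. The fetched manifest, the lockfile excerpt and all function names are constructed for illustration.

```javascript
// Simplified model for illustration; not npm's lib/install/deps.js.
// Dependencies as quoted above from feathers-hooks-common@1.7.2's package.json.
const parentPkg = {
  name: 'feathers-hooks-common',
  dependencies: {
    'debug': '^2.2.0',
    'feathers-hooks-utils': '^0.1.1',
    'get-parameter-names': 'git+https://github.com/benbotto/get-parameter-names.git',
    'object.assign': '^4.0.4'
  }
};
const GIT_SPEC = parentPkg.dependencies['get-parameter-names'];
// Constructed: manifest the git URL serves today (name from the report, version a placeholder).
const fetched = { [GIT_SPEC]: { name: '@avejidah/get-parameter-names', version: '0.0.0-placeholder' } };
// Constructed package-lock.json excerpt; only top-level entries are checked (assumption).
const lock = { dependencies: { 'feathers-hooks-common': { version: '1.7.2' } } };

// Git URLs and user/repo shorthands point at mutable content; semver ranges do not match.
const isGitSpec = (spec) =>
  /^(git\+|git:\/\/|github:)/.test(spec) || /^[\w.-]+\/[\w.-]+(#.+)?$/.test(spec);

// Name-only matching: a fetched child counts as a dependency only if its own
// manifest name is a key in the parent's dependencies.
const isDepByName = (pkg, child) =>
  Object.prototype.hasOwnProperty.call(pkg.dependencies || {}, child.name);

function auditGitDeps(pkg, fetchedBySpec, lockfile) {
  const locked = lockfile.dependencies || {};
  const findings = [];
  for (const [declared, spec] of Object.entries(pkg.dependencies || {})) {
    if (!isGitSpec(spec)) continue; // registry specs are out of scope here
    const child = fetchedBySpec[spec];
    if (!child) { findings.push({ declared, spec, problem: 'unfetched' }); continue; }
    if (child.name !== declared) {
      findings.push({ declared, spec, problem: 'renamed', actual: child.name,
        matchedByName: isDepByName(pkg, child) });
    }
    if (!(declared in locked) && !(child.name in locked)) {
      findings.push({ declared, spec, problem: 'not-in-lockfile' });
    }
  }
  return findings;
}

console.log(auditGitDeps(parentPkg, fetched, lock));
```

A dependency that resolves from a git URL without a pinned commit and without a lockfile entry can change content between installs, so either finding is worth reviewing before trusting the tree.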

(Kat Marchán) #3

I’ve been out of the office since right around when this got posted, so I haven’t been able to take a look at the repro, and may not be able to for a while. I appreciate the report, though. I’ll remove the countdown for now so we have more time for it.


(Aram Drevekenin) #4

@zkat - polite (I hope) ping? I’d still be happy to work on this if you feel you have the time for some initial decisions/guidance.


(Kat Marchán) #5

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.