"npm i" does not dedupe "git+ssh" dependencies and results in invalid or UNMET DEPENDENCY states

What I Wanted to Do

I have a project which has dependencies referenced via git+ssh links from github. One dependency is both a direct and a sub-dependency as follows:

npm-git-test-project@1.0.0
β”œβ”€β”¬ npm-git-test-dep1@1.0.1
β”‚ └── npm-git-test-dep2@1.0.1
└── npm-git-test-dep2@1.0.1

When I run npm i I expect the two dependencies to be installed and npm-git-test-dep2 to be deduped:

npm-git-test-project@1.0.0
β”œβ”€β”¬ npm-git-test-dep1@1.0.1 (git+ssh://git@github.com/mjs2020/npm-git-test-dep1.git#259ee70dd39655907684321a137cc740913a4eab)
β”‚ └── npm-git-test-dep2@1.0.1 deduped (git+ssh://git@github.com/mjs2020/npm-git-test-dep2.git#070ca902e392b96a3f4848428af9cf3f6da7c6b6)
└── npm-git-test-dep2@1.0.1 (git+ssh://git@github.com/mjs2020/npm-git-test-dep2.git#070ca902e392b96a3f4848428af9cf3f6da7c6b6)

What Happened Instead

When I run npm i, it claims to have installed 3 packages: added 3 packages and audited 3 packages in 5.137s and when I run npm ls it shows I have an invalid dependency:

npm-git-test-project@1.0.0 /Users/merlef01/projects/npm-git-test-project
β”œβ”€β”¬ npm-git-test-dep1@1.0.1 (git+ssh://git@github.com/mjs2020/npm-git-test-dep1.git#259ee70dd39655907684321a137cc740913a4eab)
β”‚ └── npm-git-test-dep2@1.0.1 invalid (git+ssh://git@github.com/mjs2020/npm-git-test-dep2.git#070ca902e392b96a3f4848428af9cf3f6da7c6b6)
└── npm-git-test-dep2@1.0.1 (git+ssh://git@github.com/mjs2020/npm-git-test-dep2.git#070ca902e392b96a3f4848428af9cf3f6da7c6b6)

npm ERR! invalid: npm-git-test-dep2@1.0.1 /Users/merlef01/projects/npm-git-test-project/node_modules/npm-git-test-dep1/node_modules/npm-git-test-dep2

In the real scenario dep1 fails to require dep2 with Error: Cannot find module

npm ci also fails to install and leads to all dependencies showing as UNMET DEPENDENCY

Reproduction Steps

I’ve made a setup to reproduce this:



Steps to reproduce

git clone git@github.com:mjs2020/npm-git-test-project.git
cd npm-git-test-project
npm i
npm ls
# shows invalid
npm i
npm ls
# shows unmet dependency
npm dedupe
npm ls
# shows correctly deduped dependency

Details

I have downgraded npm to 5.10.0 and it did not replicate the issue described. Upgrading to 6.1.0 re-introduced it so this behaviour was introduced in between those versions.

The dependency repos have been tagged using npm version minor

Platform Info

$ npm --versions
<!-- paste output here -->

{ β€˜npm-git-test-project’: β€˜1.0.0’,
npm: β€˜6.5.0’,
ares: β€˜1.10.1-DEV’,
cldr: β€˜32.0’,
http_parser: β€˜2.8.0’,
icu: β€˜60.1’,
modules: β€˜57’,
napi: β€˜3’,
nghttp2: β€˜1.29.0’,
node: β€˜8.11.2’,
openssl: β€˜1.0.2o’,
tz: β€˜2017c’,
unicode: β€˜10.0’,
uv: β€˜1.19.1’,
v8: β€˜6.2.414.54’,
zlib: β€˜1.2.11’ }

$ node -p process.platform
<!-- paste output here -->
`darwin`

Removing the (invalid) package-lock.json worked for me, in part. The npm ls version was probably due to a mismatch in info there or in derived files. The npm ci install is still a bit weird, I’ll look into that now.

The only Error: Cannot find module I saw was caused by package, since it isn’t in package.json at all.

BTW: when the lock specifies a dependency to not be deduped, npm i won’t usually do that. An exception is probably when a different package that depends on the duplicate dependency is introduced.

This issue has been triaged and we’ve noted it as part of future work on the CLI. I don’t have a timeline for you, but we consider this important enough that we intend to address it in the near future. Thanks for the report, and we’ll share any relevant updates as they happen!

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.