`npm i` on uninitialised/empty directory installs the `undefined` npm package

What I Wanted to Do

Ran npm install by accident on an empty directory. I expected an error message to appear, or in general no side effects.

What Happened Instead

It installed undefined (https://www.npmjs.com/package/undefined) in node_modules, and created a package-lock.json with said package.

Reproduction Steps

fresh_dir_name=$RANDOM
mkdir $fresh_dir_name
cd $fresh_dir_name
npm i

Details

npm WARN deprecated undefined@0.1.0: this package has been deprecated
npm WARN saveError ENOENT: no such file or directory, open ‘/omitted/dirname/package.json’
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN enoent ENOENT: no such file or directory, open ‘/omitted/dirname/package.json’
npm WARN dirname No description
npm WARN dirname No repository field.
npm WARN dirname No README data
npm WARN dirname No license field.

updated 1 package and audited 1 package in 1.384s
found 0 vulnerabilities

Platform Info

$ npm --versions
{ npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.11.3',
  openssl: '1.0.2o',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.19.1',
  v8: '6.2.414.54',
  zlib: '1.2.11' }
$ node -p process.platform
darwin

I cannot reproduce this issue entirely: there is no package installed for me, just the lock file created. I’ll check with my colleagues, but as you mentioned, I wouldn’t expect a file creation.

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.