npm install does not install transitive dependencies of local dependency

cli
help-wanted
priority:medium
triaged

(Clemens Buchacher) #1

What I Wanted to Do

I would like to install a local package and run myfunction defined in the local package. I expect the function to print MYFUNCTION.

What Happened Instead

$ node index.js
module.js:540
    throw err;
    ^

Error: Cannot find module 'upper-case'
    at Function.Module._resolveFilename (module.js:538:15)
    at Function.Module._load (module.js:468:25)
    at Module.require (module.js:587:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (C:\Users\cbuchacher\src\npm-local-test\lib\index.js:1:74)
    at Module._compile (module.js:643:30)
    at Object.Module._extensions..js (module.js:654:10)
    at Module.load (module.js:556:32)
    at tryModuleLoad (module.js:499:12)
    at Function.Module._load (module.js:491:3)

Reproduction Steps

$ git clone https://github.com/cbuchacher/npm-local-test
$ cd npm-local-test/user
$ npm install
$ node index.js

Details

The problem does not appear when using npm install --no-package-lock.

The following issues seem to be related. But I do not get ENOENT errors, and since the proposed fix has not been released, I am not sure how to test easily.


Platform Info

$ npm --versions
{ npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '31.0.1',
  http_parser: '2.7.0',
  icu: '59.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.9.4',
  openssl: '1.0.2n',
  tz: '2017b',
  unicode: '9.0',
  uv: '1.15.0',
  v8: '6.1.534.50',
  zlib: '1.2.11' }
$ node -p process.platform
win32

(Clemens Buchacher) #2

I re-tested with the proposed fix for the related issues:

$ git clone https://github.com/npm/cli npm-cli
$ git -C npm-cli checkout origin/iarna/enoent-on-link-up
$ cd npm-local-test/user
$ node ../../npm-cli/bin/npm-cli.js install
$ node ../../npm-cli/bin/npm-cli.js install

The first run still fails to install the upper-case package, but it removes the upper-case package dependency from package-lock.json. The second run installs the upper-case package in …/lib/node_modules, presumably because the removal from package-lock.json has the same effect as installing with --no-package-lock. However, this means that the version of the transient dependency is not locked. I would expect all transient dependencies to be locked as well.

diff --git a/user/package-lock.json b/user/package-lock.json
index fd00ed2..a0ae88b 100644
--- a/user/package-lock.json
+++ b/user/package-lock.json
@@ -8,12 +8,6 @@
       "version": "file:../lib",
       "requires": {
         "upper-case": "^1.1.3"
-      },
-      "dependencies": {
-        "upper-case": {
-          "version": "1.1.3",
-          "bundled": true
-        }
       }
     }
   }
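Review bot: Removing the nested "dependencies" block for "upper-case" while keeping "requires": { "upper-case": "^1.1.3" } leaves this lockfile with a range but no pinned version for that package, so each install is free to resolve whatever currently satisfies ^1.1.3. The removed entry was also thin, carrying only "version": "1.1.3" and "bundled": true. The regenerated lock should keep a locked "upper-case" entry for the file:../lib dependency, nested here or hoisted to the top level, rather than dropping it.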

(Clemens Buchacher) #3

I also noticed that npm install file:../lib ignores lib/package-lock.json, even though it installs packages in lib/node_modules. Not sure if this is worth another ticket.
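
The lockfile change shown in post #2 can be checked mechanically. The following is an added example, not part of the thread or of npm's own code: it walks a lockfileVersion 1 package-lock.json and reports every "requires" entry that has no locked version in scope. The sample lockfiles are constructed from the diff in post #2, and the key name local-lib is a placeholder because the diff does not show the real one.

```javascript
'use strict';

// Walk an npm lockfile (lockfileVersion 1, as written by npm 6) and return
// every "requires" entry with no locked version visible to the requirer.
// Lookup mirrors Node's resolution order: the package's own nested
// "dependencies" first, then each ancestor level up to the lockfile root.
function findUnlockedRequires(lock) {
  const findings = [];
  const has = (scope, key) => Object.prototype.hasOwnProperty.call(scope, key);
  const walk = (deps, scopes, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const here = path.concat(name);
      const visible = [entry.dependencies || {}, deps, ...scopes];
      for (const [req, range] of Object.entries(entry.requires || {})) {
        if (!visible.some((scope) => has(scope, req))) {
          findings.push({
            parent: here.join(' > '),
            local: String(entry.version).startsWith('file:'), // local path dep
            name: req,
            range,
          });
        }
      }
      walk(entry.dependencies, [deps, ...scopes], here);
    }
  };
  walk(lock.dependencies, [], []);
  return findings;
}

// Constructed samples modelled on the package-lock.json diff in post #2.
// "local-lib" is a placeholder key; the diff does not show the real name.
const before = {
  lockfileVersion: 1,
  dependencies: {
    'local-lib': {
      version: 'file:../lib',
      requires: { 'upper-case': '^1.1.3' },
      dependencies: { 'upper-case': { version: '1.1.3', bundled: true } },
    },
  },
};
// The same lockfile after the nested entry has been removed.
const after = JSON.parse(JSON.stringify(before));
delete after.dependencies['local-lib'].dependencies;

console.log('before:', JSON.stringify(findUnlockedRequires(before)));
console.log('after: ', JSON.stringify(findUnlockedRequires(after)));
```

Run against a real lockfile by passing the parsed JSON to findUnlockedRequires; a non-empty result in CI is a signal that a transitive dependency is no longer pinned.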