npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm install does not install transitive dependencies of local dependency

What I Wanted to Do

I would like to install a local package and run myfunction defined in the local package. I expect the function to print MYFUNCTION.

What Happened Instead

$ node index.js
module.js:540
    throw err;
    ^

Error: Cannot find module 'upper-case'
    at Function.Module._resolveFilename (module.js:538:15)
    at Function.Module._load (module.js:468:25)
    at Module.require (module.js:587:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (C:\Users\cbuchacher\src\npm-local-test\lib\index.js:1:74)
    at Module._compile (module.js:643:30)
    at Object.Module._extensions..js (module.js:654:10)
    at Module.load (module.js:556:32)
    at tryModuleLoad (module.js:499:12)
    at Function.Module._load (module.js:491:3)

Reproduction Steps

$ git clone https://github.com/cbuchacher/npm-local-test
$ cd npm-local-test/user
$ npm install
$ node index.js

Details

The problem does not appear when using npm install --no-package-lock.

The following issues seem to be related. But I do not get ENOENT errors, and since the proposed fix has not been released, I am not sure how to test easily.


Platform Info

$ npm --versions
{ npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '31.0.1',
  http_parser: '2.7.0',
  icu: '59.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.9.4',
  openssl: '1.0.2n',
  tz: '2017b',
  unicode: '9.0',
  uv: '1.15.0',
  v8: '6.1.534.50',
  zlib: '1.2.11' }
$ node -p process.platform
win32


I re-tested with the proposed fix for the related issues:

$ git clone https://github.com/npm/cli npm-cli
$ git -C npm-cli checkout origin/iarna/enoent-on-link-up
$ cd npm-local-test/user
$ node ../../npm-cli/bin/npm-cli.js install
$ node ../../npm-cli/bin/npm-cli.js install

The first run still fails to install the upper-case package, but it removes the upper-case package dependency from package-lock.json. The second run installs the upper-case package in …/lib/node_modules, presumably because the removal from package-lock.json has the same effect as installing with --no-package-lock. However, this means that the version of the transient dependency is not locked. I would expect all transient dependencies to be locked as well.

diff --git a/user/package-lock.json b/user/package-lock.json
index fd00ed2..a0ae88b 100644
--- a/user/package-lock.json
+++ b/user/package-lock.json
@@ -8,12 +8,6 @@
       "version": "file:../lib",
       "requires": {
         "upper-case": "^1.1.3"
-      },
-      "dependencies": {
-        "upper-case": {
-          "version": "1.1.3",
-          "bundled": true
-        }
       }
     }
   }


I also noticed that npm install file:../lib ignores lib/package-lock.json, even though it installs packages in lib/node_modules. Not sure if this is worth another ticket.