npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

npm install does not install transitive dependencies of local dependency

What I Wanted to Do

I would like to install a local package and run myfunction defined in the local package. I expect the function to print MYFUNCTION.

What Happened Instead

$ node index.js
    throw err;

Error: Cannot find module 'upper-case'
    at Function.Module._resolveFilename (module.js:538:15)
    at Function.Module._load (module.js:468:25)
    at Module.require (module.js:587:17)
    at require (internal/module.js:11:18)
    at Object.<anonymous> (C:\Users\cbuchacher\src\npm-local-test\lib\index.js:1:74)
    at Module._compile (module.js:643:30)
    at Object.Module._extensions..js (module.js:654:10)
    at Module.load (module.js:556:32)
    at tryModuleLoad (module.js:499:12)
    at Function.Module._load (module.js:491:3)

Reproduction Steps

$ git clone
$ cd npm-local-test/user
$ npm install
$ node index.js


The problem does not appear when using npm install --no-package-lock.

The following issues seem to be related. But I do not get ENOENT errors, and since the proposed fix has not been released, I am not sure how to test easily.

Platform Info

$ npm --versions
{ npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '31.0.1',
  http_parser: '2.7.0',
  icu: '59.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.9.4',
  openssl: '1.0.2n',
  tz: '2017b',
  unicode: '9.0',
  uv: '1.15.0',
  v8: '6.1.534.50',
  zlib: '1.2.11' }
$ node -p process.platform

I re-tested with the proposed fix for the related issues:

$ git clone npm-cli
$ git -C npm-cli checkout origin/iarna/enoent-on-link-up
$ cd npm-local-test/user
$ node ../../npm-cli/bin/npm-cli.js install
$ node ../../npm-cli/bin/npm-cli.js install

The first run still fails to install the upper-case package, but it removes the upper-case package dependency from package-lock.json. The second run installs the upper-case package in …/lib/node_modules, presumably because the removal from package-lock.json has the same effect as installing with --no-package-lock. However, this means that the version of the transient dependency is not locked. I would expect all transient dependencies to be locked as well.

diff --git a/user/package-lock.json b/user/package-lock.json
index fd00ed2..a0ae88b 100644
--- a/user/package-lock.json
+++ b/user/package-lock.json
@@ -8,12 +8,6 @@
       "version": "file:../lib",
       "requires": {
         "upper-case": "^1.1.3"
-      },
-      "dependencies": {
-        "upper-case": {
-          "version": "1.1.3",
-          "bundled": true
-        }

I also noticed that npm install file:../lib ignores lib/package-lock.json, even though it installs packages in lib/node_modules. Not sure if this is worth another ticket.