npm install ignores version for git+ssh dependency and gets master instead when git client is 1.x.x

help-wanted
triaged
cli
priority:medium

(Francesco Merletti) #1

What I Wanted to Do

When try to install a dependency such as git+ssh://git@github.com/mjs2020/npm-git-test-dep1.git#v1.0.1 I get the right version on my local dev machine (OSX with git 2.17.0): v1.0.1

When building on my CI server (Jenkins on Centos 6 with git 1.7.1) I expect the same version to be installed.

What Happened Instead

I get the latest master instead: v2.0.0

Node and npm versions are the same but git versions are different.

Local dev env (correct behaviour): git version 2.17.0

CI server (incorrect behaviour): git version 1.7.1

Reproduction Steps

I’ve set up Dockerfiles to replicate the behaviour. Steps to reproduce:


# Clone demo repo:

git@github.com:mjs2020/npm-git-test-project.git

cd npm-git-test-project

Replicate failing behaviour:


# Start a docker container with centos6 and git 1.7.1 and copy in your ~/.ssh/id_rsa

docker build -t npmtest-centos6 --build-arg ssh_prv_key="$(cat ~/.ssh/id_rsa)" -f centos6/Dockerfile . && docker run -it npmtest-centos6

# From inside the container, if your id_rsa has a passphrase remove it (leave it empty):

# there might be a better way but I couldn't find one

ssh-keygen -p

# Then run npm install:

cd /root/npmtest

npm i && npm ls

Result:


npm-git-test-project@1.0.0 /root/npmtest

β”œβ”€β”¬ npm-git-test-dep1@2.0.0 (git+ssh://git@github.com/mjs2020/npm-git-test-dep1.git#259ee70dd39655907684321a137cc740913a4eab)

β”‚ └── npm-git-test-dep2@1.0.1 invalid (git+ssh://git@github.com/mjs2020/npm-git-test-dep2.git#070ca902e392b96a3f4848428af9cf3f6da7c6b6)

└── npm-git-test-dep2@2.0.0 (git+ssh://git@github.com/mjs2020/npm-git-test-dep2.git#070ca902e392b96a3f4848428af9cf3f6da7c6b6)

If you are running git 2.17.0 on your machine you can run npm i && npm ls, otherwise you can replicate with the following docker container:


# Start a docker container with centos6 and git 1.7.1 and copy in your ~/.ssh/id_rsa

docker build -t npmtest-centos7 --build-arg ssh_prv_key="$(cat ~/.ssh/id_rsa)" -f centos7/Dockerfile . && docker run -it npmtest-centos7

# From inside the container, if your id_rsa has a passphrase remove it (leave it empty):

# there might be a better way but I couldn't find one

ssh-keygen -p

# Then run npm install:

cd /root/npmtest

npm i && npm ls

Either way the new result:


npm-git-test-project@1.0.0 /root/npmtest

+-- npm-git-test-dep1@1.0.1 (git+ssh://git@github.com/mjs2020/npm-git-test-dep1.git#259ee70dd39655907684321a137cc740913a4eab)

| `-- npm-git-test-dep2@1.0.1 invalid (git+ssh://git@github.com/mjs2020/npm-git-test-dep2.git#070ca902e392b96a3f4848428af9cf3f6da7c6b6)

`-- npm-git-test-dep2@1.0.1 (git+ssh://git@github.com/mjs2020/npm-git-test-dep2.git#070ca902e392b96a3f4848428af9cf3f6da7c6b6)

Details

TL;DR:

When using git client 1.x.x npm install from dependencies with git+ssh and a version installs latest master.

When using git client 2.x.x it installs the correct expected dependency.

The β€œinvalid” in the npm ls output is a separate issue reported here: "npm i" does not dedupe "git+ssh" dependencies and results in invalid or UNMET DEPENDENCY states

Platform Info

Tested with:


$ npm --versions

6.5.0

$ node -p process.platform

linux


(Francesco Merletti) #2

A note for anyone else encounteing this issue on a Jenkins server. Apart from upgrading to git 2.x.x I also had to unset GIT_SSH before running npm i as that was pointing to a jenkins script and failing event with git 2.x.x installed.