npm install isn't idempotent

What I Wanted to Do

Install all dependencies that are described in this package.json file by executing npm install.

{
  "name": "idempotent-test",
  "version": "0.0.1",
  "private": true,
  "author": "Jason Yeo <jasonyeo88@gmail.com>",
  "description": "A node project to demostrate a bug",
  "dependencies": {
    "hapi": "8.1.0"
  }
}

What Happened Instead

Installation succeeds but not all dependencies were installed. For example, isemail@1.2.0 and joi@4.x.x weren’t installed.

$ npm ls | grep isemail
  │ ├── isemail@1.1.1
npm ERR! missing: joi@4.x.x, required by catbox@4.2.0

Thereafter, I tried to do npm install again, and it seems like it finally installed all the dependencies.

$ npm i
npm WARN deprecated joi@4.9.0: This version is no longer maintained. Please upgrade to the latest version.
added 3 packages from 7 contributors and audited 154 packages in 2.901s
found 81 vulnerabilities (6 low, 72 moderate, 3 high)
  run `npm audit fix` to fix them, or `npm audit` for details
$ npm ls | grep isemail
  │   ├── isemail@1.2.0
  │ ├── isemail@1.1.1

What I Expect

npm install should be idempotent and I should only need to run it once.

Reproduction Steps

Run npm install on the following package.json:

{
  "name": "idempotent-test",
  "version": "0.0.1",
  "private": true,
  "author": "Jason Yeo <jasonyeo88@gmail.com>",
  "description": "A node project to demostrate a bug",
  "dependencies": {
    "hapi": "8.1.0"
  }
}

Details

Platform Info

I am able to reproduce this on macOS 10.14 and Debian stretch. I am using the latest version of npm:

$ npm --versions
{ 'idempotent-test': '0.0.1',
  npm: '6.6.0-next.1',
  ares: '1.15.0',
  cldr: '34.0',
  http_parser: '2.8.0',
  icu: '63.1',
  llhttp: '1.0.1',
  modules: '67',
  napi: '3',
  nghttp2: '1.34.0',
  node: '11.6.0',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.24.1',
  v8: '7.0.276.38-node.13',
  zlib: '1.2.11' }
$ node -p process.platform
linux

I am also able to reproduce this on the node:11 Docker image provided by Docker Hub.

After some testing I found out that isemail isn’t in the shrinkwrap of hapi. npm follows the shrinkwrap at the first install, and at the second install I guess it has its own shrinkwrap and doesn’t use the other anymore. Not sure whether this is intended behaviour or not.

We don’t support partial shrinkwraps since npm@5 – If hapi chooses to continue doing this, that’s on them, and we’re not going to fix minor installer issues caused by these partial, hand-edited shrinkwraps.

Hmmm ok, so I’m supposed to run npm install twice?

Ideally, no, but in this case, this is out of our “happy path” for users and we currently have no intention of fixing it.
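
The partial-shrinkwrap condition discussed in this thread can be checked for mechanically. The following is an added example, not part of the original posts and not npm's or hapi's code: it walks a shrinkwrap tree and reports every declared dependency that is not pinned. The manifests, the shrinkwrap contents and the helper names `satisfies` and `findUnpinned` are assumptions constructed for illustration.

```javascript
// Constructed sample data, shaped after the `npm ls` error in the thread.
// It is NOT hapi's real shrinkwrap; the catbox range under hapi is an assumption.
const manifests = {
  'hapi@8.1.0':   { dependencies: { catbox: '4.x.x' } },
  'catbox@4.2.0': { dependencies: { joi: '4.x.x' } },
};
const shrinkwrap = {
  name: 'hapi', version: '8.1.0',
  dependencies: { catbox: { version: '4.2.0' } }, // joi was never pinned
};

// Minimal range matcher: exact versions and "x" wildcards only (not full semver).
function satisfies(version, range) {
  const v = version.split('.');
  return range.split('.').every((part, i) => part === 'x' || part === v[i]);
}

// Walk the shrinkwrap tree. Every dependency a package declares must be pinned
// in its own `dependencies` or in an ancestor's, mirroring node_modules lookup.
function findUnpinned(manifests, node, name, ancestors = [], out = []) {
  const scopes = [node.dependencies || {}, ...ancestors];
  const declared = (manifests[`${name}@${node.version}`] || {}).dependencies || {};
  for (const [dep, range] of Object.entries(declared)) {
    const hit = scopes.find((s) => s[dep]); // nearest scope wins, as in Node
    if (!hit || !satisfies(hit[dep].version, range)) {
      out.push(`${dep}@${range}, required by ${name}@${node.version}`);
    }
  }
  for (const [child, sub] of Object.entries(node.dependencies || {})) {
    findUnpinned(manifests, sub, child, scopes, out);
  }
  return out;
}

// A non-empty result means the shrinkwrap is partial and the install
// outcome is not fully determined by it.
console.log(findUnpinned(manifests, shrinkwrap, shrinkwrap.name));
```

Running a check like this in CI against a dependency's shipped shrinkwrap flags the gap before it shows up as a `missing:` line after install.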
