npm install --production tries to install devDependencies with node v10.11.0 (npm v6.4.1)

cli
priority:medium
triaged

(Mark Smith) #1

What I Wanted to Do

I was trying to install modules using --production flag: npm install --production
Expecting npm to not try to install the devDependencies, similar to the behaviour for node v9.3.0 (npm v5.5.1).

What Happened Instead

Command tries to install the devDependencies.

Reproduction Steps

Create a package.json with a module pointing to a repo without a deployment key configured:

{
  "name": "test-npm-production-flag",
  "description": "npm install --production flag issue",
  "dependencies": {},
  "devDependencies": {
    "[redacted-project-name]": "git+ssh://git@[redacted-url].git"
  }
}

Then run:

npm install --production

Details

Works as expected with node v9.3.0 (npm v5.5.1), but not with node v10.11.0 (npm v6.4.1):

mark@test:~/tmpfolder/test-npm-production-flag$ nvm use 9.3.0
Now using node v9.3.0 (npm v5.5.1)
mark@test:~/tmpfolder/test-npm-production-flag$ cat package.json
{
  "name": "test-npm-production-flag",
  "description": "npm install --production flag issue",
  "dependencies": {},
  "devDependencies": {
    "[redacted-project-name]": "git+ssh://git@[redacted-url].git"
  }
}
mark@test:~/tmpfolder/test-npm-production-flag$ npm install --production
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN test-npm-production-flag@ No repository field.
npm WARN test-npm-production-flag@ No license field.

up to date in 0.173s
mark@test:~/tmpfolder/test-npm-production-flag$ nvm use default
Now using node v10.11.0 (npm v6.4.1)
mark@test:~/tmpfolder/test-npm-production-flag$ npm install --production
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: [redacted-project-name]@git+ssh://git@[redacted-url].git (node_modules/[redacted-project-name]):
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: Error while executing:
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: /usr/bin/git ls-remote -h -t ssh://git@[redacted-url].git
npm WARN optional SKIPPING OPTIONAL DEPENDENCY:
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: repository access denied. deployment key is not associated with the requested repository.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fatal: Could not read from remote repository.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY:
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: Please make sure you have the correct access rights
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: and the repository exists.
npm WARN optional SKIPPING OPTIONAL DEPENDENCY:
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: exited with error code: 128
npm WARN test-npm-production-flag@ No repository field.
npm WARN test-npm-production-flag@ No license field.

up to date in 2.347s
found 0 vulnerabilities

mark@test:~/tmpfolder/test-npm-production-flag$

I checked the release notes but didn’t see anything mentioning a change in how the --production flag works.

Platform Info

mark@test:~/tmpfolder/test-npm-production-flag$ npm --versions
{ npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.33.0',
  node: '10.11.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.0',
  v8: '6.8.275.32-node.28',
  zlib: '1.2.11' }
mark@test:~/tmpfolder/test-npm-production-flag$ node -p process.platform
linux

(Kat Marchán) #2

I think this is a duplicate of optional dependencies installed with --no-optional


(Lars Willighagen) #3

Don’t know, this might just be npm trying to get the manifest before checking whether the package should be installed or not. At least it’s not solved by my solution in the other thread.


(Kat Marchán) #4

huh, noted. I figured they were the same sort of issue and your is-only-dev thing would take care of this. :thinking:


(Mark Smith) #5

is-only-dev ?


(Lars Willighagen) #6

This part of the PR for the other issue.


(Mark Smith) #7

Thanks for the link, I see it now in your other PR install scripts.


(Mark Smith) #8

Do you need some more information from me?

This is affecting my production install, is there a work around?


(Lars Willighagen) #9

No, not for me. I can reproduce the issue locally. This problem is probably caused by how npm resolves dependencies, fetching the manifest no matter if it will actually be installed or not. Changing that would be pretty major, I think, and I’m not on that level of contributions yet.

On my machine and in the log you posted it’s just a non-fatal warning, so ignoring it should be fine. If it’s causing other problems, please report those.


(Mark Smith) #10

The thing that had me worried was this output:

exited with error code: 128

So I was thinking that it would cause the script that triggered it to fail. I’ve checked the script and it runs to completion because the npm command actually exits with status code 0. I guess that’s what you mean when you said it was a non-fatal warning message?

It’s still not ideal though because I’d rather not send a ping to the repo every time I re-install the node modules. Is there a work around to stop the unnecessary network request?


(Mark Smith) #11

Another reason why this is actually quite a bad bug is that, on top of pinging the repo every time node modules are installed, it also completely blocks uninstallation of modules, so in a security breach situation where a hacked package has been introduced it becomes much more difficult to uninstall the module because the uninstall command exits with a fatal error.


(Norman Xu) #12

I can confirm this issue with node v9.11.1

Update:
It seems the issue is to do with package-lock.json; once package-lock.json is removed, it installs only the production deps.
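The "is-only-dev" check mentioned in #4 and #6, worked through on a constructed package.json and npm 6 style package-lock.json as an added example (not code from npm or from anyone in this thread). It assumes a flat lockfile (every package appears once at top level) and uses constructed package names and URLs; it lists the dev-only git-hosted entries that a production install should never need to contact, which is the set behind the warnings shown in #1.

```javascript
// Added example (not from the npm project or the thread's authors): given a
// package.json and an npm 6 style package-lock.json, compute which lockfile
// entries are reachable only through devDependencies, then list the git-hosted
// ones among them. Those are the entries `npm install --production` should
// never need to contact, so they are the ones to expect behind a
// "SKIPPING OPTIONAL DEPENDENCY" warning like the one in the report.
// Assumption: a flat lockfile (every package appears once, at top level).

const isGitSpec = (spec) => /^git(\+\w+)?:/.test(spec) || /^git@/.test(spec);

// Walk the lockfile's `requires` graph from the production dependencies; every
// name reached is needed in production, everything else is dev-only.
function devOnlyPackages(pkg, lock) {
  const entries = lock.dependencies || {};
  const reached = new Set();
  const stack = Object.keys(pkg.dependencies || {});
  while (stack.length) {
    const name = stack.pop();
    if (reached.has(name) || !entries[name]) continue;
    reached.add(name);
    stack.push(...Object.keys(entries[name].requires || {}));
  }
  return new Set(Object.keys(entries).filter((n) => !reached.has(n)));
}

// Dev-only entries whose resolved spec is a git URL: fetching their manifest
// means a `git ls-remote` against the host, which a production install should skip.
function gitDevOnlyDeps(pkg, lock) {
  const devOnly = devOnlyPackages(pkg, lock);
  return Object.entries(lock.dependencies || {})
    .filter(([name, e]) => devOnly.has(name) && isGitSpec(e.version || ''))
    .map(([name]) => name)
    .sort();
}

// Constructed sample mirroring the thread's layout, with a production
// dependency added so the graph walk has something to reach.
const samplePkg = {
  name: 'test-npm-production-flag',
  dependencies: { 'left-dep': '^1.0.0' },
  devDependencies: { 'private-tool': 'git+ssh://git@example.invalid/tool.git' },
};
const sampleLock = {
  dependencies: {
    'left-dep': { version: '1.0.0', requires: { 'transitive-dep': '^2.0.0' } },
    'transitive-dep': { version: '2.1.0' },
    'private-tool': { version: 'git+ssh://git@example.invalid/tool.git#abc123', dev: true },
    'test-helper': { version: '3.0.0', dev: true },
  },
};

console.log('dev-only:', [...devOnlyPackages(samplePkg, sampleLock)].sort());
console.log('git dev-only (skip in production):', gitDevOnlyDeps(samplePkg, sampleLock));
```

Run it against a real pair of files by replacing the constructed objects with `JSON.parse(fs.readFileSync(...))` calls; any name it prints that still produces a `git ls-remote` during `npm install --production` is the behaviour this thread describes.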