npm installs unpublished packages

registry
priority:medium
triaged

(Augustin Calin) #1

What I Wanted to Do

Install the latest published d3-array version matching ^1.0.0 (which is 1.2.4)

What Happened Instead

Installed version 1.3.0 (which no longer exists).

Reproduction Steps

You have to have an older package-lock.json (see below) and just run npm install.

Details

It's possible to install an unpublished version of a package if you still have an older package-lock.json file that references that version.
For example:

package.json:

{
  "name": "d3arr",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "d3-array": "^1.0.0"
  }
}

package-lock.json:

{
  "name": "d3arr",
  "version": "1.0.0",
  "lockfileVersion": 1,
  "requires": true,
  "dependencies": {
    "d3-array": {
      "version": "1.3.0",
      "resolved": "https://registry.npmjs.org/d3-array/-/d3-array-1.3.0.tgz",
      "integrity": "sha512-synorys34ockyqwrlpuhk3xvgvdvjj6xlghjt/9ufvhaewr2pwb8heaavvc7g2lzfiqxti/oymjo0jxmr1oanw=="
    }
  }
}

Now if you run npm install, d3-array@1.3.0 is installed, even though it doesn't exist on the official npm registry.

Platform Info

$ npm --versions
{ lge: '0.0.0',
  npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.13.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.36',
  zlib: '1.2.11' }

$ node -p process.platform
win32

(Kat Marchán) #2

Does this still happen if you install with --cache /tmp/fresh-npm-cache?


(Augustin Calin) #4

Yes, it is the same. d3-array version 1.3.0 is installed.
I also tried npm cache verify and npm cache clean --force – with the same result.