`npm ls --json` does not list transitive dependencies for deduped dependencies


(Leo Zhang) #1

What I Wanted to Do

I ran `npm ls --json` and wanted to parse the dependency graph. I expected that all dependencies would have their transitive dependencies listed under the "dependencies" key.

What Happened Instead

For deduplicated dependencies, transitive dependencies were only listed in their first occurrence.

Reproduction Steps

An easy example here is npm installing:

```json
{
  "dependencies": {
    "babel-polyfill": "6.26.0",
    "jira-client": "6.4.1"
  }
}
```

and then running `npm ls --json`. Note that the second copy of babel-runtime doesn’t include its dependencies.

Details

This is problematic for us because the tool parsing this output is written in Go, which traverses maps in random order. Since we can no longer rely on every (package name, package version) combination being identical, we need to add extra logic to ensure that we always pull information from the original (as opposed to deduplicated) entry.

We’re working around this behaviour downstream here.

Platform Info

I tested and confirmed this behaviour on NPM 5.5.1 and 6.4.1 running on Arch Linux.

```
$ npm --versions
{ npm: '5.5.1',
  ares: '1.10.1-DEV',
  cldr: '31.0.1',
  http_parser: '2.7.0',
  icu: '59.1',
  modules: '57',
  nghttp2: '1.25.0',
  node: '8.9.3',
  openssl: '1.0.2n',
  tz: '2017b',
  unicode: '9.0',
  uv: '1.15.0',
  v8: '6.1.534.48',
  zlib: '1.2.11' }
$ node -p process.platform
linux
```
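An added example, not part of the original post and not the poster's downstream workaround: a Go sketch that builds the same dependency graph from `npm ls --json` output whatever the map iteration order, by keeping the fullest child list seen for each (name, version) pair. The `Node` type, the function names, and the sample JSON (including the child version numbers) are constructed for illustration, and the sketch assumes each name@version pair has a single dependency set.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// Node is one entry of `npm ls --json`; only the fields used here are decoded.
type Node struct {
	Version      string           `json:"version"`
	Dependencies map[string]*Node `json:"dependencies"`
}

// Constructed sample (child versions are placeholders); jira-client's babel-runtime is the deduped copy.
const sample = `{"dependencies":{"babel-polyfill":{"version":"6.26.0","dependencies":{
 "babel-runtime":{"version":"6.26.0","dependencies":{
  "core-js":{"version":"0.0.1"},"regenerator-runtime":{"version":"0.0.2"}}}}},
 "jira-client":{"version":"6.4.1","dependencies":{"babel-runtime":{"version":"6.26.0"}}}}}`

// collect records, per name@version, the longest child list seen (assumption: a deduped copy lists none).
func collect(deps map[string]*Node, graph map[string][]string) {
	for name, n := range deps {
		children := []string{}
		for cn, c := range n.Dependencies {
			children = append(children, cn+"@"+c.Version)
		}
		sort.Strings(children) // stable output despite random map order
		key := name + "@" + n.Version
		if cur, ok := graph[key]; !ok || len(children) > len(cur) {
			graph[key] = children
		}
		collect(n.Dependencies, graph)
	}
}

// ResolveGraph maps every name@version in the tree to its sorted direct dependencies.
func ResolveGraph(raw []byte) (map[string][]string, error) {
	var root Node
	if err := json.Unmarshal(raw, &root); err != nil {
		return nil, err
	}
	graph := map[string][]string{}
	collect(root.Dependencies, graph)
	return graph, nil
}

func main() {
	fmt.Println(ResolveGraph([]byte(sample)))
}
```

For a dependency scanner, the practical effect is that a deduped entry never hides the packages beneath it from the resulting inventory.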