NPM will skip over transitive dependencies that point to non-github URLs.

(This is related to my Stack Overflow question/answer)

What I Wanted to Do

I wanted to install a dependency A which depended on B, and B pointed to an arbitrary git URL

"B": "git+https://username:password@giturl.com/username/B"

In a new project C, I installed A expecting B to be installed as a transitive dependency.

What Happened Instead

Instead B was no where to be found. I looked through C's package.json and package-lock.json and could not find a trace of B (although A's other dependencies were there)

Also I tested this bug with a repo on github.com, and this problem does not occur. It only happens with custom git URLs.

Reproduction Steps

  1. Create a package A that depends on B, which points to a non-github git URL.
  2. Install A in a new project C
  3. B is missing.

Details

I was able to work around this issue by using either the --global-style or --legacy-bundling flag which leads me to believe the problem lies in deduping. From your docs:

The --global-style argument will cause npm to install the package into your local node_modules folder with the same layout it uses with the global node_modules folder. Only your direct dependencies will show in node_modules and everything they depend on will be flattened in their node_modules folders. This obviously will eliminate some deduping.

Platform Info

$ npm --versions

{ app4: '1.0.0',
  npm: '6.10.1',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  modules: '64',
  napi: '4',
  nghttp2: '1.34.0',
  node: '10.16.0',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '6.8.275.32-node.52',
  zlib: '1.2.11' }

$ node -p process.platform

darwin