Optional dependency removed in lock file by dedupe

cli
help-wanted
priority:medium
triaged

(Franklin Yu) #1

What I Wanted to Do

I run npm dedupe on Windows and expect that optional dependencies stay in the lock file package-lock.json.

What Happened Instead

The optional dependency is removed from the lock file.

Reproduction Steps

  1. In an empty directory, initialize a package with npm init.
  2. Install the package sane with npm install sane. The package would be saved as a dependency, along with its dependency fsevents, which is optional. The resolved version of fsevents is added to package-lock.json, even if it is not actually installed. This is expected.
  3. Run npm dedupe and check the lock file. fsevents is removed from the lock file. This is not expected.

Details

The command returned 0, so npm-debug.log was not generated.

Platform Info

$ npm --versions
{ 'rdl-parser': '0.1.0',
  npm: '6.4.1',
  ares: '1.14.0',
  cldr: '33.1',
  http_parser: '2.8.0',
  icu: '62.1',
  modules: '64',
  napi: '3',
  nghttp2: '1.34.0',
  node: '10.13.0',
  openssl: '1.1.0i',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '6.8.275.32-node.36',
  zlib: '1.2.11' }
$ node -p process.platform
win32
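
One way to automate the lock-file check from step 3 of the reproduction steps above, as an added example that is not part of the original post or npm's own code: it walks two parsed lockfileVersion 1 lock files (the format npm 6 writes) and lists entries flagged optional that disappeared. The function names and the sample lock data are assumptions made for illustration.

```javascript
// Collect every entry flagged "optional": true in a lockfileVersion 1
// package-lock.json, including entries nested under another package.
function optionalEntries(lock) {
  const found = new Map();
  const walk = (deps, path) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const key = path ? `${path} > ${name}` : name;
      if (entry.optional === true) found.set(key, entry.version);
      walk(entry.dependencies, key);
    }
  };
  walk(lock.dependencies, '');
  return found;
}

// List optional entries present before a command ran but missing afterwards.
function droppedOptional(before, after) {
  const kept = optionalEntries(after);
  return [...optionalEntries(before)]
    .filter(([key]) => !kept.has(key))
    .map(([key, version]) => `${key}@${version}`);
}

// Constructed sample data: versions are placeholders, not real releases.
const lockBefore = {
  lockfileVersion: 1,
  dependencies: {
    sane: { version: '0.0.0-sample', requires: { fsevents: '0.0.0-sample' } },
    fsevents: {
      version: '0.0.0-sample',
      optional: true,
      dependencies: {
        'bundled-dep': { version: '0.0.0-sample', bundled: true, optional: true },
      },
    },
  },
};
// The same lock file after the optional dependency was dropped.
const lockAfter = {
  lockfileVersion: 1,
  dependencies: {
    sane: { version: '0.0.0-sample', requires: { fsevents: '0.0.0-sample' } },
  },
};

console.log(droppedOptional(lockBefore, lockAfter));
```

In practice the two inputs would be package-lock.json parsed with JSON.parse before and after running npm dedupe; a non-empty result means pinned optional packages were lost from the lock file.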

(Lars Willighagen) #2

Dedupe gets its idealTree (the target it works towards) from the currentTree, which is determined via node_modules (and so doesn’t have fsevents). AFAICT, either we don’t save deduping changes in package-lock.json, which circumvents the problem of removing failed optional deps but is generally a bad idea, or we incorporate package-lock.json in the idealTree, with the side-effect of installing non-installed deps present in package-lock.json. I don’t know if that last thing is a problem, but it does solve the issue and all the tests still pass: