npm Community Forum (Archive)

package-lock.json is "order of installation" dependent.

What I Wanted to Do

Add eslint@latest as a dependency without warnings.

What Happened Instead

npm install eslint@latest produced a warning:
npm WARN ajv-keywords@3.2.0 requires a peer of ajv@^6.0.0 but none is installed. You must install peer dependencies yourself.

npm ls also produces a lot of output and ends with an error:
npm ERR! peer dep missing: ajv@^6.0.0, required by ajv-keywords@3.2.0

Reproduction Steps

mkdir test
cd test
npm init # set description and repo to avoid extra warnings
npm i semantic-release@10 # has warnings, can be ignored
npm i eslint # creates the issue

Details

Important note! If the packages are installed in the reverse order, then the issue does not occur.

mkdir test
cd test
npm init # set description and repo to avoid extra warnings
npm i eslint # no issue
npm i semantic-release@10

npm ls after this is fine, no complaints.

This gist contains the final package.json, and the resulting broken and working package-lock.json files.

Platform Info

$ npm --versions

{ node: '8.11.1',
  npm: '6.2.0',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  nghttp2: '1.25.0',
  openssl: '1.0.2o',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.1',
  v8: '6.2.414.50',
  zlib: '1.2.11' }

$ node -p process.platform
darwin


Turns out this is even easier to repro than I thought. Move eslint to dev dependencies, and the issue appears with just npm install in a clean directory. Put both in the same dependency section and it goes away. I presume npm is installing dependencies before devDependencies, but alphabetical within a section.


Triage note: This is the infamous ajv peerDep bug. We already know we need to basically add another pass to make sure this peerDep issue stops happening. The surface bug OP is pointing out, though, isn’t really a bug: we already know that the CLI is order-dependent, and that’s part of its design.
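
The order dependence discussed in this thread can be made visible by comparing the two lock files directly. The following is an added example, not code from the original posts or from npm. It assumes the nested `dependencies` layout of lockfileVersion 1 (the format npm 6 writes); `flattenLock`, `diffLocks` and both sample lock objects are hypothetical and constructed for illustration, not taken from the gist.

```javascript
// Added example: flatten two lockfileVersion 1 trees and report where they differ.
// lockA and lockB are constructed samples, not the contents of the gist's files.

// Walk the nested "dependencies" objects, recording install path -> version.
function flattenLock(lock, prefix = "", out = new Map()) {
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    out.set(path, entry.version);
    flattenLock(entry, path, out); // nested copies live under the parent's path
  }
  return out;
}

// Return every install path whose version differs or that exists on one side only.
function diffLocks(a, b) {
  const fa = flattenLock(a);
  const fb = flattenLock(b);
  const paths = [...new Set([...fa.keys(), ...fb.keys()])].sort();
  return paths
    .filter((p) => fa.get(p) !== fb.get(p))
    .map((p) => ({ path: p, a: fa.get(p) || null, b: fb.get(p) || null }));
}

// Constructed sample: one install order leaves an older ajv at the top level
// and nests the newer one; the other order hoists the newer one.
const lockA = {
  lockfileVersion: 1,
  dependencies: {
    ajv: { version: "5.5.2" },
    "ajv-keywords": { version: "3.2.0" },
    eslint: { version: "5.2.0", dependencies: { ajv: { version: "6.5.2" } } },
  },
};
const lockB = {
  lockfileVersion: 1,
  dependencies: {
    ajv: { version: "6.5.2" },
    "ajv-keywords": { version: "3.2.0" },
    eslint: { version: "5.2.0" },
  },
};

for (const d of diffLocks(lockA, lockB)) {
  console.log(`${d.path}: ${d.a} vs ${d.b}`);
}
```

To compare real files, pass the parsed JSON of each package-lock.json to `diffLocks`; an empty result means both install orders produced the same tree.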