-
Notifications
You must be signed in to change notification settings - Fork 3.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] npm ci
erroneously installs optional OS-constrained transitive dependency through direct shrinkwrap dependency
#7622
Labels
Comments
restjohn
added
Bug
thing that needs fixing
Needs Triage
needs review for next steps
labels
Jul 2, 2024
restjohn
changed the title
[BUG]
[BUG] Jul 2, 2024
npm ci
erroneously installs optional OS-constrained transitive dependencynpm ci
erroneously installs optional OS-constrained transitive dependency through direct shrinkwrap dependency
restjohn
added a commit
to ngageoint/mage-server
that referenced
this issue
Jul 3, 2024
…in package-lock to work around npm issue npm/cli#7622
Aside from the problem of forcing installation of an optional dependency, another cause of this bug is that npm is installing the dev dependencies from the shrinkwrapped package. Apparently this is quite a long-standing issue. |
restjohn
added a commit
to ngageoint/mage-server
that referenced
this issue
Jul 4, 2024
* [ci] remove obsolete workflows * [ci] remove unused pre-latest node versions list; enforce ordering on the list; create an explicit LTS version to use for packaging * [ci] wip: separate plugin builds * [service] upgrade better-sqlite3 dep to build with node 22 * [ci] fix triggering repo paths in workflows * [ci] fix typos in workflow files * [ci] add arcgis service plugin workflow * [plugins/image] exclude spec dir with large test images from package * bump core beta version to 6.3.0-beta.5 * [ci] remove plugin publishing from core release workflow * [ci] fix artifact name typos [skip ci] * [plugins/arcgis] update mage.service dep in package-lock * [service] brand new shrinkwrap to attempt to correct os-specific fsevents dep erroneous installation in plugin projects; upgrade typescript to 4.9 to accommodate @types/lodash upgrade * bump core packages versions to 6.3.0-beta.6 * [plugins/arcgis] move @types/geojson dep to dev dependencies * [plugins/arcgis] manually add optional and dev flags to fsevents dep in package-lock to work around npm issue npm/cli#7622 * [service] minor shrinkwrap update on qs dep * [plugins/arcgis] add a test file to get the ball rolling and make ci pass running the test command * [plugins/arcgis] wip: plugin naming: rename service package * [plugins/arcgis] wip: plugin naming: move web artifacts to consistent project structure * [plugins/arcgis] wip: plugin naming: fix references to old project structure names * [plugins/arcgis] remove unused index file in web-app * [plugins/arcgis] add test config to web-app * [plugins/arcgis] add actions ci workflow for web-app * [plugins/arcgis] add a dummy test in web-app to pass build * [plugins/image] constrain mage core dep to 6.3.0-beta+ * [plugins/image] manually add dev and optional flags to fsevents in service package-lock so build does not fail on non-darwin platforms * [ci] add image service plugin release workflow * [plugins/image] update typescript and mongoose deps to match core mage * [ci] rename image plugin release workflow * [ci] rename arcgis web-app artifacts for consistency * [ci] remove obsolete env var * [ci] add arcgis plugin release workflow * [ci] add nga-msi plugin release workflow * [instance] fix references to renamed arcgis packages
Others are having issues with shrinkwrap as well: #4323. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Consider a package,
lib1
, with the following characteristics.optionalDependency
, with an OS constraint, such asfsevents
package.json
Developer A creates another package,
app1
, which depends onlib1
, and generatesapp1
'spackage-lock.json
withnpm install
also on the platform matching said OS constraint.Developer B, OR a CI process, on a different platform from said OS constraint, runs
npm ci
to installapp1
's dependencies.npm ci
produces an error like the following.Examining
app1
'spackage-lock.json
reveals that npm does not include an"optional": true
entry in the package-lock block forlib1
'sfsevents
dependency.Expected Behavior
npm ci
should retain the optional nature of the platform-specific dependency and proceed with a successful clean install ofapp1
's dependencies regardless of the dependencies.Steps To Reproduce
cd app1
npm ci
Please see the README in the demo repository for quite a bit more detail about the nuances of this behavior.
Also note that the demo repository package
lib1.shrinkwrap
references thefsevents
package through a devDependency, and npm should not be attempting to installlib1.shrinkwrap
devDependencies from theapp1
package anyway.Environment
The text was updated successfully, but these errors were encountered: