[BUG] npm ignores package.json if package-lock.json or node_modules folder exists, dependency resolution terribly broken #4422
Comments
This issue might be related to #3376, but it has definitely another much broader scope
Why would you expect to manually modify the lockfile at all, and then have things be in a reasonable state? That file's only for npm to modify.
(separately; I'd try installing node properly, meaning, not from apt - just to rule out that's what's causing you problems)
as I wrote clearly - there are dozens of ways why the And even deleting the lock file when it's borked/out of sync to generate a complete new one does not work when there is an incomplete And all npm 6.x can properly handle these cases and do not break an entire installation. They "just work" (tm).
The package-lock is not supposed to be modified by users. The only way for the two files to be out of sync would be to modify the package.json, in which case, it would be evaluating different packages (or versions). Please re-open this issue if it can be reproduced without directly editing the package-lock or node_modules.
@fritzy this is only an answer to point 3 But point 4 is ignored here - when there is no
Did I get that right,
Reopening based on the last point (ie.
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
"npm i" ignores the package.json file as soon as it finds either a package-lock.json file or a node_modules/ folder.

The simplified example below clearly demonstrates how current npm (tested with 8.5.0 but the same with latest 7.x) fails to install all packages needed, and nodejs eventually crashing the app with missing dependencies...

When the lock file is not in sync with the requirements defined by the package.json, npm does not recognize it and does not install missing requirements. Same is true if no package-lock.json is available at all but an incomplete node_modules/ folder exists - npm just uses the current node_modules/ folder as single point of truth, regenerating the lock file from this folder's content without checking the package.json whether all dependencies are there.

Current versions are broken in the context of recognizing unmet dependencies. Latest working version I know is latest 6.x. Some earlier 7.x versions worked as well but not the current 7.x and 8.x.
Expected Behavior
"npm i" must check the package.json as the most important source of truth and fulfill all requirements written there (dependencies and sub-dependencies). It MUST not ignore the package.json when it finds a package-lock.json or existing node_modules/ folder.

After resolving all dependencies from the package.json file it must check whether the existing lock file fulfills these requirements and install/update/downgrade everything else inside the lock file. Only resolutions fitting into the requirements from the package.json shall be used. Everything else has to be newly resolved from the package versions available.

This was the normal behaviour for all npm versions up to 6.x latest since years (ever). The package.json is the final truth for all versions and dependencies needed, and the package-lock.json as well as the node_modules/ folder are updated if they do not meet the requirements defined by the package.json.

The current behaviour is just plain wrong and leads to tons of problems whenever someone might fail to commit the updated lock file into the repository or the file is modified for whatever reason...
Steps To Reproduce
1. I created a minimal test project with a dependency having only some sub-dependencies. The packages used do not matter, I used "maskdata" as a smallest possible working example. No JS file needed here. But the same problem exists on bigger projects with hundreds of dependencies:
package.json:
2. npm i to initialize lock file and node_modules/ folder. Afterwards modify lock file and remove all references to the "lodash.get" package. JSON must be valid afterwards. This may happen with some files not checked into git repo or something else, why this happens does not matter. New (modified) package-lock.json is:
3. Re-run npm i - the lock file is NOT updated to contain the missing dependency of "lodash.get" and the existing "node_modules/lodash.get/" folder is deleted - npm does not validate if this package-lock.json really fulfills all requirements as stated in package.json! It does not reinstall needed "lodash.get". Executing my "index.js" app crashes with missing dependencies.
4. Trying to recreate lock file does not work if "node_modules/" folder is present. After step 3 the node_modules folder does not contain the needed dependency of "lodash.get" anymore. Now delete the "package-lock.json" file and rerun "npm i" - NPM does not recreate the dependency list from the current package.json but only writes the wrong(!) content of the existing "node_modules/" folder into a new package-lock.json file. It does not reinstall needed "lodash.get". Executing my "index.js" app crashes with missing dependencies.
Environment
Nodejs installed from official nodesource deb package and included npm@6 updated via npm i -g npm@latest to npm@8.5.0.