[BUG] npm-shrinkwrap.json published within package is ignored during npm i somepackage #7977

Open
2 tasks done
wiggisser opened this issue Dec 12, 2024 · 0 comments
Labels: Bug (thing that needs fixing); Needs Triage (needs review for next steps)

wiggisser commented Dec 12, 2024

Is there an existing issue for this?

  • I have searched the existing issues

I've seen similar issues in #5349 and #5325, but they seem to be about installing local tarballs only, and one of them even mentions that it works if installing from remote. But that's not the case for me. May also be related to #4583, as I'm not using npmjs.org as registry but GitHub.

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I have a package @myorg/shrinkwraptest (which is published and installable via GitHub). The published package includes an npm-shrinkwrap.json file which looks like this:

{
  "name": "@myorg/shrinkwraptest",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@myorg/shrinkwraptest",
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "mogoose": "^8.1"
      },
...
    "node_modules/mongodb": {
      "version": "6.3.0",
      "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.3.0.tgz",
      "integrity": "sha512-tt0KuGjGtLUhLoU263+xvQmPHEGTw5LbcNC73EoFRYgSHwZt5tsoJC110hDyO1kjQzpgNrpdcSza9PknWN4LrA==",
      "dependencies": {
        "@mongodb-js/saslprep": "^1.1.0",
        "bson": "^6.2.0",
        "mongodb-connection-string-url": "^3.0.0"
      },
      "engines": {
        "node": ">=16.20.1"
      },
    },
    ...
    "node_modules/mongoose": {
      "version": "8.1.3",
      "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-8.1.3.tgz",
      "integrity": "sha512-a5MajZSDJiQgy0iQcR+MIpFe7zehGJI4doJ6Dh1MvnGh8/HNNhr5pn07RPA86KCTjP2vuKdffpFmvXxcHiUOjw==",
      "dependencies": {
        "bson": "^6.2.0",
        "kareem": "2.5.1",
        "mongodb": "6.3.0",
        "mpath": "0.9.0",
        "mquery": "5.0.0",
        "ms": "2.1.3",
        "sift": "16.0.1"
      },
      "engines": {
        "node": ">=16.20.1"
      },
      "funding": {
        "type": "opencollective",
        "url": "https://opencollective.com/mongoose"
      }
    }
    ...
  }
}

When I then do npm i @myorg/shrinkwraptest.json in a new empty folder and then inspect the node_modules folder, I see that the mongoose package is installed in version 8.8.4 and the mongodb package is installed in version 6.10.0 (which are the respective latest versions at the time I'm creating this issue).

This is the (relevant) output of npm ls --depth 3:

/test # npm ls --depth 3
test@ /test
`-- @myorg/shrinkwrap@1.0.0
  `-- mongoose@8.8.4
    ...
    +-- mongodb@6.10.0
   ...

Expected Behavior

Reading the docs, I'd expect when I do an

npm i @myorg/shrinkwraptest

this contained npm-shrinkwrap.json should be respected and mongoose@8.1.3 and mongodb@6.3 should be installed.

Steps To Reproduce

  1. Install a package from a remote repository which has an npm-shrinkwrap.json bundled with it
  2. Compare the versions in the contained npm-shrinkwrap.json with the versions of the actually installed packages

Environment

  • npm: 10.9.2
  • Node.js: 23.4.0
  • OS Name: FROM node:23.4-alpine3.20
  • npm config:

; "user" config from /root/.npmrc

@myorg:registry = "https://npm.pkg.github.com/"
//npm.pkg.github.com/:_authToken = ...

; node bin location = /usr/local/bin/node
; node version = v23.4.0
; npm local prefix = /test
; npm version = 10.9.2
; cwd = /test
; HOME = /root

@wiggisser wiggisser added Bug thing that needs fixing Needs Triage needs review for next steps labels Dec 12, 2024
@wiggisser wiggisser changed the title [BUG] <title> [BUG] npm-shrinkwrap.json published within package is ignored during npm i somepackage Dec 12, 2024
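
Step 2 of the reproduction above can be automated. The following is an added example, not part of the original issue and not npm's own code: it compares the pins in a dependency's published npm-shrinkwrap.json with the consuming project's lockfile and reports every package whose installed version or integrity differs. The function names are hypothetical, and the sample objects are constructed from the versions reported in the issue, with placeholder integrity strings.

```javascript
// Added example: compare a dependency's published npm-shrinkwrap.json with the
// consuming project's lockfile (both in the lockfileVersion 3 "packages" layout).

// Find where `name` resolves for code living at `fromPath`, walking up
// node_modules directories the way Node's module resolution does.
function findInstalled(installed, fromPath, name) {
  for (let base = fromPath; ; ) {
    const key = (base ? base + '/' : '') + 'node_modules/' + name;
    if (installed[key]) return installed[key];
    if (!base) return null;
    const i = base.lastIndexOf('/node_modules/');
    base = i === -1 ? '' : base.slice(0, i);
  }
}

// Return one record per pinned package whose installed copy differs from the pin.
function shrinkwrapDrift(shrinkwrap, installedLock, pkgPath) {
  const drift = [];
  for (const [key, pinned] of Object.entries(shrinkwrap.packages)) {
    // Skip the root entry and dev-only pins (assumed not installed for consumers).
    if (key === '' || pinned.dev) continue;
    const cut = key.lastIndexOf('node_modules/');
    const name = key.slice(cut + 'node_modules/'.length);
    const parent = key.slice(0, cut).replace(/\/$/, '');
    const from = parent ? `${pkgPath}/${parent}` : pkgPath;
    const got = findInstalled(installedLock.packages, from, name);
    let reason = null;
    if (!got) reason = 'missing';
    else if (got.version !== pinned.version) reason = 'version';
    else if (pinned.integrity && got.integrity !== pinned.integrity) reason = 'integrity';
    if (reason) drift.push({ name, pinned: pinned.version, installed: got ? got.version : null, reason });
  }
  return drift;
}

// Constructed sample data; integrity values are placeholders, not real hashes.
const sampleShrinkwrap = { lockfileVersion: 3, packages: {
  '': { name: '@myorg/shrinkwraptest', version: '1.0.0' },
  'node_modules/mongodb': { version: '6.3.0', integrity: 'sha512-PLACEHOLDER-mongodb-pinned' },
  'node_modules/mongoose': { version: '8.1.3', integrity: 'sha512-PLACEHOLDER-mongoose-pinned' },
  'node_modules/ms': { version: '2.1.3', integrity: 'sha512-PLACEHOLDER-ms' },
} };
const sampleInstalled = { lockfileVersion: 3, packages: {
  '': { name: 'test' },
  'node_modules/@myorg/shrinkwraptest': { version: '1.0.0' },
  'node_modules/mongodb': { version: '6.10.0', integrity: 'sha512-PLACEHOLDER-mongodb-latest' },
  'node_modules/mongoose': { version: '8.8.4', integrity: 'sha512-PLACEHOLDER-mongoose-latest' },
  'node_modules/ms': { version: '2.1.3', integrity: 'sha512-PLACEHOLDER-ms' },
} };
```

On a real tree, pass the parsed contents of the dependency's npm-shrinkwrap.json and of the project's package-lock.json, with `pkgPath` set to the dependency's key in that lockfile, such as `node_modules/@myorg/shrinkwraptest`.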