Skip to content
This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

npm install (6.1.0) doesn't update package-lock.json when using Git URL as dependency #21203

Open
2 of 5 tasks
fzheng opened this issue Jul 12, 2018 · 0 comments
Open
2 of 5 tasks

npm install (6.1.0) doesn't update package-lock.json when using Git URL as dependency #21203

fzheng opened this issue Jul 12, 2018 · 0 comments

Comments

@fzheng
Copy link

fzheng commented Jul 12, 2018
edited

I'm opening this issue because:

  • npm is crashing.
  • npm is producing an incorrect install.
  • npm is doing something I don't understand.
  • npm is producing incorrect or undesirable behavior.
  • Other (see below for feature requests):

What's going wrong?

npm install (6.1.0) doesn't update package-lock.json when using Git URL as dependency. In our team, devs are using npm i while devops are using npm ci, so that the application behaves quite differently during the deliver cycle due to inconsistent lock packages. This issue doesn't exist in npm 5.7.0 and below.

How can the CLI team reproduce the problem?

  1. git clone https://github.com/fzheng/package.lock.master
  2. package.json in package.lock.master is
"dependencies": {
    "package.lock.slave": "git+ssh://git@github.com/fzheng/package.lock.slave.git#master"
}
  1. package-lock.json in package.lock.master is
"dependencies": {
    "package.lock.slave": {
      "version": "git+ssh://git@github.com/fzheng/package.lock.slave.git#a315ce7d158fd7b490a7d92b286a91ef2c6c6b1b",
      "from": "git+ssh://git@github.com/fzheng/package.lock.slave.git#master"
    }
}
  1. Please notice that in https://github.com/fzheng/package.lock.slave, the latest git commit is 1c01d, not a315c. Commit 1c01d is to calculate cubic, while Commit a315c is to calculate square.
  2. Please do npm install in package.lock.master
$ npm i
added 1 package from 1 contributor and audited 1 package in 2.101s
found 0 vulnerabilities

please notice that the package-lock.json wasn't updated even though the dependency has a new commit, however, node index.js still somehow uses the latest code from dependency.

$ node index.js 3
27
  1. Please rm -rf node_modules and do npm ci in package.lock.master.
$ npm ci
added 1 packages in 1.357s

please notice that this time, node index.js generates square result.

$ node index.js 3
9

supporting information:

  • npm -v prints: 6.1.0
  • node -v prints: v8.11.3
  • npm config get registry prints: https://registry.npmjs.org/
  • Windows, OS X/macOS, or Linux?: macOS Sierra
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fzheng