[BUG] dependencies are not installed by npm

[tmokmss]

Describe the bug

Hi, I'm using PDK with npm and observing a weird behavior about npm install or npm update. Could you check this? The reproduction steps are below.

Expected Behavior

npm i aws-prototyping-sdk should install all the dependencies, and npm update won't remove any packages.

Current Behavior

Not all the required packages are installed on npm i aws-prototyping-sdk.

Also npm update removes several dependent packages of PDK, causing inconsistency between package.json and package-lock.json.

Reproduction Steps

Run the following commands in an empty directory:

npm init -y
npm i aws-prototyping-sdk
npm ci
# -> npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.

npm i
npm ci
# -> success

npm update
npm ci
# -> npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.

I confirmed the issue on both npm v8 and v9.

Possible Solution

No response

Additional Information/Context

npm ci is the command we recommend for customers to use to install dependencies, but currently customers sometimes see the above error, getting confused. (e.g. after running npm update, they get the error on npm ci.)

PDK version used

0.13.5

What languages are you seeing this issue on?

TypeScript

Environment details (OS name and version, etc.)

macOS 12.6.3

[agdimech]

This has been resolved in #315

[tmokmss]

Hi @agdimech thank you for working on the issue! I'm afraid it is still not fixed though. I see the same npm error by the same reproduction step:

npm init -y
npm i aws-prototyping-sdk
npm ci
# expecting npm ci successes, but we get the below error:
# -> npm ERR! `npm ci` can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.

Reproducible with aws-prototyping-sdk: 0.14.16.

[tmokmss]

Hi @agdimech I did a bit of research about this. The below is the command history when reproducing this issue:

$ npm install aws-prototyping-sdk

added 8 packages, and audited 119 packages in 20s

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm install

added 135 packages, and audited 254 packages in 9s

26 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm update

removed 135 packages, and audited 119 packages in 452ms

11 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

so 135 packages are missing right after running npm install aws-prototyping-sdk, added after npm install, and removed again after npm update.

I found all of the 135 packages are from @nrwl/devkit, and it is set as a bundledDependencies

less node_moduels/aws-prototyping-sdk/package.json

# we can find this.
  "bundledDependencies": [
    "@nrwl/devkit"
  ],

This issue should be fixed by removing this bundled dependency. The question is then why do we need this package as a bundled dependency?

It seems it is coming from this code:
https://github.com/aws/aws-prototyping-sdk/blob/f869d5de99b1ae853f3cdb5c8ab55d6ab033f1d9/private/projects/nx-monorepo-project.ts#L22

Reading through this stackoverflow comment, I don't see much reason to do that.