npx npm-force-resolution breaks the install

[mwoodsy]

When I run an npm install the preinstall script breaks the installation process. I've narrowed the issue down to the npx npm-force-resolutions. This appears to be a known issue with that library but the only workaround is to downgrade the version of that library to 0.0.3. This is the error I experience when trying to do an npm install microsoft-cognitiveservices-speech-sdk:

npx: installed 6 in 1.89s

/home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/npm_force_resolutions/core.cljs:61
  (go
  ^
Error: Timeout trying to fetch resolutions from npm
    at switch__2144__auto__ (/home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/npm_force_resolutions/core.cljs:61:3)
    at /home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/npm_force_resolutions/core.cljs:61:3
    at npm_force_resolutions$core$find_resolutions_$_state_machine__2145__auto____1 (/home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/npm_force_resolutions/core.js:476:4)
    at cljs.core.async.impl.ioc-helpers/FN-IDX (/home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/npm_force_resolutions/core.js:492:85)
    at cljs.core.async.impl.ioc-helpers/run-state-machine (/home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/cljs/core/async/impl/ioc_helpers.cljs:35:23)
    at cljs.core.async.impl.ioc-helpers/run-state-machine-wrapped (/home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/cljs/core/async/impl/ioc_helpers.cljs:39:6)
    at fret (/home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/cljs/core/async.cljs:490:22)
    at take-cb (/home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/cljs/core/async.cljs:188:63)
    at /home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/cljs/core/async/impl/channels.cljs:160:45
    at Immediate.cljs$core$async$impl$dispatch$process_messages (/home/mwoodsy/.npm/_npx/26220/lib/node_modules/npm-force-resolutions/out/cljs/core/async/impl/dispatch.cljs:18:7)
npm WARN optional SKIPPING OPTIONAL DEPENDENCY: fsevents@~2.3.2 (node_modules/chokidar/node_modules/fsevents):
npm WARN notsup SKIPPING OPTIONAL DEPENDENCY: Unsupported platform for fsevents@2.3.2: wanted {"os":"darwin","arch":"any"} (current: {"os":"linux","arch":"x64"})
npm WARN tempusdominus-bootstrap-4@5.39.2 requires a peer of tempusdominus-core@5.19.3 but none is installed. You must install peer dependencies yourself.

npm ERR! code ELIFECYCLE
npm ERR! errno 1
npm ERR! microsoft-cognitiveservices-speech-sdk@1.22.0 preinstall: `npm install --package-lock-only --ignore-scripts --no-audit && npx npm-force-resolutions`
npm ERR! Exit status 1
npm ERR! 
npm ERR! Failed at the microsoft-cognitiveservices-speech-sdk@1.22.0 preinstall script.
npm ERR! This is probably not a problem with npm. There is likely additional logging output above.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/mwoodsy/.npm/_logs/2022-07-07T14_05_40_292Z-debug.log

Environment:
server: amazon linux 2
node: v14.17.6
npm: v6.14.15

[marvinirwin]

This is also happening to me

[BrianMouncer]

I am new to NPX rather than just NPM to install/run node commands.
I will talk with our JS developers and see if we can lock the version of "npm-force-resolutions" that is used in the install script.

In the meantime, can you try running "npm install -g npm-force-resolutions@0.0.3" to preinstall the older version of the module, before installing the speech sdk, and see if that resolves the issue. NPX should use the installed version if it can find one, rather than installing the latest version.

Thanks,

[gabriel-barros-pontes]

When I use "preinstall": "npx npm-force-resolutions@0.0.3" my npm audit still shows critical vulnerabilities.
Is there a new solution to this problem?
I am using npm-force-resolutions to fix vulnerabilities in my component library.

[mwoodsy]

@BrianMouncer Adding "preinstall": "npm install -g npm-force-resolutions@0.0.3" to my package.json lets me get around this issue in my project.

@gabriel-barros-pontes I didn't see any critical vulnerabilities after installing with the preinstall line. Your critical vulnerability is likely caused by another node_module in your package.json.

[anantoghosh]

@glharper @BrianMouncer please remove npm install from the preinstall script when distributing your package as a library. It is trying to run npm install in the user system when they install the package which is wrong, not only does it fail to install with other package managers, yarn 2+ and pnpm, a library should not run it's own npm install. It will mess up the node_modules structure for the user's installation, the package-lock.json is not published with your package anyway https://docs.npmjs.com/cli/v8/configuring-npm/package-lock-json#package-lockjson-vs-npm-shrinkwrapjson. using --package-lock-only does not work for it.

[ayrusme]

when using this library with a custom artifact management tool like nexus which is expecting authentication, the preinstall script breaks the implementation.

[glharper]

@ayrusme @anantoghosh Thanks for reporting this issue and using Speech SDK. We will have a fix in the next release, tentatively scheduled for Jan. 2023.

[anantoghosh]

@glharper Thank you for your work!

[glharper]

@ayrusme @anantoghosh The fix for this issue is now in master. Note that you can pull and build this repo using steps in the README on the front page.
(TLDR;

1. clone the repo, cd into repo
2. npm install
3. npm run build
4. Upon build completion, the generated files will be in the distrib/ folder.)

Hope this helps.

[compulim]

@glharper FYI, one of our customers is using pnpm/rush and hitting this.

AFAIK, their solution does not have package-lock.json because of rush. So npm-force-resolutions might not do anything helpful in their case.

Do you think we should bump/replace those 3 deps instead of forcing resolutions?

[glharper]

@compulim See the two PRs above, which are now in master. npm-force-resolutions has been replaced with overrides, and the "npm preinstall" script has been replaced with "npm setup".

Will overrides not work for your pnpm/rush customer?

[compulim]

Reading from https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides and https://pnpm.io/package_json#pnpmoverrides, I think overrides should work. 😉

[gqq1356]

@BrianMouncer Adding "preinstall": "npm install -g npm-force-resolutions@0.0.3" to my package.json lets me get around this issue in my project.

@gabriel-barros-pontes I didn't see any critical vulnerabilities after installing with the preinstall line. Your critical vulnerability is likely caused by another node_module in your package.json.

thanks！

Finally, the global installation is adopted.
This is my command line history ，about npm install microsoft-cognitiveservices-speech-sdk
4 npx npm-force-resolutions@last 5 npx npm-force-resolutions@0.0.3 6 cd .\js-e2e-express-server\ 7 npx npm-force-resolutions@0.0.3 8 yu 9 npx npm-force-resolutions@0.0.3 10 cls 11 npm install microsoft-cognitiveservices-speech-sdk 12 npm install -g npm-force-resolutions@0.0.3 13 cls 14 dir 15 npm install microsoft-cognitiveservices-speech-sdk
The key is number 12.

[glharper]

The release of v1.25 should fix this, so I'm closing.