npm install rewrites author field of installed packages; npm ci installs as-is #329

Closed
darcyclarke opened this issue Nov 8, 2019 · 3 comments
Labels
Bug thing that needs fixing

Comments

@darcyclarke
Contributor

  Original bug ticket: [https://npm.community/t/10766](https://npm.community/t/10766)
  Originally filed: 2019-10-28T13:06:06.350Z
@darcyclarke darcyclarke added Bug Bug thing that needs fixing and removed Community labels Nov 8, 2019
@novemberborn

I'm here to answer questions if need be.

@darcyclarke darcyclarke modified the milestone: OSS - Sprint 17 Oct 5, 2020
@mortentangen

Any progress on this bug? This is an issue for react native development with cocoapods, as the *.podspec file of react native libraries often depends on the author field in package.json (i.e. https://github.com/react-native-webview/react-native-webview/blob/v11.0.2/react-native-webview.podspec#L11).
The Podfile.lock file contains a checksum of the library based on the content of the podspec file. npm install will create a different checksum than npm ci, which is an issue when running releases on CI servers.

@niparx

niparx commented Oct 11, 2021

@novemberborn
@mortentangen you are correct here:
> *.podspec file of react native libraries often depends on the author field in package.json (i.e. https://github.com/react-native-webview/react-native-webview/blob/v11.0.2/react-native-webview.podspec#L11).

But here is what I'm getting when running the npm ci and npm install commands. I'm not an expert in npm/node/js development, so sorry if I'm wrong somewhere. It's just what I have found.

As an example, let's take this npm package: react-native-keep-awake.
Here is the author field from its package.json file: author. Just for the record, this is the data in the package repo.

I'm on LTS node fermium

  • node v14.18.0
  • npm 6.14.15

What I'm getting in ./node_modules/react-native-keep-awake/package.json author field after running npm install:

  • "author": { "name": "Kyle Corbitt" },
  • package-lock.json file is not modified

What I'm getting in ./node_modules/react-native-keep-awake/package.json author field after running npm ci:

  • "author": "Kyle Corbitt",
  • package-lock.json file is not modified
  • the author value is the same as in the package repo's package.json file. I don't know if these values are tightly coupled, but I just want to point out that they are the same.

So, what do we have:

  1. by running npm ci and npm install we get different results in the ./node_modules/react-native-keep-awake/package.json author section
  2. later, when we install the cocoapods dependencies, as you mentioned, the author field from package.json is used for the *.podspec file
  3. the *.podspec file is used for checksum calculation
  4. we'll have a mismatch in the author field -> mismatch in checksum

I tried the same npm ci/npm install on the same project, but with an updated node (active LTS will start shortly for this version, 2021-10-26):

  • node v16.11.0
  • npm 8.0.0

And with this configuration I do not get the author field mismatch.

The fact that there is no such issue with the newer node/npm version leads me to assume that the issue is on the npm/node side, rather than on the cocoapods side. As I said, I'm not an expert with these tools. I don't know exactly how they work, and possibly I'm missing something. But this is what I found.
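
Added example, not part of the thread and not npm or CocoaPods code: a Node.js check that tells whether two installed copies of a package.json differ only in how the author field is written (string shorthand versus object) or in actual content. The function names and the sample manifests are constructed for illustration, and it assumes the two files are otherwise the same JSON.

```javascript
// Added example: not code from npm, CocoaPods, or the thread.
const { createHash } = require('crypto');

const sha256 = (text) => createHash('sha256').update(text).digest('hex');

// Convert the "Name <email> (url)" shorthand to object form; objects pass through.
function canonicalPerson(value) {
  if (typeof value !== 'string') return value;
  const person = {};
  const name = (value.match(/^[^<(]+/) || [''])[0].trim();
  const email = (value.match(/<([^>]+)>/) || [])[1];
  const url = (value.match(/\(([^)]+)\)/) || [])[1];
  if (name) person.name = name;
  if (email) person.email = email.trim();
  if (url) person.url = url.trim();
  return person;
}

// Sort object keys recursively so key order cannot change the digest.
function stable(value) {
  if (Array.isArray(value)) return value.map(stable);
  if (value === null || typeof value !== 'object') return value;
  return Object.fromEntries(
    Object.keys(value).sort().map((key) => [key, stable(value[key])])
  );
}

// Digest of a manifest with the author field in canonical object form.
function canonicalDigest(manifestText) {
  const manifest = JSON.parse(manifestText);
  if ('author' in manifest) manifest.author = canonicalPerson(manifest.author);
  return sha256(JSON.stringify(stable(manifest)));
}

// Classify how two copies of the same package's manifest differ.
function compareInstalls(a, b) {
  if (sha256(a) === sha256(b)) return 'identical';
  return canonicalDigest(a) === canonicalDigest(b) ? 'representation-only' : 'content-differs';
}

// Constructed manifests; the author values are the two forms quoted in the thread.
const fromCi = '{"name":"react-native-keep-awake","author":"Kyle Corbitt"}';
const fromInstall = '{"name":"react-native-keep-awake","author":{"name":"Kyle Corbitt"}}';
const modified = '{"name":"react-native-keep-awake","author":"Someone Else"}';

console.log(compareInstalls(fromCi, fromInstall));
console.log(compareInstalls(fromCi, modified));
```

A raw byte checksum treats the first pair as different even though the metadata is equivalent, which is the mismatch described above between CI and local installs.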
