npm prune is removing packages installed using git

[jsynowiec]

I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's going wrong?

Packages present under the dependencies in the package.json file that were installed using git/github package links, e.g. github:npm/npm#some-tag are being uninstalled when npm prune is executed.

How can the CLI team reproduce the problem?

1. Install a package using standard syntax, save it as a dependency,
2. Install another a package using git+<proto>:, git:// or github: format, save it as dependency.
3. Run npm prune

Expected: Second package is present.
Actual: Second package is missing.

supporting information:

• npm -v prints: 5.6.0
• node -v prints: 8.9.1
• npm config get registry prints: https://registry.npmjs.org/
• Windows, OS X/macOS, or Linux?: macOS
• Network issues (unrelated)

additional information:

Workaround - When a tarball url is used, the package is not removed on prune.

[iarna]

--only=production is not required to reproduce this.

[jsynowiec]

Don't know if this helps but I've noticed that this.idealTree in the Pruner instance lists git dependencies in the childs prop but also as missingDeps.
Also, shouldPrune, especially isExtraneous(child), returns true for those deps, so they end up in toPrune array.

[ValYouW]

For some reason that doesn't happen on windows... npm v5.5.1
Downgraded all the way to v4.6.1 to restore my linux builds...

[rankida]

I just encountered this too. Npm v5.6.0.
If my package is a regular semver (1.x.x) then it is correctly passed over by npm prune --production but if it is a git url it is removed.
I am running MacOS and node v8.9.3

[alphashuro]

I'm having this problem too

[jsynowiec]

@alphashuro @lucasklaassen (and others to follow) please use the 👍 one the issue #19356 (comment) to vote/confirm, rather than comment. You're not adding anything new and all of us are getting notifications about your comments. If you just want to subscribe for updates, use the subscribe button under Notifications that is available in the right column.

[andyghiuta]

Here's a partial output of running npm -ddd install somepackage when a package with git is already installed (eg: en-my-package-name):

npm sill currentTree +-- emojis-list@2.1.0
npm sill currentTree +-- en-my-package-name@1.0.5
npm sill currentTree +-- encodeurl@1.0.1

npm sill idealTree +-- emojis-list@2.1.0
npm sill idealTree +-- encodeurl@1.0.1

npm sill diffTrees remove en-my-package-name@1.0.5

npm sill unbuild en-my-package-name@1.0.5
npm info lifecycle en-my-package-name@1.0.5~preuninstall: en-my-package-name@1.0.5
npm info lifecycle en-my-package-name@1.0.5~uninstall: en-my-package-name@1.0.5
npm verb unbuild rmStuff en-my-package-name@1.0.5 from /path/to/my/repo/node_modules
npm info lifecycle en-my-package-name@1.0.5~postuninstall: en-my-package-name@1.0.5

npm sill remove /path/to/my/repo/node_modules/en-my-package-name

As you can see, en-my-package-name is not listed in the silly logs under the idealTree and subsequently removed.

[elliottcrush]

I've tried to debug this further and failed to come up with the underlying reason, hopefully some more information might help....

When returning true for my git installed package here -> https://github.com/npm/npm/blob/latest/lib/install/deps.js#L67 I can get the prune to work with a git installed module.

if (fromReq.name === 'my-git-installed-package') return true
Perhaps github are returning new meta data and now rawSpec isn't behaving correctly?

Also could be something related to a version bump from https://github.com/npm/npm-package-arg/blob/master/npa.js ?

[andyghiuta]

Indeed the childReq.rawSpec is not the same as requested.rawSpec, so the if on the line https://github.com/npm/npm/blob/latest/lib/install/deps.js#L56 is skipped, although, they are very similar, eg: git+ssh://git@github.com/andyghiuta/test-npm-i.git#83371cdcb95979d0c96027193c4a3e2dfeb51c18 vs git+ssh://git@github.com/andyghiuta/test-npm-i.git. The difference is the commit hash.
It works if after line 56, this would be added:

if (childReq.rawSpec.slice(0, childReq.rawSpec.indexOf('#')) === requested.rawSpec.slice(0, requested.rawSpec.indexOf('#'))) return true

This solution is not ok as it breaks the update of the package, but I don't know enough about npm code to tell where childReq.rawSpec is coming from. I'm guessing from npm-package-arg