Cached version installed when it's not the latest on npm #3265

Closed
seishun opened this Issue · 5 comments

5 participants

@seishun

What should happen when the user types npm install package? Let's take a look at the docs:

In most cases, this will install the latest version of the module published on npm.

Unfortunately, the "other" cases aren't well-documented, leaving one potentially confusing edge case: when the package was previously installed from a git repository.

Consider this scenario: the user decides to try a newer version, types npm install git://repo/package, but it doesn't compile (or otherwise doesn't work in a desirable way) and they promptly forget about it. Days later, they want to use the npm version of this package for their project. But typing npm install package actually installs the package previously downloaded from git, leaving the user wondering why it doesn't compile. It's particularly confusing when package.json has the same 'version' field in the npm and git versions.

Possible solutions:

  • npm install package makes sure the cached version is actually the latest npm version before installing it (since the package.json version is unreliable, this would probably involve hashes)
  • Document the "other" cases, making it clear that the cached version might not be the latest npm version
  • Explicitly inform the user which version is actually being installed when they do npm install package, i.e. whether it's being installed from the cache and what the origin of the cache is
@listochkin

I had the same issue. I forked a module and npm install git://my/fork. Soon after that I npm install some-other-module. That some-other-module used the module I forked, and despite that it requested an older version, npm put the content of my fork in some-other-module's node_modules folder. Clearing npm cache helped, but I spent about 20 minutes debugging strange errors before I finally figured it out.

I would say that's a minor issue, but it sure can surprise people from time to time.

@glasser

This gist demonstrates the issue: https://gist.github.com/glasser/5391502

The string "GitHub" is only in the tarball version of the installed module, not in the version published to the registry. But if you first install it from the tarball, you now won't be able to install it from the registry.

(In fact, even if you first install from the registry, then install from the tarball, you'll still be stuck on the tarball version.)

This happens even if you explicitly specify a package version (eg 0.0.1 for my script), if it matches the tarball's version.

It seems like if you want to be absolutely sure that you install the version that you specify on the command line, you have to either always clean the cache first, or use --force. This is pretty annoying! (Even using shrinkwrap doesn't appear to make things more repeatable here.)

@michaelhood

Unless I've overlooked something in the docs (apologies if I have), this can be fairly unintuitive.

I think the principle of least astonishment demands that a simple npm install somepkg should strive to install the latest version available as listed on the registry. If there is an older version in the cache, that shouldn't matter.

Failing that.. there really should be a way to specify this in the dependencies hash in package.json, I guess? An additional version descriptor for 'latest'?

@dankohn dankohn referenced this issue from a commit in shopbeam/UglifyJS2
@dankohn dankohn Rev uglify version to try to avoid npm cache issue 5f5d0b1
@glasser glasser referenced this issue from a commit in glasser/npm
@glasser glasser Check SHA before using files from cache
Fixes #3265.

Because 'npm install' *always* writes every package to the cache (even
if it isn't installed from the registry) before installing it, it's easy
to end up in a situation where "npm install foo" installs something
other than the appropriate version from the registry.  eg:

  npm cache clean
  # Install a fork of version 0.0.1:
  npm install https://github.com/glasser/npm-cache-corruption/tarball/93c447e
  rm -rf node_modules
  # Before this commit, this would install the same fork as above
  npm install npm-cache-corruption
090c19d
@glasser glasser referenced this issue from a commit in meteor/node
@glasser glasser Check SHA before using files from cache
Fixes npm/npm#3265. See npm/npm#5137.

baaddf6
@glasser glasser referenced this issue from a commit in meteor/node
@glasser glasser Check SHA before using files from cache
Fixes npm/npm#3265. See npm/npm#5137.

d707b53
@glasser glasser referenced this issue from a commit in glasser/npm
@glasser glasser Check SHA before using files from cache
9adf943
@isaacs isaacs closed this issue from a commit
@glasser glasser Check SHA before using files from cache
a71615a
@isaacs isaacs closed this in a71615a
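
The check named in the commit message above ("Check SHA before using files from cache"), modelled in memory as an added example; this is not npm's code or the code from the commit. The cache layout, the function names and both tarball contents are constructed for illustration; `dist.shasum` is the SHA-1 field the registry publishes for each version.

```javascript
// Added example, not npm's implementation. All function names are hypothetical.
const crypto = require('crypto');
const sha1 = (buf) => crypto.createHash('sha1').update(buf).digest('hex');

// Constructed sample data: two different tarballs that both claim version 0.0.1.
const registryTarball = Buffer.from('module.exports = "registry build";');
const forkTarball = Buffer.from('module.exports = "GitHub fork build";');

// Registry metadata carries the shasum of the published tarball (dist.shasum).
const registry = {
  'npm-cache-corruption@0.0.1': { dist: { shasum: sha1(registryTarball) }, tarball: registryTarball },
};

// Every install writes to the cache under name@version, whatever the origin.
function installFromUrl(cache, name, version, tarball) {
  cache.set(`${name}@${version}`, tarball);
  return tarball;
}

// Behaviour described in the issue: a cache hit is trusted on name@version alone.
function installUnchecked(cache, name, version) {
  const key = `${name}@${version}`;
  if (cache.has(key)) return { source: 'cache', tarball: cache.get(key) };
  cache.set(key, registry[key].tarball);
  return { source: 'registry', tarball: registry[key].tarball };
}

// With the check: a cache hit counts only if its hash equals dist.shasum.
function installChecked(cache, name, version) {
  const key = `${name}@${version}`;
  const expected = registry[key].dist.shasum;
  const cached = cache.get(key);
  if (cached && sha1(cached) === expected) return { source: 'cache', tarball: cached };
  const fetched = registry[key].tarball; // stands in for a registry download
  if (sha1(fetched) !== expected) throw new Error(`shasum mismatch for ${key}`);
  cache.set(key, fetched); // replace the stale or foreign entry
  return { source: 'registry', tarball: fetched };
}

// Reproduce the sequence from the commit message against either behaviour.
function demo(install) {
  const cache = new Map();
  installFromUrl(cache, 'npm-cache-corruption', '0.0.1', forkTarball);
  return install(cache, 'npm-cache-corruption', '0.0.1');
}

console.log(demo(installUnchecked).tarball.toString());
console.log(demo(installChecked).tarball.toString());
```

Because the version string is the same in both tarballs, only the content hash distinguishes the fork from the published package; the unchecked path returns the fork, the checked path discards it and caches the registry copy.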
@glasser

@isaacs @othiym23 It seems to me like my change (a71615a) got reverted by 355bb7e a few days later. Should I submit a PR adding it back?

@glasser glasser referenced this issue from a commit in glasser/npm
@glasser glasser Re-apply a71615a. Fixes #3265 again.
a71615a accidentally got reverted by 355bb7e, which split the changed
file into multiple files.

Original commit message:

    Check SHA before using files from cache

    Fixes #3265.

    Because 'npm install' *always* writes every package to the cache (even
    if it isn't installed from the registry) before installing it, it's easy
    to end up in a situation where "npm install foo" installs something
    other than the appropriate version from the registry.  eg:

      npm cache clean
      # Install a fork of version 0.0.1:
      npm install https://github.com/glasser/npm-cache-corruption/tarball/93c447e
      rm -rf node_modules
      # Before this commit, this would install the same fork as above
      npm install npm-cache-corruption
1bdcf7f
@glasser

OK, see PR #5821.

@glasser glasser referenced this issue from a commit in glasser/npm
@glasser glasser Re-apply a71615a. Fixes #3265 again, with a test!
6f1a265
@glasser glasser referenced this issue from a commit in glasser/npm
@glasser glasser Re-apply a71615a. Fixes #3265 again, with a test!
9b2f32b
@glasser glasser referenced this issue from a commit in glasser/npm
@glasser glasser Re-apply a71615a. Fixes #3265 again, with a test!
7ce534d
@othiym23 othiym23 referenced this issue from a commit
@glasser glasser Re-apply a71615a. Fixes #3265 again, with a test!
9d1a9db