Cached version installed when it's not the latest on npm #3265

Closed
seishun opened this Issue · 5 comments

Nikolai Vavilov

What should happen when the user types npm install package? Let's take a look at the docs:

In most cases, this will install the latest version of the module published on npm.

Unfortunately, the "other" cases aren't well-documented, leaving one potentially confusing edge case: when the package was previously installed from a git repository.

Consider this scenario: the user decides to try a newer version, types npm install git://repo/package, but it doesn't compile (or otherwise doesn't work in a desirable way) and they promptly forget about it. Days later, they want to use the npm version of this package for their project. But typing npm install package actually installs the package previously downloaded from git, leaving the user wondering why it doesn't compile. It's particularly confusing when package.json has the same 'version' field in the npm and git versions.

Possible solutions:

  • npm install package makes sure the cached version is actually the latest npm version before installing it (since the package.json version is unreliable, this would probably involve hashes)
  • Document the "other" cases, making it clear that the cached version might not be the latest npm version
  • Explicitly inform the user which version is actually being installed when they do npm install package, i.e. whether it's being installed from the cache and what the origin of the cache is
Андрей Листочкин (Andrey Listochkin)

I had the same issue. I forked a module and npm install git://my/fork. Soon after that I npm install some-other-module. That some-other-module used the module I forked and, despite that it requested an older version, npm put the content of my fork in some-other-module's node_modules folder. Clearing npm cache helped, but I spent about 20 minutes debugging strange errors before I finally figured it out.

I would say that's a minor issue, but it sure can surprise people from time to time.

David Glasser

This gist demonstrates the issue: https://gist.github.com/glasser/5391502

The string "GitHub" is only in the tarball version of the installed module, not in the version published to the registry. But if you first install it from the tarball, you now won't be able to install it from the registry.

(In fact, even if you first install from the registry, then install from the tarball, you'll still be stuck on the tarball version.)

This happens even if you explicitly specify a package version (eg 0.0.1 for my script), if it matches the tarball's version.

It seems like if you want to be absolutely sure that you install the version that you specify on the command line, you have to either always clean the cache first, or use --force. This is pretty annoying! (Even using shrinkwrap doesn't appear to make things more repeatable here.)

Michael Hood

Unless I've overlooked something in the docs (apologies if I have), this can be fairly unintuitive.

I think the principle of least astonishment demands that a simple npm install somepkg should strive to install the latest version available as listed on the registry. If there is an older version in the cache, that shouldn't matter.

Failing that.. there really should be a way to specify this in the dependencies hash in package.json, I guess? An additional version descriptor for 'latest'?

Dan Kohn dankohn referenced this issue from a commit in shopbeam/UglifyJS2
Dan Kohn dankohn Rev uglify version to try to avoid npm cache issue 5f5d0b1
David Glasser glasser referenced this issue from a commit in glasser/npm
David Glasser glasser Check SHA before using files from cache
Fixes #3265.

Because 'npm install' *always* writes every package to the cache (even
if it isn't installed from the registry) before installing it, it's easy
to end up in a situation where "npm install foo" installs something
other than the appropriate version from the registry.  eg:

  npm cache clean
  # Install a fork of version 0.0.1:
  npm install https://github.com/glasser/npm-cache-corruption/tarball/93c447e
  rm -rf node_modules
  # Before this commit, this would install the same fork as above
  npm install npm-cache-corruption
090c19d
David Glasser glasser referenced this issue from a commit in meteor/node
David Glasser glasser Check SHA before using files from cache
Fixes npm/npm#3265. See npm/npm#5137.

baaddf6
David Glasser glasser referenced this issue from a commit in meteor/node
David Glasser glasser Check SHA before using files from cache
Fixes npm/npm#3265. See npm/npm#5137.

d707b53
David Glasser glasser referenced this issue from a commit in glasser/npm
David Glasser glasser Check SHA before using files from cache
Fixes #3265.

9adf943
isaacs isaacs closed this issue from a commit
David Glasser glasser Check SHA before using files from cache
Fixes #3265.

a71615a
isaacs isaacs closed this in a71615a
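
The check named in the commit title ("Check SHA before using files from cache"), sketched as an added example that is not npm's own code: an in-memory cache keyed by name@version, where the registry map, the two tarball buffers and the function names are all constructed for illustration.

```javascript
const { createHash } = require('crypto');
const sha1 = (buf) => createHash('sha1').update(buf).digest('hex');

// Constructed sample data: two different tarballs that both claim version 0.0.1.
const NAME = 'npm-cache-corruption', VERSION = '0.0.1';
const registryTarball = Buffer.from('registry build of 0.0.1');
const forkTarball = Buffer.from('fork of 0.0.1 containing the string "GitHub"');

// Constructed stand-in for registry metadata; dist.shasum is the SHA-1 of the
// published tarball, as in real registry documents.
const registry = new Map([[`${NAME}@${VERSION}`,
  { tarball: registryTarball, dist: { shasum: sha1(registryTarball) } }]]);

// Behaviour described in the issue: any cache hit for name@version is trusted.
function installUnchecked(cache, name, version) {
  const key = `${name}@${version}`;
  if (cache.has(key)) return { source: 'cache', tarball: cache.get(key) };
  const { tarball } = registry.get(key);
  cache.set(key, tarball);
  return { source: 'registry', tarball };
}

// Hardened lookup: a cache hit counts only if its hash equals dist.shasum.
function installChecked(cache, name, version) {
  const key = `${name}@${version}`;
  const meta = registry.get(key);
  if (!meta) throw new Error(`${key} is not in the registry`);
  const cached = cache.get(key);
  if (cached && sha1(cached) === meta.dist.shasum) return { source: 'cache', tarball: cached };
  // Miss or mismatch: fetch again, verify the download, replace the stale entry.
  if (sha1(meta.tarball) !== meta.dist.shasum) throw new Error(`shasum mismatch for ${key}`);
  cache.set(key, meta.tarball);
  return { source: 'registry', tarball: meta.tarball };
}

function demo() {
  const cache = new Map();
  cache.set(`${NAME}@${VERSION}`, forkTarball); // earlier install from a tarball URL
  const unchecked = installUnchecked(cache, NAME, VERSION);
  const checked = installChecked(cache, NAME, VERSION);
  const repeat = installChecked(cache, NAME, VERSION);
  return {
    uncheckedGotFork: unchecked.tarball.equals(forkTarball),
    checkedGotRegistry: checked.tarball.equals(registryTarball),
    checkedSource: checked.source,
    repeatSource: repeat.source,
  };
}

console.log(demo());
```

Newer registry metadata also carries dist.integrity (an SRI string), which serves the same purpose with a stronger hash than SHA-1.
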
David Glasser

@isaacs @othiym23 It seems to me like my change (a71615a) got reverted by 355bb7e a few days later. Should I submit a PR adding it back?

David Glasser glasser referenced this issue from a commit in glasser/npm
David Glasser glasser Re-apply a71615a. Fixes #3265 again.
a71615a accidentally got reverted by 355bb7e, which split the changed
file into multiple files.

Original commit message:

    Check SHA before using files from cache

    Fixes #3265.

    Because 'npm install' *always* writes every package to the cache (even
    if it isn't installed from the registry) before installing it, it's easy
    to end up in a situation where "npm install foo" installs something
    other than the appropriate version from the registry.  eg:

      npm cache clean
      # Install a fork of version 0.0.1:
      npm install https://github.com/glasser/npm-cache-corruption/tarball/93c447e
      rm -rf node_modules
      # Before this commit, this would install the same fork as above
      npm install npm-cache-corruption
1bdcf7f
David Glasser

OK, see PR #5821.

David Glasser glasser referenced this issue from a commit in glasser/npm
David Glasser glasser Re-apply a71615a. Fixes #3265 again, with a test!
6f1a265
David Glasser glasser referenced this issue from a commit in glasser/npm
David Glasser glasser Re-apply a71615a. Fixes #3265 again, with a test!
9b2f32b
David Glasser glasser referenced this issue from a commit in glasser/npm
David Glasser glasser Re-apply a71615a. Fixes #3265 again, with a test!
7ce534d
Forrest L Norvell othiym23 referenced this issue from a commit
David Glasser glasser Re-apply a71615a. Fixes #3265 again, with a test!
9d1a9db