npm-shrinkwrap.json handles metadata inconsistently #3581
Comments
|
How does this problem affect you? For us it leads to lots of dependencies being downloaded over and over again. Example: If async was installed with an empty cache: Or if async was installed from the cache: If the resolved is set then that means the tgz will be downloaded every install regardless whether it's in the cache or not. |
|
I suspect the reason is that the package.json for a downloaded dependency looks different when installed from the cache and when it's installed fresh from the central repo. I made two folders and installed async in both, first with an empty cache and then from the cache. A diff between the two folders yield: |
|
I wrote a small, but ugly, shell script that creates a shrinkwrap file that does not download unnecessary modules again on subsequent npm install. It basically removed all modules from node_modules that experience the problem, runs npm install to make sure they get put in the npm cache. It then deletes problematic modules again and runs node_modules to make sure all modules are installed from the cache. At the end a shrinkwrap file is created where all dependencies have been installed from the cache which mean they will not have to be re-downloaded. |
|
Wow, after a lot of head-scratching and debugging, I finally arrived at this same thing. Two symptoms for me:
|
Ensure npm scripts are run after restoring cache
|
@aseemk Completely agree, I've just been hit by those 2 issues you pointed out. |
This is so annoying that coworkers suggested to modify shrinkwrap.json manually or removing shrinkwrap. |
|
I discovered a very simple workaround for now — just run this after every shrinkwrap: var fs = require('fs');
var shrinkwrap = require('./npm-shrinkwrap.json');
function replacer(key, val) {
if (key === 'resolved' && this.from && this.version) {
return undefined;
} else {
return val;
}
}
fs.writeFileSync('./npm-shrinkwrap.json', JSON.stringify(shrinkwrap, replacer, 2));It takes advantage of You can run that manually after every shrinkwrap, or wrap it in bash to shrinkwrap too: npm shrinkwrap
echo '''
// above JS goes here
''' | nodeHope this helps! |
|
@aseemk Thx for the script! |
|
I know we should not use npm while deploying BUT the current shrinkwrap problem might worsen the current npm instabilities issues. If all projects using shrinkwrap are re-downloading packages I guess npm is under big load due to this bug (partly). |
|
Funny enough the number of expressjs downloads doubled 5 monthes ago, when this issue was created http://npm-stat.vorba.ch/charts.html?package=express This does not seems to be a summer effect since last year did not see the same raise. |
|
It's safe to say that this bug is not significantly affecting downloads. We're simply still in the exponential portion of npm's growth curve. Shrinkwrap usage is a rounding error. That being said, this is indeed a bug, and should be fixed. Those "resolved" fields should be added in the cache data, not just in the installed package.json. |
|
I hope too it's not affecting downloads or not too much. But given every company using npm install and shrinkwrap in deployments and given the hype for "continuous deployment" I thought that could be one of the tiny reason for the raise in npm downloads. |
|
This bug, as might've said above, also affects unpublished modules that were installed manually with |
|
Seems that removing those |
|
@moll Ah, right, that's why my package was misbehaving... I guess I'll just be making sure that one |
|
👍 any suggestions on how to fix the cache to write the resolved fields ? |
|
Quick regex fix for me. Leaves resolved for git repos. Were these |
|
Run It will generate
|
|
Heads up, wrote a quick tool, clingwrap to simplify updating shrinkwrap. Interested in a PR to get this behavior in core npm? |
|
if you attempt to remove 'from' and 'resolved' fields from shrinkwrap, be aware that ynpm install would fail if the version of dependent package is a git url instead of a regular semver, e.g. |
|
@tinyfrog, exactly. We only want to prune |
We need to be able to build angular at older shas, without the lock file / shrinkwrap file the dependencies will resolve differently on different machines and at different times. This will help us avoid broken builds and hard to track down issues. I had to manually edit this file after it was generated because `npm shrinkwrap` will install optional dependencies as if they were hard dependencies. See: npm/npm#2679 (comment) My manual edit: ``` diff --git a/npm-shrinkwrap.json b/npm-shrinkwrap.json index 756df44..dc157eb 100644 --- a/npm-shrinkwrap.json +++ b/npm-shrinkwrap.json @@ -3110,19 +3110,7 @@ "chokidar": { "version": "0.8.1", "from": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz", - "dependencies": { - "fsevents": { - "version": "0.1.6", - "from": "fsevents@0.1.6", - "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-0.1.6.tgz" - }, - "recursive-readdir": { - "version": "0.0.2", - "from": "recursive-readdir@0.0.2", - "resolved": "https://registry.npmjs.org/recursive-readdir/-/recursive-readdir-0.0.2.tgz" - } - } + "resolved": "https://registry.npmjs.org/chokidar/-/chokidar-0.8.1.tgz" }, "glob": { "version": "3.2.9", ``` Additionally chokidar doesn't list the dependencies above as optional, but that will hopefully be soon fixed: paulmillr/chokidar#106 In the meantime the patch from the PR above needs to be applied to node_modules/karma/node_modules/chokidar/package.json before running `npm shrinkwrap` ---- After this change is applied, angular core developers don't need to do anything differently, except when updating dependencies we need to call `npm update && npm shrinkwrap --dev` followed by reappling my patch above until npm's bug. Closes #6653
from our experiements it appears that the presense or absense of the from and resolved properties makes no difference on the behavior of but updates these properties with different values depending on different state of the cache and node_modules. So in order to get clean diffs during updates, we are just going to drop these properties and have a script to do this automatically. Long term this should be fixed in npm: npm/npm#3581
This is to deal with npm/npm#3581 See the previous commit for more info. Closes angular#6672
This is to deal with npm/npm#3581 See the previous commit for more info. Closes angular#6672
from our experiements it appears that the presense or absense of the from and resolved properties makes no difference on the behavior of but updates these properties with different values depending on different state of the cache and node_modules. So in order to get clean diffs during updates, we are just going to drop these properties and have a script to do this automatically. Long term this should be fixed in npm: npm/npm#3581
|
We stumbled over the same problems as the angular guys (again) in socketio/engine.io-client#370. These issues seem to be related and they have long discussions about this problem as you can see in their commits. |
|
This has been moved to the npm roadmap, which we're using instead of the confusing |
|
fwiw, we've been using https://www.npmjs.com/package/shonkwrap to handle this for a while now and not really run into any issues. |
Unfortunately, npm shrinkwrap is inconsistent. npm/npm#3581 Also the npm-shrinkwrap format has changed once more.
`npm shrinkwrap` spits out different metadata depending on the npm version, which makes our diffs much too difficult to read properly. Browsing [the issue](npm/npm#3581) I found [a little script](https://github.com/angular/angular.js/blob/master/scripts/npm/clean-shrinkwrap.js) we can use to tidy up the shrinkwrap and keep it consistent. I've also tried to document the npm install process.
|
This thread is long and covers a lot of ground, but I believe the original issue of the opener (that is, |
|
The behavior from the issue description continues to occur in the npm@3.8.0. This is very annoying.
@othiym23 please, can you reopen this issue? |
|
I'm seeing the same issue. Shrinkwrapping on one computer differs from another: "dependencies": {
"babel-code-frame": {
"version": "6.7.2",
"from": "babel-code-frame@>=6.7.2 <7.0.0"
}
},
...
}Becomes: "dependencies": {
"babel-code-frame": {
"version": "6.7.2",
"from": "babel-code-frame@6.7.2",
"resolved": "https://registry.npmjs.org/babel-code-frame/-/babel-code-frame-6.7.2.tgz"
},
...
}The shorter version is definitely preferable, since otherwise it ends up being TMI, and verifying changelogs on updated packages is more of a headache, especially since Github will often not even show the lengthy diff. |
|
I also have the same issue with npm @3.10.3. Basically, I just updated my project number in package.json, but somehow the dependencies verion in shrinkwrap.json changed as well. From: To: |
and others
If npm resolves a file from a registry when shrinkwrap is run a "resolved" property is added to the npm-shrinkwrap.json file. If npm finds that the file is in the cache then this property is not written.
npm cache clear
npm init
npm install winston
npm shrinkwrap
check shrinkwrap file and see "resolved" properties
rm -rf node_modules npm-shrinkwrap.json
npm install winston
npm shrinkwrap
check shrinkwrap file and see "resolved" properties do not exist
It seems that npm shrinkwrap should generate the same output regardless of if the file came from the cache or if the file came from the registry. This becomes more important if one is mixing private and public registries as it seems that the resolved property is used to locate a dependency.
The text was updated successfully, but these errors were encountered: