Node.js 14 / NPM 6 - Using dep with npm: prefix can result in invalid lockfiles #9654
Comments
Hi there, The Renovate team needs your help! Before we can start work on your issue we first need to know exactly what's causing the current behavior. A minimal reproduction helps us with this. To get started, please read our guide on minimal reproductions to understand what is needed. We may close the issue if you have not provided a minimal reproduction within two weeks. If you need more time, or are stuck, please ask for help or more time in a comment. Good luck, The Renovate team
Unfortunately there's nothing about your description or the npm ci logs which would get us any closer to reproducing or fixing. If you have the debug logs from when such a "bad" commit is made then maybe we can guess at it, but otherwise not.
There was a chance you've seen it before. I think it has something to do with that I'll mess with it more.
Do you just use
It defaults to use the --package-lock-only flag, which sometimes does produce incorrect results (e.g. often when file: refs are used). Perhaps npm: is another scenario where it's buggy. We have logic to detect existing known buggy scenarios for npm and switch to a full node modules install instead.
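The fallback described in the comment above (use --package-lock-only unless package.json contains specifiers known to break it, then do a full install), written out as an added example. This is not Renovate's code: the function names and sample data are constructed here, and the lock check assumes the lockfileVersion 1 layout that npm 6 writes.

```javascript
// Added example: not Renovate's code; all function names are hypothetical.
const INSTALLED_SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies'];
// Specifier prefixes the thread names as unreliable with --package-lock-only.
const RISKY_PREFIXES = ['file:', 'npm:'];

// Return every direct dependency whose specifier starts with a risky prefix.
function findRiskySpecs(pkg) {
  const hits = [];
  for (const section of INSTALLED_SECTIONS) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (typeof spec !== 'string') continue;
      const prefix = RISKY_PREFIXES.find((p) => spec.trim().startsWith(p));
      if (prefix) hits.push({ section, name, spec, prefix });
    }
  }
  return hits;
}

// Pick npm arguments: lock-only when safe, full install otherwise.
function chooseNpmArgs(pkg) {
  const risky = findRiskySpecs(pkg);
  return {
    args: risky.length ? ['install'] : ['install', '--package-lock-only'],
    risky,
  };
}

// Assumption: lockfileVersion 1 lists every direct dependency at the top
// level of "dependencies". Names missing there mean the lock is out of sync.
function missingFromLock(pkg, lock) {
  const locked = lock.dependencies || {};
  const names = INSTALLED_SECTIONS.flatMap((s) => Object.keys(pkg[s] || {}));
  return [...new Set(names)]
    .filter((n) => !Object.prototype.hasOwnProperty.call(locked, n))
    .sort();
}

// Constructed sample input (not taken from the issue).
const samplePkg = {
  dependencies: { lodash: '^4.17.21', 'my-alias': 'npm:left-pad@^1.3.0' },
  devDependencies: { 'local-tool': 'file:../local-tool' },
};
const sampleLock = {
  lockfileVersion: 1,
  dependencies: { lodash: { version: '4.17.21' }, 'local-tool': { version: 'file:../local-tool' } },
};

console.log('npm', chooseNpmArgs(samplePkg).args.join(' '));
console.log('missing from lock:', missingFromLock(samplePkg, sampleLock));
```

Running the second check on a bot-generated lockfile before committing it surfaces an out-of-sync alias entry earlier than a failing CI install would.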
That's it. I deleted node_modules, then ran
Any chance if running it twice fixes it?
just tried - it does not
so basically it seems more like an npm bug
It is, but we should be able to work around the bug like we do with renovate/lib/manager/npm/extract/index.ts Lines 347 to 357 in 10e5119
Can you create a minimal reproduction so that we can verify any fix works?
I tried, but the error didn't happen in it - will need to spend more time on it
private repo?
🎉 This issue has been resolved in version 24.119.6 🎉 The release is available on:
Your semantic-release bot 📦🚀
oh my bad - it's public now
BTW although I submitted a hopefully automatic workaround, I realized that we allow a configurable
What Renovate type, platform and version are you using?
GitHub
Describe the bug
The generated package-lock file from renovate is sometimes invalid.
I've been using renovate for years, only seeing this for the first time in the past couple days.
When running npm ci in the CI process, and when cloning it down locally to verify, I get this error:
The logs from that log file are:
Running npm i again patches the lock file and it then works.
Have you created a minimal reproduction repository?
No, I'm seeing it on multiple repositories, but they are private.
In the example I'm seeing now it's babel-monorepo being updated, but I don't think that's anything to do with the issue as I saw it on another dep as well.
If it's needed I can try to create something, but I don't even know that it'll happen. I use renovate on a lot of repos in many orgs to do the same thing.
Did the way lockfiles get generated change recently? Maybe something to do with npm6/7 which use different lockfile versions? It doesn't change the lockfile version so that seems unlikely..
Please read the minimal reproductions documentation to learn how to make a good minimal reproduction repository.
I do have an .npmrc for this project but I don't think that's the issue either?
Additional context