ENOENT: no such file or directory, open './package-lock.json' #10

Open
josguil opened this issue Dec 18, 2019 · 20 comments

@josguil

josguil commented Dec 18, 2019

If I try to force resolutions before package-json is present, I get the error:

ENOENT: no such file or directory, open './package-lock.json'

The only workaround is to delete the preinstall instruction, do npm install, then readd the npm force resolutions and then npm install again, but this workaround isn't ideal for automated build systems. Is there any solution?

@ronaldbarendse

ronaldbarendse commented Mar 3, 2020

You should only add npm-force-resolutions after doing the initial install that generates the package-lock.json file. And make sure to include this file together with your package.json to your version control system.

If npm install returns errors after that, your node_modules probably isn't in-sync with the package-lock.json, so you first have to run npm ci (to install the exact versions from the package-lock.json file) 👍

@janrembold

IMO npm-force-resolutions should silently exit if there is no package-lock.json and not force the user to manually remove the preinstall script before doing a first installation.

In my case, I just wanted to simply create a fresh lockfile and removed the existing one. Then I had to remove preinstall script, run npm i and add the preinstall script again.

I don't see any downsides on a silent exit

@ronaldbarendse

@janrembold I agree it could show a warning instead of throwing an error if the package-lock.json file doesn't exist, as that would indeed make this case a little easier. However, to ensure the correct dependencies are updated/resolved, you'd need to run npm install a second time (as the first only generated the lock file). Either the warning message should be very clear about this and/or this behavior should only be allowed when explicitly enabled (e.g. using a command argument).

FYI If you just want to create a fresh lock file, you can run the following commands:

rm package-lock.json
npm shrinkwrap
ren npm-shrinkwrap.json package-lock.json

@janrembold

@ronaldbarendse Fair point 🤔

Would it be possible to run npm shrinkwrap && ren npm-shrinkwrap.json package-lock.json within your package in case of a missing package-lock.json? This would fix the missing file problem and for all other cases it would run as usual.

@lazar-vuckovic

An issue popped up in production today that I had to resolve quickly and had to override a nested package. Ran into a problem using npm-force-resolutions in a CI build, since the preinstall script requires the package to already be installed.
Ended up with a dirty temporary workaround - instead of putting the npx command in preinstall, I used the following:
"postshrinkwrap": "npx npm-force-resolutions && npm install --ignore-scripts"
Note the use of postshrinkwrap instead of a postinstall. If you do this in a postinstall, you don't have the package-lock.json file yet.

@ronaldbarendse

@lazar-vuckovic You're having a totally different issue, as this command shouldn't even be executed on a CI build.

The package-lock.json should already be patched with the correct packages and versions on your local machine (using npm install and the postinstall hook), so the CI build can use npm ci to make a reproducible build...

@elizabethsjudd

I'm running into the same error with our package that uses preinstall: npx npx-force-resolutions but only when installing it in an external package because the package-lock.json file is not published. Is it expected that they also use npm-shrinkwrap to also publish that file or how would we resolve this issue?

@ronaldbarendse

After digging deeper, it looks like I've encountered the same problem @lazar-vuckovic had: npm ci also runs the preinstall script (containing npx npm-force-resolutions), altering the package-lock.json file when it's not needed.

I've updated the postshrinkwrap script to make it more quiet and still run scripts of installed dependencies (--no-package-lock ensures the postshrinkwrap script won't get called in a loop):

"scripts": {
    "postshrinkwrap": "npx --quiet npm-force-resolutions && npm install --no-package-lock --no-audit --no-fund --no-progress --silent"
}

@kshetline

I worked around this issue by doing this:

		"preinstall": "bash ./force-resolutions.sh",

With this matching script:

if [ -f package-lock.json ]; then
  npx npm-force-resolutions
fi

...but while this solves the immediate problem, it means my project can't be built on Windows, as was previously possible.

If you have some objection to what everyone else is suggesting, that npm-force-resolutions fail quietly when package-lock.json is not present, but only as a general rule, could you add a command line option to allow quiet failure?
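
Added example, not part of the comment above or of npm-force-resolutions: a Node version of the same guard, which runs wherever npm does (Windows included) and skips only when the lockfile is missing, so any other failure still stops the install. The file name `force-resolutions-guard.js` and the function names are assumptions; it would be wired up as `"preinstall": "node ./force-resolutions-guard.js"`.

```javascript
// force-resolutions-guard.js (hypothetical file name, added example)
const fs = require("fs");
const path = require("path");
const { spawnSync } = require("child_process");

// Decide what the preinstall hook should do for the project in `dir`.
function planPreinstall(dir) {
  const lockPath = path.join(dir, "package-lock.json");
  let raw;
  try {
    raw = fs.readFileSync(lockPath, "utf8");
  } catch (err) {
    // Only a missing file is the benign "first install" case.
    if (err.code === "ENOENT") return { action: "skip", reason: "no package-lock.json yet" };
    return { action: "fail", reason: `cannot read lockfile: ${err.code}` };
  }
  try {
    JSON.parse(raw);
  } catch (err) {
    return { action: "fail", reason: "package-lock.json is not valid JSON" };
  }
  return { action: "run", reason: "lockfile present" };
}

function main() {
  const plan = planPreinstall(process.cwd());
  if (plan.action === "skip") {
    console.warn(`force-resolutions skipped (${plan.reason}); run npm install again to apply resolutions`);
    return 0;
  }
  if (plan.action === "fail") {
    console.error(`force-resolutions: ${plan.reason}`);
    return 1;
  }
  // shell: true lets Windows resolve npx.cmd; the tool's own exit code is propagated.
  const result = spawnSync("npx npm-force-resolutions", { shell: true, stdio: "inherit" });
  return result.status === null ? 1 : result.status;
}

// npm sets npm_lifecycle_event while running a script, so this only fires as the hook.
if (process.env.npm_lifecycle_event === "preinstall") process.exitCode = main();
```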

@kshetline

Seems janky but this seemed to work for the preinstall script:

"preinstall": "npm install --package-lock-only --ignore-scripts && npx npm-force-resolutions",

It feels wrong to run npm install inside preinstall but the --package-lock-only flag seems to do just so hoping it's ok.

I'll definitely try this, @nhartner. If this does the trick, it'll be a fantastic work-around.

@nhartner

Seems janky but this seemed to work for the preinstall script:
"preinstall": "npm install --package-lock-only --ignore-scripts && npx npm-force-resolutions",
It feels wrong to run npm install inside preinstall but the --package-lock-only flag seems to do just so hoping it's ok.

I'll definitely try this, @nhartner. If this does the trick, it'll be a fantastic work-around.

Eh, spoke too soon. It worked locally but not once I published it to npmjs.

@kshetline

kshetline commented Aug 19, 2020

@nhartner, your trick did work in my project, but I'm not publishing an npm package, so maybe that has something to do with it.

My project is a VSCode extension. I started from a clean slate (throwing away my whole node_modules folder and package-lock.json), did an npm i, then another npm i, an npm update, and another npm i, and it all worked great, with a clean audit after each step.

Update: Works great for me in another project too. It's interesting that I can see the warning found 1 low severity vulnerability go by once, then correct itself by the time the npm i has finished.

@nhartner

@nhartner, your trick did work in my project, but I'm not publishing an npm package, so maybe that has something to do with it.

My project is a VSCode extension. I started from a clean slate (throwing away my whole node_modules folder and package-lock.json), did an npm i, then another npm i, an npm update, and another npm i, and it all worked great, with a clean audit after each step.

Update: Works great for me in another project too. It's interesting that I can see the warning found 1 low severity vulnerability go by once, then correct itself by the time the npm i has finished.

You could also add --no-audit flag in the preinstall to squelch the initial vulnerability warning.

@joyarzun

Seems janky but this seemed to work for the preinstall script:
"preinstall": "npm install --package-lock-only --ignore-scripts && npx npm-force-resolutions",
It feels wrong to run npm install inside preinstall but the --package-lock-only flag seems to do just so hoping it's ok.

I'll definitely try this, @nhartner. If this does the trick, it'll be a fantastic work-around.

Not ideal but works :)

@edgar-arroyo-by

hello there

try
"preinstall": "npx npm-force-resolutions || echo 1",

@mfranzke

mfranzke commented Jul 12, 2021

@edgar-arroyo-by I like your solution a lot, especially as this problem even also appears when installing the package you're using this dependency with as a dependency of another project. I've previously built a more complicated solution that would break in other constellations like e.g. PowerShell, but your solution is clean and simple. Awesome!

@angelogiuseppe

To anyone experiencing this issue, feel free to try: https://www.npmjs.com/package/force-resolutions

Just change:

"preinstall": "npx npm-force-resolutions"

To:

"preinstall": "npx force-resolutions"

npx force-resolutions does not run when no package-lock.json is detected, and allows the next command inline to be executed as normal. This is useful when installing dependencies for a package that has been already published where package-lock.json is not available.

Feedback and PRs are welcome

kingsae1 added a commit to kingsae1/react-emoji-search that referenced this issue Sep 13, 2022
If all of the above answers don't work and you still get sh: npm-force-resolutions: command not found try the following:

Just change:

"preinstall": "npx npm-force-resolutions"

To:

"preinstall": "npx force-resolutions"

npx force-resolutions does not run when no package-lock.json is detected, and allows the next command inline to be executed as normal

Credit to: rogeriochaves/npm-force-resolutions#10 (comment)

@naveen2131-hue

@edgar-arroyo-by "preinstall": "npm install --package-lock-only --ignore-scripts && npx npm-force-resolutions", scripts not changing the sub dependencies version from package-lock.json. Any idea how to solve it as well?
dependency

@cbtpro

cbtpro commented Feb 18, 2024

@janrembold I agree it could show a warning instead of throwing an error if the package-lock.json file doesn't exist, as that would indeed make this case a little easier. However, to ensure the correct dependencies are updated/resolved, you'd need to run npm install a second time (as the first only generated the lock file). Either the warning message should be very clear about this and/or this behavior should only be allowed when explicitly enabled (e.g. using a command argument).

FYI If you just want to create a fresh lock file, you can run the following commands:

rm package-lock.json
npm shrinkwrap
ren npm-shrinkwrap.json package-lock.json

It worked in my case

@Lumi669

Lumi669 commented Jun 19, 2024

I am using pnpm instead of npm, so I don't have package-lock.json, I have pnpm-lock.yaml. How to solve this error in such a situation?
