This repository was archived by the owner on Aug 11, 2022. It is now read-only.
NPM 5 corrupts "version" field if package-lock.json is used #19006
I'm opening this issue because:
- npm is crashing.
- npm is producing an incorrect install.
- npm is doing something I don't understand.
- Other (see below for feature requests):
What's going wrong?
When using a "file://" version specifier that points to a tarball file, NPM stores this specifier in package-lock.json. NPM 5 wrongly copies this version specifier into "version" field of the package.json file that is written into the node_modules folder.
I suspect that this is a bug because:
- The error only occurs when package-lock.json is present
- The bug doesn't repro at all with NPM 4
How can the CLI team reproduce the problem?
- Unzip repro.zip to produce a folder called "repro"
- Using NPM version 5.5.1, run "npm install"
- Observe that node_modules/example/package.json has a correct "version" value of "1.0.0":
```json
{
  "_from": "file:example-1.0.0.tgz",
  "_id": "example@1.0.0",
  "_inBundle": false,
  "_integrity": "sha1-mx4qiwi/O84j5ts+khQiuPoHWus=",
  "_location": "/example",
  "_phantomChildren": {},
  "_requested": {
    "type": "file",
    "where": "D:\\repro",
    "raw": "example@file://./example-1.0.0.tgz",
    "name": "example",
    "escapedName": "example",
    "rawSpec": "file://./example-1.0.0.tgz",
    "saveSpec": "file:example-1.0.0.tgz",
    "fetchSpec": "D:\\repro\\example-1.0.0.tgz"
  },
  "_requiredBy": [
    "/"
  ],
  "_resolved": "D:\\repro\\example-1.0.0.tgz",
  "_spec": "example@file://./example-1.0.0.tgz",
  "_where": "D:\\repro",
  "author": "",
  "bundleDependencies": false,
  "deprecated": false,
  "description": "",
  "license": "ISC",
  "main": "index.js",
  "name": "example",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "version": "1.0.0"
}
```
- Delete the node_modules folder
- Run "npm install" a second time (now that package-lock.json has been created)
- Observe that the "version" field now shows "file:example-1.0.0.tgz"
```json
{
  "_args": [
    [
      "example@file:example-1.0.0.tgz",
      "D:\\repro"
    ]
  ],
  "_from": "example@file:example-1.0.0.tgz",
  "_id": "example@file:example-1.0.0.tgz",
  "_inBundle": false,
  "_integrity": "sha1-mx4qiwi/O84j5ts+khQiuPoHWus=",
  "_location": "/example",
  "_phantomChildren": {},
  "_requested": {
    "type": "file",
    "where": "D:\\repro",
    "raw": "example@file:example-1.0.0.tgz",
    "name": "example",
    "escapedName": "example",
    "rawSpec": "file:example-1.0.0.tgz",
    "saveSpec": "file:example-1.0.0.tgz",
    "fetchSpec": "D:\\repro\\example-1.0.0.tgz"
  },
  "_requiredBy": [
    "/"
  ],
  "_spec": "file:example-1.0.0.tgz",
  "_where": "D:\\repro",
  "author": "",
  "description": "",
  "license": "ISC",
  "main": "index.js",
  "name": "example",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "version": "file:example-1.0.0.tgz"
}
```
The bad value "file:example-1.0.0.tgz" causes other tools to fail, e.g. read-package-tree fails with this error:
ERROR: Failed to parse package.json for foo: Invalid version: "file:example-1.0.0.tgz"
supporting information:
- npm -v prints: 5.5.1
- node -v prints: v6.10.2
- npm config get registry prints:
- Windows, OS X/macOS, or Linux?: Windows
- Network issues:
- Geographic location where npm was run:
- I use a proxy to connect to the npm registry.
- I use a proxy to connect to the web.
- I use a proxy when downloading Git repos.
- I access the npm registry via a VPN
- I don't use a proxy, but have limited or unreliable internet access.
- Container:
- I develop using Vagrant on Windows.
- I develop using Vagrant on OS X or Linux.
- I develop / deploy using Docker.
- I deploy to a PaaS (Triton, Heroku).
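A check for the symptom reported above, as an added example that is not part of the original issue or of npm's own code: it walks a node_modules tree and reports every installed package.json whose "version" is not a plain semver string. The regular expression is a simplified semver pattern, and the `healthy` and `@scope/ok` packages and the temporary directory are constructed sample input.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Simplified semver pattern (assumption: strict MAJOR.MINOR.PATCH with optional
// prerelease/build suffix; no leading "v", no ranges, no file:/git: specifiers).
const SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Recursively inspect a node_modules directory and return one record per
// installed manifest whose "version" is missing, unparseable, or not semver.
// Symlinked packages are skipped because Dirent.isDirectory() is false for them.
function findBadVersions(nodeModulesDir) {
  const bad = [];
  if (!fs.existsSync(nodeModulesDir)) return bad;
  for (const entry of fs.readdirSync(nodeModulesDir, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(nodeModulesDir, entry.name);
    if (entry.name.startsWith('@')) {          // scoped packages sit one level down
      bad.push(...findBadVersions(dir));
      continue;
    }
    const manifest = path.join(dir, 'package.json');
    if (fs.existsSync(manifest)) {
      let version;
      try { version = JSON.parse(fs.readFileSync(manifest, 'utf8')).version; }
      catch (e) { version = undefined; }       // unreadable manifest is reported too
      if (typeof version !== 'string' || !SEMVER.test(version)) {
        bad.push({ manifest, version });
      }
    }
    bad.push(...findBadVersions(path.join(dir, 'node_modules'))); // nested deps
  }
  return bad;
}

// Constructed sample tree: "example" carries the bad value from the second
// install in this report; the other two packages are made-up controls.
function demo() {
  const root = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'repro-')), 'node_modules');
  const write = (pkg, version) => {
    const dir = path.join(root, pkg);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name: pkg, version }));
  };
  write('example', 'file:example-1.0.0.tgz');
  write('healthy', '1.0.0');
  write('@scope/ok', '2.1.0-rc.1');
  return findBadVersions(root);
}
```

Running `findBadVersions` against a project's node_modules after an install from package-lock.json shows whether any manifest was written with a specifier in place of a version.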