[BUG] npm ci ignores --production flag and always installs devDependencies. #2017

Closed
zenwarr opened this issue Oct 22, 2020 · 8 comments
Labels
Bug thing that needs fixing Release 7.x work is associated with a specific npm 7 release

Comments

@zenwarr

zenwarr commented Oct 22, 2020

Current Behavior:

npm ci --production installs dependencies marked as dev in package-lock.json.

Expected Behavior:

I expect npm ci to not install any packages marked as dev in lockfile.
npm 6 behaves as expected and installs only production dependencies with --production flag.
In example below, I expect @types/yargs to not be installed for production.

Steps To Reproduce:

npm init -y
npm i yargs && npm i -D @types/yargs

npm ci
ls node_modules

npm ci --production
ls node_modules

Expected output (npm 6.14.8)

$ npm ci
npm WARN prepare removing existing node_modules/ before installation
added 18 packages in 0.295s
$ ls node_modules
ansi-regex   cliui          color-name   escalade         is-fullwidth-code-point  string-width  @types     y18n   yargs-parser
ansi-styles  color-convert  emoji-regex  get-caller-file  require-directory        strip-ansi    wrap-ansi  yargs
$ npm ci --production
npm WARN prepare removing existing node_modules/ before installation
added 16 packages in 0.263s
$ ls node_modules
ansi-regex   cliui          color-name   escalade         is-fullwidth-code-point  string-width  wrap-ansi  yargs
ansi-styles  color-convert  emoji-regex  get-caller-file  require-directory        strip-ansi    y18n       yargs-parser

Actual output (npm 7.0.3)

$ npm ci
added 18 packages, and audited 18 packages in 846ms

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ ls node_modules
ansi-regex   cliui          color-name   escalade         is-fullwidth-code-point  string-width  @types     y18n   yargs-parser
ansi-styles  color-convert  emoji-regex  get-caller-file  require-directory        strip-ansi    wrap-ansi  yargs
$ npm ci --production

added 18 packages, and audited 18 packages in 821ms

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ ls node_modules
ansi-regex   cliui          color-name   escalade         is-fullwidth-code-point  string-width  @types     y18n   yargs-parser
ansi-styles  color-convert  emoji-regex  get-caller-file  require-directory        strip-ansi    wrap-ansi  yargs

Environment:

  • OS: Ubuntu 20.04
  • Node: 12.9.1
  • npm: 7.0.3
  • NODE_ENV is empty
@zenwarr zenwarr added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Oct 22, 2020
@juliankleine

juliankleine commented Oct 26, 2020

Also ignores NODE_ENV
Tested with NODE_ENV=production npm ci

@Ketler13

Ketler13 commented Aug 3, 2021

It happens again in 7.20.3. Does anyone have the same problems?

@cheslijones

I'm running into this issue with 7.24.0 as I've explained here.

# creating a node base
FROM node:16-slim as node-base
ENV CI=true

# builder-base is used to build dependencies
FROM node-base as builder-base
ENV NODE_ENV=production
COPY ./package-lock.json ./package.json ./
RUN npm install --production
# RUN npm ci --production

Using either npm install --production or npm ci --production, when you docker run -it <image_id> bash and look at node_modules, all of the devDependencies are in there, like jest and eslint.

@isaacs
Contributor

isaacs commented Oct 5, 2021

@cheslijones works for me here:

$ cat package.json
{
  "devDependencies": {
    "abbrev": "^1.1.1"
  }
}

$ npm i --production

up to date, audited 1 package in 234ms

found 0 vulnerabilities

$ tree
.
├── node_modules
│  └── .package-lock.json
├── package-lock.json
└── package.json

$ cat package-lock.json
{
  "name": "x",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "devDependencies": {
        "abbrev": "^1.1.1"
      }
    },
    "node_modules/abbrev": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
      "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==",
      "dev": true
    }
  },
  "dependencies": {
    "abbrev": {
      "version": "1.1.1",
      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
      "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q==",
      "dev": true
    }
  }
}

$ npm ci --production

up to date, audited 1 package in 219ms

found 0 vulnerabilities

$ tree
.
├── node_modules
│  └── .package-lock.json
├── package-lock.json
└── package.json

Is it possible that you have something with a production dependency on one of your devDependencies? Can you inspect your package-lock.json file and see if those dev deps have "dev": true in their lockfile entries?

@cheslijones

Sorry, disregard. I didn't realize that by jest and eslint being part of react-scripts (a production dependency) in create-react-app that it would automatically make jest and eslint a production dependency.

@isaacs
Contributor

isaacs commented Oct 6, 2021

@cheslijones happy to help :)

@Piliponful

There is no --production flag in the npm ci docs https://docs.npmjs.com/cli/v8/commands/npm-ci

And if you think about how it works you'll understand why.
npm ci installs all the packages from package-lock.json, so what would a production flag mean?

@s3nPy

s3nPy commented Jun 21, 2022

@Piliponful Because after npm install --only=prod I run npm ci --only=prod and get:

Error: cipm can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with npm install before continuing.

The log also shows some missing-package errors for packages that are clearly not in package-lock.json.

8 participants