Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Regression? Change? Can no longer install a single package without all the other dependencies in package.json #3023

Closed
dandv opened this issue Apr 4, 2021 · 6 comments
Closed

Regression? Change? Can no longer install a single package without all the other dependencies in package.json #3023

dandv opened this issue Apr 4, 2021 · 6 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release

Comments

@dandv
Copy link

dandv commented Apr 4, 2021
edited
Loading

Current Behavior:

Running npm install <package> --no-package-lock --production --no-save will still install all other dependencies listed in package.json.

Expected Behavior:

This did not use to be the case with npm 6. NPM 6 would install only the requested package.

Steps To Reproduce:

  1. npm install cheerio # this will install 14 packages in node_modules
  2. rm -rf node_modules package-lock.json
  3. npm install local-iso-dt --no-package-lock --production --no-save

This will output added 15 packages, and node_modules does contain all the cheerio dependencies, instead of just the zero-dependency local-iso-dt module.

Environment:

  • OS: Ubuntu 20.04
  • Node: 14.16.0
  • npm: 7.8.0

Related
@dandv dandv added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Apr 4, 2021
@ljharb
Copy link
Contributor

ljharb commented Apr 4, 2021

Just curious, why do you need --production on that command? npm install <package> never installs its dev deps. Additionally, with --no-save, why do you need --no-package-lock?

If you just do npm install local-iso-dt --no-save, what happens?

@dandv
Copy link
Author

dandv commented Apr 4, 2021

@ljharb none if those options are needed; I just used them as a sanity check.

Running just npm install local-iso-dt --no-save produces the same result - cheerio and its deps are installed.

@nlf
Copy link
Contributor

nlf commented Apr 6, 2021

npm 7 always does its best to work on full package trees rather than individual packages. that is, we do our best to ensure that what's on disk in your node_modules directory satisfies your complete requested dependency tree as specified in your package.json.

when adding a package, we add it to the dependency tree in your package.json, and then make your node_modules match that final, complete, tree. we currently do not have a way to install a single package in a project that contains a package.json.

if you have a use case for it, you may consider opening an rfc or a discussion at https://github.com/npm/rfcs

@nlf nlf closed this as completed Apr 6, 2021
@dandv
Copy link
Author

dandv commented Apr 8, 2021

Thanks @nlf, created npm/rfcs#364.

@ronilan ronilan mentioned this issue Jul 2, 2021
Closed
wei2912 added a commit to AdvisorySG/mentorship-page that referenced this issue Aug 5, 2021
@wei2912
deploy-lambda: Install only airtable
14efb6e 
See npm/cli#3023 for more details. On Node
v16, it appears that --no-package-lock is no longer supported.
@kgryte
Copy link

kgryte commented Aug 12, 2021

I agree with @dandv that the behavior observed in npm v7 is unexpected, especially as v7 provides no way to override using a package.json as the sole source of truth without explicitly changing and/or removing the package.json file.

@tomchambers2
Copy link

I have just run into this with an authenticated package. We have a package @private/component-library and we are using a script that uses @aws-sdk/client-codeartifact to authenticate the private repo.

Because of trying to install everything in package.json it fails with a 401 when trying to install from the private repo when all the user wants to install initially is the aws package.

We could install it globally but then we lose versioning etc.

@Lipata Lipata mentioned this issue Jun 11, 2022
Closed
jtrobles-cdd added a commit to cordada/github-actions-utils that referenced this issue Jul 28, 2022
@jtrobles-cdd
fix: Remove existing Node.js package*.json files in Git Commit Linter
208e760 
If a `package.json` file exists, NPM will always install every
dependency specified in it, even if using `npm install` to install only
a single specific package.

Related GitHub issue: npm/cli#3023
@jtrobles-cdd jtrobles-cdd mentioned this issue Jul 28, 2022
Merged
@trentm trentm mentioned this issue Nov 1, 2023
Merged
2 tasks
@dyladan dyladan mentioned this issue Nov 16, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@dandv @ljharb @nlf @kgryte @tomchambers2