Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

install: correct reqBy spec for opt deps #117

Closed
wants to merge 1 commit into from

Conversation

larsgw
Copy link
Contributor

@larsgw larsgw commented Dec 13, 2018

Return the correct spec for optional dependencies in getRequested.

See https://npm.community/t/242

Return the correct spec for optional dependencies in getRequested.

See https://npm.community/t/242
@larsgw larsgw requested a review from a team as a code owner December 13, 2018 16:44
@larsgw
Copy link
Contributor Author

larsgw commented Dec 13, 2018

As with #115:

I'm not really sure how to integration-test this without actually cloning git projects at the moment.

Ideas are welcome.

@zkat zkat added semver:patch semver patch level for changes needs-discussion labels Jan 7, 2019
@aeschright
Copy link
Contributor

This patch won't resolve the underlying problem -- we actually need to fix what's being put into the package-lock.json so that optional git dependencies are stored using the same format as the others.

@aeschright aeschright closed this Jan 7, 2019
@larsgw
Copy link
Contributor Author

larsgw commented Jan 8, 2019

If I remember correctly, that's what this patch is supposed to do (I'll check this afternoon). Or are you suggesting a more general fix?

@larsgw
Copy link
Contributor Author

larsgw commented Jan 8, 2019

I checked, given this package.json:

{
  "name": "060",
  "version": "1.0.0",
  "optionalDependencies": {
    "left-pad": "git+https://github.com/jeffora/left-pad.git#custom-left-pad"
  }
}

npm@6.5.0 produces this entry for left-pad:

    ...
    "left-pad": {
      "version": "1.3.0",
      "resolved": "git+https://github.com/jeffora/left-pad.git#806c9eda55a3ac4ad365a344ac9024c3ea183f8c",
      "optional": true
    }
    ...

While my patch produces this:

    ...
    "left-pad": {
      "version": "git+https://github.com/jeffora/left-pad.git#806c9eda55a3ac4ad365a344ac9024c3ea183f8c",
      "from": "git+https://github.com/jeffora/left-pad.git#custom-left-pad",
      "optional": true
    }
    ...

The latter works with npm ci, but I can add back the resolved field. However, that's not how dependencies and devDependencies work.

I'll try to add tests (given #115 (comment)) later, but not before my thoughts are confirmed of course.

@iarna
Copy link
Contributor

iarna commented Jan 10, 2019

We DO want output like what you quoted, but I'm concerned about your patch for this reason. You wrote this:

return npa.resolve(name, deps[name] || devDeps[name], reqBy.realpath) return npa.resolve(name, deps[name] || devDeps[name] || optDeps[name], reqBy.realpath)

And the thing is, because normalize-package-data (and in turn read-package-json) add all optional deps to regular deps, this patch should be a no-op, because the package metadata we get out of read-package-json will always have all optional deps also included in dependencies.

@iarna
Copy link
Contributor

iarna commented Jan 10, 2019

If your patch does fix something, it means something else has gone very wrong somewhere along the way, and we should patch that.

@gurpreetatwal
Copy link

Hi all, so I stepped through the code and I believe I have figured out where along the way things went bad. Specifically, it's in the savePackageJson function in install/lib/save.js.

cli/lib/install/save.js

Lines 63 to 70 in ab0f026

fs.readFile(saveTarget, 'utf8', iferr(next, function (packagejson) {
const indent = detectIndent(packagejson).indent
const newline = detectNewline(packagejson)
try {
tree.package = parseJSON(packagejson)
} catch (ex) {
return next(ex)
}

It replaces tree.package as read by read-package-json with just a fs.readFile of package.json. The in turn breaks that invariant that all optional dependencies should be included in dependencies.

Also the next function eventually invokes saveShrinkWrap as called by exports.saveRequested in lib/install/save.js

I'm not sure what the fix is here as I don't understand the npm code too well, but willing to offer more help if I can get some pointers.

@larsgw
Copy link
Contributor Author

larsgw commented Jan 20, 2019

It seems the new tree.package from parseJSON isn't passed to anywhere else (apart from saveShrinkwrap of course), so I think it's safe to do this:

let pkg
try {
  pkg = parseJSON(packagejson)
} catch (ex) {
  return next(ex)
}

As for the tests, I'm not really sure.

@DrSensor
Copy link

Hi, I also bump a similar issue but with file:

package-lock.json

{
		...
		"@obot/cli": {
			"version": "0.2.1",
			"resolved": "/home/wildan/Projects/OSS/bot-byte/packages/cli",
			"optional": true,
			"requires": {
				"@oclif/command": "^1.5.8",
				"@oclif/config": "^1.12.0",
				"@oclif/errors": "^1.2.2",
				"@oclif/plugin-help": "^2.1.4"
			},
			"dependencies": {...}
		},
		...
}

package.json

{
	...
	"optionalDependencies": {
		"@obot/cli": "file:packages/cli"
	}
	...
}
$ npm ci
npm ERR! cipm can only install packages when your package.json and package-lock.json or npm-shrinkwrap.json are in sync. Please update your lock file with `npm install` before continuing.
npm ERR!
npm ERR!
npm ERR! Invalid: lock file's @obot/cli@0.2.1 does not satisfy @obot/cli@file:packages/cli
npm ERR!

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/wildan/.npm/_logs/2019-01-29T09_06_29_704Z-debug.log

DrSensor added a commit to DrSensor/bot-byte that referenced this pull request Jan 29, 2019
DrSensor added a commit to DrSensor/bot-byte that referenced this pull request Jan 29, 2019
DrSensor added a commit to DrSensor/bot-byte that referenced this pull request Jan 30, 2019
DrSensor added a commit to DrSensor/bot-byte that referenced this pull request Jan 30, 2019
@gurpreetatwal
Copy link

@zkat @iarna any thoughts on the above solution? I'd love to help implement, just need some guidance. This same fix also fixes another issue my team is experiencing with package-lock.json and github dependencies. I'm still trying to create a minimal reproduction of that problem, but the code above seems troublesome

@larsgw
Copy link
Contributor Author

larsgw commented Feb 17, 2019

How can I help you?

BTW, another possible solution: save package-lock.json before saving package.json.

@nictownsend
Copy link

nictownsend commented Feb 18, 2020

Are there any updates on this? I have optional dependencies that can't currently be pushed to a registry.

antongolub pushed a commit to antongolub-forks/npm-cli that referenced this pull request May 18, 2024
🤖 I have created a release *beep* *boop*
---


## [4.0.4](npm/bin-links@v4.0.3...v4.0.4)
(2024-05-04)

### Bug Fixes

*
[`100a4b7`](npm/bin-links@100a4b7)
[npm#117](npm/bin-links#117) linting:
no-unused-vars (@lukekarrys)

### Chores

*
[`e955437`](npm/bin-links@e955437)
[npm#117](npm/bin-links#117) bump
@npmcli/template-oss to 4.22.0 (@lukekarrys)
*
[`b602aca`](npm/bin-links@b602aca)
[npm#117](npm/bin-links#117) postinstall for
dependabot template-oss PR (@lukekarrys)
*
[`955cc34`](npm/bin-links@955cc34)
[npm#116](npm/bin-links#116) bump
@npmcli/template-oss from 4.21.3 to 4.21.4 (@dependabot[bot])

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
semver:patch semver patch level for changes
Projects
None yet
Development

Successfully merging this pull request may close these issues.

7 participants