airbnb / hypernova

A service for server-side rendering your JavaScript views
MIT License

npm install keeps failing on npm v6 #118

Closed: wingleung closed this 6 years ago

wingleung commented 6 years ago

npm install within the hypernova repo on npm@6 keeps failing.

Steps to reproduce

npm install

...
> hypernova@2.2.5 build /Users/leungwi/Projects/VRT/sporza/NODE/contrib/hypernova
> babel src -d lib

src/Module.js -> lib/Module.js
src/coordinator.js -> lib/coordinator.js
src/createGetComponent.js -> lib/createGetComponent.js
src/createVM.js -> lib/createVM.js
src/environment.js -> lib/environment.js
src/getFiles.js -> lib/getFiles.js
src/index.js -> lib/index.js
src/loadModules.js -> lib/loadModules.js
src/server.js -> lib/server.js
src/utils/BatchManager.js -> lib/utils/BatchManager.js
src/utils/lifecycle.js -> lib/utils/lifecycle.js
src/utils/logger.js -> lib/utils/logger.js
src/utils/renderBatch.js -> lib/utils/renderBatch.js
src/worker.js -> lib/worker.js
up to date in 3.952s
[!] 7 vulnerabilities found [3729 packages audited]
    Severity: 5 low | 2 critical
    Run `npm audit` for more detail

npm audit

npm ERR! code EAUDITNOLOCK
npm ERR! audit Neither npm-shrinkwrap.json nor package-lock.json found: Cannot audit a project without a lockfile
npm ERR! audit Try creating one first with: npm i --package-lock-only

npm i --package-lock-only installs all the packages but doesn't create a package-lock.json because the .npmrc has package-lock disabled.

ljharb commented 6 years ago

No; if npm audit fails without a lockfile, then npm audit is broken.

The proper fix here is to add audit=false to .npmrc, until npm fixes the issue with npm audit.
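The thread describes a project .npmrc with package-lock=false, which is why npm 6's `npm i --package-lock-only` produces no lockfile and `npm audit` then fails with EAUDITNOLOCK. The script below is an added example, not part of this issue or of hypernova's own tooling: it reproduces that configuration in a constructed sample directory and shows how to still obtain an audit report without committing a lockfile, by generating a throwaway package-lock.json and deleting it afterwards. It assumes npm's documented config precedence (a `--package-lock=true` flag on the command line overrides package-lock=false in the project .npmrc); the small .npmrc reader it uses only understands `key=value` lines and is a simplification written for this example.

```shell
#!/bin/sh
# Added example, not code from the hypernova repository or this issue.
# Assumptions (not from the page): command-line npm flags override a project
# .npmrc, and the minimal .npmrc reader below (key=value lines, '#' comments).
set -eu

# npmrc_value FILE KEY -> prints the last value set for KEY in FILE, or "unset".
npmrc_value() {
  file=$1; key=$2
  val=$(grep -E "^[[:space:]]*${key}[[:space:]]*=" "$file" 2>/dev/null \
        | tail -n 1 | sed -E 's/^[^=]*=[[:space:]]*//; s/[[:space:]]*$//') || true
  if [ -z "$val" ]; then echo unset; else echo "$val"; fi
}

# lockfile_disabled FILE -> succeeds when the project .npmrc turns lockfiles off,
# the exact case in which npm 6's audit reports EAUDITNOLOCK.
lockfile_disabled() {
  [ "$(npmrc_value "$1" package-lock)" = "false" ]
}

# audit_with_temp_lockfile DIR -> writes a throwaway package-lock.json so that
# npm audit has something to audit, then removes it so the repo stays clean.
# --package-lock=true overrides package-lock=false from .npmrc (CLI wins);
# --ignore-scripts keeps lifecycle scripts (here: the babel build) from running
# while we only want dependency metadata. Needs npm and network access.
audit_with_temp_lockfile() {
  dir=$1
  if ( cd "$dir" \
       && npm install --package-lock-only --package-lock=true --ignore-scripts \
       && npm audit ); then
    status=0
  else
    status=$?
  fi
  rm -f "$dir/package-lock.json"
  return $status
}

# Constructed sample project mirroring the thread: no lockfile, and a .npmrc
# that disables it. (Constructed input, not the real hypernova checkout.)
demo_dir=$(mktemp -d)
cat > "$demo_dir/.npmrc" <<'EOF'
# constructed sample .npmrc
package-lock=false
EOF
printf '{ "name": "audit-demo", "version": "1.0.0", "private": true }\n' \
  > "$demo_dir/package.json"

if lockfile_disabled "$demo_dir/.npmrc"; then
  echo "package-lock=false in .npmrc: plain 'npm audit' would fail with EAUDITNOLOCK"
fi
echo "audit setting: $(npmrc_value "$demo_dir/.npmrc" audit)"

# Only touch the network when npm is installed and the caller opts in.
if [ "${RUN_NPM_AUDIT:-0}" = "1" ] && command -v npm >/dev/null 2>&1; then
  audit_with_temp_lockfile "$demo_dir" || echo "npm audit exited with status $?"
fi
rm -rf "$demo_dir"
```

Run it as `RUN_NPM_AUDIT=1 sh audit-without-lockfile.sh` (file name is arbitrary) in an environment with npm to actually fetch advisories; without that variable it only inspects the constructed .npmrc. One caveat worth keeping in mind when weighing the `audit=false` suggestion: that setting also suppresses the summary printed at install time, so the "2 critical" findings shown in the install output above would no longer be surfaced anywhere unless a lockfile-based audit like this one is run separately.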

ljharb commented 6 years ago

Ahh, I see that npm audit fails but npm install doesn't.

This is a non-problem; npm audit isn't really necessary.

wingleung commented 6 years ago

@ljharb should we disable npm audit? package-lock.json is never available so npm audit will (temporarily?) not work.

On npm install there is a small report that some dependencies are vulnerable but it doesn't say which. To know which ones, we should use npm audit, resulting in the EAUDITNOLOCK error message. Is this useful?

...
[!] 7 vulnerabilities found [3729 packages audited]
    Severity: 5 low | 2 critical
    Run `npm audit` for more detail

branch is ready if need be -> https://github.com/wingleung/hypernova/commit/8310d1d37e4b81a8e7bac9c21df3fa1359040174

ljharb commented 6 years ago

npm audit is planned to eventually work without a lockfile, so I think we can just ignore the feature and warning for now.