search

npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/
Other
8.46k stars 3.15k forks source link

[BUG] Dependencies scripts don't run when using v1 shrinkwrap #5525

Open koterpillar opened 2 years ago

koterpillar commented 2 years ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

When:

B's custom install script does not run, instead it is replaced with node-gyp rebuild.

Example:

When installing @freekii/layerone-keytar@1.0.10, keytar's install script will not run, falling back to node-gyp rebuild. If the machine has no Python and required system libraries, that will fail whereas the prebuild-install would have succeeded.

Expected Behavior

Dependencies' install scripts should run as specified in their package.json.

(Using example above) Installing @freekii/layerone-keytar@1.0.10 runs keytar's prebuild-install.

Steps To Reproduce

  1. Create an empty npm package with a single dependency keytar (or use existing @freekii/layerone-keytar@1.0.10 and skip to sten 4).
  2. Using npm 6, run npm shrinkwrap.
  3. Publish the package to npm with the generated shrinkwrap.
  4. On a machine without Python or C build tools (e.g. node:16 Docker container), install the above package from npm.
  5. Observe the error from gyp:
npm ERR! code 1
npm ERR! path /usr/local/lib/node_modules/@freekii/layerone-keytar/node_modules/keytar
npm ERR! command failed
npm ERR! command sh -c -- node-gyp rebuild
(...)

Environment

koterpillar commented 2 years ago

Please note this is not a bug in npm 6. It was only used to produce the example package, but I expect npm 8 to be able to install older packages from the registry regardless.

koterpillar commented 2 years ago

I believe the meta.loadedFromDisk check is causing the bug here: https://github.com/npm/cli/blob/e5761b9adafe8607ad68baa9599ad4eb228bc6be/workspaces/arborist/lib/arborist/rebuild.js#L257