npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] `overrides` in `package.json` do not allow file paths of any kind (including fake ones) #5843

Closed aibolit closed 1 year ago

aibolit commented 1 year ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

I am seeing the error

npm verb stack TypeError: Invalid comparator: ./_EXCLUDED_     

Expected Behavior

The override library uses the file path specified like in major version 8. When the path specified points to nothing the dependency is ignored.

The usage is explained in this Stack Overflow which doesn't work anymore

Steps To Reproduce

Add an overrides section which points to a path kind of like

"overrides": {
  "canvas": "./_EXCLUDED_"
}

Environment

location = "project"

; node bin location = C:\Users\someuser\somepath.gradle\nodejs\node-v18.12.1-win-x64\node.exe
; node version = v18.12.1
; npm local prefix = C:\Users\someuser\somepath
; npm version = 9.1.1
; cwd = C:\Users\someuser\somepath
; HOME = C:\Users\someuser
; Run npm config ls -l to show all defaults.

ljharb commented 1 year ago

What if you point it to false?

aibolit commented 1 year ago

It basically ignores the override

boris-petrov commented 1 year ago

The same happens if a github URL is used:

"overrides": {
  "some-package": "github:owner/some-package#ec9dc9981403f2e56d2233430681866741bc170c"
},

nguyentoanit commented 1 year ago

Does anyone get this issue in npm v8.19.3 when using a reference to a spec?

"overrides": {
  "foo": {
    "@aws-cdk/aws-apigatewayv2-alpha": "$@aws-cdk/aws-apigatewayv2-alpha",
    "@aws-cdk/aws-apigatewayv2-integrations-alpha": "$@aws-cdk/aws-apigatewayv2-integrations-alpha"
  }
}

trusktr commented 1 year ago

I got this error after upgrading to npm 9:

npm ERR! Invalid comparator: trusktr/three.js#d2fbde04e079890747e318adb2b3b88f8c556d38

Specifically:

36 verbose stack TypeError: Invalid comparator: trusktr/three.js#d2fbde04e079890747e318adb2b3b88f8c556d38
36 verbose stack     at Comparator.parse (/Users/trusktr/.npm-packages/lib/node_modules/npm/node_modules/semver/classes/comparator.js:38:13)
36 verbose stack     at new Comparator (/Users/trusktr/.npm-packages/lib/node_modules/npm/node_modules/semver/classes/comparator.js:22:10)
36 verbose stack     at /Users/trusktr/.npm-packages/lib/node_modules/npm/node_modules/semver/classes/range.js:133:47
36 verbose stack     at Array.map (<anonymous>)
36 verbose stack     at Range.parseRange (/Users/trusktr/.npm-packages/lib/node_modules/npm/node_modules/semver/classes/range.js:133:35)
36 verbose stack     at /Users/trusktr/.npm-packages/lib/node_modules/npm/node_modules/semver/classes/range.js:34:22
36 verbose stack     at Array.map (<anonymous>)
36 verbose stack     at new Range (/Users/trusktr/.npm-packages/lib/node_modules/npm/node_modules/semver/classes/range.js:34:8)
36 verbose stack     at Object.intersects (/Users/trusktr/.npm-packages/lib/node_modules/npm/node_modules/semver/ranges/intersects.js:3:8)
36 verbose stack     at OverrideSet.getEdgeRule (/Users/trusktr/.npm-packages/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/override-set.js:53:18)

My package.json has this:

    "dependencies": {
        "lume": "0.3.0-alpha.10",
        "three": "trusktr/three.js#d2fbde04e079890747e318adb2b3b88f8c556d38"
    },
    "overrides": {
        "three": "$three",
        "lume": {
            "three": "$three"
        }
    },

https://github.com/LUMECraft/first-person-shooter/blob/38d9cda1d63816c7b4e02093712795989b45c4e1/package.json#L29-L60

reproduction:

Using npm 9:

git clone https://github.com/LUMECraft/first-person-shooter.git
cd first-person-shooter
npm install

maxbilbow commented 1 year ago

Is there any official way to exclude dependencies other than the "../EXCLUDE" (above) that I've been using? Feels like a hack.

Is this something for which a standard approach hasn't yet been decided? Or is it undesirable behaviour for some reason?

matteatsleftovers commented 1 year ago

I'm pretty new to using overrides in my package.json files, ha, but I'm running into a similar error for npm-hosted package overrides. When I try to override the deprecated rollup-plugin-terser package (pulled in from another dependency) with its successor hosted in npm packages, I see the "invalid comparator" error mentioned above.

Heck, I may even be using the wrong syntax to begin with, but here's what I'm trying to use to override the deprecation:

"overrides": {
  "rollup-plugin-terser": "npm:@rollup/plugin-terser@^0.2.0"
}

Output of running npm install with this override on npm 8.19.2/node.js 16.18.1 (LTS Gallium):

nvm use lts/gallium && npm install
Now using node v16.18.1 (npm v8.19.2)

up to date, audited 3003 packages in 3s

390 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Output on npm 9.1.2/node.js 18.12.1 (LTS Hydrogen):

nvm use lts/hydrogen && npm install
Now using node v18.12.1 (npm v9.1.2)
npm ERR! Invalid comparator: npm:@rollup/plugin-terser@^0.2.0

npm ERR! A complete log of this run can be found in:
npm ERR!     [REDACTED]

If I remove the package-shifting overrides altogether, the LTS Hydrogen output is happy again (except for deprecation 😅):

nvm use lts/hydrogen && npm install
Now using node v18.12.1 (npm v9.1.2)
npm WARN deprecated rollup-plugin-terser@7.0.2: This package has been deprecated and is no longer maintained. Please use @rollup/plugin-terser

added 5 packages, removed 2 packages, and audited 3006 packages in 3s

390 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

trusktr commented 1 year ago

I really hope this can be fixed. Overrides otherwise only fully work in npm v8.

MondoGao commented 1 year ago

This was fixed in https://github.com/npm/cli/pull/5960
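
An added example, not part of the thread and not npm's code: a dependency-free audit that lists `overrides` entries whose target is not a plain semver range, which covers the forms reported failing above, including `$name` references once they are resolved against the root dependencies. The regex classification is a simplified assumption rather than npm's own spec parser, and `samplePkg` is constructed from values quoted in the thread (the `ws` entry is made up).

```javascript
// Added example: heuristic classification of `overrides` targets (not npm's parser).
const KINDS = [
  ['alias', /^npm:/],                                   // npm:@rollup/plugin-terser@^0.2.0
  ['file',  /^(file:|\.{1,2}[\\/]|[\\/]|~[\\/])/],      // ./_EXCLUDED_
  ['url',   /^https?:\/\//],
  ['git',   /^(github:|git\+|git:\/\/|[\w.-]+\/[\w.-]+(#.+)?$)/], // owner/repo#sha
];

function classify(spec) {
  const hit = KINDS.find(([, re]) => re.test(spec));
  return hit ? hit[0] : 'range'; // anything else is assumed to be a semver range or tag
}

// Walk nested override objects, yielding { path: 'lume > three', spec } per leaf.
function* flatten(overrides, trail = []) {
  for (const [key, value] of Object.entries(overrides || {})) {
    const path = key === '.' ? trail : [...trail, key];
    if (typeof value === 'string') yield { path: path.join(' > '), spec: value };
    else yield* flatten(value, path);
  }
}

// Resolve "$name" against the root package's direct dependencies, then classify.
function auditOverrides(pkg) {
  const direct = { ...pkg.devDependencies, ...pkg.optionalDependencies, ...pkg.dependencies };
  const findings = [];
  for (const { path, spec } of flatten(pkg.overrides)) {
    const resolved = spec.startsWith('$') ? direct[spec.slice(1)] : spec;
    const kind = resolved === undefined ? 'unresolved-reference' : classify(resolved);
    if (kind !== 'range') findings.push({ path, spec, resolved, kind });
  }
  return findings;
}

// Constructed package.json assembled from the override values quoted in this thread.
const samplePkg = {
  dependencies: { lume: '0.3.0-alpha.10', three: 'trusktr/three.js#d2fbde04e079890747e318adb2b3b88f8c556d38' },
  overrides: {
    canvas: './_EXCLUDED_',
    'some-package': 'github:owner/some-package#ec9dc9981403f2e56d2233430681866741bc170c',
    'rollup-plugin-terser': 'npm:@rollup/plugin-terser@^0.2.0',
    lume: { three: '$three', ws: '^8.0.0' },
  },
};

console.table(auditOverrides(samplePkg));
```

Each finding is an override that redirects a dependency away from a registry version range, so the same list is useful when reviewing a lockfile change for where overridden packages actually come from.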