npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] --legacy-peer-deps doesn't work if own package has no peerDependencies #6262

Open haihovu opened 1 year ago

haihovu commented 1 year ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

This issue was observed in both v8 and v9. The problem is as follows: I have a package.json that includes some dependent packages that themselves have peerDependencies. When running npm i or npm ci, all peer dependencies of my own package as well as those of the dependent packages are installed as expected. When running npm i --legacy-peer-deps or npm ci --legacy-peer-deps, no peer dependencies of my own package or those of the dependents are installed, with an exception: if my own package does not specify any peer dependencies itself, then npm ci --legacy-peer-deps seems to ignore the --legacy-peer-deps flag and goes ahead and installs all the dependents' peer dependencies. This problem is not observed when my own package has at least one peer dependency.

Expected Behavior

If my own package.json has no peer dependency, but my dependent packages have peer dependencies, then npm ci --legacy-peer-deps should not install any peer dependency from those dependent packages.

Steps To Reproduce

1. Create an empty package.json, then pull in a package with known peer dependencies, say react-native (which has one peer dependency: react), in the dependencies section (make sure your package.json has no peerDependencies, or empty peerDependencies).
2. Now run npm i. You should see all the peer dependency packages installed in node_modules (in this case it's react).
3. Now run npm ci --legacy-peer-deps. You will see that all the peer dependency packages (again react) are still installed in node_modules.
4. Now add a simple package to your own peerDependencies, say chai.
5. Now run npm i. You should still see all the peer dependency packages installed in node_modules.
6. Now run npm ci --legacy-peer-deps. You should see all the peer dependency packages (again, in our case, react) removed from node_modules as expected.

Environment

; "user" config from /localhome/haiv/.npmrc
...
; node bin location = /localhome/haiv/.nvm/versions/node/v18.12.1/bin/node
; node version = v18.12.1
; npm local prefix = /localhome/haiv/workspaces/npmtest
; npm version = 8.19.4
; cwd = /localhome/haiv/workspaces/npmtest
; HOME = /localhome/haiv
; Run npm config ls -l to show all defaults.
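
A way to check the outcome of the reproduction steps above without inspecting node_modules by hand, added here as an example (not code from the issue or from npm): it lists installed packages that are present only because another installed package names them in peerDependencies. The function names and the sample manifests are constructed for illustration, and only top-level node_modules entries are considered.

```javascript
'use strict';

// Load the package.json of every top-level (and @scoped) package in node_modules.
// CommonJS requires are kept local so peerOnlyInstalls() below stays free of I/O.
function readInstalled(nodeModulesDir) {
  const fs = require('fs');
  const path = require('path');
  const installed = {};
  for (const entry of fs.readdirSync(nodeModulesDir)) {
    if (entry.startsWith('.')) continue; // skip .bin, .package-lock.json
    const names = entry.startsWith('@')
      ? fs.readdirSync(path.join(nodeModulesDir, entry)).map((n) => `${entry}/${n}`)
      : [entry];
    for (const name of names) {
      const file = path.join(nodeModulesDir, name, 'package.json');
      if (fs.existsSync(file)) installed[name] = JSON.parse(fs.readFileSync(file, 'utf8'));
    }
  }
  return installed;
}

// Hypothetical helper. `root` is the project's package.json object;
// `installed` maps package name -> that package's package.json object.
function peerOnlyInstalls(root, installed) {
  const keys = (obj) => Object.keys(obj || {});
  // Everything the project itself asks for, including its own peers.
  const wanted = new Set([
    ...keys(root.dependencies), ...keys(root.devDependencies),
    ...keys(root.optionalDependencies), ...keys(root.peerDependencies),
  ]);
  const askedAsPeer = new Map(); // peer name -> packages that declare it
  for (const [name, manifest] of Object.entries(installed)) {
    // Regular dependencies of installed packages are expected to be present.
    for (const dep of keys(manifest.dependencies)) wanted.add(dep);
    for (const dep of keys(manifest.optionalDependencies)) wanted.add(dep);
    for (const peer of keys(manifest.peerDependencies)) {
      askedAsPeer.set(peer, [...(askedAsPeer.get(peer) || []), name]);
    }
  }
  return [...askedAsPeer.keys()]
    .filter((p) => Object.prototype.hasOwnProperty.call(installed, p) && !wanted.has(p))
    .sort()
    .map((p) => ({ name: p, requestedBy: askedAsPeer.get(p).sort() }));
}

// Constructed sample mirroring the report: react-native declares react as a peer.
const SAMPLE_ROOT = { dependencies: { 'react-native': '*' } };
const SAMPLE_INSTALLED = {
  'react-native': { dependencies: { invariant: '*' }, peerDependencies: { react: '*' } },
  react: { dependencies: { 'loose-envify': '*' } },
  invariant: {}, 'loose-envify': {},
};
console.log(peerOnlyInstalls(SAMPLE_ROOT, SAMPLE_INSTALLED));
```

Against a real project, call `peerOnlyInstalls(JSON.parse(fs.readFileSync('package.json', 'utf8')), readInstalled('node_modules'))` after each install command in the steps and compare the lists.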

ljharb commented 1 year ago

legacy peer deps doesn’t mean “install no peer deps”, it means “do what npm < 7 did”, which i believe did install some in this case.

(The best solution is to explicitly add the peer deps you need, and avoid using the legacy peer deps option)

haihovu commented 1 year ago

NPM v6 does not install peer dependencies at all, but clearly this isn't the case with --legacy-peer-deps in v7+, which was my gripe, that it installed peer deps even when we want it to behave like the legacy way. So this does fail the 'do what npm <7 did' aspiration.