npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] BundleDependency behaviour changed #7212

Closed tkalmar closed 5 months ago

tkalmar commented 7 months ago

Is there an existing issue for this?

This issue exists in the latest npm version

Current Behavior

The behaviour of npm pack has changed between v8 and v9. For the given package.json:

{
  "name": "npm_reproducer",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "@nestjs/typeorm": "10.0.2"
  },
  "bundleDependencies": ["typeorm"]
}

When packaging with npm v9 I got:

npm notice 
npm notice 📦  npm_reproducer@1.0.0
npm notice === Tarball Contents === 
npm notice 9.6MB npm_reproducer-1.0.0.tgz
npm notice 325B  package.json            
npm notice === Tarball Details === 
npm notice name:          npm_reproducer                          
npm notice version:       1.0.0                                   
npm notice filename:      npm_reproducer-1.0.0.tgz                
npm notice package size:  9.5 MB                                  
npm notice unpacked size: 9.6 MB                                  
npm notice shasum:        a4f59d57e7f4b0a20b077f161d1a86fb8ee5faff
npm notice integrity:     sha512-2KpDThzFhyZug[...]C5PQ7srizpW2g==
npm notice total files:   2                                       
npm notice 
npm_reproducer-1.0.0.tgz

When packaging with v8 I got:

npm notice 
npm notice 📦  npm_reproducer@1.0.0
npm notice === Tarball Contents === 
npm notice 4.7MB npm_reproducer-1.0.0.tgz
npm notice 325B  package.json            
npm notice === Bundled Dependencies === 
npm notice @pkgjs/parseargs
npm notice dayjs
npm notice any-promise
npm notice require-directory
npm notice isexe
npm notice cli-highlight
npm notice @sqltools/formatter
npm notice ansi-regex
npm notice ansi-styles
npm notice app-root-path
npm notice base64-js
npm notice brace-expansion
npm notice buffer
npm notice chalk
npm notice cliui
npm notice color-convert
npm notice color-name
npm notice cross-spawn
npm notice debug
npm notice dotenv
npm notice escalade
npm notice foreground-child
npm notice glob
npm notice has-flag
npm notice highlight.js
npm notice ieee754
npm notice inherits
npm notice is-fullwidth-code-point
npm notice lru-cache
npm notice minimatch
npm notice minipass
npm notice mkdirp
npm notice mz
npm notice object-assign
npm notice parse5-htmlparser2-tree-adapter
npm notice parse5
npm notice path-key
npm notice reflect-metadata
npm notice safe-buffer
npm notice sha.js
npm notice shebang-command
npm notice shebang-regex
npm notice string-width-cjs
npm notice string-width
npm notice strip-ansi-cjs
npm notice strip-ansi
npm notice supports-color
npm notice thenify-all
npm notice thenify
npm notice which
npm notice wrap-ansi-cjs
npm notice wrap-ansi
npm notice y18n
npm notice yargs
npm notice uuid
npm notice @isaacs/cliui
npm notice yargs-parser
npm notice tslib
npm notice typeorm
npm notice signal-exit
npm notice eastasianwidth
npm notice balanced-match
npm notice emoji-regex
npm notice get-caller-file
npm notice jackspeak
npm notice ms
npm notice path-scurry
npm notice === Tarball Details === 
npm notice name:          npm_reproducer                          
npm notice version:       1.0.0                                   
npm notice filename:      npm_reproducer-1.0.0.tgz                
npm notice package size:  9.6 MB                                  
npm notice unpacked size: 33.6 MB                                 
npm notice shasum:        8180e3434f0c76fa008a412ee38839e384d22a23
npm notice integrity:     sha512-8BvJoO20+6uTK[...]VUpwbShzzxW5w==
npm notice bundled deps:  67                                      
npm notice bundled files: 0                                       
npm notice own files:     4968                                    
npm notice total files:   4968                                    
npm notice 
npm_reproducer-1.0.0.tgz

This is a huge difference and not expected from the changelog of v9.

Expected Behavior

With the given package.json, calling npm install and npm pack should give the same result, or at least a breaking change notice of the changed behaviour.

Steps To Reproduce

With the given package.json, call npm install and npm pack once with v8 and once with v9 of npm.

Environment

milaninfy commented 5 months ago

@tkalmar I believe the latest version of npm does not bundle dev and peer dependencies; it will only bundle prod dependencies which are mentioned in the bundleDependencies field.

milaninfy commented 5 months ago

Changes in npm pack behaviour across a major semver change are allowed. This does not seem to be a bug with the npm cli.

tkalmar commented 5 months ago

I would not have raised a bug if this behaviour could be expected from the changelog/release notes. I think this kind of change is at least worth a mention somewhere ...
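
An added example, not part of the thread and not npm's own code: a check a release pipeline could run so that a drop in bundled dependencies like the one reported above fails the build instead of shipping unnoticed. It assumes the report object has the shape of one entry from `npm pack --dry-run --json` (with a `bundled` array of package names); `auditBundle` is a hypothetical helper name, and the two sample reports are constructed from the outputs quoted in the issue.

```javascript
// Added example: compare declared bundleDependencies with a pack report.
// Assumption: `report` is one entry of the array printed by `npm pack --dry-run --json`.
function auditBundle(pkg, report) {
  // Both spellings are accepted in package.json; `true` means "all dependencies".
  const raw = pkg.bundleDependencies ?? pkg.bundledDependencies ?? [];
  const direct = Object.keys(pkg.dependencies ?? {});
  const declared = raw === true ? direct : Array.isArray(raw) ? raw : [];
  const shipped = new Set(report.bundled ?? []);
  // Fallback: count a package as shipped if the report lists files under node_modules/<name>/.
  for (const { path } of report.files ?? []) {
    const m = /^node_modules\/((?:@[^/]+\/)?[^/]+)\//.exec(path);
    if (m) shipped.add(m[1]);
  }
  return {
    // Declared for bundling but absent from the tarball: fail the release on these.
    missing: declared.filter((name) => !shipped.has(name)),
    // Declared for bundling but not a direct dependency (typeorm in the issue's package.json).
    notDirect: declared.filter((name) => !direct.includes(name)),
    bundledCount: shipped.size,
  };
}

// The package.json from the issue, reduced to the fields the check reads.
const pkg = {
  name: "npm_reproducer",
  dependencies: { "@nestjs/typeorm": "10.0.2" },
  bundleDependencies: ["typeorm"],
};
// Constructed sample reports modelled on the two outputs in the issue.
const v9Report = { bundled: [], files: [{ path: "package.json" }] };
const v8Report = { bundled: ["typeorm", "tslib", "uuid"], files: [{ path: "package.json" }] };

console.log("v9:", auditBundle(pkg, v9Report));
console.log("v8:", auditBundle(pkg, v8Report));
```

A non-empty `missing` list is the condition to gate on; `notDirect` only flags entries worth reviewing before an npm upgrade.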