npm / cli

the package manager for JavaScript
https://docs.npmjs.com/cli/

[BUG] npm install --no-save skips child dependencies when config repository differs from package-lock.json resolved URL #762

Closed peitschie closed 3 years ago

peitschie commented 4 years ago

What / Why

When a repository is configured locally that is different to an existing package-lock.json resolved URL, subsequent re-installations of modules with the --no-save option will fail to resolve child dependencies.

Current Behavior

Given a project with an existing dependency & package-lock.json file (for example, on cordova-plugin-qrscanner), when the local registry is changed and npm install --no-save cordova-plugin-qrscanner is executed, then npm ls shows that there are unmet dependencies for the module.

Steps to Reproduce

With a simple NPM project, using the default npm repository:

  1. Install a dependency and save to package-lock.json with the current URL: npm install --save-production cordova-plugin-qrscanner. At this point the resolved URL in the package-lock.json file is probably https://registry.npmjs.org/cordova-plugin-qrscanner/-/cordova-plugin-qrscanner-3.0.1.tgz.
  2. Next, change the registry (e.g., to an Artifactory mirror): npm config set registry https://artifactory.localnet/artifactory/api/npm/npmjs.org/
  3. Re-install the same dependency, this time with the --no-save option specified: npm install --no-save cordova-plugin-qrscanner
  4. View the results: npm ls --depth=0

Locally, on NPM v6.9.0, step 4 shows:

C:\temp\reproduction>npm ls --depth=0
reproduction@1.0.0 C:\temp\reproduction
`-- UNMET DEPENDENCY cordova-plugin-qrscanner@3.0.1
  +-- qrcode-reader@1.0.4
  `-- webrtc-adapter@3.4.3

Full reproduction script:

C:\temp\reproduction>npm install --save-production cordova-plugin-qrscanner
npm notice created a lockfile as package-lock.json. You should commit this file.
npm WARN reproduction@1.0.0 No description
npm WARN reproduction@1.0.0 No repository field.

+ cordova-plugin-qrscanner@3.0.1
added 4 packages from 2 contributors and audited 4 packages in 2.495s
found 0 vulnerabilities

C:\temp\reproduction>npm ls --depth=0
reproduction@1.0.0 C:\temp\reproduction
`-- cordova-plugin-qrscanner@3.0.1

C:\temp\reproduction>npm config set registry https://artifactory.localnet/artifactory/api/npm/npmjs.org/

C:\temp\reproduction>npm login
* omitted *

C:\temp\reproduction>npm install --no-save cordova-plugin-qrscanner
npm WARN reproduction@1.0.0 No description
npm WARN reproduction@1.0.0 No repository field.

+ cordova-plugin-qrscanner@3.0.1
updated 1 package in 0.532s

C:\temp\reproduction>npm ls --depth=0
reproduction@1.0.0 C:\temp\reproduction
`-- UNMET DEPENDENCY cordova-plugin-qrscanner@3.0.1
  +-- qrcode-reader@1.0.4
  `-- webrtc-adapter@3.4.3

npm ERR! missing: cordova-plugin-qrscanner@3.0.1, required by reproduction@1.0.0
npm ERR! missing: qrcode-reader@1.0.4, required by cordova-plugin-qrscanner@3.0.1

Expected Behavior

After executing npm install --no-save cordova-plugin-qrscanner, npm ls should show all dependencies are satisfied for the module, irrespective of whether the configured repository matches the resolved URL in the package-lock.json file.

Who
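
The report turns on a package-lock.json whose resolved URLs point at a different registry than the one npm is configured to use. As an added example (not part of the original issue and not npm's own code), this Node.js function lists such entries before an install is attempted; `findRegistryMismatches` and the sample lockfile are constructed for illustration, reusing the package names, versions and registry URLs from the report.

```javascript
// Added example (not npm code): list lockfile entries whose "resolved" URL
// is not served from the configured registry.

// Constructed sample in npm v6 (lockfileVersion 1) layout. The first two
// entries were locked against registry.npmjs.org; the third against the mirror.
const MIRROR = 'https://artifactory.localnet/artifactory/api/npm/npmjs.org/';
const sampleLock = {
  name: 'reproduction',
  version: '1.0.0',
  lockfileVersion: 1,
  dependencies: {
    'cordova-plugin-qrscanner': {
      version: '3.0.1',
      resolved: 'https://registry.npmjs.org/cordova-plugin-qrscanner/-/cordova-plugin-qrscanner-3.0.1.tgz',
      // Constructed nesting, to exercise the recursive walk.
      dependencies: {
        'qrcode-reader': {
          version: '1.0.4',
          resolved: 'https://registry.npmjs.org/qrcode-reader/-/qrcode-reader-1.0.4.tgz',
        },
      },
    },
    'webrtc-adapter': {
      version: '3.4.3',
      resolved: MIRROR + 'webrtc-adapter/-/webrtc-adapter-3.4.3.tgz',
    },
  },
};

// Hypothetical helper: returns [{ path, version, resolved }] for every entry
// whose resolved URL has a different origin or falls outside the registry path.
function findRegistryMismatches(lock, registry) {
  const reg = new URL(registry);
  const base = reg.pathname.endsWith('/') ? reg.pathname : reg.pathname + '/';
  const mismatches = [];
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, name];
      if (typeof entry.resolved === 'string') { // bundled entries carry no URL
        let url = null;
        try { url = new URL(entry.resolved); } catch (e) { /* unparseable: report it */ }
        if (!url || url.origin !== reg.origin || !url.pathname.startsWith(base)) {
          mismatches.push({ path: path.join(' > '), version: entry.version, resolved: entry.resolved });
        }
      }
      walk(entry.dependencies, path); // v1 lockfiles nest conflicting versions
    }
  };
  walk(lock.dependencies, []);
  return mismatches;
}

console.log(findRegistryMismatches(sampleLock, MIRROR));
```

To check a real project, pass the parsed contents of its package-lock.json and the output of `npm config get registry`.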

darcyclarke commented 3 years ago

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.

Closing: This is an automated message.
