Current Behavior
When `package.json` contains the new `devEngines` key, the checks from the `engines` fields are disabled. Running `npm install --engine-strict` will happily install even when using incompatible node or npm versions w.r.t. `engines`.
This behavior is unexpected. According to the documentation the `devEngines` serves a different purpose from `engines`. For this reason they shouldn't interact in this way.
This should especially be the case if the contents of these sections don't overlap, e.g. when `engines` prescribes a specific `node` version and `devEngines` prescribes an `npm` version. However the mere presence of `devEngines` disables all `engines` checks, even if empty.
Currently, the `engines` field combined with the `engine-strict` is the only reliable way to enforce correct engine versions. Older `npm` versions don't support `devEngines` yet. If `devEngines` disables the older mechanism, we would need to duplicate the constraints from `engines` in `devEngines` until `devEngines` support is fully adopted.
Expected Behavior
`npm install --engine-strict` should perform the engines constraint checks from `engines` (as well as `devEngines`) value in `package.json`. Whenever the engines don't match the specified version(s), it should exit with an error.
Environment
npm: 10.9.0
Node.js: 22.10.0 or 22.11.0 or 23.1.0
OS Name: MacOS 15.1
System Model Name: MacBook
npm config:
; node bin location = /Users/me/.nvm/versions/node/v22.10.0/bin/node
; node version = v22.10.0
; npm local prefix = /Users/me/reproduce-engine-strict-bug
; npm version = 10.9.0
; cwd = /Users/me/tmp/reproduce-engine-strict-bug
; HOME = /Users/me
; Run `npm config ls -l` to show all defaults.
Steps To Reproduce
In an empty directory
Create the following `package.json` file
Run `npm install --engine-strict`
Notice how npm exits without an error, despite the node version being lower than 999999.
Removing the `devEngines` will correctly result in `npm error code EBADENGINE`
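A guard for the situation described in this report, as an added example that is not part of the original report or of npm's code: it evaluates `engines.node` directly and flags a manifest that also carries `devEngines`. The function names and the sample manifest are assumptions made for illustration; only plain comparator ranges are handled, and anything else throws so the guard fails closed.

```javascript
// Added example: an engines guard that does not depend on npm's own check.
// Supports comparators (>=, >, <=, <, =) joined by spaces (AND) and "||" (OR);
// partial versions such as "22" are accepted only after >= and <.
function parseVersion(text) {
  const parts = text.replace(/^v/, '').split('.').map(Number);
  while (parts.length < 3) parts.push(0);
  return parts;
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function satisfies(version, range) {
  const actual = parseVersion(version);
  return range.split('||').some((alternative) =>
    alternative.trim().split(/\s+/).every((token) => {
      const m = /^(>=|<=|>|<|=)?v?(\d+(\.\d+){0,2})$/.exec(token);
      const op = m && (m[1] || '=');
      const partial = m && m[2].split('.').length < 3;
      if (!m || (partial && op !== '>=' && op !== '<')) {
        throw new Error(`unsupported range token: "${token}"`);
      }
      const c = compare(actual, parseVersion(m[2]));
      return { '>=': c >= 0, '<=': c <= 0, '>': c > 0, '<': c < 0, '=': c === 0 }[op];
    })
  );
}

// Returns findings; an empty array means the guard passes.
function checkEngines(pkg, nodeVersion = process.versions.node) {
  const findings = [];
  const wanted = pkg.engines && pkg.engines.node;
  if (wanted && !satisfies(nodeVersion, wanted)) {
    findings.push(`node ${nodeVersion} does not satisfy engines.node "${wanted}"`);
  }
  if (wanted && 'devEngines' in pkg) {
    findings.push('devEngines is present alongside engines');
  }
  return findings;
}

// Constructed sample mirroring the report, not the reporter's actual file.
const samplePkg = { engines: { node: '>=999999' }, devEngines: {} };
```

In CI this would run before `npm install`, with the parsed `package.json` passed to `checkEngines` and a non-empty result failing the job.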