search

nrwl / nx

Smart Monorepos · Fast CI
https://nx.dev
MIT License
23.78k stars 2.37k forks source link

Node esbuild generates invalid package-lock.json #28969

Open luuktap opened 1 week ago

luuktap commented 1 week ago

Current Behavior

When building a Node app, the esbuild executor generates an invalid package-lock.json file.

In the repo root's package-lock.json:

Now, when building the app, the outputted package-lock.json file ignores this 3-level deep override. It also messes up the steam-user dependency on @doctormckay/stdlib: "^2.9.1", making it instead depend on version 1.16.1, breaking the library. For some reason, npm ci doesn't catch this during install either.

See my repro repo dist/apps/invalid-lockfile-demo/package-lock.json line 1182 and line 1202.

Expected Behavior

The outputted package-lock.json file includes the required 3-level deep override.

GitHub Repo

https://github.com/luuktap/nx-invalid-lockfile-demo

Steps to Reproduce

  1. Clone repo
  2. npm ci
  3. nx build invalid-lockfile-demo

Nx Report

Node           : 20.18.0
OS             : darwin-arm64
Native Target  : aarch64-macos
npm            : 10.8.2

nx                 : 20.1.0
@nx/js             : 20.1.0
@nx/jest           : 20.1.0
@nx/eslint         : 20.1.0
@nx/workspace      : 20.1.0
@nx/devkit         : 20.1.0
@nx/esbuild        : 20.1.0
@nx/eslint-plugin  : 20.1.0
@nx/node           : 20.1.0
typescript         : 5.5.4
---------------------------------------
Registered Plugins:
@nx/eslint/plugin
@nx/jest/plugin

Failure Logs

Package Manager Version

No response

Operating System

Additional Information

To be able to reproduce, I had to pin the package versions. Also had to install the @doctormckay/stdlib explicitly and pin it to v2. Else npm would (seemingly at random) pick v1 sometimes. If v1 is pinned, there's other packages that don't get installed properly due to 3-level deep overrides. I've verified that the ones I've documented actually cause the entire library to break.