quaertym / ember-cli-dependency-checker

Ember CLI addon for checking missing node and bower dependencies before running ember commands
MIT License

Broken with npm5 generated shrinkwraps #76

kanongil closed 7 years ago

kanongil commented 7 years ago

When I run any ember command I get a long list of missing packages:

    Missing npm-shrinkwrap packages:
    Package: extend
    Required by: mtv-cast-receiver / fsevents
      * Specified: https://registry.npmjs.org/extend/-/extend-3.0.0.tgz
      * Installed: 3.0.0
    …

Apparently, a bunch of the packages use the package download URL as the version in npm-shrinkwrap.json, e.g.:

        "extend": {
          "version": "https://registry.npmjs.org/extend/-/extend-3.0.0.tgz",
          "integrity": "sha1-WkdDU7nzNT3dgXbf03uRyDpG8dQ=",
          "dev": true,
          "optional": true
        },

As far as I can tell, it is allowed within the design of package locks, and needs to be handled here.

I suspect the solution would be to also do a check against the "_resolved" field in the installed package.json?

rwjblue commented 7 years ago

I definitely agree that they are allowed (based on the official format docs), but in my local package-lock.json / npm-shrinkwrap.json tests all of the version fields are semver compatible version numbers. Like:

    "resolve": {
      "version": "1.3.3",
      "resolved": "https://registry.npmjs.org/resolve/-/resolve-1.3.3.tgz",
      "integrity": "sha1-ZVkHw0aahoDcLeOidaj91paR8OU=",
      "dev": true
    }

I'm curious why version has these URLs in your case...

kanongil commented 7 years ago

I'm not sure about the exact trigger. I don't seem to be able to replicate it again.

However, others seem to be able to: https://github.com/npm/npm/issues/17187 & https://github.com/npm/npm/issues/16926.
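
The comparison discussed in this thread, as an added example that is not part of the original issue or the addon's own code: it accepts a lock entry whose version field is a registry tarball URL, and prefers an exact match on the installed package's _resolved field when that field is present. The function names, the installed package objects and the mirror.example URL are constructed for illustration.

```javascript
// Added example, not code from ember-cli-dependency-checker.
// Function names and the sample `installed` objects are constructed.

// Returns the version embedded in ".../<name>-<version>.tgz", or null when
// `spec` is not an http(s) tarball URL (for example a plain "3.0.0").
function versionFromTarballUrl(name, spec) {
  let url;
  try {
    url = new URL(spec);
  } catch (err) {
    return null;
  }
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  const file = url.pathname.split('/').pop();
  const prefix = name.split('/').pop() + '-'; // "@scope/pkg" -> "pkg-"
  if (!file.startsWith(prefix) || !file.endsWith('.tgz')) return null;
  return file.slice(prefix.length, -4);
}

// Compares one lock entry against the installed package.json contents.
function checkLockEntry(name, lockEntry, installed) {
  const spec = lockEntry.version;
  const fromUrl = versionFromTarballUrl(name, spec);
  if (fromUrl === null) {
    // Ordinary case: the lock file holds a plain version number.
    return { ok: spec === installed.version, matchedOn: 'version' };
  }
  if (typeof installed._resolved === 'string') {
    // The same version fetched from a different source is still a mismatch.
    return { ok: installed._resolved === spec, matchedOn: '_resolved' };
  }
  // No _resolved recorded: fall back to the version in the tarball name.
  return { ok: fromUrl === installed.version, matchedOn: 'tarball-name' };
}

// Lock entry quoted in the report above.
const extendEntry = {
  version: 'https://registry.npmjs.org/extend/-/extend-3.0.0.tgz',
  integrity: 'sha1-WkdDU7nzNT3dgXbf03uRyDpG8dQ=',
};

console.log(checkLockEntry('extend', extendEntry, { version: '3.0.0' }));
console.log(checkLockEntry('extend', extendEntry, {
  version: '3.0.0',
  _resolved: 'https://mirror.example/extend/-/extend-3.0.0.tgz', // constructed
}));
```

This only compares identifiers. It does not hash the installed files against the integrity value, so it detects a missing or differently sourced package, not modified contents.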