sharedstreets / sharedstreets-js

SharedStreets (Node.js & Javascript)
https://sharedstreets.io
MIT License

sharedstreets package is installing its own version of npm as a dependency #49

Closed louh closed 5 years ago

louh commented 5 years ago

I've had a really strange bug in my environment that I've tracked down to the sharedstreets package somehow, but I can't explain it, so I'm hoping I might get some insight if I post it here.

For some reason, installing sharedstreets as a dependency in my app causes an older version of npm to be installed in node_modules. This creates conflicts with my system's global npm, and adds a bunch of additional modules.

I can duplicate this even on a fresh directory:

mkdir test && cd test
npm init
npm install sharedstreets
# then open package-lock.json
    "sharedstreets": {
      "version": "0.9.3",
      "resolved": "https://registry.npmjs.org/sharedstreets/-/sharedstreets-0.9.3.tgz",
      "integrity": "sha512-sh04w2Xy/odF8fLqi4hQOU2bh6hlJDruBh8rUrDdxiE7Rey4hXMh4JI5KKq4cLO7ozEbzwEVyOyETvLlud54Gw==",
      "requires": {
        "@turf/along": "^6.0.1",
        "@turf/bearing": "^6.0.1",
        "@turf/helpers": "^6.0.1",
        "@turf/invariant": "^6.0.1",
        "@turf/length": "^6.0.1",
        "bignumber.js": "6.x",
        "npm": "^5.8.0",
        "sharedstreets-types": "^1.3.1"
      }
    }

Notice that npm@5.8.0 is in the "requires" field.

What's very strange, of course, is that npm is not listed as a dependency in your package.json. Or in yarn.lock (although I'm not using yarn). So where is it coming from? Somewhere else that I'm missing?

My environment is a MacOSX 10.14.1, Node v12.2.0, npm v6.9.0.

morganherlocker commented 5 years ago

Hey @louh, thank you for flagging. I do not believe npm is entering the package-lock any longer (I scanned the package-lock.json on master). A big feature branch was merged yesterday and one of the changes moved the project from yarn to npm. I suspect the issue you found could have been caused by some gnarly interaction between yarn and npm, but I am not sure. Closing, but feel free to reopen if you still see an issue.

louh commented 5 years ago

Hey @morganherlocker, thanks for the update.

I took a closer look at the package entry on npm (https://www.npmjs.com/package/sharedstreets), which specifies the latest version as 0.9.3, whereas your current package.json is 0.12.0. So, looking back at commit history, I see that npm was previously added and removed as a dependency (reference commit 868d6664ac4e14c3b432d3cda3f4a5b43a8d5d52). However, I don't believe any of the more recent versions had been published to npm.