[BUG] git+https protocol not respected when generating package-lock.json
Is there an existing issue for this?
- [X] I have searched the existing issues
This issue exists in the latest npm version
- [X] I am using the latest npm
Current Behavior
When generating package-lock.json, git+https dependencies are resolved to git+ssh.
Expected Behavior
When installing dependencies with the git+https protocol, the resolved versions in package-lock.json should also use the git+https protocol. More generally, the resolved versions should always use the given protocol.
Steps To Reproduce
- Use a fresh installation of NPM (default config)
- Create a project with this package.json:
{
  "name": "test-npm-git",
  "private": true,
  "version": "never",
  "dependencies": {
    "noop": "git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0"
  }
}
- Run npm install in the project
- Observe the package-lock.json. For me, it looks like this:
{
  "name": "test-npm-git",
  "version": "never",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "test-npm-git",
      "version": "never",
      "dependencies": {
        "noop": "git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0"
      }
    },
    "node_modules/noop": {
      "version": "1.0.1",
      "resolved": "git+ssh://git@github.com/coolaj86/noop.js.git#77ad7f28974dcd87eb0b91be9db9caf544356ad0",
      "integrity": "sha512-Ie26MApU6CpCVRyp1GHFSQsY+zKe3uUXqQnu6bW9dYO/Cb1cpp34nvfi69WHpMvxLeG3Bhu9YV9ItP8z5z1HCQ==",
      "license": "MIT OR CC0-1.0"
    }
  },
  "dependencies": {
    "noop": {
      "version": "git+ssh://git@github.com/coolaj86/noop.js.git#77ad7f28974dcd87eb0b91be9db9caf544356ad0",
      "integrity": "sha512-Ie26MApU6CpCVRyp1GHFSQsY+zKe3uUXqQnu6bW9dYO/Cb1cpp34nvfi69WHpMvxLeG3Bhu9YV9ItP8z5z1HCQ==",
      "from": "noop@git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0"
    }
  }
}
Environment
npm -v: 8.3.2
The code responsible for this behavior is https://github.com/npm/cli/blob/v8.3.2/workspaces/arborist/lib/consistent-resolve.js#L25-L27
: hosted ? `git+${
hosted.auth ? hosted.https(hostedOpt) : hosted.sshurl(hostedOpt)
}`
I attempted to fix the behavior, and this is what I came up with:
: hosted ? `git+${
hosted[hosted.default](hostedOpt)
}`
From my preliminary testing, this seems to fix the issue while maintaining backwards compatibility with older package-locks. I've never been in the NPM codebase before, so if I've missed something, please let me know.
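A check for the mismatch reported above, as an added example that is not part of the original issue and is not npm's code: it compares the git transport declared for each of the root project's dependencies with the transport recorded in the lockfile. The function names and the trimmed sample lockfile are constructed for illustration, and only `git+<transport>://` specs are compared.

```javascript
// Added example (not npm code): report lockfile entries whose git transport
// differs from the transport declared for that dependency.

// "git+https://host/..." or "name@git+https://host/..." -> "git+https"; null for non-git specs.
function gitTransport(spec) {
  const m = /(?:^|@)(git\+[a-z]+):\/\//.exec(String(spec || ''));
  return m ? m[1] : null;
}

function findProtocolMismatches(lock) {
  const findings = [];
  const check = (section, name, declaredSpec, resolvedUrl) => {
    const declared = gitTransport(declaredSpec);
    const resolved = gitTransport(resolvedUrl);
    if (declared && resolved && declared !== resolved) {
      findings.push({ section, name, declared, resolved });
    }
  };
  // lockfileVersion 2/3: the root entry holds the declared specs,
  // "node_modules/<name>" holds the resolved URL.
  const packages = lock.packages || {};
  const root = packages[''] || {};
  const specs = { ...root.optionalDependencies, ...root.devDependencies, ...root.dependencies };
  for (const [name, spec] of Object.entries(specs)) {
    const entry = packages[`node_modules/${name}`] || {};
    check('packages', name, spec, entry.resolved);
  }
  // Legacy section (lockfileVersion 1/2): "from" is the declared spec, "version" the resolved URL.
  for (const [name, dep] of Object.entries(lock.dependencies || {})) {
    check('dependencies', name, dep.from, dep.version);
  }
  return findings;
}

// Constructed sample: the lockfile from the report, trimmed to the relevant fields.
const SPEC = 'git+https://github.com/coolaj86/noop.js#77ad7f28974dcd87eb0b91be9db9caf544356ad0';
const RESOLVED = 'git+ssh://git@github.com/coolaj86/noop.js.git#77ad7f28974dcd87eb0b91be9db9caf544356ad0';
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { noop: SPEC } },
    'node_modules/noop': { version: '1.0.1', resolved: RESOLVED },
  },
  dependencies: { noop: { version: RESOLVED, from: `noop@${SPEC}` } },
};

for (const f of findProtocolMismatches(SAMPLE_LOCK)) {
  console.log(`${f.section}: ${f.name} declared ${f.declared}, locked as ${f.resolved}`);
}
```

To use it on a real project, pass the parsed contents of package-lock.json to `findProtocolMismatches` and fail the build when the returned list is not empty.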
Seems to be the same as #2610
For anyone stuck with a broken pipeline, adding this step before npm install can act as a fix:
git config --global url."https://".insteadOf ssh://
The code responsible for this behavior is https://github.com/npm/cli/blob/v8.3.2/workspaces/arborist/lib/consistent-resolve.js#L25-L27
: hosted ? `git+${ hosted.auth ? hosted.https(hostedOpt) : hosted.sshurl(hostedOpt) }`
I attempted to fix the behavior, and this is what I came up with:
: hosted ? `git+${ hosted[hosted.default](hostedOpt) }`
PR to fix this created, the actual check is (hosted.auth || hosted.default === "https") (plus the same fix in pacote repo): #8703
If you want to try it by yourself, feel free to test the npm from branch according to the instructions.