cli icon indicating copy to clipboard operation
cli copied to clipboard

Published 20 hours ago verified publisher icon npm

[BUG] Deep dependency in workspace missing

Open kumavis opened this issue 3 years ago • 11 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

  • mono repo with multiple workspaces
  • one workspace includes [email protected]
  • after non-failing npm install, missing at least one deep normal dependency (dep path is all non-dev non-bundled dep)
  • dep path: workspace(browserify) > [email protected] > [email protected] > (missing) is-generator-function@^1.0.7

package-lock.json includes 2 references, showing that it recognizes its a dependency

   ...
    "packages/browserify/node_modules/util": {
      "version": "0.12.4",
      ...
      "dependencies": {
        ...
        "is-generator-function": "^1.0.7",
        ...
      }
    },

        "util": {
          "version": "0.12.4",
          "dev": true,
          "requires": {
            ...
            "is-generator-function": "^1.0.7",
            ...
          }
        }

but does not include any entry for is-generator-function

Expected Behavior

it should install the full tree of non-dev deep deps

Steps To Reproduce

  1. this repo and branch https://github.com/lavamoat/lavamoat/tree/npm-hell
➜ node -v
v14.17.6
➜ npm -v
8.5.2
  1. npm install from root
  2. npm ls util confirm parent deep dep is installed (as expected)
➜ npm ls util      
lavamoat@ /home/user/Development/LavaMoat
├─┬ [email protected] -> ./packages/browserify
│ └─┬ [email protected]
│   ├─┬ [email protected]
│   │ └── [email protected]
│   └── [email protected]
├─┬ [email protected] -> ./packages/perf
│ └─┬ [email protected]
│   └── [email protected]
└─┬ [email protected] -> ./packages/viz
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]
  1. npm ls is-generator-function confirm deep dep is NOT installed (bug!)
➜ npm ls is-generator-function
lavamoat@ /home/user/Development/LavaMoat
└── (empty)

Environment

  • npm: 8.5.2
  • Node.js: 14.17.6
  • OS Name: pop-os
  • System Model Name: system76
  • npm config:
 "user" config from /home/user/.npmrc

//registry.npmjs.org/:_authToken = (protected) 

; "project" config from /home/user/Development/LavaMoat/.npmrc

ignore-scripts = true 

; node bin location = /home/user/.nvm/versions/node/v14.17.6/bin/node
; cwd = /home/user/Development/LavaMoat
; HOME = /home/user
; Run `npm config ls -l` to show all defaults.

kumavis avatar Feb 25 '22 10:02 kumavis

( pardon the branch name :skull: )

kumavis avatar Feb 25 '22 10:02 kumavis

whoa, this is an interesting one. you're absolutely right, we're totally failing to install that dependency despite it being a requirement of [email protected]. even worse, npm ls doesn't even identify that there's a missing dependency.

( pardon the branch name 💀 )

i find it to be accurate lol

nlf avatar Mar 07 '22 20:03 nlf

I am running into the same problem (If i'm understanding the OP correctly).

package-a
   +- @aws-sdk/client-sts^3.67.0
       +- [email protected]
package-b
  +- fast-xml-parser^4.0.7
    +- strnum^1.0.5
  • package-a requires @aws-sdk/client-sts^3.67.0 which in turn requires [email protected] which has no strnum dependency
  • package-b requires fast-xml-parser^4.07 which in turn requires strnum^1.0.5

Ultimately after running npm i or npm ci (with workspaces enabled) I get the following folder structure:

root/
|
+- node_modules/
  +- @aws-sdk/
    +- client-sts/
  +- [email protected]
|
+- package-a/
  +- package.json
+- package-b/
  +- package.json
  +- node_modules/
    +- [email protected]
|
+- package.json
+- package-lock.json

Note that the strnum dependency is not installed in the root node_modules nor in the nested-workspace node_modules directory for package-b. It does appear that the root package-lock.json file is updated correctly; it's just that the module is never installed:

// root/package-lock.json
// ...
    "packages/package-b/node_modules/fast-xml-parser": {
      "version": "4.0.7",
      "license": "MIT",
      "dependencies": {
        "strnum": "^1.0.5"
      },
      "bin": {
        "fxparser": "src/cli/cli.js"
      },
      "funding": {
        "type": "paypal",
        "url": "https://paypal.me/naturalintelligence"
      }
    },
// ...

Environment

npm: 8.7.0 Node.js: 16.14.2 OS Name: macOS 12.2.1

bcdxn avatar Apr 21 '22 18:04 bcdxn

I'm struggling with the same now, has this issue gone totally cold?

aasen avatar Dec 09 '22 16:12 aasen

Had the same problem recently. Delete package-lock.js + delete node_modules + npm install helped me

angfal avatar Jan 03 '23 11:01 angfal

I have the same issue. Node v19.6.0 - NPM 9.4.1 - MacOS 13.2.1 (22D68)

edolix avatar Mar 22 '23 11:03 edolix

Same issue here: Now using node v20.3.0 (npm v9.6.7)

char0n avatar Jul 26 '23 13:07 char0n

Issue is still present

chlorophant avatar Feb 14 '24 01:02 chlorophant

This is a dealbreaker for me. NPM is not usable in my project as it just does not install some of the dependencies no matter what I do. Yarn works fine in this situation, so I am switching to Yarn.

podlomar avatar Apr 25 '24 12:04 podlomar

I had this issue with node v20 and npm 10 I fixed it after upgrade to node v22 + removed node_modules (all of them, including the ones in workspaces) + remove lock file + re-run npm install.

mondaychen avatar Aug 06 '24 15:08 mondaychen

Glad to hear that. Is there some issue or report from NPM stating that this has been resolved? I would much like to switich back to NPM from Yarn, but I need to be sure this is working. We had so many problems with workspaces that my teammates are gonna kill me if it stops working again.

podlomar avatar Aug 06 '24 15:08 podlomar