
[BUG] npm-shrinkwraps not respected for global installs of local packages?

Open edvincent opened this issue 3 years ago • 3 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

When globally installing a package that contains an npm-shrinkwrap.json file, it's not respected. It's actually always installing the latest version, just as if the shrinkwrap file weren't there.

This kind of defeats the purpose it serves - as per https://docs.npmjs.com/cli/v8/configuring-npm/npm-shrinkwrap-json: "The recommended use-case for npm-shrinkwrap.json is applications deployed through the publishing process on the registry: for example, daemons and command-line tools intended as global installs."

I was actually looking into moving to use that shrinkwrap file exactly for that in https://github.com/coder/code-server/pull/5071 - vending it installed as a global install with deterministic dependencies - because we had issues with latest releases not being compatible. But realized it doesn't actually work at all...

Expected Behavior

As per https://docs.npmjs.com/cli/v8/configuring-npm/npm-shrinkwrap-json, I would expect a global install to use the versions from the shrinkwrap file - even when doing a global install...

When doing a non-global install, it works as expected.

Steps To Reproduce

mkdir test
cd test/
npm init # Saying ok to all defaults
npm install [email protected]
npm shrinkwrap
npm pack
npm install -g test-1.0.0.tgz # Attached this tgz to the issue here too

Resulting tgz: test-1.0.0.tgz

One would expect [email protected] in the dependencies.

But [email protected] (at the moment of this writing, the latest version) gets installed:

ubuntu@ip-172-26-4-193:~/test$ npm list -g --depth=10
[...]
└─┬ [email protected]
  └── [email protected]

More confirmations:

  • /home/ubuntu/.nvm/versions/node/v16.17.0/lib/node_modules/test/npm-shrinkwrap.json shows [email protected] as expected
  • /home/ubuntu/.nvm/versions/node/v16.17.0/lib/node_modules/test/node_modules/lru-cache/package.json shows "version": "7.14.0"

Environment

  • npm: 8.18.0 (issue as well with 8.15.0)
  • Node.js: v16.17.0
  • OS Name: Ubuntu 20.02
  • System Model Name: AWS Lightsail instances
  • npm config:
; "user" config from /home/ubuntu/.npmrc

python = "python3"

; node bin location = /home/ubuntu/.nvm/versions/node/v16.17.0/bin/node
; node version = v16.17.0
; npm local prefix = /home/ubuntu
; npm version = 8.18.0
; cwd = /home/ubuntu
; HOME = /home/ubuntu
; Run `npm config ls -l` to show all defaults.

edvincent avatar Aug 18 '22 20:08 edvincent

Didn't find an issue for this, the only discussion around shrinkwrap problems seems to be in https://github.com/npm/cli/issues/4323

Which I actually used as another package to confirm that the shrinkwrap file wasn't doing anything (later versions than the ones listed in the shrinkwrap file are downloaded)...

edvincent avatar Aug 18 '22 20:08 edvincent

Need a bit more research, but a quick update: this bug seems to only apply to installs done locally. When installing from a remote NPM package, the shrinkwrap file seems to be respected... Which is weird, because when I installed firebase-tools (from the comment above) it did seem to apply...

edvincent avatar Aug 22 '22 21:08 edvincent

Really weird. I was expecting that consumers of my CLI would have the exact same dependencies I tested my release with, when including a node-shrinkwrap.json

AllanOricil avatar Sep 16 '25 13:09 AllanOricil