cli icon indicating copy to clipboard operation
cli copied to clipboard
verified publisher icon npm

[BUG] running `npm update` erases the `name` field from `package-lock.json`

Open romainmenke opened this issue 3 years ago • 1 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

running npm update erases the name field from package-lock.json for workspaces.

When the name field is missing other cli commands like npm audit get confused.

Expected Behavior

running npm update does not have unexpected side effects in projects that use workspaces

Steps To Reproduce

I've created a reproduction here: https://github.com/romainmenke/npm-update-bug-1

run npm update and then git diff on branch main to see the effects on package-lock.json

I've also create a pull request with this same diff : https://github.com/romainmenke/npm-update-bug-1/pull/1

Environment

  • npm: 8.18.0
  • Node.js: v18.8.0

romainmenke avatar Sep 05 '22 13:09 romainmenke

seems related :

  • https://github.com/npm/cli/issues/4608
  • https://github.com/npm/cli/issues/4521

romainmenke avatar Sep 05 '22 15:09 romainmenke

Experiencing similar problems with v9.1.1. It is not just update that has a problem. Observations in a new project:

  1. npm init a new project
  2. npm init -w foo/bar creates an entry in package-lock.json with name. Specify a package name of @foo/bar.
  3. npm init -w foo/bar2 creates an entry in package-lock.json without name. Specify a package name of @foo/bar2.
  4. npm init -w foo/bar3 creates an entry in package-lock.json without name but adds name to the foo/bar2 entry. Specify a package name of @foo/bar3.
  5. Running npm ls after creating bar2 and bar3 gets an error on foo/bar3.

Oddly, the bar2/3 entries also get devDependencies attributes.

Repair:

  1. Delete package-lock.json
  2. Run npm install --workspaces
  3. npm ls runs successfully. The names are present in the package-lock.json file

Regression:

  1. Run npm update - name is dropped from all workspace nodes in the package-lock.json file
  2. npm ls fails with an error on every workspace

Edge.js was setting outer edges invalid due to missing name. Have not tracked back to why name is not set in the first place.

Edited to indicate package names should be specified when creating the new workspaces.

webstech avatar Nov 19 '22 06:11 webstech