[BUG] npm removes invalid references instead of failing with an error starting in `9.6.6`

Open yeikel opened this issue 10 months ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

Starting with npm 9.6.6, if we run `npm install [email protected] --package-lock-only` with a package.json containing invalid references, it succeeds and removes the invalid references instead of failing with a validation error like previous versions.

`npm install` fails as expected.

I went over the release notes of 9.6.6 and I could not find any mention of this change in behavior. Was this intentional?

Expected Behavior

In 9.6.5 the same command fails with the error `npm ERR! must provide string spec`.

Steps To Reproduce

Reproducer: https://github.com/yeikel/npm-invalid-dependency-removed

Logs: https://github.com/yeikel/npm-invalid-dependency-removed/actions/runs/5994585281/job/16256409062

  1. git clone https://github.com/yeikel/npm-invalid-dependency-removed.git
  2. nvm install 18
  3. nvm use 18
  4. npm --version -> 9.6.7
  5. Run npm install [email protected] --package-lock-only

Expected: npm should fail with the following error: `npm ERR! must provide string spec`

Actual:

  • npm succeeds
  • npm removes the invalid dependencies from the package.json:

diff --git a/package.json b/package.json
index fc17427..22a8ea8 100644
--- a/package.json
+++ b/package.json
@@ -1,4 +1,3 @@
-
 {
   "name": "name",
   "version": "1.0.0",
@@ -15,12 +14,6 @@
   },
   "homepage": "https://github.com/waltfy/PROTO_TEST#readme",
   "dependencies": {
-    "fetch-factory": "^0.0.1"
-  },
-  "devDependencies": {
-    "etag": "^1.0.0",
-    "cordova-plugin-geolocation": {
-      "GEOLOCATION_USAGE_DESCRIPTION": "To locate you"
-    }
+    "fetch-factory": "^0.0.2"
   }
 }
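
Review bot: The removed `devDependencies` block in the second hunk contains `"etag": "^1.0.0"`, a valid string spec, next to the object-valued `cordova-plugin-geolocation` entry, so the rewrite discards a valid dev dependency along with the invalid one. The `dependencies` line also moves from `^0.0.1` to `^0.0.2` in the same write, so the removal arrives mixed in with an expected version bump. When a spec is not a string, the command should leave package.json unchanged and exit with an error, which is the 9.6.5 behavior the report describes.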

Environment

  • npm: Any after 9.6.5
  • Node.js: 18

yeikel, Aug 28 '23 01:08
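
A pre-flight check for the behavior reported above, as an added example that is not part of the original issue or npm's code: `findInvalidSpecs` flags non-string dependency specs before npm runs, and `droppedEntries` lists entries that disappeared from the manifest afterwards. The function names and the `BEFORE`/`AFTER` objects are assumptions, constructed from the diff in the report.

```javascript
// Added example (not npm's code): guard against silent manifest rewrites.
const SECTIONS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

const kind = (v) => (v === null ? 'null' : Array.isArray(v) ? 'array' : typeof v);
const isMap = (v) => kind(v) === 'object';
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Every dependency entry whose spec is not a string, e.g. an object pasted
// from another tool's config. Run this BEFORE npm touches the manifest.
function findInvalidSpecs(manifest) {
  const problems = [];
  for (const section of SECTIONS) {
    const deps = manifest[section];
    if (deps === undefined) continue;
    if (!isMap(deps)) {
      problems.push(`${section}: expected an object, got ${kind(deps)}`);
      continue;
    }
    for (const [name, spec] of Object.entries(deps)) {
      if (typeof spec !== 'string') {
        problems.push(`${section}.${name}: spec is ${kind(spec)}, expected string`);
      }
    }
  }
  return problems;
}

// Entries present before an npm command and missing afterwards.
function droppedEntries(before, after) {
  const dropped = [];
  for (const section of SECTIONS) {
    const prev = isMap(before[section]) ? before[section] : {};
    const next = isMap(after[section]) ? after[section] : {};
    for (const name of Object.keys(prev)) {
      if (!has(next, name)) dropped.push(`${section}.${name}`);
    }
  }
  return dropped;
}

// Constructed from the diff in the report: manifest before and after the command.
const BEFORE = {
  dependencies: { 'fetch-factory': '^0.0.1' },
  devDependencies: {
    etag: '^1.0.0',
    'cordova-plugin-geolocation': { GEOLOCATION_USAGE_DESCRIPTION: 'To locate you' },
  },
};
const AFTER = { dependencies: { 'fetch-factory': '^0.0.2' } };

console.log(findInvalidSpecs(BEFORE));
console.log(droppedEntries(BEFORE, AFTER));
```

In CI, parse the real package.json, fail the job when `findInvalidSpecs` returns anything, and compare the file before and after lockfile-only commands with `droppedEntries`.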

This would technically be a breaking change for the end user and therefore not in line with the semantic versioning spec.

THETCR, Aug 31 '23 16:08

@wraithgar Do you have any insights about this one? From the release diff, it seems that you are the main contributor of this release.

yeikel, Mar 16 '24 04:03