[BUG] Wrong lock file modification for optional dependency

Open kirrg001 opened this issue 1 year ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

Lock file is incorrect after updating optional dependency.

Steps to reproduce:

package.json

{
  "name": "prisma-opt",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "optionalDependencies": {
    "prisma": "^5.13.0"
  },
  "author": "",
  "license": "ISC"
}

package-lock.json

{
  "name": "prisma-opt",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "prisma-opt",
      "version": "1.0.0",
      "license": "ISC",
      "optionalDependencies": {
        "prisma": "^5.13.0"
      }
    },

I want to update prisma to 5.14.0 running:

npm i prisma@^5.14.0 --save-optional

(I also tried npm i prisma@^5.14.0 and npm i prisma@latest, same behaviour)

package.json (correct)

  "optionalDependencies": {
    "prisma": "^5.14.0"
  }

package-lock.json (wrong)

{
  "name": "prisma-opt",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "prisma-opt",
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "prisma": "5.14.0"
      },
      "optionalDependencies": {
        "prisma": "^5.14.0"
      }
    },

"dependencies": { "prisma": "5.14.0" },

Running npm install again (correct)

{
  "name": "prisma-opt",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "prisma-opt",
      "version": "1.0.0",
      "license": "ISC",
      "optionalDependencies": {
        "prisma": "^5.14.0"
      }
    },

Expected Behavior

I do not expect that this change appears in the lock file:

"dependencies": { "prisma": "5.14.0" },

Or I do not expect that after npm install the change gets removed.

Steps To Reproduce

See "Current Behavior"

Please note: The steps to reproduce I have shared are a minimal application. This bug appears in my large application, which has lots of dev dependencies and optional dependencies, but we do not have production dependencies.

Environment

  • npm: 10.7.0
  • Node.js: Latest v18 (Also tested latest v22)
  • OS Name: OSX
  • System Model Name:
  • npm config:
; copy and paste output from `npm config ls` here

kirrg001 · May 15 '24 10:05
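
A check for the drift reported above, as an added example that is not part of the original issue and is not npm's own code: it compares the root entry (packages[""]) of a lockfileVersion 3 lock file with package.json and reports entries the manifest does not declare. It assumes the root entry should mirror the manifest's dependency sections, as in the lock file the reporter marks correct; findRootDrift and the sample objects are constructed for illustration.

```javascript
// Added example, not npm's code. Sample objects are constructed from the issue text.
const SECTIONS = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
// Own-property test, so a package named "constructor" is not found on the prototype.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Compare the lock file's root entry with package.json, section by section.
function findRootDrift(manifest, lock) {
  const root = (lock.packages || {})[""];
  if (!root) throw new Error('lock file has no packages[""] root entry');
  const findings = [];
  for (const section of SECTIONS) {
    const declared = manifest[section] || {};
    const locked = root[section] || {};
    for (const [name, spec] of Object.entries(locked)) {
      if (!has(declared, name)) {
        // In the lock root but not declared in that section: the symptom in this issue.
        const alsoIn = SECTIONS.filter((s) => s !== section && has(root[s] || {}, name));
        findings.push({ name, section, spec, problem: "not-in-manifest", alsoIn });
      } else if (declared[name] !== spec) {
        findings.push({ name, section, spec, problem: "spec-mismatch", alsoIn: [] });
      }
    }
    for (const name of Object.keys(declared)) {
      if (!has(locked, name)) {
        findings.push({ name, section, spec: null, problem: "missing-from-lock", alsoIn: [] });
      }
    }
  }
  return findings;
}

// Constructed samples: package.json after the update, and the two lock-file roots shown above.
const manifest = { name: "prisma-opt", version: "1.0.0", optionalDependencies: { prisma: "^5.14.0" } };
const lockAfterSaveOptional = { lockfileVersion: 3, packages: { "": {
  name: "prisma-opt", version: "1.0.0",
  dependencies: { prisma: "5.14.0" },
  optionalDependencies: { prisma: "^5.14.0" } } } };
const lockAfterPlainInstall = { lockfileVersion: 3, packages: { "": {
  name: "prisma-opt", version: "1.0.0",
  optionalDependencies: { prisma: "^5.14.0" } } } };

for (const [label, lock] of [["after --save-optional", lockAfterSaveOptional],
                             ["after plain npm install", lockAfterPlainInstall]]) {
  const findings = findRootDrift(manifest, lock);
  console.log(label, findings.length ? findings : "root entry matches package.json");
}
```

To run it against a real project, pass the parsed contents of package.json and package-lock.json to findRootDrift and fail the CI job when the returned array is not empty.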

Hello,

I spent some time looking into this issue, and it seems like this is intended behavior for when you install a package. According to a comment, optional dependencies are added to production dependencies to support "previous npm versions that require this behaviour."

I'll still open a PR to see how the project maintainers/engineers feel about changing this since it can come off as confusing to the user.

rahulio96 · Aug 07 '24 23:08

yes ty

xan187 · Aug 15 '24 08:08