[BUG] Installing an aliased package with an empty name will install the 'undefined' package

Open okx-code opened this issue 1 year ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

Installing an aliased package with no name will actually install the package 'undefined'

Expected Behavior

Installing an aliased package with no name should fail.

Steps To Reproduce

  1. Create a project with npm init
  2. Run npm install a@npm:

npm warn deprecated undefined@0.1.0: this package has been deprecated

added 1 package, and audited 2 packages in 763ms

found 0 vulnerabilities

  3. Look at package-lock.json, and see that it evaluated to 'undefined':
{
  "name": "bug",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "bug",
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "a": "npm:undefined@^0.1.0"
      }
    },
    "node_modules/a": {
      "name": "undefined",
      "version": "0.1.0",
      "resolved": "https://registry.npmjs.org/undefined/-/undefined-0.1.0.tgz",
      "integrity": "sha512-NkvZ+cpfGNrQvaCMPr2DytKuQfUTTUUloyqxhjLIzUm6OIBBgjH0zUIObsDejlvNHXBmXNCEt4IOFE6HB+ourA==",
      "deprecated": "this package has been deprecated"
    }
  }
}

I think the issue is in the npa function of npm-package-arg. I will submit a PR to fix this, but wanted to file an issue first.

Environment

  • npm: 10.8.1

okx-code, Jun 12 '24 00:06

Presumably it should fail to install, since the name field is required?

ljharb, Jun 12 '24 00:06

Yes, it should fail.

okx-code, Jun 12 '24 00:06
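
Added example (not part of the issue thread and not npm's or npm-package-arg's code): a JavaScript audit of a parsed package-lock.json that flags the symptom reported above, an npm: alias whose target is empty or the literal name "undefined", and an installed entry whose real name is "undefined" under a different folder. The names aliasTarget, auditLockfile and sampleLock are hypothetical; the sample lockfile is constructed from the one in the issue with one legitimate alias added for contrast.

```javascript
// Added example: audit a parsed package-lock.json (lockfileVersion 3) for
// aliases that resolved to the registry package literally named "undefined".
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];

// Return the target package name of an "npm:<name>@<range>" alias spec,
// or null when the spec is not an alias.
function aliasTarget(spec) {
  if (typeof spec !== 'string' || !spec.startsWith('npm:')) return null;
  const rest = spec.slice(4);
  const at = rest.lastIndexOf('@'); // index 0 is a scope marker, not a range separator
  return at > 0 ? rest.slice(0, at) : rest;
}

function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // 1. Dependency specs whose alias target is empty or the string "undefined".
    for (const field of DEP_FIELDS) {
      for (const [alias, spec] of Object.entries(entry[field] || {})) {
        const target = aliasTarget(spec);
        if (target === '' || target === 'undefined') {
          findings.push({ kind: 'spec', where: path || '(root)', alias, spec });
        }
      }
    }
    // 2. Installed entries whose real name is "undefined" under another folder name.
    const folder = path.split('node_modules/').pop();
    if (path && entry.name === 'undefined' && folder !== 'undefined') {
      findings.push({ kind: 'installed', where: path, alias: folder, spec: entry.resolved });
    }
  }
  return findings;
}

// Constructed sample, trimmed from the lockfile in the issue, plus one legitimate alias.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'bug', dependencies: { a: 'npm:undefined@^0.1.0', lo: 'npm:lodash@^4.17.21' } },
    'node_modules/a': { name: 'undefined', version: '0.1.0',
      resolved: 'https://registry.npmjs.org/undefined/-/undefined-0.1.0.tgz' },
    'node_modules/lo': { name: 'lodash', version: '4.17.21' },
  },
};

console.log(auditLockfile(sampleLock));
```

A package installed deliberately under its own name (node_modules/undefined, with a non-alias spec) is not flagged; only aliased installs are.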