[BUG] v11.6.1 fails to install optionalDependencies of inner package (even if build works)
Is there an existing issue for this?
- [x] I have searched the existing issues
This issue exists in the latest npm version
- [x] I am using the latest npm
Current Behavior
If we have two packages, for example,
package child:
{
  "name": "child-package-repro",
  "version": "1.0.3",
  "optionalDependencies": {
    "pg": "^8.16.3"
  }
}
and package parent:
{
  "name": "parent-package",
  "version": "1.0.0",
  "dependencies": {
    "child-package-repro": "1.0.3"
  }
}
When running npm install on the parent package, if it contains a package-lock.json (generated with previous versions) with the optionalDependency (which is marked as optional), it will completely remove the pg dependency. Moreover, this worked fine in v11.6.0 and before.
Expected Behavior
The optional dependency pg should be installed in parent/node_modules/child-package/node_modules/pg (or hoisted to parent/node_modules/pg).
Steps To Reproduce
With this package: https://github.com/otaviojacobi/npm-cli-repro
- Inside the parent directory run: npm install
- npm ls pg will result with:
❯ npm ls pg
parent-package@1.0.0 /home/repro/parent
└── (empty)
While if you install with any previous version of npm (11.6.0 or lower):
❯ npm ls pg
parent-package@1.0.0 /home/repro/parent
└─┬ child-package-repro@1.0.3
  └─┬ pg@8.16.3
    └─┬ pg-pool@3.10.1
      └── pg@8.16.3 deduped
My understanding is that this issue is coming from https://github.com/npm/cli/pull/8579 which is causing an optionalDependency to be removed from the final tree.
Environment
No response
Note: I published the child package as a means for easy repro of this, as local resolution wasn't reproducible.
Here is the 11.6.1 dep graph before pg is pruned:
flowchart
parent_package_1_0_0["`parent-package@1.0.0 (prod)`"]
parent_package_1_0_0-->|prod|child_package_repro_1_0_3
child_package_repro_1_0_3["`child-package-repro@1.0.3 (prod)`"]
child_package_repro_1_0_3-.->|optional|pg_8_16_3
pg_8_16_3["`pg@8.16.3 (peer, optional)`"]
pg_8_16_3-.->|peerOptional|pg_native___3_0_1
pg_8_16_3-->|prod|pg_connection_string_2_9_1
pg_8_16_3-->|prod|pg_pool_3_10_1
pg_8_16_3-->|prod|pg_protocol_1_10_3
pg_8_16_3-->|prod|pg_types_2_2_0
pg_8_16_3-->|prod|pgpass_1_0_5
pg_8_16_3-.->|optional|pg_cloudflare_1_2_7
pg_cloudflare_1_2_7["`pg-cloudflare@1.2.7 (optional)`"]
pg_connection_string_2_9_1["`pg-connection-string@2.9.1 (optional)`"]
pg_int8_1_0_1["`pg-int8@1.0.1 (optional)`"]
pg_pool_3_10_1["`pg-pool@3.10.1 (optional)`"]
pg_pool_3_10_1-->|peer|pg_8_16_3
pg_protocol_1_10_3["`pg-protocol@1.10.3 (optional)`"]
pg_types_2_2_0["`pg-types@2.2.0 (optional)`"]
pg_types_2_2_0-->|prod|pg_int8_1_0_1
pg_types_2_2_0-->|prod|postgres_array_2_0_0
pg_types_2_2_0-->|prod|postgres_bytea_1_0_0
pg_types_2_2_0-->|prod|postgres_date_1_0_7
pg_types_2_2_0-->|prod|postgres_interval_1_2_0
pgpass_1_0_5["`pgpass@1.0.5 (optional)`"]
pgpass_1_0_5-->|prod|split2_4_2_0
postgres_array_2_0_0["`postgres-array@2.0.0 (optional)`"]
postgres_bytea_1_0_0["`postgres-bytea@1.0.0 (optional)`"]
postgres_date_1_0_7["`postgres-date@1.0.7 (optional)`"]
postgres_interval_1_2_0["`postgres-interval@1.2.0 (optional)`"]
postgres_interval_1_2_0-->|prod|xtend_4_0_2
split2_4_2_0["`split2@4.2.0 (optional)`"]
xtend_4_0_2["`xtend@4.0.2 (optional)`"]
Notice pg has flags peer (incorrect) and optional (correct), causing it to be (incorrectly) pruned when installing from lockfile.
Fixed by #8645
~/Projects/npm-cli-repro/parent on master
$ node ../../npm-cli install
added 15 packages, and audited 16 packages in 2s
found 0 vulnerabilities
~/Projects/npm-cli-repro/parent on master*
$ node ../../npm-cli ls pg
parent-package@1.0.0 /Users/liam.mitchell/Projects/npm-cli-repro/parent
└─┬ child-package-repro@1.0.3
  └─┬ pg@8.16.3
    └─┬ pg-pool@3.10.1
      └── pg@8.16.3 deduped
where node ../../npm-cli is equivalent to npm with this fix.
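The flag problem described in this thread, as an added example (not npm's code and not written by anyone in the thread): it recomputes the peer and optional flags from a subset of the edges in the graph above and reports recorded flags that disagree. The flag model, the function names and the `RECORDED` sample are assumptions made for illustration.

```javascript
// Subset of the edges from the graph posted in this thread: [from, to, type].
const EDGES = [
  ["parent-package", "child-package-repro", "prod"],
  ["child-package-repro", "pg", "optional"],
  ["pg", "pg-native", "peerOptional"],
  ["pg", "pg-pool", "prod"],
  ["pg", "pg-types", "prod"],
  ["pg-pool", "pg", "peer"],
];
// Constructed sample of recorded flags, matching the labels in that graph.
const RECORDED = { pg: { peer: true, optional: true }, "pg-pool": { optional: true } };

// Assumed model, not npm's implementation: a node carries a flag only when
// every path from the root crosses at least one edge of that kind.
const FLAG_EDGES = {
  peer: new Set(["peer", "peerOptional"]),
  optional: new Set(["optional", "peerOptional"]),
};

// Breadth-first walk from root that refuses to cross edges of blocked types.
function reachableAvoiding(root, edges, blocked) {
  const seen = new Set([root]);
  const queue = [root];
  while (queue.length > 0) {
    const from = queue.shift();
    for (const [src, dst, type] of edges) {
      if (src !== from || blocked.has(type) || seen.has(dst)) continue;
      seen.add(dst);
      queue.push(dst);
    }
  }
  return seen;
}

// For each node, a flag is true when the node is unreachable without that edge kind.
function expectedFlags(root, edges) {
  const flags = {};
  for (const [flag, blocked] of Object.entries(FLAG_EDGES)) {
    const clear = reachableAvoiding(root, edges, blocked);
    for (const name of new Set(edges.flatMap(([s, d]) => [s, d]))) {
      flags[name] = flags[name] || {};
      flags[name][flag] = !clear.has(name);
    }
  }
  return flags;
}

// Report "name:flag" for every recorded flag the model disagrees with.
function flagMismatches(recorded, expected) {
  return Object.entries(recorded).flatMap(([name, rec]) =>
    Object.keys(FLAG_EDGES).filter((f) => Boolean(rec[f]) !== expected[name][f]).map((f) => `${name}:${f}`));
}
```

Calling `flagMismatches(RECORDED, expectedFlags("parent-package", EDGES))` singles out the peer flag on pg, because pg is reachable through the non-peer optional edge from child-package-repro.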
Might be related: pg-native as optional dependency does not get installed with npm v11.6.1, but it's fine with v11.6.0.
Node: v24.10.0
This got fixed for us in v11.6.4, but I see other issues
v11.6.4
$ npm ls mssql
@instana/root@ /project
├─┬ @instana/[email protected] -> ./packages/collector
│ └─┬ [email protected]
│   └── [email protected] deduped invalid: "^9.1.1 || ^10.0.1 || ^11.0.1" from packages/collector/node_modules/typeorm
└── [email protected]
v10.9.4
$ npm ls mssql
@instana/root@ /project
├─┬ @instana/[email protected] -> ./packages/collector
│ └─┬ [email protected]
│   └── [email protected]
└── [email protected]
typeorm 0.3.27 has a dependency for mssql ^v11. Suddenly with v11.6.4 the deduping is broken.
Should I open a new issue? Please assist.
Edit: Corrected NPM version to 11.6.4
I think (haven't verified with the repro above) this may have been fixed by https://github.com/npm/cli/pull/8645 (which was in [email protected]).
cc @liamcmitchell https://github.com/npm/cli/issues/8628#issuecomment-3581170541 Could you please let me know if I should raise a new issue?