
[BUG] fullMetadata vs. local packages vs. cache

Open HeikoStudt opened this issue 2 years ago • 0 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Current Behavior

Using the defaults (i.e. npm install without options) and resulting in a registry lookup, pacote downloads the absolute minimum of metadata (i.e. corgi v1) from npmjs.com. This behavior can be modified via the options fullMetadata or before, with only the latter currently passed by npmcli, i.e.: pacote manifest luxon vs. pacote manifest luxon --fullMetadata

Anyway, if the package.json was found locally in the node_modules folder (type file, directory, git, ...), pacote returns the full set of metadata (but without any resolve information ("resolved", "integrity")), i.e.: pacote manifest file:node_modules/luxon

Why does this all matter? Reference: https://github.com/npm/cli/issues/5532

  a) npmcli stores the result of pacote in its package-lock.json and will not resolve the metadata again.
  b) The "license" metadata is not included in the v1 corgi.
  c) Internally, npmcli regards the "license" field as worthy of the package-lock file and does not know that it was filtered.
  d) External tooling tries to get the license field from the package-lock.json.
  e) To make matters worse, if one removes the two existing package-lock files without removing the node_modules folder with its package.json files, the resulting package-lock file will differ: it will not contain resolved/integrity information, but it will contain the license data.
  f) Even more confusing: if I try to resolve to a version at a date (utilizing --before), pacote will download the full metadata and therefore the package-lock file will include the license information as well as the resolved and integrity information.

I can imagine that pacote wants to reduce the load of npmjs.com and therefore reduces the amount to download as much as possible. Utilizing the modern package-lock within npmcli, node_modules folder and cacache, this is probably not the best default anymore.

Expected Behavior

In pacote: reduce to the minimum set of metadata also for locally found packages. Perhaps it should include the resolved/integrity information regardless. Perhaps minimize the metadata even for --before (however, this is documented).

Either in pacote or npmcli: always download the full metadata by default, so that e.g. the license field is populated within package-lock.json. I am not sure whether this behavioral change should be done in npmcli or pacote, as npmcli could simply add the fullMetadata opt. This reduces the confusion and will result in correct and fully populated package-lock files.

Steps To Reproduce

Pacote

  1. Simple package.json file (does not matter)
  2. Run npm install luxon
  3. pacote manifest luxon results in metadata without "license" for luxon
  4. pacote manifest luxon --fullMetadata results in full metadata including "license" for luxon
  5. pacote manifest file:node_modules/luxon results in full metadata including "license" for luxon, without integrity + resolved

NPM

  1. Simple package.json file (does not matter)
  2. Run npm install luxon
  3. package-lock.json contains NO "license" information, contains also integrity + resolved
  4. rm package-lock.json node_modules/.package-lock.json
  5. npm install
  6. package-lock.json contains "license" information, contains NO integrity + resolved
  7. rm -r package-lock.json node_modules/
  8. npm install --before=2050-01-01
  9. package-lock.json contains "license" information, contains also integrity + resolved

Environment

  • npm: 9.2.0
  • Node: v18.13.0
  • OS: Debian Bookworm
  • platform: x86

HeikoStudt, Aug 29 '23 08:08