statusboard icon indicating copy to clipboard operation
statusboard copied to clipboard
verified publisher icon npm

[BUG] npx needs to stop mixing local, global, and npx contexts

Open wraithgar opened this issue 11 months ago • 3 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

Current Behavior

Consider a project that has a local package a. If I run

$ npx -p a -p b --cmd c

It will see that a is installed locally, but not b, and then create an npx cache context for BOTH packages, and install b into that npx cache context.

If I later run that same command in an empty directory, npx will install a into that same npx cache context.

If I go back to my original project and run the command a third time, it will run the command but now we will have a installed in two contexts, and it's unclear which one will end up being seen by the command.

Expected Behavior

npx needs to isolate contexts. If I ask for multiple --package values, they either all need to be available locally, or they all need to be installed from and ran from the npx cache context.

The documentation for npx mentions that packages specified via --package "will be available via $PATH" but I don't think that's sufficient here. It's about more than the $PATH it's about potential peer dependencies that aren't necessarily defined in either package's manifest. It's about being clear about what happens with no surprises.

There is also no way for folks using npx to specify whether they want the local, global, or npx cache context. It would be useful to be able to say something to the effect of npx semver --not-local. Which would always ignore any local copy of a package if it exists.

The isolation of contexts itself is a breaking change, so this issue is being filed for consideration for a future semver major npm release.

wraithgar avatar Jan 28 '25 20:01 wraithgar

they either all need to be available locally, or they all need to be installed from and ran from the npx cache context.

why? it's a very valuable feature imo to be able to use a local package and also install one.

ljharb avatar Jan 28 '25 21:01 ljharb

If your local package needs another package it should be its manifest. Crossing contexts invites bugs and confusion, as outlined in the issue description.

wraithgar avatar Jan 28 '25 21:01 wraithgar

It's not that the local one needs another one - it's that the thing I'm doing with npx - which by design isn't something in the package.json, it's a one-off - needs both packages. npx can also just run arbitrary shell commands, for example.

ljharb avatar Jan 28 '25 21:01 ljharb