[BUG] Package dependencies won't be installed if the package is installed via git URL

[lucendio]

What / Why

When installing a package by referring to a git URL (e.g. git+https://github.com/hakimel/reveal.js.git#semver:^4.0.2) its dependencies won't be installed. It appears that this applies to various cases:

• if the package dependencies are defined as devDependencies
• npm behaves differently depending on where the URL is defined (CLI parameter vs package.json)
• whether the URL ends with a #$COMMIT_HASH or #semver:$VERSION

For more details, please see the section Steps to Reproduce

When

• n/a

Where

• npm install

How

Current Behavior

• please see below

Steps to Reproduce

(1) devDependencies vs. dependencies

# does not install dependencies, only places repository content under `./node_modules/reveal.js` as is
npm install 'git+https://github.com/hakimel/reveal.js.git#semver:^4.0.2'

# does install dependencies (see [diff](https://github.com/hakimel/reveal.js/compare/4.0.2...lucendio:4.0.3))
npm install 'git+https://github.com/lucendio/reveal.js.git#semver:^4.0.3'

(2) CLI vs package.json

{
    "dependencies": {
        "reveal.js": "git+https://github.com/lucendio/reveal.js.git#semver:^4.0.3"
    }
}

# does not install dependencies
npm install

# does install dependencies
npm install 'git+https://github.com/lucendio/reveal.js.git#semver:^4.0.3'

(3) $GIT_URL#semver:$VERSION vs $GIT_URL#$COMMIT_HASH in package.son

{
    "dependencies": {
        "reveal.js": "git+https://github.com/lucendiio/reveal.js.git#semver:^4.0.3"
    }
}

# does not install dependencies and does not even place repository content under `./node_modules/reveal.js`
npm install

{
    "dependencies": {
        "reveal.js": "git+https://github.com/lucendiio/reveal.js.git#93b22ec67753506f55bc7cb8fed6a62d07c89141"
    }
}

# does install dependencies
npm install

Remarks

• $GIT_URL#semver:$VERSION in package.json has worked until npm@v6.8.0
• git URL + devDependencies in package.json never seem to have worked (tested v5.0.0 and multiple v6.x.0)
• reveal.js solely functions as an example and seems to have nothing to do with the behaviour described above
• the existence of a ^ does not change anything in the behaviour described above
• used node@v12.18.2 and npm@6.14.6

Expected Behavior

• dependencies - regardless of where defined: *dependencies - are being installed when package is installed via git URL
• both version specifications - commit ID and tag - are supported
• npm consolidates/optimizes dependency tree installed under node_modules as expected compared to when installing from npmjs.org

Who

• n/a

References

• possibly related to [BUG] Installing dependencies from git+ssh is broken in 6.14.0 #948

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is preproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo

Closing: This is an automated message.