[BUG] npm audit fix command is deleting npm sections from package.json #1690

Closed
alvarocamillont opened this issue Aug 18, 2020 · 5 comments
Labels
Bug thing that needs fixing Release 7.x work is associated with a specific npm 7 release

Comments

@alvarocamillont

Current Behavior:

When I run npm audit fix on my project, it is deleting sections of my package.json file such as "description" and "scripts".

Expected Behavior:

I expect the command to only change my dependencies.

Steps To Reproduce:

  1. Clone this repo https://github.com/po-ui/po-angular.git
  2. Run npm i
  3. Run npm audit fix
  4. See package.json

Environment:

  • OS: Ubuntu 20.04
  • Node: v12.18.2
  • NPM: 7.0.0-beta.5
@alvarocamillont alvarocamillont added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Aug 18, 2020
@alvarocamillont alvarocamillont changed the title [BUG] npm audit fix command is deleting npm scripts from package.json [BUG] npm audit fix command is deleting npm sessions from package.json Aug 18, 2020
@ruyadorno
Contributor

Minimal reproduction steps:

BEFORE

$ cat package-lock.json
{
  "name": "test-npm-audit-messing-up-package-json",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "dot-prop": "^4.2.0"
      }
    },
    "node_modules/dot-prop": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
      "integrity": "sha512-tUMXrxlExSW6U2EXiiKGSBVdYgtV8qlHL+C10TsW4PURY/ic+eaysnSkwB4kA/mBlCyy/IKDJ+Lc3wbWeaXtuQ==",
      "dependencies": {
        "is-obj": "^1.0.0"
      },
      "engines": {
        "node": ">=4"
      }
    },
    "node_modules/is-obj": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-1.0.1.tgz",
      "integrity": "sha1-PkcprB9f3gJc19g6iW2rn09n2w8=",
      "engines": {
        "node": ">=0.10.0"
      }
    }
  },
  "dependencies": {
    "dot-prop": {
      "version": "4.2.0",
      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
      "integrity": "sha512-tUMXrxlExSW6U2EXiiKGSBVdYgtV8qlHL+C10TsW4PURY/ic+eaysnSkwB4kA/mBlCyy/IKDJ+Lc3wbWeaXtuQ==",
      "requires": {
        "is-obj": "^1.0.0"
      }
    },
    "is-obj": {
      "version": "1.0.1",
      "resolved": "https://registry.npmjs.org/is-obj/-/is-obj-1.0.1.tgz",
      "integrity": "sha1-PkcprB9f3gJc19g6iW2rn09n2w8="
    }
  }
}

$ cat package.json
{
  "name": "test-npm-audit-messing-up-package-json",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "repository": "ruyadorno/test-npm-audit-messing-up-package-json",
  "scripts": {
    "hello": "echo \"Hello\"",
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "dependencies": {
    "dot-prop": "^4.2.0"
  }
}

AFTER

$ npm audit fix
$ git diff
diff --git a/package-lock.json b/package-lock.json
index 8f79ef5..cbe450e 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -12,9 +12,9 @@
       }
     },
     "node_modules/dot-prop": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
-      "integrity": "sha512-tUMXrxlExSW6U2EXiiKGSBVdYgtV8qlHL+C10TsW4PURY/ic+eaysnSkwB4kA/mBlCyy/IKDJ+Lc3wbWeaXtuQ==",
+      "version": "4.2.1",
+      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.1.tgz",
+      "integrity": "sha512-l0p4+mIuJIua0mhxGoh4a+iNL9bmeK5DvnSVQa6T0OhrVmaEa1XScX5Etc673FePCJOArq/4Pa2cLGODUWTPOQ==",
       "dependencies": {
         "is-obj": "^1.0.0"
       },
@@ -33,9 +33,9 @@
   },
   "dependencies": {
     "dot-prop": {
-      "version": "4.2.0",
-      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.0.tgz",
-      "integrity": "sha512-tUMXrxlExSW6U2EXiiKGSBVdYgtV8qlHL+C10TsW4PURY/ic+eaysnSkwB4kA/mBlCyy/IKDJ+Lc3wbWeaXtuQ==",
+      "version": "4.2.1",
+      "resolved": "https://registry.npmjs.org/dot-prop/-/dot-prop-4.2.1.tgz",
+      "integrity": "sha512-l0p4+mIuJIua0mhxGoh4a+iNL9bmeK5DvnSVQa6T0OhrVmaEa1XScX5Etc673FePCJOArq/4Pa2cLGODUWTPOQ==",
       "requires": {
         "is-obj": "^1.0.0"
       }
diff --git a/package.json b/package.json
index 72be34c..608c9ff 100644
--- a/package.json
+++ b/package.json
@@ -1,17 +1,8 @@
 {
-  "name": "test-npm-audit-messing-up-package-json",
   "version": "1.0.0",
-  "description": "",
-  "main": "index.js",
-  "repository": "ruyadorno/test-npm-audit-messing-up-package-json",
-  "scripts": {
-    "hello": "echo \"Hello\"",
-    "test": "echo \"Error: no test specified\" && exit 1"
-  },
-  "keywords": [],
-  "author": "",
   "license": "ISC",
   "dependencies": {
     "dot-prop": "^4.2.0"
-  }
+  },
+  "name": "test-npm-audit-messing-up-package-json"
 }
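Review bot: in the package.json hunk, the removed "description", "main", "repository", "scripts", "keywords" and "author" keys have nothing to do with the dependency fix, and "name" is moved from the top of the file to after "dependencies". The "dependencies" range ^4.2.0 is unchanged and already admits the 4.2.1 recorded in the package-lock.json hunks, so package.json should come out of this run untouched. Losing "scripts" silently drops the project's "hello" and "test" commands, so any pipeline that commits the result of an automated fix should fail when keys outside the dependency fields change.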

@ruyadorno
Contributor

It happens only on npm audit fix; I tried it with npm install dot-prop@legacy and can't reproduce the problem.

@ruyadorno ruyadorno changed the title [BUG] npm audit fix command is deleting npm sessions from package.json [BUG] npm audit fix command is deleting npm sections from package.json Aug 18, 2020
@darcyclarke darcyclarke removed the Needs Triage needs review for next steps label Aug 19, 2020
@snypelife

snypelife commented Aug 19, 2020

I have also experienced this with npm ci. Perhaps I should open another issue for this?

@isaacs
Contributor

isaacs commented Aug 19, 2020

@snypelife Nah, one is fine. I'm thinking it's the same core issue in Arborist anyway.

isaacs added a commit that referenced this issue Aug 20, 2020
- Load root project `package.json` when running loadVirtual.
  Fix: #1690
  Fix: #1693

- Fetch metadata from registry when loading tree from outdated
  package-lock.json file.  This avoids a situation where a lockfile or
  shrinkwrap from npm v5 would result in deleting dependencies on
  install.

- Preserve `package.json` and `package-lock.json` formatting in all
  places where these files are written.
  Fix: #1662
@isaacs
Contributor

isaacs commented Aug 23, 2020

Fixed in latest v7 beta. Thanks!

@isaacs isaacs closed this as completed Aug 23, 2020
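
A guard for the failure reproduced in this thread, as an added example that is not part of the original issue or of npm's code: it compares package.json before and after `npm audit fix` and reports every top-level change outside the dependency fields. The function names are assumptions of the example, and the BEFORE/AFTER manifests are copied from the minimal reproduction above.

```javascript
'use strict';

// Top-level package.json fields a dependency fix may legitimately rewrite.
const DEPENDENCY_FIELDS = new Set([
  'dependencies', 'devDependencies', 'optionalDependencies',
  'peerDependencies', 'bundleDependencies', 'bundledDependencies',
]);

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Report every top-level difference outside DEPENDENCY_FIELDS. Values are
// compared by JSON serialization, so a nested key reorder counts as a change.
function manifestDrift(before, after) {
  const tracked = (k) => !DEPENDENCY_FIELDS.has(k);
  const removed = Object.keys(before).filter((k) => tracked(k) && !has(after, k));
  const added = Object.keys(after).filter((k) => tracked(k) && !has(before, k));
  const changed = Object.keys(before).filter((k) => tracked(k) && has(after, k) &&
    JSON.stringify(before[k]) !== JSON.stringify(after[k]));
  // Keys present on both sides should keep their relative order in the file.
  const kept = Object.keys(before).filter((k) => has(after, k));
  const now = Object.keys(after).filter((k) => has(before, k));
  const reordered = kept.join('\n') !== now.join('\n');
  return { removed, added, changed, reordered };
}

const isClean = (d) =>
  !(d.removed.length || d.added.length || d.changed.length || d.reordered);

// Sample input: the manifests from the minimal reproduction in this thread.
const BEFORE = {
  name: 'test-npm-audit-messing-up-package-json',
  version: '1.0.0',
  description: '',
  main: 'index.js',
  repository: 'ruyadorno/test-npm-audit-messing-up-package-json',
  scripts: { hello: 'echo "Hello"', test: 'echo "Error: no test specified" && exit 1' },
  keywords: [],
  author: '',
  license: 'ISC',
  dependencies: { 'dot-prop': '^4.2.0' },
};
const AFTER = {
  version: '1.0.0',
  license: 'ISC',
  dependencies: { 'dot-prop': '^4.2.0' },
  name: 'test-npm-audit-messing-up-package-json',
};
console.log(manifestDrift(BEFORE, AFTER));
```

In a pipeline, `before` would be the parsed output of `git show HEAD:package.json` and `after` the parsed working copy, with the job failing when `isClean` returns false.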