[BUG] Some packages can no longer be installed with npm v7 #1734
Comments
Hi, This issue is due to a bug in const spec = args[0] +
- (args[1] === undefined || args[1] === null ? `@${args[1]}` : '')
+ (args[1] === undefined || args[1] === null ? '' : `@${args[1]}`) I would be happy to submit a PR fixing the issue ;) |
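Review bot: On the `+` line, the test `args[1] === undefined || args[1] === null` still lets an empty string through, so a call with `args[1] === ''` builds a spec that ends in a bare `@`. Consider treating the empty string like the missing case. Also add a regression test for the one-argument call, so that the swapped branches on the `-` line cannot come back unnoticed.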
note: I can still reproduce the issue in
Hi @ruyadorno, I made a mistake, my PR fixed a bug with I took the time to debug what happened here and it looks like In this case, the tag name verification made by I don't think this is really a bug since a non-valid semver constraint was probably not officially supported with npm < 7, but the error message can probably be improved :)
I disagree. Again, I believe the error is valid but it shouldn't be improved, it should be removed altogether. Packages that were installable with NPM v6 are no longer installable with NPM v7. This means upgrading NPM may break projects. This might have been fine if there were a clear migration procedure, but in this case there is none. There may be packages whose latest version contains an invalid semver specifier, so the developer cannot upgrade its dependency to a higher version that fixes the problem.
So, the handling of this broken semver range is not actually a breaking change. What changed is that we handle peerDependencies at all, so any broken garbage in a peerDependencies set would have been overlooked in npm v6, and no longer is. Observe:
A more extreme example:
I'm tempted to say that this is working as designed. If you want npm v7 to work when peerDependencies contain invalid data, you can use the The only alternative here would be to catch any invalid data in peerDependencies (but only in peerDependencies), and ignore those peer deps. So then we'd be in a situation where the contract that we install peerDeps is violated. Another alternative would be that we figure out what Yes, packages using this dependency will break, but in this case, I don't really know if the alternatives are reasonable. Hopefully the users of react-tooltip can update to the fixed version swiftly.
Could the error message be improved to offer a suggestion on where to look? The error message is displayed without context. One would assume that the error is in the package.json of the current project, not in a dependency because it doesn't say it's in a dependency. If it told you which dependency, it would be helpful.
@mcqj agreed, and I had the exact same issue and it nearly drove me up the wall. Luckily it looks like you can search for what it complains about in the
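The comments above ask which dependency carries the invalid peerDependencies entry. The following is an added example, not code from npm or from this thread: it scans a constructed set of manifests and reports peer ranges that fail a simplified semver-range grammar. The grammar, the function names `isPlainRange` and `findInvalidPeerRanges`, and the sample package names are assumptions of this sketch.

```javascript
// Added example, not npm's code. isPlainRange() implements a simplified
// semver-range grammar (an assumption of this sketch); npm's own parsing differs.
const XR = '(?:[xX*]|0|[1-9]\\d*)';
const PARTIAL = new RegExp(
  `^(?:[<>]=?|=|\\^|~)?v?${XR}(?:\\.${XR}(?:\\.${XR}` +
  '(?:-[0-9A-Za-z.-]+)?(?:\\+[0-9A-Za-z.-]+)?)?)?$');
const BARE = /^[v\dxX*]/; // hyphen-range operands carry no operator

function isPlainRange(range) {
  if (typeof range !== 'string') return false;
  return range.split('||').every((set) => {
    const s = set.trim();
    if (s === '') return true; // an empty set matches any version
    const ends = s.split(/\s+-\s+/);
    if (ends.length === 2) {
      return ends.every((p) => BARE.test(p) && PARTIAL.test(p));
    }
    // Tolerate a space between operator and version (">= 1.2.3").
    const tokens = s.replace(/([<>]=?|=|\^|~)\s+/g, '$1').split(/\s+/);
    return tokens.every((t) => PARTIAL.test(t));
  });
}

// manifests: install path -> parsed package.json object.
function findInvalidPeerRanges(manifests) {
  const findings = [];
  for (const [path, pkg] of Object.entries(manifests)) {
    for (const [peer, range] of Object.entries(pkg.peerDependencies || {})) {
      if (!isPlainRange(range)) {
        findings.push({ path, declaredBy: `${pkg.name}@${pkg.version}`, peer, range });
      }
    }
  }
  return findings;
}

// Constructed sample tree; package names, versions and ranges are made up.
const sample = {
  'node_modules/widget-ok': { name: 'widget-ok', version: '1.0.0',
    peerDependencies: { react: '^16.8.0 || ^17.0.0' } },
  'node_modules/widget-bad': { name: 'widget-bad', version: '2.1.0',
    peerDependencies: { react: '^16.8 | ^17', 'react-dom': '>= 16.0.0 < 18' } },
};
for (const f of findInvalidPeerRanges(sample)) {
  console.log(`${f.path}: ${f.declaredBy} peer "${f.peer}" has range "${f.range}"`);
}
```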
Current Behavior:
Some packages can no longer be installed with NPM v7 (in my case, it's react-tooltip@3.11.6).
To me, the install fails for a pretty legitimate reason. Yet, this behavior is not backward compatible.
Here is the relevant log
Expected Behavior:
npm install works flawlessly
Steps To Reproduce: