[BUG] npm-shrinkwraps not respected for global installs of local packages? #5325

Open
@edvincent

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

When globally installing a package that contains an npm-shrinkwrap.json file, it's not respected. It's actually always installing the latest version, just as if the shrinkwrap file wasn't there.

This kind of defeats the purpose it serves - as per https://docs.npmjs.com/cli/v8/configuring-npm/npm-shrinkwrap-json: "The recommended use-case for npm-shrinkwrap.json is applications deployed through the publishing process on the registry: for example, daemons and command-line tools intended as global installs."

I was actually looking into moving to use that shrinkwrap file exactly for that in coder/code-server#5071 - vending it installed as a global install with deterministic dependencies - because we had issues with latest releases not being compatible. But realized it doesn't actually work at all...

Expected Behavior

As per https://docs.npmjs.com/cli/v8/configuring-npm/npm-shrinkwrap-json, I would expect a global install to use the versions from the shrinkwrap file - even when doing a global install...

When doing a non-global install, it works as expected.

Steps To Reproduce

mkdir test
cd test/
npm init # Saying ok to all defaults
npm install lru-cache@7.10.0
npm shrinkwrap
npm pack
npm install -g test-1.0.0.tgz # Attached this tgz to the issue here too

Resulting tgz: test-1.0.0.tgz

One would expect lru-cache@7.10.0 in the dependencies.

But lru-cache@7.14.0 (at the moment of this writing, the latest version) gets installed:

ubuntu@ip-172-26-4-193:~/test$ npm list -g --depth=10
[...]
└─┬ test@1.0.0
  └── lru-cache@7.14.0

More confirmations:

  • /home/ubuntu/.nvm/versions/node/v16.17.0/lib/node_modules/test/npm-shrinkwrap.json shows lru-cache@7.10.0 as expected
  • /home/ubuntu/.nvm/versions/node/v16.17.0/lib/node_modules/test/node_modules/lru-cache/package.json shows "version": "7.14.0"

Environment

  • npm: 8.18.0 (issue as well with 8.15.0)
  • Node.js: v16.17.0
  • OS Name: Ubuntu 20.02
  • System Model Name: AWS Lightsail Instances
  • npm config:
; "user" config from /home/ubuntu/.npmrc

python = "python3"

; node bin location = /home/ubuntu/.nvm/versions/node/v16.17.0/bin/node
; node version = v16.17.0
; npm local prefix = /home/ubuntu
; npm version = 8.18.0
; cwd = /home/ubuntu
; HOME = /home/ubuntu
; Run `npm config ls -l` to show all defaults.

Labels: Bug (thing that needs fixing); Needs Triage (needs review for next steps); Release 8.x (work is associated with a specific npm 8 release)
