Description
Is there an existing issue for this?
- I have searched the existing issues
I've seen similar issues in #5349 and #5325, but they seem to be about installing local tarballs only, and one of them even mentions that it works if installing from remote. But that's not the case for me. May also be related to #4583, as I'm not using npmjs.org as the registry but GitHub.
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
I have a package @myorg/shrinkwraptest (which is published and installable via GitHub). The published package includes an npm-shrinkwrap.json file which looks like this:
{
  "name": "@myorg/shrinkwraptest",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "@myorg/shrinkwraptest",
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "mogoose": "^8.1"
      },
      ...
    "node_modules/mongodb": {
      "version": "6.3.0",
      "resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.3.0.tgz",
      "integrity": "sha512-tt0KuGjGtLUhLoU263+xvQmPHEGTw5LbcNC73EoFRYgSHwZt5tsoJC110hDyO1kjQzpgNrpdcSza9PknWN4LrA==",
      "dependencies": {
        "@mongodb-js/saslprep": "^1.1.0",
        "bson": "^6.2.0",
        "mongodb-connection-string-url": "^3.0.0"
      },
      "engines": {
        "node": ">=16.20.1"
      },
    },
    ...
    "node_modules/mongoose": {
      "version": "8.1.3",
      "resolved": "https://registry.npmjs.org/mongoose/-/mongoose-8.1.3.tgz",
      "integrity": "sha512-a5MajZSDJiQgy0iQcR+MIpFe7zehGJI4doJ6Dh1MvnGh8/HNNhr5pn07RPA86KCTjP2vuKdffpFmvXxcHiUOjw==",
      "dependencies": {
        "bson": "^6.2.0",
        "kareem": "2.5.1",
        "mongodb": "6.3.0",
        "mpath": "0.9.0",
        "mquery": "5.0.0",
        "ms": "2.1.3",
        "sift": "16.0.1"
      },
      "engines": {
        "node": ">=16.20.1"
      },
      "funding": {
        "type": "opencollective",
        "url": "https://opencollective.com/mongoose"
      }
    }
    ...
  }
}
When I then do npm i @myorg/shrinkwraptest.json in a new empty folder and then inspect the node_modules folder, I see that the mongoose package is installed in version 8.8.4 and the mongodb package is installed in version 6.10.0 (which are the respective latest versions at the time I'm creating this issue).
This is the (relevant) output of npm ls --depth 3
/test # npm ls --depth 3
test@ /test
`-- @myorg/shrinkwrap@1.0.0
`-- mongoose@8.8.4
...
+-- mongodb@6.10.0
...
Expected Behavior
Reading the docs, I'd expect that when I do an npm i @myorg/shrinkwraptest, the contained npm-shrinkwrap.json should be respected and mongoose@8.1.3 and mongodb@6.3 should be installed.
Steps To Reproduce
- Install a package from a remote repository which has an npm-shrinkwrap.json bundled with it
- Compare the versions in the contained npm-shrinkwrap.json with the versions of the actually installed packages
Environment
- npm: 10.9.2
- Node.js: 23.4.0
- OS Name: FROM node:23.4-alpine3.20
- npm config:
; "user" config from /root/.npmrc
@myorg:registry = "https://npm.pkg.github.com/"
//npm.pkg.github.com/:_authToken = ...
; node bin location = /usr/local/bin/node
; node version = v23.4.0
; npm local prefix = /test
; npm version = 10.9.2
; cwd = /test
; HOME = /root