Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

issue 10999 #2

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

issue 10999 #2

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
8ec3075
Issue #10999.
tolmasky Jan 1, 2016
33453ec
Add link.
tolmasky Jan 1, 2016
acb9cf3
Linkify.
tolmasky Jan 1, 2016
a1aff0f
Add edit.
tolmasky Jan 1, 2016
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
43 changes: 43 additions & 0 deletions npm3/10999/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,43 @@
# npm3 - #10999 - Npm v3 non-determinism does actually result in different code (not just tree structure)

Original bug can be found here: [#10999](https://github.com/npm/npm/issues/10999).
With npm 3, for the first time other packages can influence each other's dependencies.

## Up and Running

```
$ npm install test-b --save
$ npm install test-a --save
$ node index.js
```

This will print:

```
1.0.0
1.0.1
```

Now let's try the opposite order:

```
$ rm -rf node_modules # just restore things to their previous state
$ git checkout package.json # just restore things to their previous state
$ npm install test-a --save
$ npm install test-b --save
$ node index.js
```

This will print:

```
1.0.0
```

# Explanation

As you can see, install order actually affects the bits that will be run. The key here is that test-a has an *absolute dependency* on test-c 1.0.0, while test-b has a semver range dependency on test-c ^1.0.0. That means if test-b is installed first, it correctly picks up 1.0.1, then a will of course want 1.0.0. However, if a installs first, then 1.0.0 will be installed, which satisfies b, and thus both get 1.0.0.

The important thing here is that anyone *ELSE* that has an absolute dependency (and is alphabetically before you), effectively sabotages YOUR package. The only remedy is then on the *end user* to manually fiddle with thier shrinkwrap. As a package author, you can't actually do anything, other than explain to your users the subtle effects *other packages* have on your package, then try to walk them through their each time unique shrinkwrap solution.

Edit: I'd like to quickly point out that I'm not making a claim to the require-cache. I could have had it print "good" and "bad" instead of "1.0.0" and "1.0.1". I am aware that there is no guarantee of getting two 1.0.0's or just 1 depending on the tree structure.
3 changes: 3 additions & 0 deletions npm3/10999/index.js
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@

require("test-a");
require("test-b");
11 changes: 11 additions & 0 deletions npm3/10999/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,11 @@
{
"name": "10999",
"version": "1.0.0",
"description": "With npm 3, for the first time other packages can influence each other's dependencies.",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "",
"license": "ISC"
}