node triggers "npm WARN config global --global, --local ..." on every invocation of npm

[ehoogeveen-medweb]

Version

16.15.1

Platform

Microsoft Windows NT 10.0.19044.0 x64

Subsystem

No response

What steps will reproduce the bug?

Invoke npm, for example with npm --version.

How often does it reproduce? Is there a required condition?

Every invocation of npm.

What is the expected behavior?

No warning.

What do you see instead?

npm WARN config global --global, --local are deprecated. Use --location=global instead.

Additional information

1. The warning triggers regardless of the installed version of npm - it even triggers after downgrading to npm 8.10.0 (which precedes the deprecation warning) or upgrading to npm 8.12.1 (which undeprecates --local and --global).
2. I don't see the warning on Linux.
3. In the npm cli repo [BUG] npm v 8.11.0 - writes to STDERR - "npm WARN config global --global, --local ..." breaking our nightly build process. npm/cli#4989 was filed about this issue, but as (1) indicates, this is not something that comes directly from npm.

So I think node 16.15.1 includes some component responsible for invoking npm on Windows that triggers the warning, and this module does not get updated if you run npm install -g npm@latest. I suspect that this also caused npm/cli#4945 where I found that package.json scripts did not support the new --location parameter on Windows while using node v16.15.0.

To fix this bug it should be enough to just update the npm-related bundles that node includes, but it would be nice if npm install -g npm@latest also updated the module responsible for this issue on Windows.

[mscdex]

Upgrade to npm 8.12.1, which removes the deprecations. There's already a PR to pull this version in.

[ehoogeveen-medweb]

Updating locally with npm install --global npm@latest doesn't work. The warning still triggers even though the installed version of npm no longer contains it.

[mscdex]

Does npm -v reflect 8.12.1 (or higher)?

[ehoogeveen-medweb]

Yes

[mscdex]

Must be something wrong with your environment. I extracted tarballs for both npm 8.12.0 and 8.12.1. Executing node bin/npm-cli.js -g -v with 8.12.0 gives the warning and executing the same command for 8.12.1 does not show the warning.

EDIT: I also tried with the 8.12.1 tarball directly from the npm package repo and it works the same as the github release (no warning)

[ehoogeveen-medweb]

Okay, I figured it out.

1. Node.js for Windows installs to C:\Program Files\nodejs.
2. When you run npm it runs C:\Program Files\nodejs\npm.cmd.
3. That calls node "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" prefix -g to get the base directory for the 'global' version of npm (in my case the result is C:\Users\Emanuel\AppData\Roaming\npm).
4. Calling npm install -g npm@latest doesn't actually update C:\Program Files\nodejs\node_modules\npm, so it's stuck on whatever version of npm the currently installed version of Node.js ships with (8.11.0 in this case).

So as a workaround, I can open a command window with elevated privileges in C:\Program Files\nodejs and run npm install --no-save npm@latest (note: no -g). That updates the bundled version of npm and the warning is no longer printed.

Edit: That workaround probably isn't a good idea because it seems that npm.cmd and npx.cmd are also replaced as a consequence of updating npm, and they lose the global prefix check. I posted a better workaround in npm/cli#4989.

[ehoogeveen-medweb]

I'm going to close this because

1. There's already a pull request to update to npm 8.12.1.
2. The version of npm in the installation directory is only used for the prefix check, so even if it's outdated it seems unlikely to break anything else. If the developers of npm ever decide to deprecate -g again then the patched versions of npm.cmd and npx.cmd shipped with Node.js for Windows will need to be updated to use -L=global or similar.

[lxhlxh520]

Okay, I figured it out.

1. Node.js for Windows installs to C:\Program Files\nodejs.
2. When you run npm it runs C:\Program Files\nodejs\npm.cmd.
3. That calls node "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" prefix -g to get the base directory for the 'global' version of npm (in my case the result is C:\Users\Emanuel\AppData\Roaming\npm).
4. Calling npm install -g npm@latest doesn't actually update C:\Program Files\nodejs\node_modules\npm, so it's stuck on whatever version of npm the currently installed version of Node.js ships with (8.11.0 in this case).

So as a workaround, I can open a command window with elevated privileges in C:\Program Files\nodejs and run npm install --no-save npm@latest (note: no -g). That updates the bundled version of npm and the warning is no longer printed.

Edit: That workaround probably isn't a good idea because it seems that npm.cmd and npx.cmd are also replaced as a consequence of updating npm, and they lose the global prefix check. I posted a better workaround in npm/cli#4989.

thanks, address this issue