Git dependency prepare script running with --package-lock-only

[feelepxyz]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

👋 I've just run into this in dependabot when trying to update discord.js. The following command fails: npm install discord.js@github:discordjs/discord.js#b376f31af9881b9cd3f82ac4a42a468947cce482 --ignore-scripts --package-lock-only with:

npm ERR! code 127
npm ERR! path /Users/feelepxyz/.npm/_cacache/tmp/git-clone-e8ed8817
npm ERR! command failed
npm ERR! command sh -c husky install
npm ERR! sh: husky: command not found

It looks like this prepare script is running with the above install. It passes without --package-lock-only.

There is a similar issue about the projects lifecycle hooks but this seems subtly different as it's about git dependencies: #2787

Expected Behavior

The command npm install discord.js@github:discordjs/discord.js#b376f31af9881b9cd3f82ac4a42a468947cce482 --ignore-scripts --package-lock-only should successfully install.

Steps To Reproduce

1. npm install -g npm@7.14.0
2. npm install discord.js@github:discordjs/discord.js#b376f31af9881b9cd3f82ac4a42a468947cce482 --ignore-scripts --package-lock-only

Environment

• OS: Mac OS Catalina 10.15.7
• Node: v15.6.0
• npm: 7.14

[feelepxyz]

The same bug is reported here: #2920 but would be helpful if it's possible to disable running prepare scripts if --package-lock-only or --ignore-scripts are set. Either would work for dependabot's use case where we care about disabling all life-cycle hooks.

[isaacs]

#2920 is a slightly different bug.

I could see disabling prepares when --ignore-scripts is set, but we do need to run them for the package-lock-only, or else we can't be guaranteed to get the correct results in the package-lock.json file.

Will be fixed when npm/pacote#81 lands.

[wraithgar]

#1422 may also be related