
[BUG] Inconsistency between npm install and npm audit fix for name in package-lock.json #4608

Open
2 tasks done
Marcono1234 opened this issue Mar 23, 2022 · 1 comment
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 8.x work is associated with a specific npm 8 release

Comments

@Marcono1234

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm install and npm audit fix make inconsistent changes to the package-lock.json, causing unnecessary differences for that file.

  • npm install does not include a name for the "" packages entry
  • npm audit includes a name

This means that running npm audit adds a name property, and a subsequent npm install run removes it again.

Expected Behavior

npm install and npm audit fix should behave consistently. Either both should create a name property, or neither of them should create it.

Steps To Reproduce

ℹ️ indicates observed behavior.
❌ indicates unexpected observed behavior.

  1. Create a folder npm-audit-test
  2. Create a package.json file with the following content:
    {
      "private": true,
      "devDependencies": {
        "minimist": "1.2.5"
      }
    }
  3. In that folder run npm install
  4. Inspect the package-lock.json file
    ℹ️ It has the following content:
    {
      "name": "npm-audit-test",
      "lockfileVersion": 2,
      "requires": true,
      "packages": {
        "": {
          "devDependencies": {
            "minimist": "1.2.5"
          }
        },
        ...
      }
    }
  5. Run npm audit fix --force
  6. Inspect the package-lock.json file
    ❌ It has the following content; note the extra name property for the "" packages entry
    {
      "name": "npm-audit-test",
      "lockfileVersion": 2,
      "requires": true,
      "packages": {
        "": {
          "name": "npm-audit-test",
          "devDependencies": {
            "minimist": "^1.2.6"
          }
        },
        ...
      }
    }
  7. Run npm install again
  8. Inspect the package-lock.json file
    ❌ The name property was removed again

Environment

  • npm: 8.5.0
  • Node.js: v16.14.2
  • OS Name: Microsoft Windows [Version 10.0.19043.1586]
  • System Model Name:
  • npm config:
; "builtin" config from C:\Program Files\nodejs\node_modules\npm\npmrc

prefix = "C:\\Users\\<redacted>\\AppData\\Roaming\\npm"

; node bin location = C:\Program Files\nodejs\node.exe
; cwd = C:\Users\<redacted>\Downloads\npm-audit-test
; HOME = C:\Users\<redacted>
; Run `npm config ls -l` to show all defaults.
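The two lockfile shapes listed in the steps above differ in two ways: a cosmetic one (the extra name under the "" entry) and a substantive one (the minimist range moving from 1.2.5 to ^1.2.6). The following script is an added example, not code from npm or from the issue author; it reconstructs both root entries from the listings in this report (the lockfile objects below are constructed samples, trimmed to the root entry), separates the name flip from real dependency changes, and normalises the redundant root name away so that the output of npm install and npm audit fix compares equal. The function names diffRootEntry, rootDeps and stripRedundantRootName are this example's own.

```javascript
// Added example (not npm's code): inspect the root ("") entry of two
// package-lock.json documents and tell a cosmetic "name" flip apart from
// substantive dependency changes. Both lockfiles are constructed from the
// listings in this issue, reduced to the root entry.

const LOCK_AFTER_INSTALL = {
  name: "npm-audit-test",
  lockfileVersion: 2,
  requires: true,
  packages: {
    "": { devDependencies: { minimist: "1.2.5" } },
  },
};

const LOCK_AFTER_AUDIT_FIX = {
  name: "npm-audit-test",
  lockfileVersion: 2,
  requires: true,
  packages: {
    "": { name: "npm-audit-test", devDependencies: { minimist: "^1.2.6" } },
  },
};

// Flatten the dependency maps of the root entry into "field:pkg" -> range.
function rootDeps(lock) {
  const root = (lock.packages && lock.packages[""]) || {};
  const out = {};
  const fields = ["dependencies", "devDependencies", "optionalDependencies", "peerDependencies"];
  for (const field of fields) {
    for (const [pkg, range] of Object.entries(root[field] || {})) {
      out[`${field}:${pkg}`] = range;
    }
  }
  return out;
}

// Compare the root entries of two lockfiles. Returns:
//   nameChanged - the "" entry gained, lost or changed its name
//   depChanges  - list of { key, before, after } for ranges that differ
//   nameOnly    - true when the name flip is the only difference (pure noise)
function diffRootEntry(before, after) {
  const rootBefore = (before.packages && before.packages[""]) || {};
  const rootAfter = (after.packages && after.packages[""]) || {};
  const nameChanged = rootBefore.name !== rootAfter.name;

  const a = rootDeps(before);
  const b = rootDeps(after);
  const depChanges = [];
  for (const key of new Set([...Object.keys(a), ...Object.keys(b)])) {
    if (a[key] !== b[key]) depChanges.push({ key, before: a[key], after: b[key] });
  }
  return { nameChanged, depChanges, nameOnly: nameChanged && depChanges.length === 0 };
}

// Normaliser: drop a root-entry name that merely repeats the top-level name,
// which is the only thing `npm install` removes again in step 7 of the report.
function stripRedundantRootName(lock) {
  const copy = JSON.parse(JSON.stringify(lock)); // do not mutate the caller's object
  const root = copy.packages && copy.packages[""];
  if (root && root.name === copy.name) delete root.name;
  return copy;
}

// Report what actually changed between the two listings from the issue.
console.log(JSON.stringify(diffRootEntry(LOCK_AFTER_INSTALL, LOCK_AFTER_AUDIT_FIX), null, 2));
```

Running the script on the two listings reports nameChanged true with one dependency change (the minimist range), so nameOnly is false; after stripRedundantRootName only the version bump remains, which is the part of an audit-fix diff that actually deserves review. Run on a lockfile pair from step 6 and step 7 of the report, the same function reports nameOnly true, i.e. a diff that carries no dependency change at all.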
@Marcono1234 Marcono1234 added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Mar 23, 2022
@fritzy
Contributor

fritzy commented Mar 30, 2022

It's unusual to not specify a name in the package.json file. npm init -y will automatically fill one in. If you specify a package.json name, this does not happen. Since name is not required, this is probably still a bug.
