-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] npm ci installs an optional dependency which targets a different os than the host os #558
Comments
I ran into the same problem with fsevents on Windows, when installing two packages that depend on different versions of fsevents.
Latest webpack depends on watchpack which depends on an older chokidar@2.1.8 which depends on an old fsevents@1.2.11. While chokidar latest depends on fsevents@2.1.2 But npm install skipped correctly both versions of fsevents as they are OS-incompatible. However:
And if I look in node_modules, fsevents is there and it shouldn't be. I'm using the Node 12 LTS install, |
Whether So while
|
After updating to latest node and npm have same issue.. all projects where it is fsevent fail to install with
|
@padinko Did you also try the variant with the additional |
so there it is difference, but still compiling fsevents |
@paulmillr @pipobscure My issue (#658) was a duplicate of this ticket. Track this one to stay up to date. |
I can confirm this bug also on Ubuntu. |
@mikemimik or @isaacs, do you have any input on this bug? Yes, |
It looks like the relevant change is that fsevents started using node-pre-gyp to pull a precompiled binary, rather than building it in place, resulting in a npm v7 won't have this problem. (I'm working in the code that'll do this now.) I haven't checked into how involved it'd be to fix this issue for npm v6, but there's a good chance it'll just end up being "upgrade to v7 for the fix". In the meantime, I'd recommend using |
Yes, Also: Would |
Sorry for changing tactics on you. However we lost access to the S3 originally used and it was becoming an increasingly serious security issue. That’s why we went back to build as needed. Especially given that v2.x based on NAPI doesn’t need to build at all for node v8.x+ |
Oh, that's weird. I'd expect
Good question. "Designed for CI environments" does not always mean "best for this particular CI environment, for this particular application". In this case, there are two issues that npm ci is running into.
So, you should use
If you're talking about the fact that the package-lock provides the authoritative integrity and resolution checks, then good news: If you're talking about the check that the package-lock and package.json are in sync with one another, you can add
That is my expectation, yes. But, even if it is LTS, the approach in the past has been to have an LTS version of npm in the LTS version of node, even if that means it changes within the LTS "frozen" time frame, so shipping npm v6 for 4 years would be a profoundly bad idea that I don't think Node will do. And as npm is really something of a separate project, rather than a "dependency" in a way that affects the run-time, this is usually fine. Since npm v7 will have some breaking changes (though we're trying to minimize these as much as possible), it may be an issue if we don't get it there in time, or we may make some concessions to set default configs or do other things so that the npm v7 that ships with node 14 LTS is as close as possible to npm v6. |
Oh, I just checked the node lts schedule and see that I was mistaken about hte timeframe. Node 14's initial release is in 3 months, but it doesn't go LTS until October. So yeah, we should be well in the clear. I expect that the initial release of npm v7 will be available in time for node 14, and more than sufficiently stable by the time v14 hits LTS. (Famous last words and all, but the confidence has been steadily rising as we've gotten closer to doing the integration, and I don't have any reason to think that will change soon.) |
it tries to install deps that don't match the platform: npm/cli#558 https://github.com/wixplosives/test-drive/runs/426433972#step:4:5
I'm surprised this isn't being treated as more important of a bug that it is. This is making it so that we can't use "npm ci" on our build servers in windows. That's a big deal. |
Not just windows, I can't use npm ci on any system |
Wait.. it's been my experience that Has this functionality changed @isaacs ? |
@tommck I think he addresses that with this part:
Guess you can use it as a poor man's implementation of If I'm not mistaken, this has two problems:
So yeah, it's a big issue - luckily in our case we do builds on linux and they still work for our combination of packages... Other people are less lucky. |
@coyoteecd So... assuming the lock file was fine (correct/verified), running "npm install" still might modify the package lock file with new dependencies? |
Incorrect. It will not do that. Running What |
I'd love to see a case where that happens. Unless you're explicitly telling it not to respect the lockfile, or running |
my experiences: when you have node v12, and another developer have v10, full-icu downgrade icu data package for node v10.. when you have lock with everything and no we was using npm ci, because of this 2 issues |
…erent to what the package supports This is a required for npm ci to work. npm/cli#558
…erent to what the package supports This is a required for npm ci to work. npm/cli#558
Adding |
Not installing manually, but updating your dependencies should fix the issue with fsevents as well. |
In the case mentioned, there is a missing dependency, so yes, it will update the tree and modify package-lock.json accordingly to record what it did. (It will do the same for an invalid dependency.) |
npm If your bug is preproducible on If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo Closing: This is an automated message. |
What / Why
npm ci seems to install an optional dependency for the linux os when running on a mac and seems to install the optional dependency for mac when running on linux.
When
click to view output of above command
added 2 packages and audited 4 packages in 1.1s
found 0 vulnerabilities
d@1.0.0 /private/tmp/d
└─┬ oax@0.5.25
├── oax-darwin@0.5.25
├── UNMET OPTIONAL DEPENDENCY oax-linux-64@0.5.25
└── UNMET OPTIONAL DEPENDENCY oax-windows-64@0.5.25
npm WARN prepare removing existing node_modules/ before installation
added 3 packages in 0.722s
d@1.0.0 /private/tmp/d
└─┬ oax@0.5.25
├── oax-darwin@0.5.25
├── oax-linux-64@0.5.25
└── UNMET OPTIONAL DEPENDENCY oax-windows-64@0.5.25
Where
How
Current Behavior
currently it looks like npm ci is broken for optional dependencies which use the os and arch fields of package.json
Steps to Reproduce
You should see that
npm i
works correctly and installs a single optional dependency for oax.You should also see that
npm ci
works incorrectly and installs two of the optional dependencies for oax, this should never happen as each optional dependency is targeting a different operating system and architecture, it should be impossible to have more than one of the optional dependencies installed.Expected Behavior
it should install oax-darwin when running on darwin and should install oax-linux when running on linux
Who
References
The text was updated successfully, but these errors were encountered: