GPR npm optional peerDependencies issue

[zoncrd]

Select Topic Area

Bug

Body

I am writing to report an issue with the GitHub Package Registry. Specifically, I am having trouble installing an npm package that specifies optional peerDependencies.

When attempting to install a package that specifies optional peerDependencies in the package.json via the peerDependenciesMeta attribute from the GitHub Package Registry, optional dependencies are installed anyway.

I have verified that the package installs successfully when installed from other registries such as NPM. Therefore, it seems likely that there is an issue with the GitHub Package Registry that is preventing the installation of packages with optional peer dependencies.

I have found that the problem seems to be caused by a missing property in the abbreviated package metadata response. The missing property is the peerDependenciesMeta field, without which, npm version 7 and above automatically installs peerDependencies.

You can find more details in this sample repository reproducing the issue.

Here is a related thread that led me to understand the problem.

Any help or assistance is appreciated, please let me know if there are any further details or information that I can provide to help diagnose the issue

[naoki-kiryu-lvgs]

I asked GitHub support about this, and they assured me that it's already in their backlog, although they couldn't provide an estimated time of arrival (ETA).

[chriscarpenter12]

I too followed up with a GitHub support ticket and got the same response:

I have added your request to the tracking issue, but also as noted in the community discussion, there is not currently any ETA for when this might be available. When we have any further news to share, we’ll make sure to document it in the GitHub Changelog or the GitHub Blog.

[mwstr]

When I host my private library on github registry it doesn't see peerDependenciesMeta.*.optional: true and installs all peer dependencies bloating node_modules:

when I do the same thing with verdaccio or with local tgz package it works as intended:

Furthermore this breaks my library logic in CJS projects. Becuse I try to optionally load this peer libraries and some of them are ESM. And at the moment Node.js can't load ESM from CJS without additional experimental flag