Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
My team sometimes deletes nodes from package-lock.json as specific package versions are deleted from our internal registry. Our expectation is that npm install should then install the latest version of that package that satisfies the requirements in package.json, without changing indirect dependencies unnecessarily.
However, we're seeing an issue where npm install sometimes deletes an indirect dependency of the deleted node, even as it replaces that node. We have to run npm install a second time in order to restore the indirect dependency.
This issue only seems to occur when there's a different version of the indirect dependency installed.
Expected Behavior
We expect package-lock.json to always be in a consistent state after an npm install, with all dependencies satisfied.
Steps To Reproduce
I've created a CodeSandbox: https://codesandbox.io/p/devbox/quirky-rain-rv9lkl You can create a new project in the same state by running npm install [email protected] && npm install [email protected] && npm install [email protected].
Once you have that project set up, the steps to replicate the bug are:
- Delete the "node_modules/mocha" node from package-lock.json.
- Run npm install.
- Check the diff and see that npm restored the "node_modules/mocha" node, but removed the "node_modules/mocha/node_modules/brace-expansion" node. That directory has also been deleted from node_modules. This means that mocha's indirect dependency on brace-expansion@^2.0.1 (by way of its dependency on minimatch@^5.1.6) is unsatisfied; mocha would instead use [email protected], which is installed at the root of node_modules.
- Run npm install again and observe that "node_modules/mocha/node_modules/brace-expansion" has been restored in both package-lock.json and node_modules.
Environment
I've observed this issue in npm v8, v9, and v10.
- npm: 10.8.2
- Node.js: 20.16.0
- OS Name: macOS 14.6.1
- System Model Name: M1 MacBook Pro
- npm config:
; node bin location = /Users/trevorburnham/.asdf/installs/nodejs/20.16.0/bin/node
; node version = v20.16.0
; npm local prefix = /Users/trevorburnham/Code/lockfile-with-missing-parent-testcase
; npm version = 10.8.2
; cwd = /Users/trevorburnham/Code/lockfile-with-missing-parent-testcase
; HOME = /Users/trevorburnham
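A lockfile in the state described in this report can be caught in CI before it is committed. The following is an added example, not part of the issue report and not npm's own code: it walks the `packages` map of a package-lock.json the way Node resolves modules and lists dependencies that resolve to a version outside the declared range. Assumptions: only exact and caret ranges are checked, minimatch is nested under mocha, and every version number in the sample lockfile is constructed.

```javascript
// Added example; handles the lockfileVersion 2/3 "packages" map only.
const SEMVER = /^(\d+)\.(\d+)\.(\d+)$/;

// true/false for exact and caret ranges; null (unchecked) for any other syntax.
function satisfies(version, range) {
  const v = SEMVER.exec(version);
  const r = SEMVER.exec(range.replace(/^\^/, ''));
  if (!v || !r) return null;
  const [a, b] = [v, r].map(m => m.slice(1, 4).map(Number));
  if (!range.startsWith('^')) return a.every((n, i) => n === b[i]);
  const diff = a.findIndex((n, i) => n !== b[i]);
  if (diff !== -1 && a[diff] < b[diff]) return false; // below the lower bound
  // A caret range pins everything up to the leftmost non-zero component.
  const lead = b.findIndex(n => n !== 0);
  return a.slice(0, lead === -1 ? 3 : lead + 1).every((n, i) => n === b[i]);
}

// Mimic Node's lookup: try the nearest node_modules, then each ancestor's.
function resolve(packages, from, name) {
  for (let dir = from; ; ) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (packages[candidate]) return candidate;
    if (!dir) return null;
    const cut = dir.lastIndexOf('/node_modules/');
    dir = cut === -1 ? '' : dir.slice(0, cut);
  }
}

function findUnsatisfied(lock) {
  const problems = [];
  for (const [from, pkg] of Object.entries(lock.packages)) {
    for (const [name, range] of Object.entries(pkg.dependencies || {})) {
      const at = resolve(lock.packages, from, name);
      const found = at ? lock.packages[at].version : null;
      if (!at || satisfies(found, range) === false) problems.push({ from, name, range, found });
    }
  }
  return problems;
}

// Constructed sample of the state after the first `npm install` (versions are illustrative).
const brokenLock = { lockfileVersion: 3, packages: {
  '': { dependencies: { mocha: '^10.0.0' } },
  'node_modules/brace-expansion': { version: '1.1.11' },
  'node_modules/mocha': { version: '10.7.3', dependencies: { minimatch: '^5.1.6' } },
  'node_modules/mocha/node_modules/minimatch':
    { version: '5.1.6', dependencies: { 'brace-expansion': '^2.0.1' } },
} };

console.log(findUnsatisfied(brokenLock));
```

Ranges the checker cannot parse (for example `>=`, `~`, or `||` expressions) are skipped rather than flagged, so an empty result means no violation was found among exact and caret ranges only.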