
[BUG] npm install delivers different package-lock second time run with overrides #4939

Open
2 tasks done
miWatch10 opened this issue May 25, 2022 · 3 comments
Labels
Bug thing that needs fixing config:overrides Issues dealing with the overrides feature Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments

@miWatch10

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Recreating your package-lock.json (rm -rf node_modules package-lock.json; npm i) and then following it with an npm i on a package.json with npm overrides set (https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides) gives you different package-lock.json output (causing git churn for anyone else in your repository).

Same thing happens with running npm update on a repository with npm overrides, followed by npm i

For examples, see the commits at https://github.com/miWatch10/renovate-overrides/pull/4/commits

There are 4 listed:

  • rm -rf node_modules package-lock.json; npm i
  • npm i
  • npm update
  • npm i

Each of these churns the package-lock.json back and forth. I would expect them all to have the same results (since no packages actually changed).

Expected Behavior

Running npm i after a rebuild of package-lock.json or after an npm update would not change/churn the package-lock.json; instead it would be consistent.

Steps To Reproduce

  1. In a clean repository
  2. Have a package.json that uses overrides
  3. run rm -rf node_modules package-lock.json; npm i
  4. do a git add and commit
  5. run npm i
  6. do a git add and commit
  7. Notice the package-lock.json has changed in step 5

Or

  1. In a clean repository
  2. Have a package.json that uses overrides
  3. run npm update
  4. do a git add and commit
  5. run npm i
  6. do a git add and commit
  7. Notice the package-lock.json has changed in step 5

Environment

  • npm: 8.10.0
  • Node.js: v16.15.0
  • OS Name: Mac
  • System Model Name: Macbook Pro
@miWatch10 miWatch10 added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels May 25, 2022
@miWatch10
Author

@nlf at one point someone thought this was related to #4889. Will your PR for that address this one?

Doesn't look like it per the PR (which is about shrinkwrapped), but wanted to confirm --- in this case, running npm i clean doesn't do overrides, but a second run does.

@nlf
Contributor

nlf commented May 31, 2022

i don't think that will be related to your issue here. i'll be looking into this one soon, though

@KrayzeeKev

I'm seeing the same thing:

  "overrides": {
    "ejs@2.5.5": "^3.0.0"
  }

npm install gives me ejs@3.1.8. npm update doesn't change anything. Subsequent npm install gives me ejs@2.5.5, and it toggles each time you run npm install
(Node V16.14, npm 8.11)
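
The toggling described in the issue body and in the comment above means an override can be silently undone by the next npm i, which matters when the override exists to pin a patched version. The following is an added example (not npm's code and not code from the issue's participants) of a dependency-free Node script that checks a package-lock.json against the overrides in package.json and lists the version churn between two lockfiles, so the condition can be caught in CI before the lockfile is committed. It assumes the lockfile v2/v3 layout (a "packages" map keyed by node_modules paths), supports only exact versions and caret ranges in specs (a small semver subset implemented inline), and uses constructed sample data that mirrors the ejs@2.5.5 -> ^3.0.0 override from the comment; the names SAMPLE_PACKAGE_JSON, LOCK_AFTER_FIRST_INSTALL, LOCK_AFTER_SECOND_INSTALL and all functions are this example's own.

```javascript
// Added example, not npm's own code. Checks that a lockfile honours the overrides
// in package.json and reports version churn between two lockfiles.
// Assumes lockfile v2/v3 layout; spec support is limited to "*", exact versions
// and caret ranges (a small semver subset, so the script needs no dependencies).

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Does `version` satisfy `spec`? Caret keeps the major, or the minor when the
// major is 0 (npm's semver rules for ^).
function satisfies(version, spec) {
  const s = String(spec).trim();
  if (s === '*' || s === '') return true;
  const v = parseVersion(version);
  if (!v) return false;
  if (s.startsWith('^')) {
    const lo = parseVersion(s.slice(1));
    if (!lo) return false;
    const hi = lo[0] > 0 ? [lo[0] + 1, 0, 0]
      : lo[1] > 0 ? [0, lo[1] + 1, 0]
      : [0, 0, lo[2] + 1];
    return compareVersions(v, lo) >= 0 && compareVersions(v, hi) < 0;
  }
  const exact = parseVersion(s);
  return exact !== null && compareVersions(v, exact) === 0;
}

// "ejs@2.5.5" -> { name: "ejs", target: "2.5.5" }; scoped names keep their "@".
function parseOverrideKey(key) {
  const at = key.indexOf('@', 1);
  return at === -1
    ? { name: key, target: null }
    : { name: key.slice(0, at), target: key.slice(at + 1) };
}

// "node_modules/a/node_modules/ejs" -> "ejs"
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Installed copies that the override should have replaced (they match the key's
// target, or the key has no target) but whose version does not satisfy the
// override spec. Only simple string-valued overrides are checked.
function findOverrideViolations(pkg, lock) {
  const violations = [];
  for (const [key, spec] of Object.entries(pkg.overrides || {})) {
    if (typeof spec !== 'string') continue;
    const { name, target } = parseOverrideKey(key);
    for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
      if (lockPath === '' || !entry.version) continue; // root entry or link
      if (nameFromLockPath(lockPath) !== name) continue;
      const shouldReplace = target === null || satisfies(entry.version, target);
      if (shouldReplace && !satisfies(entry.version, spec)) {
        violations.push({ path: lockPath, version: entry.version, override: key, expected: spec });
      }
    }
  }
  return violations;
}

// Packages whose resolved version differs between two lockfiles (the churn
// between consecutive npm i runs that the issue describes).
function diffLockVersions(lockA, lockB) {
  const a = lockA.packages || {}, b = lockB.packages || {};
  const diffs = [];
  for (const p of new Set([...Object.keys(a), ...Object.keys(b)])) {
    const from = a[p] ? a[p].version : undefined;
    const to = b[p] ? b[p].version : undefined;
    if (from !== to) diffs.push({ path: p, from, to });
  }
  return diffs;
}

// Constructed sample data (hypothetical project): the override maps ejs@2.5.5 to
// ^3.0.0; the first install resolves ejs 3.1.8, the next one flips it back.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: { 'some-dep': '^1.0.0' },
  overrides: { 'ejs@2.5.5': '^3.0.0' },
};
const LOCK_AFTER_FIRST_INSTALL = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', dependencies: { 'some-dep': '^1.0.0' } },
    'node_modules/some-dep': { version: '1.0.0', dependencies: { ejs: '2.5.5' } },
    'node_modules/ejs': { version: '3.1.8' },
  },
};
const LOCK_AFTER_SECOND_INSTALL = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'sample-app', dependencies: { 'some-dep': '^1.0.0' } },
    'node_modules/some-dep': { version: '1.0.0', dependencies: { ejs: '2.5.5' } },
    'node_modules/ejs': { version: '2.5.5' },
  },
};

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  // Real usage: replace the constants with JSON.parse(fs.readFileSync(...)) of the files.
  console.log('violations after 1st install:', findOverrideViolations(SAMPLE_PACKAGE_JSON, LOCK_AFTER_FIRST_INSTALL));
  console.log('violations after 2nd install:', findOverrideViolations(SAMPLE_PACKAGE_JSON, LOCK_AFTER_SECOND_INSTALL));
  console.log('churn between the two runs  :', diffLockVersions(LOCK_AFTER_FIRST_INSTALL, LOCK_AFTER_SECOND_INSTALL));
}
```

Run as node check-overrides.js; in CI, exit non-zero when findOverrideViolations returns anything, and run npm i twice with diffLockVersions between the runs to detect the toggling before a lockfile that drops the override is committed.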

@darcyclarke darcyclarke added the config:overrides Issues dealing with the overrides feature label Jul 11, 2022
4 participants