
[BUG] npm install delivers different package-lock second time run with overrides

Open miWatch10 opened this issue 3 years ago • 3 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

Recreating your package-lock.json (rm -rf node_modules package-lock.json; npm i) and then following it with an npm i on a package.json with npm overrides set (https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides) gives you different package-lock.json output (causing git churn for anyone else in your repository).

The same thing happens when running npm update on a repository with npm overrides, followed by npm i.

For examples, see the commits at https://github.com/miWatch10/renovate-overrides/pull/4/commits

There are 4 listed:

  • rm -rf node_modules package-lock.json; npm i
  • npm i
  • npm update
  • npm i

Each of these churns the package-lock.json back and forth. I would expect them all to have the same result (since no packages actually changed).

Expected Behavior

Running npm i after a rebuild of package-lock.json or after an npm update would not change or churn the package-lock.json; instead the result would be consistent.

Steps To Reproduce

  1. In a clean repository
  2. Have a package.json using overrides
  3. run rm -rf node_modules package-lock.json; npm i
  4. do a git add and commit
  5. run npm i
  6. do a git add and commit
  7. Notice the package-lock.json has changed in step 5

Or

  1. In a clean repository
  2. Have a package.json using overrides
  3. run npm update
  4. do a git add and commit
  5. run npm i
  6. do a git add and commit
  7. Notice the package-lock.json has changed in step 5

Environment

  • npm: 8.10.0
  • Node.js: v16.15.0
  • OS Name: Mac
  • System Model Name: MacBook Pro

miWatch10 May 25 '22 12:05

@nlf at one point someone thought this was related to https://github.com/npm/cli/issues/4889. Will your PR for that address this one?

It doesn't look like it, per the PR (which is about shrinkwrap), but I wanted to confirm. In this case, running npm i clean doesn't apply overrides, but a second run does.

miWatch10 May 31 '22 20:05

I don't think that will be related to your issue here. I'll be looking into this one soon, though.

nlf May 31 '22 20:05

I'm seeing the same thing:

  "overrides": {
    "[email protected]": "^3.0.0"
  }

npm install gives me [email protected]. npm update doesn't change anything. A subsequent npm install gives me [email protected], and it toggles each time you run npm install (Node v16.14, npm 8.11).

KrayzeeKev Jun 06 '22 05:06
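Taking the issue's repro and the toggling KrayzeeKev describes together, here is an added example (not npm's code and not from this thread) that reads two package-lock.json "packages" sections, reports which packages' resolved versions churned between runs, and flags any package.json override that a run did not apply; this matters because overrides are typically how a project forces a patched transitive dependency. The package names, versions and the `transitive-lib@2` override are constructed, and the semver check is a deliberately small subset standing in for the `semver` package.

```javascript
// Added example (not npm's code, not from the issue): diff two package-lock.json
// "packages" sections for churn and flag overrides that were not applied. Constructed data.
const overrides = { "transitive-lib@2": "^3.0.0" }; // package.json "overrides"
const lockFirstRun = {  // clean install: override ignored, nested 2.x still present
  "node_modules/top-dep/node_modules/transitive-lib": { version: "2.7.1" },
};
const lockSecondRun = { // second `npm i`: override applied, tree re-shaped
  "node_modules/transitive-lib": { version: "3.0.2" },
};
// Map package name -> sorted versions installed anywhere in the tree.
function resolvedVersions(packages) {
  const out = new Map();
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "") continue; // lockfile v2/v3 root project entry
    const name = path.slice(path.lastIndexOf("node_modules/") + 13);
    out.set(name, [...(out.get(name) || []), entry.version].sort());
  }
  return out;
}
// Packages whose resolved versions differ between two lock files (the churn).
function lockDiff(a, b) {
  const va = resolvedVersions(a), vb = resolvedVersions(b);
  return [...new Set([...va.keys(), ...vb.keys()])]
    .filter((n) => String(va.get(n)) !== String(vb.get(n)))
    .map((n) => ({ name: n, first: va.get(n) || [], second: vb.get(n) || [] }));
}
// Minimal semver check (assumption: exact, bare-major "2" and caret ranges only;
// real code should use the `semver` package).
function satisfies(version, range) {
  if (/^\d+$/.test(range)) range = `^${range}.0.0`;
  if (!range.startsWith("^")) return version === range;
  const v = version.split(".").map(Number), r = range.slice(1).split(".").map(Number);
  const fixed = (r.findIndex((x) => x !== 0) + 1) || 3; // keep through leftmost non-zero part
  if (v.slice(0, fixed).join(".") !== r.slice(0, fixed).join(".")) return false;
  const d = v.findIndex((x, i) => x !== r[i]);   // first differing component
  return d === -1 || v[d] > r[d];                // version >= range base
}
// A version still matching the selector (any version if none) but missing the target was not overridden.
function overrideViolations(overrides, packages) {
  const resolved = resolvedVersions(packages), bad = [];
  for (const [key, target] of Object.entries(overrides)) {
    const at = key.lastIndexOf("@");             // > 0 also handles "@scope/pkg@sel"
    const [name, selector] = at > 0 ? [key.slice(0, at), key.slice(at + 1)] : [key, null];
    for (const v of resolved.get(name) || [])
      if ((selector === null || satisfies(v, selector)) && !satisfies(v, target))
        bad.push({ name, resolved: v, expected: target });
  }
  return bad;
}
console.log(lockDiff(lockFirstRun, lockSecondRun), overrideViolations(overrides, lockFirstRun));
```

To check a real repository, feed `JSON.parse(fs.readFileSync("package-lock.json")).packages` from two committed revisions to `lockDiff`, and the `overrides` object from package.json to `overrideViolations`.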