Allow to set a custom npm version with npm_version option

[robertsLando]

Is there a way to setup the action to use npm 7?

What about npm_version: 7 like actually it's done for node_version?

[maxim-lobanov]

Hello!
npm is integrated to Node.JS.
NPM 7.x is integrated to Node.JS 15.x. If you specify Node.JS 15.x, NPM 7 will be selected. See details on https://nodejs.org/en/download/releases/

If you need npm 7 for previous versions of Node.JS, please consider upgrading it in runtime via npm install -g npm@latest

[robertsLando]

@maxim-lobanov Would it be possible to make it configurable like I suggested by using an option? It would allow to easily use matrix too

[smorimoto]

Is it not enough to add npm_version to the matrix and manipulate the workflow? I don't think it's a good idea to add more input than necessary.

[mendrik]

npm publish doesn't work with node 15.x in github actions:

npm ERR! code ENEEDAUTH
npm ERR! need auth This command requires you to be logged in.
npm ERR! need auth You need to authorize this machine using `npm adduser`

when I downgrade to node 12 it works again

[dmitry-shibanov]

Hello @mendrik , the issue with publishing is caused by updating npm to 7th version in node 15. The first minor and patch version of npm 7th had the issue with _auth. It was fixed in next versions. You can use npm with node 12th or upgrade npm to the latest one npm install -g npm@latest

[Fryuni]

It seems setting node-version: 15 now gets a release with the proper fix. It is working without having to update npm

[vinayakkulkarni]

Just like we have an option to use node versions, we should also have an option to choose npm versions

[fcastilloec]

Using npm install -g npm@latest with Github Actions gives errors regarding write-access permissions. Installing locally npm i npm@latest will change the repository and mess up any actions that depend on a clean git repo. Any ideas on how to fix this? How can I use npm@7 with node@14? Using node@15 is not an option, sorry...

[smorimoto]

What about doing with sudo?

[fcastilloec]

@smorimoto I don't know why I didn't think about it! So, running sudo i -g npm@latest after setup-node action does nothing...
Here's part of the log (can't provide a link to the full log because it's a private repo):

2021-03-10T18:20:25.6852244Z ##[group]Run sudo npm i -g npm@latest
2021-03-10T18:20:25.6852862Z sudo npm i -g npm@latest
2021-03-10T18:20:25.6906055Z shell: /usr/bin/bash -e {0}
2021-03-10T18:20:25.6906509Z env:
2021-03-10T18:20:25.6906931Z   node-version: 14
2021-03-10T18:20:25.6907390Z ##[endgroup]
2021-03-10T18:20:37.6677894Z /usr/local/bin/npm -> /usr/local/lib/node_modules/npm/bin/npm-cli.js
2021-03-10T18:20:37.6683622Z /usr/local/bin/npx -> /usr/local/lib/node_modules/npm/bin/npx-cli.js
2021-03-10T18:20:37.7550998Z + npm@7.6.2
2021-03-10T18:20:37.7552906Z added 59 packages from 24 contributors, removed 241 packages and updated 194 packages in 10.209s
2021-03-10T18:20:37.7743170Z ##[group]Run echo npm version "$(npm --version)"
2021-03-10T18:20:37.7743827Z echo npm version "$(npm --version)"
2021-03-10T18:20:37.7744307Z echo node version "$(node --version)"
2021-03-10T18:20:37.7790961Z shell: /usr/bin/bash -e {0}
2021-03-10T18:20:37.7791313Z env:
2021-03-10T18:20:37.7791661Z   node-version: 14
2021-03-10T18:20:37.7792014Z ##[endgroup]
2021-03-10T18:20:38.3912711Z npm version 6.14.11
2021-03-10T18:20:38.3966163Z node version v14.16.0

You can see that after updating npm to version 7, GitHub Actions still uses version 6. Any ideas what to do?

I've never had to use sudo before when working with nvm. I'm wondering if updating npm with sudo did it for the system installed version and not the one used by nvm? In order to update the nvm one, we might need to run the command without sudo but that gives us errors about writing permissions...

SOLUTION: After some trial and error, I figure it out. Updating npm before using this action requires sudo but updating it after using this action doesn't require sudo. As I suspected, when running the command with sudo the system version gets updated, not the one use by this action. So for anybody having the same problem as me, make sure you update npm AFTER running this action and without using sudo

[smorimoto]

I suspect that the path priority is wrong. The following command should tell you the order, but it probably shows the one installed by the action at the top.

which --all npm

If it's true, you need to change the priority, but it can be a little tricky. For example, create a new directory, create a symbolic link to npm, and add it to the path through the Actions command.

[smorimoto]

SOLUTION: After some trial and error, I figure it out. Updating npm before using this action requires sudo but updating it after using this action doesn't require sudo. As I suspected, when running the command with sudo the system version gets updated, not the one use by this action. So for anybody having the same problem as me, make sure you update npm AFTER running this action and without using sudo

Oh, it's good.

[stereobooster]

Run npm install -g npm@7.11.2
npm ERR! code E404
npm ERR! 404 Not Found - GET https://npm-proxy.fury.io/***/***/npm - bad_request
npm ERR! 404 
npm ERR! 404  'npm@7.11.2' is not in the npm registry.

Solution

    - name: npm 7
      run: npm i -g npm@7 --registry=https://registry.npmjs.org

[ssbarnea]

I hope to soon see an option to pass npm-version: latest to address this and avoid having to add extra steps to our already complex pipelines. An option like this makes sense, especially as npm is included with node but can be safely upgraded without breaking node. Some recent changes to npm makes the need to upgrade it.... quite likely.

[dcousineau-godaddy]

With the most recent addition of setting up caching automatically in setup-node I'm rethinking my position of managing npm, especially since the cache should be variable to the version of npm

We've recently hit this issue. The npm i -g npm@8 run on one major branch/pr was being picked up by subsequent runs of unrelated branches expecting npm@6 due to the cache, so definitely some stateful leakage across runs. While I understand why, it was bit of a tripping hazard. We will likely roll out npm i -g npm@x across all workflows and all branches as an extra guard layer, but including npm_version at least as a cache-key bust would be a nice value add. Now to see if we have the time/resources to contribute 🤔

[abdulghani]

thanks @fcastilloec
as the time writing this. using ubuntu-latest to update npm to latest, require to update without sudo and calling it after setting up node actions/setup-node@v2. the full sample script is like so

  install_dependencies:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - uses: actions/setup-node@v2
        with:
          node-version: 14.x
      - name: cache node_modules
        uses: actions/cache@v2
        with:
          key: ${{ runner.os }}-${{ hashFiles('**/package-lock.json') }}
          path: |
            node_modules
      - name: install latest npm
        run: |
          npm install -g npm &&
          npm --version &&
          npm list -g --depth 0
      - name: install dependencies
        run: |
          npm ci

output

Run npm install -g npm &&
  npm install -g npm &&
  npm --version &&
  npm list -g --depth 0
  shell: /bin/bash -e {0}
/Users/runner/hostedtoolcache/node/14.18.3/x64/bin/npm -> /Users/runner/hostedtoolcache/node/14.18.3/x64/lib/node_modules/npm/bin/npm-cli.js
/Users/runner/hostedtoolcache/node/14.18.3/x64/bin/npx -> /Users/runner/hostedtoolcache/node/14.18.3/x64/lib/node_modules/npm/bin/npx-cli.js
+ npm@8.3.2
added 67 packages from 17 contributors, removed 290 packages and updated 147 packages in 11.682s
8.3.2
/Users/runner/hostedtoolcache/node/14.18.3/x64/lib
└── npm@8.3.2

[ThisIsMissEm]

I'm also noticing that potentially our npm installs in CI are passing but in local checkouts failing due to differences in peerDep algorithms between npm 8 and prior versions which shipped with LTS versions of node. I'd definitely be in favour of a npm_version: latest | bundled which if latest does an npm install -g npm@latest or similar.

[fregante]

Can this issue be renamed to drop the mention of npm 7 specifically? Otherwise it looks outdated at a first look since we're on npm 10 now.

[robertsLando]

@fregante Done

[nickmccurdy]

Note that Node is considering removing npm and having corepack install it, which would make this unnecessary if corepack was implemented.