Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[BUG] --lockfile-version is not respected when using shrinkwrap and hidden lockfile #3962

Closed
1 task done
dominykas opened this issue Oct 29, 2021 · 14 comments · Fixed by #3978
Closed
1 task done

[BUG] --lockfile-version is not respected when using shrinkwrap and hidden lockfile #3962

dominykas opened this issue Oct 29, 2021 · 14 comments · Fixed by #3978
Assignees
@lukekarrys
Labels
Bug thing that needs fixing Priority 1 high priority issue Release 8.x work is associated with a specific npm 8 release

Comments

@dominykas
Copy link

dominykas commented Oct 29, 2021
edited

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

$ npm shrinkwrap --lockfile-version=2 produces a v3 lockfile.

v8.1.1 used to print a warning, but #3949 changed that.

v8.1.2 just produces a v3 lockfile without any warnings.

Expected Behavior

lockfile-version param/config should be respected.

Steps To Reproduce

  1. $ rm -rf npm-shrinkwrap.json (if the shrinkwrap exists - it seems to work OK)
  2. $ npm shrinkwrap --lockfile-version=2
  3. $ cat npm-shrinkwrap.json | jq .lockfileVersion

Actual: 3
Expected: 2

Environment

  • OS: macOS 11.6
  • Node: 14.18.1
  • npm: 8.1.2
@dominykas dominykas added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Oct 29, 2021
@dominykas dominykas mentioned this issue Oct 29, 2021
Merged
@dominykas
Copy link
Author

dominykas commented Oct 29, 2021
edited

(removed - this didn't actually work as I described it)

@lukekarrys lukekarrys added Awaiting Information further information is requested and removed Needs Triage needs review for next steps labels Oct 29, 2021
@lukekarrys
Copy link
Member

@dominykas I can't reproduce this. Here's what I'm seeing:

❯ cat package.json
{
  "name": "3962",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "volta": {
    "node": "14.18.1",
    "npm": "8.1.2"
  }
}

❯ npm --version
node 8.1.2

❯ node --version
v14.18.1

❯ ls -lha
total 4.0K
drwxr-xr-x  3 lukekarrys staff   96 Oct 29 11:16 .
drwxr-xr-x 45 lukekarrys staff 1.5K Oct 29 11:13 ..
-rw-r--r--  1 lukekarrys staff  278 Oct 29 11:13 package.json

❯ npm shrinkwrap --lockfile-version=2
npm notice created a lockfile as npm-shrinkwrap.json

❯ cat npm-shrinkwrap.json| json .lockfileVersion
2

❯ ls -lha
total 8.0K
drwxr-xr-x  4 lukekarrys staff  128 Oct 29 11:14 .
drwxr-xr-x 45 lukekarrys staff 1.5K Oct 29 11:13 ..
-rw-r--r--  1 lukekarrys staff  195 Oct 29 11:14 npm-shrinkwrap.json
-rw-r--r--  1 lukekarrys staff  278 Oct 29 11:13 package.json

@ljharb
Copy link
Collaborator

ljharb commented Oct 29, 2021

@lukekarrys off topic, but what is json? Typically jq is what’s used there; I’ve never seen that one before.

@lukekarrys
Copy link
Member

what is json

It's this package from the registry: https://www.npmjs.com/package/json. It does less than jq but I tend to use it for simple npm examples since it's easier to install.

@ljharb
Copy link
Collaborator

ljharb commented Oct 29, 2021

Gotcha; that seems unwise since most people already have jq available and know what it is :-) (that package is not highly used) maybe if the examples used npx it’d be clearer?

@lukekarrys
Copy link
Member

maybe if the examples used npx it’d be clearer?

I agree that it should be made clearer and thanks for the reminder since this already come up in our docs: npm/documentation#45

I'm still leaning towards npx json over jq since I want to have as few prerequisites as possible. But we can discuss more over there :)

@lukekarrys lukekarrys removed the Bug thing that needs fixing label Oct 30, 2021
@dominykas
Copy link
Author

Are you sure you had no lockfile to start with?

@lukekarrys
Copy link
Member

lukekarrys commented Oct 30, 2021
edited

Are you sure you had no lockfile to start with?

Yes, that's why I showed the output from the initial ls -lha to confirm that. Can you check your .npmrc files? npm config get lockfile-version should show if you have that set somewhere.

@dominykas
Copy link
Author

dominykas commented Oct 31, 2021
edited

Oh, yeah, sorry, I missed the ls.

I experimented a little more. I was able to see the behavior you're seeing on an empty folder, however when I ran npm i before the npm shrinkwrap, I got the version 3.

I'm not 100% sure I was able to repro that consistently, so I'll try a little more. Upd: able to repro consistently, I think:

✔ ~/devel/experiments/shrinkwrap 
10:27 $ npm --version
8.1.2

✔ ~/devel/experiments/shrinkwrap 
10:27 $ node --version
v14.18.1

✔ ~/devel/experiments/shrinkwrap 
10:27 $ npm config get lockfile-version
null

✔ ~/devel/experiments/shrinkwrap 
10:27 $ ls -al
total 8
drwxr-xr-x   3 dominykas  staff   96 31 Oct 10:27 .
drwxr-xr-x  10 dominykas  staff  320 31 Oct 10:24 ..
-rw-r--r--   1 dominykas  staff  237 31 Oct 10:27 package.json

✔ ~/devel/experiments/shrinkwrap 
10:27 $ cat package.json 
{
  "name": "3962",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC",
  "private": true
}

✔ ~/devel/experiments/shrinkwrap 
10:27 $ npm shrinkwrap --lockfile-version=2
npm notice created a lockfile as npm-shrinkwrap.json

✔ ~/devel/experiments/shrinkwrap 
10:27 $ cat npm-shrinkwrap.json | jq .lockfileVersion
2

✔ ~/devel/experiments/shrinkwrap 
10:28 $ rm npm-shrinkwrap.json 

✔ ~/devel/experiments/shrinkwrap 
10:28 $ npm i lodash

added 1 package, and audited 2 packages in 884ms

found 0 vulnerabilities

✔ ~/devel/experiments/shrinkwrap [0] 
10:28 $ npm shrinkwrap --lockfile-version=2
npm notice created a lockfile as npm-shrinkwrap.json

✔ ~/devel/experiments/shrinkwrap [0] 
10:28 $ cat npm-shrinkwrap.json | jq .lockfileVersion
3

✔ ~/devel/experiments/shrinkwrap [0] 
10:28 $ cat node_modules/.package-lock.json | jq .lockfileVersion
2

(that last one I find a bit interesting)

@lukekarrys lukekarrys self-assigned this Nov 1, 2021
@lukekarrys lukekarrys added Bug thing that needs fixing Priority 1 high priority issue and removed Awaiting Information further information is requested labels Nov 1, 2021
@lukekarrys
Copy link
Member

Do you have package-lock=false set anywhere? I can only replicate your results if I do npm i lodash --package=lock=false. I think this is still a bug, but I'm trying to nail down the exact scenario.

Here's my full results (without package-lock=false):

❯ ls -al
total 4
drwxr-xr-x  3 lukekarrys staff   96 Nov  1 13:04 .
drwxr-xr-x 45 lukekarrys staff 1440 Oct 29 11:13 ..
-rw-r--r--  1 lukekarrys staff  218 Nov  1 13:04 package.json

❯ cat package.json
{
  "name": "3962",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "keywords": [],
  "author": "",
  "license": "ISC"
}

❯ npm i lodash

added 1 package, and audited 2 packages in 1s

found 0 vulnerabilities

❯ npm shrinkwrap --lockfile-version=2
npm notice package-lock.json has been renamed to npm-shrinkwrap.json

❯ cat npm-shrinkwrap.json | npx json .lockfileVersion
2

❯ cat node_modules/.package-lock.json | npx json .lockfileVersion
2

And if I do --package-lock=false:

❯ npm i lodash --package-lock=false

added 1 package, and audited 2 packages in 1s

found 0 vulnerabilities

❯ npm shrinkwrap --lockfile-version=2
npm notice created a lockfile as npm-shrinkwrap.json

❯ cat npm-shrinkwrap.json | npx json .lockfileVersion
3

❯ cat node_modules/.package-lock.json | npx json .lockfileVersion
2

@dominykas
Copy link
Author

Yes, I do have it set globally.

@lukekarrys lukekarrys changed the title [BUG] --lockfile-version is not respected [BUG] --lockfile-version is not respected when using shrinkwrap and hidden lockfile Nov 1, 2021
@lukekarrys
Copy link
Member

Thanks! I updated the issue title to more accurately reflect what's happening and can confirm this is a bug that we should fix.

@lukekarrys
Copy link
Member

I also found that when update a shrinkwrap file, we sometimes show a message with the incorrect lockfile version, even if the file did get updated correctly.

❯ ls -lha
total 12K
drwxr-xr-x  5 lukekarrys staff  160 Nov  2 07:47 .
drwxr-xr-x 46 lukekarrys staff 1.5K Nov  2 01:37 ..
-rw-r--r--  1 lukekarrys staff  648 Nov  2 07:47 package-lock.json
-rw-r--r--  1 lukekarrys staff  266 Nov  2 07:45 package.json

❯ cat package-lock.json | npx json .lockfileVersion
2

❯ npm shrinkwrap --lockfile-version=3
npm notice package-lock.json has been renamed to npm-shrinkwrap.json

❯ npm shrinkwrap --lockfile-version=3
npm notice npm-shrinkwrap.json updated to version 2

❯ cat npm-shrinkwrap.json | npx json .lockfileVersion
3

lukekarrys added a commit that referenced this issue Nov 3, 2021
@lukekarrys
fix: shrinkwrap setting incorrect lockfileVersion
3f8ca9d 
Fix: #3962

When created from a hidden lockfile, shrinkwrap was always setting the
lockfileVersion to 3. The shrinkwrap command also needed to be updated
to log the correct message based on the lockfileVersion config instead
of the static lockfileVersion.

With these fixes, it was possible to log a better message whenever we
are changing the lockfileVersion, either from a config or any existing
lockfile.

Lastly, the tests for shrinkwrap were completely refactored to use the
real npm and test all conceivable scenarios, as well as removing usage
of `util.promisify` in favor of `fs.promises` now that we've dropped
support for Node 10.
@lukekarrys lukekarrys mentioned this issue Nov 3, 2021
Merged
lukekarrys added a commit that referenced this issue Nov 3, 2021
@lukekarrys
fix: shrinkwrap setting incorrect lockfileVersion
93336cf 
Fix: #3962

When created from a hidden lockfile, shrinkwrap was always setting the
lockfileVersion to 3. The shrinkwrap command also needed to be updated
to log the correct message based on the lockfileVersion config instead
of the static lockfileVersion.

With these fixes, it was possible to log a better message whenever we
are changing the lockfileVersion, either from a config or any existing
lockfile.

Lastly, the tests for shrinkwrap were completely refactored to use the
real npm and test all conceivable scenarios, as well as removing usage
of `util.promisify` in favor of `fs.promises` now that we've dropped
support for Node 10.
lukekarrys added a commit that referenced this issue Nov 3, 2021
@lukekarrys
fix: shrinkwrap setting incorrect lockfileVersion
e9e548c 
Fix: #3962

When created from a hidden lockfile, shrinkwrap was always setting the
lockfileVersion to 3. The shrinkwrap command also needed to be updated
to log the correct message based on the lockfileVersion config instead
of the static lockfileVersion.

With these fixes, it was possible to log a better message whenever we
are changing the lockfileVersion, either from a config or any existing
lockfile.

Lastly, the tests for shrinkwrap were completely refactored to use the
real npm and test all conceivable scenarios, as well as removing usage
of `util.promisify` in favor of `fs.promises` now that we've dropped
support for Node 10.
@dominykas
Copy link
Author

🙇

@lukekarrys lukekarrys mentioned this issue Apr 12, 2022
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@lukekarrys lukekarrys

Labels
Bug thing that needs fixing Priority 1 high priority issue Release 8.x work is associated with a specific npm 8 release
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: shrinkwrap setting incorrect lockfileVersion npm/cli
3 participants
@ljharb @dominykas @lukekarrys