[BUG] npm 8 allows incorrect peer dependencies when upgrading a v1 lockfile to v2. #5051
Comments
I think this block needs to be repeated (or delayed) till after the lockfile is inflated. There is no edge from ts-node to typescript when we first check for invalid edges in _initTree. https://github.com/npm/cli/blob/latest/workspaces/arborist/lib/arborist/build-ideal-tree.js#L361-L375

Having tested upgrades from
TL;DR: The behavior being observed here is actually expected because in that step (installing v10 on a v6 lockfile), the lockfile is still old (v1) and is only just being upgraded. npm actually tells you it is a v1 lockfile and is being upgraded. A subsequent install will behave correctly. Following the steps to reproduce, it's clear why npm cannot produce the desired output. Follow along ...

Step 1: Create an npm package with incorrect peer dependencies.

```json
{
  "dependencies": {
    "typescript": "1.8.0",
    "ts-node": "9.1.1"
  }
}
```

Step 2: Run npm 6 install to create a v1 lockfile.

Step 3: Run npm 10 (10.2.5 at time of writing) to update to a v2 lockfile.

Important: This is actually expected because in this step, the lockfile is still old and is only just being upgraded. A subsequent install will behave correctly. Since npm actually warns you of an old lockfile, this shouldn't be considered a bug but just how npm works. Instead, the warning should inform you that a v1 lockfile will not capture incorrect dependencies and you need to do a second npm install with the new lockfile. Something like:
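The comments above boil down to one point: a v1 lockfile records versions and `requires` edges but no peer-dependency information, so the invalid-edge check has nothing to inspect until the lockfile is inflated into v2 form. The following is an added example, not code from npm or arborist, that makes this concrete. The two lockfile fragments are constructed by hand to mirror the package.json in the comment above; the `>=2.7` peer range on ts-node and the v1/v2 field layout are assumptions for illustration, and the semver handling is deliberately reduced to the exact and `>=` forms used here rather than the real `semver` package.

```javascript
// Added example (not npm's or arborist's code): a v1 lockfile gives a
// peer-dependency check nothing to work with, while the v2 "packages" map
// carries the peerDependencies needed to find the ts-node -> typescript edge.

// Minimal semver handling for this example only: exact versions and ">=x.y.z".
function parseVersion(v) {
  const [major, minor = 0, patch = 0] = v.split('.').map(Number);
  return [major, minor, patch];
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function satisfies(version, range) {
  if (range.startsWith('>=')) return compareVersions(version, range.slice(2).trim()) >= 0;
  return compareVersions(version, range) === 0;
}

// Constructed v1 lockfile fragment: entries carry version/requires only.
// No peerDependencies field exists anywhere, so no peer edge can be built.
const lockfileV1 = {
  lockfileVersion: 1,
  dependencies: {
    typescript: { version: '1.8.0' },
    'ts-node': { version: '9.1.1', requires: { arg: '^4.1.0' } },
  },
};

// Constructed v2 lockfile fragment: the "packages" map records each
// package's peerDependencies, which is what an invalid-edge check consumes.
const lockfileV2 = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { typescript: '1.8.0', 'ts-node': '9.1.1' } },
    'node_modules/typescript': { version: '1.8.0' },
    'node_modules/ts-node': {
      version: '9.1.1',
      peerDependencies: { typescript: '>=2.7' }, // assumed range for illustration
    },
  },
};

// Return every unmet peer dependency the lockfile lets us detect.
// Only top-level node_modules lookups are modelled; nested trees are ignored.
function findInvalidPeerEdges(lock) {
  const problems = [];
  if (lock.lockfileVersion < 2 || !lock.packages) {
    // v1 has no peer information: nothing to check, so nothing is reported,
    // which is exactly the silent success described in the issue.
    return problems;
  }
  for (const [from, meta] of Object.entries(lock.packages)) {
    for (const [peer, want] of Object.entries(meta.peerDependencies || {})) {
      const installed = lock.packages[`node_modules/${peer}`];
      const have = installed ? installed.version : null;
      if (have === null || !satisfies(have, want)) {
        problems.push({ from, peer, want, have });
      }
    }
  }
  return problems;
}

console.log('v1 lockfile problems:', findInvalidPeerEdges(lockfileV1));
console.log('v2 lockfile problems:', findInvalidPeerEdges(lockfileV2));
```

Run with `node`: the v1 fragment yields an empty list, while the v2 fragment reports that ts-node wants typescript `>=2.7` but `1.8.0` is installed. This is the same data the second `npm install` sees once the lockfile has been rewritten, which is why the error only appears on that run.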
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
When npm 8 installs from a v1 lockfile it does not error on incorrect peer dependencies. It doesn't print any peer dependency warnings and exits successfully.
Expected Behavior
I expect npm 8 to error on invalid peer dependencies.
Steps To Reproduce
This is unexpected. I expect npm 8 to error on incorrect peer dependencies. A subsequent install will error.
Environment