Is there an existing issue for this?
I've seen similar issues in #5349 and #5325, but they seem to be about installing local tarballs only, and one of them even mentions that it works if installing from remote. But that's not the case for me. It may also be related to #4583, as I'm not using npmjs.org as the registry but GitHub.
This issue exists in the latest npm version
Current Behavior
I have a package @myorg/shrinkwraptest (which is published and installable via GitHub). The published package includes an npm-shrinkwrap.json file, which looks like this:
{
"name": "@myorg/shrinkwraptest",
"version": "1.0.0",
"lockfileVersion": 3,
"requires": true,
"packages": {
"": {
"name": "@myorg/shrinkwraptest",
"version": "1.0.0",
"license": "ISC",
"dependencies": {
"mogoose": "^8.1"
},
...
"node_modules/mongodb": {
"version": "6.3.0",
"resolved": "https://registry.npmjs.org/mongodb/-/mongodb-6.3.0.tgz",
"integrity": "sha512-tt0KuGjGtLUhLoU263+xvQmPHEGTw5LbcNC73EoFRYgSHwZt5tsoJC110hDyO1kjQzpgNrpdcSza9PknWN4LrA==",
"dependencies": {
"@mongodb-js/saslprep": "^1.1.0",
"bson": "^6.2.0",
"mongodb-connection-string-url": "^3.0.0"
},
"engines": {
"node": ">=16.20.1"
},
},
...
"node_modules/mongoose": {
"version": "8.1.3",
"resolved": "https://registry.npmjs.org/mongoose/-/mongoose-8.1.3.tgz",
"integrity": "sha512-a5MajZSDJiQgy0iQcR+MIpFe7zehGJI4doJ6Dh1MvnGh8/HNNhr5pn07RPA86KCTjP2vuKdffpFmvXxcHiUOjw==",
"dependencies": {
"bson": "^6.2.0",
"kareem": "2.5.1",
"mongodb": "6.3.0",
"mpath": "0.9.0",
"mquery": "5.0.0",
"ms": "2.1.3",
"sift": "16.0.1"
},
"engines": {
"node": ">=16.20.1"
},
"funding": {
"type": "opencollective",
"url": "https://opencollective.com/mongoose"
}
}
...
}
}
When I then do npm i @myorg/shrinkwraptest.json in a new empty folder and then inspect the node_modules folder, I see that the mongoose package is installed in version 8.8.4 and the mongodb package is installed in version 6.10.0 (which are the respective latest versions at the time I'm creating this issue).
This is the (relevant) output of npm ls --depth 3:
/test # npm ls --depth 3
test@ /test
`-- @myorg/shrinkwrap@1.0.0
`-- mongoose@8.8.4
...
+-- mongodb@6.10.0
...
Expected Behavior
Reading the docs, I'd expect when I do an
npm i @myorg/shrinkwraptest
this contained npm-shrinkwrap.json should be respected and mongoose@8.1.3 and mongodb@6.3 should be installed.
Steps To Reproduce
- Install a package from a remote repository which has an npm-shrinkwrap.json bundled with it
- Compare the versions in the contained npm-shrinkwrap.json with the versions of the actually installed packages
Environment
- npm: 10.9.2
- Node.js: 23.4.0
- OS Name: FROM node:23.4-alpine3.20
- npm config:
; "user" config from /root/.npmrc
@myorg:registry = "https://npm.pkg.github.com/"
//npm.pkg.github.com/:_authToken = ...
; node bin location = /usr/local/bin/node
; node version = v23.4.0
; npm local prefix = /test
; npm version = 10.9.2
; cwd = /test
; HOME = /root
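The comparison from the reproduction steps can be scripted as below. This is an added example, not part of the original issue and not npm's own code; the function names and the temporary sample tree are constructed, and skipping dev-only and linked entries is an assumption about what a consumer install should contain.

```javascript
// Added example: report where installed versions differ from the pins in a bundled npm-shrinkwrap.json.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Version from <dir>/package.json, or null when the package is not there.
function installedVersion(dir) {
  try { return JSON.parse(fs.readFileSync(path.join(dir, 'package.json'), 'utf8')).version ?? null; }
  catch { return null; }
}
// Walk up from startDir, checking each node_modules/<name>, as Node resolution does.
function resolveInstalled(startDir, name) {
  for (let dir = startDir; ; dir = path.dirname(dir)) {
    const version = installedVersion(path.join(dir, 'node_modules', name));
    if (version !== null) return version;
    if (dir === path.dirname(dir)) return null; // reached the filesystem root
  }
}

// pkgDir: installed directory of the package that ships npm-shrinkwrap.json (lockfileVersion 3).
function shrinkwrapDrift(pkgDir) {
  const lock = JSON.parse(fs.readFileSync(path.join(pkgDir, 'npm-shrinkwrap.json'), 'utf8'));
  const drift = [];
  for (const [key, entry] of Object.entries(lock.packages ?? {})) {
    const idx = key.lastIndexOf('node_modules/');
    if (idx < 0 || entry.dev || entry.link || !entry.version) continue; // root, dev-only, links
    const name = key.slice(idx + 'node_modules/'.length);
    const installed = resolveInstalled(path.join(pkgDir, key.slice(0, idx)), name);
    if (installed !== entry.version) drift.push({ name, pinned: entry.version, installed });
  }
  return drift;
}

// Constructed sample tree mirroring the report: pins 8.1.3 / 6.3.0, hoisted 8.8.4 / 6.10.0.
function buildConstructedTree() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'shrinkwrap-')), 'node_modules');
  const write = (dir, file, obj) => {
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, file), JSON.stringify(obj));
  };
  const pkgDir = path.join(nm, '@myorg', 'shrinkwraptest');
  write(pkgDir, 'npm-shrinkwrap.json', { lockfileVersion: 3, packages: {
    '': { name: '@myorg/shrinkwraptest', version: '1.0.0' },
    'node_modules/mongoose': { version: '8.1.3' },
    'node_modules/mongodb': { version: '6.3.0' } } });
  write(path.join(nm, 'mongoose'), 'package.json', { name: 'mongoose', version: '8.8.4' });
  write(path.join(nm, 'mongodb'), 'package.json', { name: 'mongodb', version: '6.10.0' });
  return pkgDir;
}
```

On a real install, call `shrinkwrapDrift` with the dependency's directory under node_modules; an empty array means every pinned version was honoured.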