[BUG] npm 8 installs the wrong dependency.

[Raynos]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

when I run npm install it installs the wrong version.

Expected Behavior

I expected it to install the correct version.

Steps To Reproduce

~/optoolco/_base on master
$ cat package.json | grep opkit-node
    "@optoolco/opkit-node": "github:optoolco/opkit-node#v1.2.7",

Use git dependencies with github: and tags. It installed v1.2.5 when it clearly wanted v1.2.7.

Or more specifically, it did not update v1.2.5 to v1.2.7 when I installed a new verison of _base

Environment

• OS: Linux
• Node:
• npm: 8

[ais-one]

could it be related to #708 ?

[Raynos]

Doubt it. My issue was I ran npm install and it didnt install the correct nested version of opkit-node.

[Raynos]

Npm install with git+ssh dependencies is kind of horribly broken and I cant think of any good solution other then rage downgrading to npm@2 which is the last known working npm cli version.

[ThePletch]

@Raynos This is still definitely a bug, but my team encountered this as well. The issue seems to be related to package-lock.json updating the specification for the dependency in question, but not updating the entry under "node_modules/my_dependency/here": ..., which is how it knows what to actually install.

We were able to get it to update that record by directly calling npm update "my-dependency-name".

[joebnb]

same issue ,and i try delete package-lock.json it will only success at first time

% npm i            
npm ERR! Invalid Version: ^1.13.1

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/never/.npm/_logs/2021-11-17T06_18_46_836Z-debug.log

0 verbose cli [ '/usr/local/bin/node', '/usr/local/bin/npm', 'i' ]
1 info using [email protected]
2 info using [email protected]
3 timing npm:load:whichnode Completed in 0ms
4 timing config:load:defaults Completed in 1ms
5 timing config:load:file:/usr/local/lib/node_modules/npm/npmrc Completed in 1ms
6 timing config:load:builtin Completed in 1ms
7 timing config:load:cli Completed in 1ms
8 timing config:load:env Completed in 1ms
9 timing config:load:file:/Users/never/Documents/workSpace/ces-a1-console/webapp/.npmrc Completed in 1ms
10 timing config:load:project Completed in 1ms
11 timing config:load:file:/Users/never/.npmrc Completed in 1ms
12 timing config:load:user Completed in 1ms
13 timing config:load:file:/usr/local/etc/npmrc Completed in 0ms
14 timing config:load:global Completed in 0ms
15 timing config:load:validate Completed in 2ms
16 timing config:load:credentials Completed in 0ms
17 timing config:load:setEnvs Completed in 1ms
18 timing config:load Completed in 9ms
19 timing npm:load:configload Completed in 9ms
20 timing npm:load:setTitle Completed in 13ms
21 timing npm:load:setupLog Completed in 1ms
22 timing config:load:flatten Completed in 2ms
23 timing npm:load:cleanupLog Completed in 1ms
24 timing npm:load:configScope Completed in 0ms
25 timing npm:load:projectScope Completed in 1ms
26 timing npm:load Completed in 29ms
27 timing arborist:ctor Completed in 0ms
28 timing idealTree:init Completed in 446ms
29 timing idealTree:userRequests Completed in 0ms
30 silly idealTree buildDeps
31 silly fetch manifest underscore@^1.13.0
32 timing arborist:ctor Completed in 0ms
33 http fetch GET 200 http://ei.com/artifactory/api/npm/cbu-npm-public/underscore 717ms (cache revalidated)
34 timing idealTree Completed in 1170ms
35 timing command:i Completed in 1185ms
36 verbose stack TypeError: Invalid Version: ^1.13.1
36 verbose stack     at new SemVer (/usr/local/lib/node_modules/npm/node_modules/semver/classes/semver.js:38:13)
36 verbose stack     at compare (/usr/local/lib/node_modules/npm/node_modules/semver/functions/compare.js:3:32)
36 verbose stack     at Object.gte (/usr/local/lib/node_modules/npm/node_modules/semver/functions/gte.js:2:30)
36 verbose stack     at CanPlaceDep.checkCanPlaceCurrent (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/can-place-dep.js:173:51)
36 verbose stack     at CanPlaceDep.checkCanPlace (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/can-place-dep.js:157:27)
36 verbose stack     at new CanPlaceDep (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/can-place-dep.js:114:26)
36 verbose stack     at PlaceDep.place (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/place-dep.js:121:19)
36 verbose stack     at new PlaceDep (/usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/place-dep.js:71:10)
36 verbose stack     at /usr/local/lib/node_modules/npm/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js:944:31
36 verbose stack     at Array.map (<anonymous>)
37 verbose cwd /Users/never/Documents/workSpace/ces-a1-console/webapp
38 verbose Darwin 21.1.0
39 verbose argv "/usr/local/bin/node" "/usr/local/bin/npm" "i"
40 verbose node v16.13.0
41 verbose npm  v8.1.3
42 error Invalid Version: ^1.13.1
43 verbose exit 1

[jwbrandon]

We are also seeing this so for the now we wrote a prepare script that verifies that the version installed is what was asked for in package.json and it will cause npm install to fail if it isn't. The only reliable way that I have gotten git+ssh packages to update is to remove node_modules and package-lock.json and then do a reinstall.

[wraithgar]

The way to install new versions of dependencies that are referenced by git tag is with npm install <dependency>. See this comment for an explanation: #3755 (comment)

[Raynos]

That's absolutely horrible.

When i install a dependency I run npm install socketsupply/foobar#tag

When any of my coworkers install the dependency they run git pull && npm install.

Forcing my coworkers to loop over every expression in the package.json and run npm install thing#foo is frustrating.

[Raynos]

In all fairness i have worked around this and started doing npm i foo/bar#fullcommitsha because tags & branches have a bad UX.

[ljharb]

I agree; I would expect a bare npm install to always fetch the latest git dep; if i didn't want that, i'd use npm ci.

[Raynos]

I got to the repo and run git show HEAD | head to grab the full commit sha, then I can install that :D