npm package-spec aliases are not handled correctly #859

sjd78 commented May 25, 2023

npm package-spec allows for aliases: https://docs.npmjs.com/cli/v9/using-npm/package-spec?v=true#aliases

This allows a dependency block to look like:

  "dependencies": {
    "string-width": "^5.1.2",
    "string-width-cjs": "npm:string-width@^4.2.0"
  },

The corresponding package-lock.json will then look like:

    "node_modules/@isaacs/cliui": {
      "version": "8.0.2",
      "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
      "integrity": "sha512-O8jcjabXaleOG9DQ0+ARXWZBTfnP4WNAqzuiJK7ll44AmxGKv/J2M4TPjxjY3znBCfvBXFzucm1twdyFybFqEA==",
      "dev": true,
      "dependencies": {
        "string-width": "^5.1.2",
        "string-width-cjs": "npm:string-width@^4.2.0"
      },
      "engines": {
        "node": ">=12"
      }
    },

and the reference then looks like:

    "node_modules/string-width-cjs": {
      "name": "string-width",
      "version": "4.2.3",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz",
      "integrity": "sha512-wKyQRQpjJ0sIp62ErSZdGsjMJWsap5oRNihHhu6G7JVO/9jIB6UyevL+tXuOqrng8j/cxKTWyWUwvSTriiZz/g==",
      "dev": true,
      "dependencies": {
        "emoji-regex": "^8.0.0",
        "is-fullwidth-code-point": "^3.0.0",
        "strip-ansi": "^6.0.1"
      },
      "engines": {
        "node": ">=8"
      }
    },

but cachito is attempting to download string-width-cjs@npm:string-width-4.2.3.tgz which will not exist in npmjs.

Cachito should follow the alias before downloading.
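
The alias resolution requested above, as an added example that is not part of the original issue and is not Cachito's code: it walks a lockfile v2/v3 `packages` map, takes the real package name from the entry's `name` field, and checks that the `resolved` tarball URL belongs to that name. The helper names, the assumption that `name` appears only on aliased entries, and the tarball path convention (taken from the two URLs quoted in the issue) are assumptions.

```python
import json
from urllib.parse import urlparse

# Constructed sample: a lockfile v2/v3 "packages" map trimmed to the two
# entries quoted in the issue (integrity and other fields omitted).
LOCK = json.loads("""
{
  "lockfileVersion": 2,
  "packages": {
    "node_modules/@isaacs/cliui": {
      "version": "8.0.2",
      "resolved": "https://registry.npmjs.org/@isaacs/cliui/-/cliui-8.0.2.tgz",
      "dependencies": {"string-width": "^5.1.2",
                       "string-width-cjs": "npm:string-width@^4.2.0"}
    },
    "node_modules/string-width-cjs": {
      "name": "string-width",
      "version": "4.2.3",
      "resolved": "https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz"
    }
  }
}
""")

def parse_spec(spec):
    """Split 'npm:<name>@<range>' into (name, range); None if not an alias."""
    if not spec.startswith("npm:"):
        return None
    target = spec[4:]
    at = target.find("@", 1)          # skip the leading '@' of a scope
    return (target, "") if at == -1 else (target[:at], target[at + 1:])

def resolve_packages(lock):
    """Map each install path to the real package to fetch, following aliases."""
    out = {}
    for path, entry in lock["packages"].items():
        if not path:                  # "" is the root project itself
            continue
        folder = path.rpartition("node_modules/")[2]
        name = entry.get("name", folder)  # assumption: "name" set only for aliases
        base = name.split("/")[-1]
        expected = f"/{name}/-/{base}-{entry['version']}.tgz"
        out[path] = {
            "name": name,
            "version": entry["version"],
            "alias": folder if folder != name else None,
            "url_matches_name": urlparse(entry["resolved"]).path == expected,
        }
    return out
```

An entry whose `url_matches_name` is false is one where the lockfile's declared name and its download location disagree, which is worth rejecting before the tarball is fetched into a build cache.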

sjd78 added a commit to sjd78/tackle2-ui that referenced this issue May 25, 2023
Downstream builds use an npmjs package caching system called
cachito[1].  It currently does not support dependencies that use
a package-spec alias[2][3].  Downgrading `rimraf` to version `^4.x`
removed any aliases from our `package-lock.json` and should allow
downstream builds to work again.

[1] - https://github.com/containerbuildsystem/cachito
[2] - https://docs.npmjs.com/cli/v9/using-npm/package-spec?v=true#aliases
[3] - containerbuildsystem/cachito#859

Signed-off-by: Scott J Dickerson <sdickers@redhat.com>
ibolton336 pushed a commit to konveyor/tackle2-ui that referenced this issue May 25, 2023
… builds (#937)

@chmeliik
Contributor

Hello and thanks for the bug report.

@taylormadore is currently working on a major refactoring to support v3 package-lock.json: #857. I think this issue will be resolved as part of that, but we'll need to verify.

@sjd78
Author

sjd78 commented Jun 9, 2023

FWIW, depending on rimraf@^5.x will get the aliases included in its dependencies.

@chmeliik
Contributor

Npm v9 support has been released. Aliases are now handled properly in lockfile versions 2 and 3 (npm 7+), but still break in lockfile version 1.

Since your lockfile is version 2, aliases should work now 🎉
