[BUG] npm install includes transitive devDependencies for file: dependencies when install-links=false #6405

Open
2 tasks done
kaksmet opened this issue Apr 28, 2023 · 2 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release

kaksmet commented Apr 28, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

npm install includes transitive devDependencies for file: dependencies when install-links=false.
If install-links=true it does not include the transitive devDependencies.

This behavior started with npm 7; npm 6 and earlier did not include transitive devDependencies for file: dependencies.

Expected Behavior

npm install should not include transitive devDependencies for file: dependencies, regardless of what value install-links has.

Steps To Reproduce

package.json should look like this:

{
    "name": "a",
    "version": "0.0.1",
    "dependencies": {
        "b": "file:b"
    }
}

b/package.json should look like this:

{
    "name": "b",
    "version": "0.0.1",
    "dependencies": {
        "clsx": "*"
    },
    "devDependencies": {
        "typescript": "*"
    }
}

The resulting package-lock.json files will look like this:

npm 9 (install-links=false):

$ npm -v && npm install --package-lock-only --silent && cat package-lock.json
9.6.5
{
    "name": "a",
    "version": "0.0.1",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "a",
            "version": "0.0.1",
            "dependencies": {
                "b": "file:b"
            }
        },
        "b": {
            "version": "0.0.1",
            "dependencies": {
                "clsx": "*"
            },
            "devDependencies": {
                "typescript": "*"
            }
        },
        "node_modules/b": {
            "resolved": "b",
            "link": true
        },
        "node_modules/clsx": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/clsx/-/clsx-1.2.1.tgz",
            "integrity": "sha512-EcR6r5a8bj6pu3ycsa/E/cKVGuTgZJZdsyUYHOksG/UHIiKfjxzRxYJpyVBwYaQeOvghal9fcc4PidlgzugAQg==",
            "engines": {
                "node": ">=6"
            }
        },
        "node_modules/typescript": {
            "version": "5.0.4",
            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.0.4.tgz",
            "integrity": "sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==",
            "dev": true,
            "bin": {
                "tsc": "bin/tsc",
                "tsserver": "bin/tsserver"
            },
            "engines": {
                "node": ">=12.20"
            }
        }
    }
}

npm 9 (install-links=true):

$ npm -v && npm install --package-lock-only --silent --install-links=true && cat package-lock.json
9.6.5
{
    "name": "a",
    "version": "0.0.1",
    "lockfileVersion": 3,
    "requires": true,
    "packages": {
        "": {
            "name": "a",
            "version": "0.0.1",
            "dependencies": {
                "b": "file:b"
            }
        },
        "node_modules/b": {
            "version": "0.0.1",
            "resolved": "file:b",
            "dependencies": {
                "clsx": "*"
            }
        },
        "node_modules/clsx": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/clsx/-/clsx-1.2.1.tgz",
            "integrity": "sha512-EcR6r5a8bj6pu3ycsa/E/cKVGuTgZJZdsyUYHOksG/UHIiKfjxzRxYJpyVBwYaQeOvghal9fcc4PidlgzugAQg==",
            "engines": {
                "node": ">=6"
            }
        }
    }
}

npm 8:

$ npm -v && npm install --package-lock-only --silent && cat package-lock.json
8.19.4
{
    "name": "a",
    "version": "0.0.1",
    "lockfileVersion": 2,
    "requires": true,
    "packages": {
        "": {
            "name": "a",
            "version": "0.0.1",
            "dependencies": {
                "b": "file:b"
            }
        },
        "b": {
            "version": "0.0.1",
            "dependencies": {
                "clsx": "*"
            },
            "devDependencies": {
                "typescript": "*"
            }
        },
        "node_modules/b": {
            "resolved": "b",
            "link": true
        },
        "node_modules/clsx": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/clsx/-/clsx-1.2.1.tgz",
            "integrity": "sha512-EcR6r5a8bj6pu3ycsa/E/cKVGuTgZJZdsyUYHOksG/UHIiKfjxzRxYJpyVBwYaQeOvghal9fcc4PidlgzugAQg==",
            "engines": {
                "node": ">=6"
            }
        },
        "node_modules/typescript": {
            "version": "5.0.4",
            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.0.4.tgz",
            "integrity": "sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==",
            "dev": true,
            "bin": {
                "tsc": "bin/tsc",
                "tsserver": "bin/tsserver"
            },
            "engines": {
                "node": ">=12.20"
            }
        }
    },
    "dependencies": {
        "b": {
            "version": "file:b",
            "requires": {
                "clsx": "*",
                "typescript": "*"
            }
        },
        "clsx": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/clsx/-/clsx-1.2.1.tgz",
            "integrity": "sha512-EcR6r5a8bj6pu3ycsa/E/cKVGuTgZJZdsyUYHOksG/UHIiKfjxzRxYJpyVBwYaQeOvghal9fcc4PidlgzugAQg=="
        },
        "typescript": {
            "version": "5.0.4",
            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.0.4.tgz",
            "integrity": "sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==",
            "dev": true
        }
    }
}

npm 7:

$ npm -v && npm install --package-lock-only --silent && cat package-lock.json
7.24.2
{
    "name": "a",
    "version": "0.0.1",
    "lockfileVersion": 2,
    "requires": true,
    "packages": {
        "": {
            "name": "a",
            "version": "0.0.1",
            "dependencies": {
                "b": "file:b"
            }
        },
        "b": {
            "version": "0.0.1",
            "dependencies": {
                "clsx": "*"
            },
            "devDependencies": {
                "typescript": "*"
            }
        },
        "node_modules/b": {
            "resolved": "b",
            "link": true
        },
        "node_modules/clsx": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/clsx/-/clsx-1.2.1.tgz",
            "integrity": "sha512-EcR6r5a8bj6pu3ycsa/E/cKVGuTgZJZdsyUYHOksG/UHIiKfjxzRxYJpyVBwYaQeOvghal9fcc4PidlgzugAQg==",
            "engines": {
                "node": ">=6"
            }
        },
        "node_modules/typescript": {
            "version": "5.0.4",
            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.0.4.tgz",
            "integrity": "sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==",
            "dev": true,
            "bin": {
                "tsc": "bin/tsc",
                "tsserver": "bin/tsserver"
            },
            "engines": {
                "node": ">=12.20"
            }
        }
    },
    "dependencies": {
        "b": {
            "version": "file:b",
            "requires": {
                "clsx": "*",
                "typescript": "*"
            }
        },
        "clsx": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/clsx/-/clsx-1.2.1.tgz",
            "integrity": "sha512-EcR6r5a8bj6pu3ycsa/E/cKVGuTgZJZdsyUYHOksG/UHIiKfjxzRxYJpyVBwYaQeOvghal9fcc4PidlgzugAQg=="
        },
        "typescript": {
            "version": "5.0.4",
            "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.0.4.tgz",
            "integrity": "sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==",
            "dev": true
        }
    }
}

npm 6:

$ npm -v && npm install --package-lock-only --silent && cat package-lock.json
6.14.18
added 2 packages and audited 2 packages in 0.442s
found 0 vulnerabilities

{
    "name": "a",
    "version": "0.0.1",
    "lockfileVersion": 1,
    "requires": true,
    "dependencies": {
        "b": {
            "version": "file:b",
            "requires": {
                "clsx": "*"
            }
        },
        "clsx": {
            "version": "1.2.1",
            "resolved": "https://registry.npmjs.org/clsx/-/clsx-1.2.1.tgz",
            "integrity": "sha512-EcR6r5a8bj6pu3ycsa/E/cKVGuTgZJZdsyUYHOksG/UHIiKfjxzRxYJpyVBwYaQeOvghal9fcc4PidlgzugAQg=="
        }
    }
}

Environment

  • npm: 9.6.5
  • Node.js: 18.16.0
  • OS Name: macOS 13.3.1
  • System Model Name: MacBook Air
  • npm config:
; node bin location = /Users/foobar/.nvm/versions/node/v18.16.0/bin/node
; node version = v18.16.0
; npm local prefix = /Users/foobar/src/npm-link-test
; npm version = 9.6.5
; cwd = /Users/foobar/src/npm-link-test
; HOME = /Users/foobar
; Run `npm config ls -l` to show all defaults.
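
A check for the behaviour reported above, as an added example that is not part of the original issue and not npm's own code: it walks the `packages` map of a lockfileVersion 2/3 lockfile and reports devDependencies of linked `file:` packages that were locked into the tree. The function name `findLinkedDevDeps` and the two sample objects are hypothetical; the samples are the issue's npm 9 lockfiles with the integrity, bin and engines fields trimmed.

```javascript
// Added example (not npm's code): report devDependencies of linked file:
// packages that ended up in a lockfileVersion 2/3 "packages" map.
function findLinkedDevDeps(lock) {
  const packages = lock.packages || {};
  const root = packages[""] || {};
  const rootDeclared = { ...root.dependencies, ...root.devDependencies, ...root.optionalDependencies };
  const findings = [];
  for (const [location, entry] of Object.entries(packages)) {
    if (!entry.link) continue; // only symlinked file: dependencies
    const target = packages[entry.resolved]; // source entry, e.g. "b"
    if (!target || !target.devDependencies) continue;
    for (const name of Object.keys(target.devDependencies)) {
      if (name in rootDeclared) continue; // the root project asked for it itself
      // The package may be nested under the link target or hoisted to the root.
      // Limitation: a hoisted copy could also be required by another dependency.
      const candidates = [`${entry.resolved}/node_modules/${name}`, `node_modules/${name}`];
      const lockedAt = candidates.find((key) => key in packages);
      if (lockedAt) {
        findings.push({ link: location, target: entry.resolved, name, lockedAt, version: packages[lockedAt].version });
      }
    }
  }
  return findings;
}

// Constructed sample: npm 9.6.5 output with install-links=false (trimmed).
const lockInstallLinksFalse = {
  lockfileVersion: 3,
  packages: {
    "": { name: "a", version: "0.0.1", dependencies: { b: "file:b" } },
    "b": { version: "0.0.1", dependencies: { clsx: "*" }, devDependencies: { typescript: "*" } },
    "node_modules/b": { resolved: "b", link: true },
    "node_modules/clsx": { version: "1.2.1" },
    "node_modules/typescript": { version: "5.0.4", dev: true },
  },
};
// Constructed sample: npm 9.6.5 output with install-links=true (trimmed).
const lockInstallLinksTrue = {
  lockfileVersion: 3,
  packages: {
    "": { name: "a", version: "0.0.1", dependencies: { b: "file:b" } },
    "node_modules/b": { version: "0.0.1", resolved: "file:b", dependencies: { clsx: "*" } },
    "node_modules/clsx": { version: "1.2.1" },
  },
};
console.log(findLinkedDevDeps(lockInstallLinksFalse));
console.log(findLinkedDevDeps(lockInstallLinksTrue));
```

In CI, the same function can be fed the parsed contents of `package-lock.json`, failing the job when the returned array is non-empty.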

kaksmet commented May 9, 2023

Was the changed behavior in npm 7 intended? I can't find anything about it in the changelog.

Is there anything I can do to prevent b's devDependencies from being included in package-lock.json? (other than using --install-links=true)


kaksmet commented Jun 9, 2023

Can I do anything to help move this issue forward?
Do you need more information?
Should I create a repository for reproducing the described behavior?
