Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

npm ci validates package-lock.json and could fail to resolve #5113

Closed
fritzy opened this issue Jun 30, 2022 · 0 comments
Closed

npm ci validates package-lock.json and could fail to resolve #5113

fritzy opened this issue Jun 30, 2022 · 0 comments

Comments

@fritzy
Copy link
Contributor

fritzy commented Jun 30, 2022
edited

What and Why

Starting in npm@8.6.0, the npm ci command validates that the package-lock.json is consistent with the developer defined package.json. Previously, npm ci would blindly install whatever was in the lock file. We implemented this bugfix for several reasons.

  • overrides defined in the package.json could be ignored
  • invalid trees, including unresolvable peer dependencies would be installed
  • developer configuration options were ignored
  • an attacker could make subtle changes to package-lock.json

Implementing this fix resolves an entire class of bugs where invalid dependency trees are installed. As a result, a number of CI workflows started producing errors rather than install invalid dependency trees. This has been a controversial fix.

Ways That npm ci Validation Can Fail

  • different configuration between npm install and npm ci like --legacy-peer-deps or --force
  • manually edited package-lock.json files
  • edits to the package.json like changed deps and overrrides without generating a new package-lock.json with npm install
  • an npm install bug that produced an incorrect tree or incorrect package-lock.json in a previous version

Resolving Your Project

In some cases, simply generating a new package-lock.json with npm install will fix the issue, depending the reason the package-lock.json is out of sync with your package.json.

If you're using --legacy-peer-deps with npm install, make sure you also use it with npm ci, perhaps by setting it in your .npmrc.

More complicated cases involve incorrectly resolved peer dependencies. This is common when using React 18, as many packages have semver ranges not including react@18, but still happen to mostly work. This is best resolved through package.json overrides.

Discussions and References

Next Steps

If you find a bug related to npm ci validation of package-locks.json beyond what is covered above, please file a bug report.

If you would like to suggest changes, please use our RFC process. You can create an RRFC, or participate in discussions on that repo.
@npm npm locked as resolved and limited conversation to collaborators Jun 30, 2022
@fritzy fritzy pinned this issue Jun 30, 2022
@fritzy fritzy closed this as completed Jun 30, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@fritzy