[BUG] License is missing for all dependencies in package-lock.json #7384

Status: Closed · 2 tasks done

cyp-v opened this issue Apr 17, 2024 · 3 comments

Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps), Release 10.x

Comments

cyp-v commented Apr 17, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

With any npm version higher than 10.3.0, all of my project's dependency packages are missing their "license" property in package-lock.json.

Packages installed with npm v10.3.0 or below do show their licence type in package-lock.json.

Expected Behavior

The package-lock.json file should state which licence type was chosen for each of my project's dependency packages.

Steps To Reproduce

  • Cloned a Node project where all dependencies had a license type in package-lock.json;
  • Deleted package-lock.json;
  • Deleted the node_modules folder;
  • ran npm cache clean -f;
  • ran npm install

-> All "license" properties had disappeared from the project's package-lock.json.

Environment

  • npm: 10.4.0 or higher (I tried them all)
  • Node.js: 20.12.2 (LTS at this time)
  • OS Name: Windows 10
  • npm config:
; "builtin" config from C:\Users\user\AppData\Roaming\npm\node_modules\npm\npmrc

prefix = "C:\\Users\\cyp-v\\AppData\\Roaming\\npm"

; "user" config from C:\Users\cyp-v\.npmrc

//registry.[company local server]/repository/:_authToken = (protected)
registry = "http://registry.[company local server]/repository/"

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v20.12.2
; npm local prefix = C:\Users\cyp-v\git_repos\[project]
; npm version = 10.3.0
; cwd = C:\Users\cyp-v\git_repos\[project]
; HOME = C:\Users\cyp-v
cyp-v added the Bug, Needs Triage and Release 10.x labels on Apr 17, 2024

wraithgar (Member) commented Apr 26, 2024

I can't reproduce this. The license isn't in the package lock even with npm@10.2.0. I tried with 10.3.0 also.

~/D/n/s/install $ rm -rf package-lock.json node_modules/;npx npm@10.2.0 install

> npx
> npm install


added 3 packages, and audited 4 packages in 653ms

found 0 vulnerabilities
~/D/n/s/install $ cat package.json
{
  "dependencies": {
    "semver": "^7.0.0"
  }
}
~/D/n/s/install $ grep -i license package-lock.json
~/D/n/s/install $ npm view semver license
ISC
~/D/n/s/install $

The license hasn't consistently been in the package lock to the best of my recollection. In fact when we implemented npm query we had to make sure to fetch the manifest because of this, and that was back in npm version 9.

npm 9 also doesn't put the license in the package-lock.

~/D/n/s/install $ rm -rf package-lock.json node_modules/;npx npm@next-9 install

> npx
> npm install


added 3 packages, and audited 4 packages in 3s

found 0 vulnerabilities
~/D/n/s/install $ grep -i license package-lock.json

cyp-v (Author) commented May 2, 2024

Thank you for testing this.

I'm not sure this makes a difference, but you did not clear your npm cache as I did.

Also, what do you mean by "consistently" in "The license hasn't consistently been in the package lock"? In some versions it is present, in others it is not?

lukekarrys added a commit that referenced this issue May 6, 2024

This has the effect of adding licenses back into the lockfiles.
Based on code in shrinkwrap.js and inventory.js, it appears that
lockfiles are supposed to store the license. It's likely that in
practice this behavior has not been consistent due to fetching
of minified manifests and packuments.

I also attempted to remove the license code from shrinkwrap but
that caused many more tests to break. Plus I believe this is the
intended behavior, to have licenses in lockfiles based on bug
reports like #7384
cyp-v (Author) commented May 7, 2024

Thanks @lukekarrys for fixing this! Looking forward to v10.8.0.
