[BUG] "npm uninstall" do not remove all files #7427

Closed
2 tasks done
buhtz opened this issue Apr 26, 2024 · 7 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release

Comments

@buhtz

buhtz commented Apr 26, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

I was redirected from: npm/documentation#1072

Using "npm" from Debian stable. I am not familiar with npm and its universe.

I installed an application via

$ npm i https://github.com/vweevers/hallmark

First problem is that this command did create a new folder (node_modules) and two files (package-lock.json and package.json) directly in my current working folder. This is behavior I do not expect from a package manager. From my user's perspective this is a bug. I would expect to get the application installed into the system (like pip(x) does it in the Python universe).

Second problem is that even after installing, the "hallmark" command is not available in my PATH. Don't know how to execute it. What is it that "npm" does when not installing it?

Third problem is that $ npm uninstall hallmark did not remove the three objects from the file system I mention in the first problem.

Expected Behavior

  • Not creating any folder in current working dir by default.
  • Make the package available in PATH by default or warn about it if it is not possible for some reason.
  • Uninstall everything that was installed or created via installation.

Steps To Reproduce

  1. $ npm i https://github.com/vweevers/hallmark
  2. $ npm u hallmark
  3. $ ls -l

Environment

; "builtin" config from /usr/share/nodejs/npm/npmrc

globalignorefile = "/etc/npmignore"
prefix = "/usr/local"

; node bin location = /usr/bin/node
; node version = v18.19.0
; npm local prefix = /home/user
; npm version = 9.2.0
; cwd = /home/user
; HOME = /home/user
; Run `npm config ls -l` to show all defaults.
@buhtz buhtz added Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release labels Apr 26, 2024
@ljharb
Collaborator

ljharb commented Apr 26, 2024

There's a few things to note:

  • npm should come with node, and not be installed with apt (node also should not be installed with apt)
  • you're installing from a URL, instead of from a registry - for this one, you want npm i hallmark
  • npm i installs something locally. local things are not available on your PATH. if you want that, use npm i -g - but global installs are an antipattern, and instead, try npx hallmark

@buhtz
Author

buhtz commented Apr 26, 2024

  • npm should come with node, and not be installed with apt (node also should not be installed with apt)

As upstream you really recommend not to install from the GNU/Linux distro's package repository? This confuses me. Then why are the Debian maintainers investing resources to bring your package into their repo? Installing from upstream (if available via apt) is not the way it goes at Debian.

  • you're installing from a URL, instead of from a registry - for this one, you want npm i hallmark

That is correct and on purpose. Not using 3rd party repositories for security reasons. I do use upstream (if not in Debian) or the Debian repo.

  • npm i installs something locally. local things are not available on your PATH. if you want that, use npm i -g - but global installs are an antipattern, and instead, try npx hallmark

Isn't there an "entry point" for npm packages like python (pip(x)) create them? npx is the npm-shell/-interpreter like python3?

@ljharb
Collaborator

ljharb commented Apr 26, 2024

I understand the way Debian wants to do things; in practice, it doesn't work out very well. Software should only be installed from distribution mechanisms endorsed by the software's maintainers. Virtually no upstreams in the JS ecosystem will recommend, support, or endorse installing from anything but the npm registry.

If you're using github, you're getting much less security than using the npm registry.

npx $package will install the package in a temp dir, and then invoke its binary if it contains one.
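
Added example, not part of the thread or of npm's own code: the comments above contrast installing from a GitHub URL with installing from the npm registry, and the package-lock.json that `npm i` writes records where each package was resolved from and, when present, an integrity hash. This script lists lockfile entries that were not resolved from the default registry or that carry no integrity value; the lockfile object, the `example-*` package names, the version strings and the placeholder hashes are constructed sample data.

```javascript
// Constructed sample in the package-lock.json v2/v3 "packages" layout.
// COMMIT_PLACEHOLDER and sha512-PLACEHOLDER stand in for real values.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo" },
    "node_modules/hallmark": {
      resolved: "git+ssh://git@github.com/vweevers/hallmark.git#COMMIT_PLACEHOLDER",
    },
    "node_modules/example-registry-dep": {
      resolved: "https://registry.npmjs.org/example-registry-dep/-/example-registry-dep-0.0.0.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/example-tarball-dep": {
      resolved: "https://example.invalid/example-tarball-dep.tgz",
      integrity: "sha512-PLACEHOLDER",
    },
    "node_modules/example-linked": { resolved: "../example-linked", link: true },
  },
};

const REGISTRY_HOST = "registry.npmjs.org"; // default public registry

// Classify where a lockfile entry came from, based on its "resolved" field.
function classifySource(entry) {
  if (entry.link) return "link";               // symlink to a local folder
  const r = entry.resolved;
  if (!r) return "unknown";                    // no recorded origin
  if (/^git(\+|:)/.test(r)) return "git";      // git+ssh://, git+https://, git://
  if (r.startsWith("file:")) return "file";
  try {
    return new URL(r).host === REGISTRY_HOST ? "registry" : "remote-tarball";
  } catch {
    return "unknown";                          // not a parseable URL
  }
}

// Return every non-root entry that is not registry-resolved or lacks integrity.
function auditLock(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue;                 // "" is the root project itself
    const source = classifySource(entry);
    const hasIntegrity = typeof entry.integrity === "string" && entry.integrity !== "";
    if (source !== "registry" || !hasIntegrity) findings.push({ path, source, hasIntegrity });
  }
  return findings;
}

console.log(auditLock(SAMPLE_LOCK));
```

To check a real project, pass the parsed contents of its package-lock.json to `auditLock` in place of `SAMPLE_LOCK`.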

@wraithgar
Member

Please fill out Steps To Reproduce otherwise we have no way of reproducing this.

@wraithgar
Member

I am using the latest npm

You are using npm 9 and node 18. Neither of those are the latest.

@wraithgar
Member

First problem is that this command did create a new folder (node_modules) and two files (package-lock.json and package.json) directly in my current working folder. This is behavior I do not expect from a package manager. From my user's perspective this is a bug

Based on this it seems this is not a bug, but a general issue w/ your expectations of npm versus reality. npm install in an empty directory will create a manifest and lockfile by default. This is the package.json and package-lock.json. You told it to install that package in the local folder, not globally.

As Jordan suggested, npx may be what you need, or you can install the package globally with npm i -g. You are highly encouraged to install the package from the npm registry too and not from a git repo.

Closing this as it does not seem there's a bug. If you would like more general discussion around npm and what it does you can check out https://github.com/npm/feedback/discussions

@buhtz
Author

buhtz commented Apr 26, 2024

The issue is less about the behavior of npm but about its verbosity.
If you somehow modify the current working dir you should warn the users about it. Not every user expects it.

About Microsoft GitHub / upstream install vs. 3rd party repository install: Do you have evidence about it? Just for learning.
