npx unexpectedly uses npm from dependencies #127
Comments
|
Oh interesting. I'd say this is working exactly as designed: I'd argue that this isn't an issue with npx itself, as much as it is an issue with the way npm itself links binaries: the fact that your toplevel In fact, I know other folks have brought up this issue with me before. I'm gonna /cc @iarna 'cause we've definitely talked about dealing with the bin linking in npm, and this seems like, if it's a breaking change, would be a welcome one to have in |
I know that
npxis designed to use binaries from the localnode_modules/.binfolder.Today I stumbled across something where this behavior leaves the user with totally unexpected (or dangerous even) results.
For example restify accidentally added a dev tool called
unleashas a dependency and published that to the registry. Version 6.2.0 of restify now had npm@2 in it's dependency tree, via unleash. (Fixed via restify/node-restify#1522)This caused every script executed by
npxthat uses npm to use npm@2. (Same is true fornpm runapparently: npm/npm#18874)For example calling
npx npm-check -uended up trying to install packages with npm@2, which failed.The same happened for
greenkeeper-lockfileif used through npx: This commandnpx -p greenkeeper-lockfile@1 greenkeeper-lockfile-updatepicked up npm@2 under the hood, and started failing.I imagine similar, or worse, accidents will happen if somehow npm.im/node starts showing up in the dependency tree.
I know this is kind of a hard problem to solve, by the design of
npx, but maybe there should be an additional "opt-in". Would it be possible to changenpxso that it will pick up only top-level dependencies' binaries, or the ones passed via-pcli flag? (At least for npm and node).The text was updated successfully, but these errors were encountered: