[BUG] Packages from private repository added with version '*' #2934

Closed
Lehks opened this issue Mar 24, 2021 · 10 comments · Fixed by npm/arborist#279
Labels
Bug thing that needs fixing Priority 1 high priority issue Release 7.x work is associated with a specific npm 7 release

Comments

@Lehks

Lehks commented Mar 24, 2021

Current Behavior:

The packages are being added to the dependencies in package.json with the version *.

This worked in npm version 7.6.3. Also, my Nexus Version is not the latest (OSS 3.17.0-01), so I do not expect it to support the latest npm features. However, I would still consider this a bug in npm, since it worked in the previous version and a minor version update should not break backwards-compatibility (according to SemVer).

Expected Behavior:

The packages should be added with a concrete version e.g. ^1.0.0.

Steps To Reproduce:

  • npm install my-package (my-package is hosted in a private Sonar Nexus)
  • The dependency is now added to package.json with version *.

Environment:

  • OS: Ubuntu (WSL 2)
  • Node: v14.16.0
  • npm: 7.7.0
@Lehks Lehks added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels Mar 24, 2021
@darcyclarke darcyclarke added Priority 0 will get attention right away and removed Needs Triage needs review for next steps labels Mar 24, 2021
@wraithgar
Member

wraithgar commented Mar 24, 2021

With no config this is not reproducible. Can you share your npm config by typing npm config list?

There may be a bug with how save-prefix and/or save-exact are interacting, but will need to see your config to be sure.

Also please be sure you are using the latest npm (there have been a few bug releases since 7.7.0)

@Lehks
Author

Lehks commented Mar 25, 2021

The output of npm config list is the following:

; "user" config from /home/lehks/.npmrc

//172.16.102.123:8182/repository/npm-private/:_authToken = "NpmToken.<token>"
//172.16.102.123:8182/repository/npm/:_authToken = "NpmToken.<token>"
registry = "http://172.16.102.123:8182/repository/npm/"

; node bin location = /usr/bin/node
; cwd = /home/lehks/repos/hello-nodejs
; HOME = /home/lehks
; Run `npm config ls -l` to show all defaults.

Also I've just tested again with npm 7.7.4 and the problem still exists.

@wraithgar
Member

I still can't reproduce this w/ the info given. Can you try making a net new project (i.e. npm init -y) and see if installing it there has the same issue?

Are you installing by running npm install itself or are there other flags? Are there any environment variables you have set (i.e. from npm_config_*)

@wraithgar wraithgar added Needs Review Priority 2 secondary priority issue and removed Priority 0 will get attention right away labels Mar 25, 2021
@Lehks
Author

Lehks commented Mar 26, 2021

I have tried setting up a new project and the problems still persist. The commands I executed were:

npm init -y
npm install my-package
npm install express

As before, my-package is from my private registry (express is the regular Express package - I also installed this to test a package from the public Package Registry). my-package is still being installed with version * and express is being installed properly.

There are no other environment variables that affect npm.

@Lehks
Author

Lehks commented Mar 26, 2021

I have also tried doing the same thing on my regular Windows (not inside WSL) and the problem is the same there.

@wraithgar
Member

How is npm being told to pull your package from your registry instead of the npm registry?

@Lehks
Author

Lehks commented Mar 26, 2021

> The output of npm config list is the following:
>
> ; "user" config from /home/lehks/.npmrc
>
> //172.16.102.123:8182/repository/npm-private/:_authToken = "NpmToken.<token>"
> //172.16.102.123:8182/repository/npm/:_authToken = "NpmToken.<token>"
> registry = "http://172.16.102.123:8182/repository/npm/"
>
> ; node bin location = /usr/bin/node
> ; cwd = /home/lehks/repos/hello-nodejs
> ; HOME = /home/lehks
> ; Run `npm config ls -l` to show all defaults.
>
> Also I've just tested again with npm 7.7.4 and the problem still exists.

It is being told through the config parameter

registry = "http://172.16.102.123:8182/repository/npm/"

in the quoted comment.

@wraithgar
Member

May be related to #2844

@wraithgar wraithgar added Priority 1 high priority issue and removed Needs Review Priority 2 secondary priority issue labels Mar 26, 2021
@darcyclarke darcyclarke added this to the OSS - Sprint 28 milestone Apr 14, 2021
@domiSchenk

@wraithgar this also happens if the last or only version is a beta.RC candidate
like with the current Tauri beta release:
npm install @tauri-apps/api


@wraithgar
Member

@domiSchenk Thank you! That unlocked the solution for us, being able to reproduce it. The bug is actually in arborist.reify when it chooses to write the spec back to the package.json; it was seeing if what ended up on disk intersected w/ the spec you asked for (which is * if none is given). But, because there was a semver-prefix range in play, that test was returning false.

We have a fix in flight now and this should be fixed soon and will go out hopefully w/ the next npm cli release.

@wraithgar wraithgar self-assigned this May 6, 2021
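
A check for the symptom reported in this issue, as an added example that is not part of the thread and not npm's own code: it lists dependencies that were saved as `*` and proposes the prefixed version taken from the lockfile. The function names and the sample package.json and lockfile contents are constructed for illustration; it assumes a lockfileVersion 2 `package-lock.json`, the format npm 7 writes.

```javascript
// Added example (not npm's code): find dependencies saved with a wildcard
// spec and propose the range npm would normally write with save-prefix "^".
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];
// Specs that semver treats as "any version".
const WILDCARDS = new Set(['*', '', 'x', 'X']);

// pkg: parsed package.json; lock: parsed package-lock.json (lockfileVersion 2),
// whose "packages" map is keyed by "node_modules/<name>".
function findWildcardDeps(pkg, lock, savePrefix = '^') {
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!WILDCARDS.has(String(spec).trim())) continue;
      const entry = (lock.packages || {})[`node_modules/${name}`];
      findings.push({
        field, name, spec,
        installed: entry ? entry.version : null, // null: not in the lockfile
        suggested: entry ? `${savePrefix}${entry.version}` : null,
      });
    }
  }
  return findings;
}

// Return a copy of pkg with every resolvable wildcard replaced; pkg is untouched.
function applySuggestions(pkg, findings) {
  const copy = JSON.parse(JSON.stringify(pkg));
  for (const f of findings) {
    if (f.suggested) copy[f.field][f.name] = f.suggested;
  }
  return copy;
}

// Constructed sample input mirroring the thread: a private package and a
// prerelease-only package saved as "*", next to a correctly saved one.
const samplePkg = {
  dependencies: { 'my-package': '*', express: '^4.17.1', '@tauri-apps/api': '*' },
};
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/my-package': { version: '1.0.0' },
    'node_modules/express': { version: '4.17.1' },
    'node_modules/@tauri-apps/api': { version: '1.0.0-beta.0' },
  },
};

const sampleFindings = findWildcardDeps(samplePkg, sampleLock);
console.log(sampleFindings);
console.log(applySuggestions(samplePkg, sampleFindings).dependencies);
```

Run in CI after `npm install`, a non-empty findings list is a reason to fail the build, since a `*` spec lets any later version published to the configured registry satisfy the dependency.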