
[BUG] Installing newer version from git doesn't update package lock nor node modules #3333


Closed
1 task done
Goues opened this issue May 29, 2021 · 1 comment
Labels
Bug thing that needs fixing Release 7.x work is associated with a specific npm 7 release

Comments

@Goues

Goues commented May 29, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have a module installed from git with a specific version (git tag). Updating that module to a newer version updates only package.json and dependencies in package-lock.json but not the version URL in the package lock, resulting in having an incorrect version in the node modules directory.

This is what my package.json looks like before updating:

{
  "dependencies": {
    "internal-package": "git+https://<redacted>@bitbucket.org/<redacted>/internal-package.git#v3.1.7"
  }
}

This is what my package-lock.json looks like before updating:

{
  "@swp/components": {
      "version": "internal-package@git+https://<redacted>@bitbucket.org/<redacted>/internal-package.git#<hash_of_v3.1.7>",
      "from": "internal-package@git+https://<redacted>@bitbucket.org/<redacted>/internal-package.git#v3.1.7"
  }
}

After updating with npm install -S "git+https://<redacted>@bitbucket.org/<redacted>/internal-package.git#v4.0.0", they become:

{
  "dependencies": {
    "internal-package": "git+https://<redacted>@bitbucket.org/<redacted>/internal-package.git#v4.0.0"
  }
}

and

{
  "internal-package": {
      "version": "internal-package@git+https://<redacted>@bitbucket.org/<redacted>/internal-package.git#<hash_of_v3.1.7>",
      "from": "internal-package@git+https://<redacted>@bitbucket.org/<redacted>/internal-package.git#v4.0.0"
  }
}

As you can see here, the hash of the commit tagged as v3.1.7 stayed in the version field, and that is the version that is in the end installed in node modules.

This setup was fully working on npm6 and only started failing on npm7.

Expected Behavior

Package lock is updated correctly and the right version is installed.

Steps To Reproduce

  1. Have internal packages installed from git
  2. Update them
  3. Observe issue

Environment

  • OS: MacOS 11.4
  • Node: 14.16
  • npm: 7.7.5
@Goues Goues added Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release labels May 29, 2021
@ruyadorno
Contributor

ruyadorno commented Mar 2, 2022

Hi @Goues, thank you for taking the time to submit this issue. I believe this has been fixed in a past release of the npm cli and it works as expected in the current version (npm@8.5.2 at the time of writing).

I ran a quick reproduction and it seems to work as expected:

$ mkdir 3333-git-repo-dep-lockfile-entry-issue && cd 3333-git-repo-dep-lockfile-entry-issue
$ npm init -y
$ npm i git+https://github.com/npm/abbrev-js.git#v1.0.4

Which gives me the following setup:

commit ec64ce6cc0b85025ba13f545e947117c5e9362ff
Author: Ruy Adorno <ruyadorno@hotmail.com>
Date:   Wed Mar 2 14:49:38 2022 -0500

    Initial commit

diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..3c3629e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+node_modules
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..bb662dd
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,27 @@
+{
+  "name": "3333-git-repo-dep-lockfile-entry-issue",
+  "version": "1.0.0",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "name": "3333-git-repo-dep-lockfile-entry-issue",
+      "version": "1.0.0",
+      "license": "MIT",
+      "dependencies": {
+        "abbrev": "github:npm/abbrev-js#v1.0.4"
+      }
+    },
+    "node_modules/abbrev": {
+      "version": "1.0.4",
+      "resolved": "git+ssh://git@github.com/npm/abbrev-js.git#1ce81404a57d87662f1a93be23a389ead514f7a6",
+      "license": "MIT"
+    }
+  },
+  "dependencies": {
+    "abbrev": {
+      "version": "git+ssh://git@github.com/npm/abbrev-js.git#1ce81404a57d87662f1a93be23a389ead514f7a6",
+      "from": "abbrev@git+https://github.com/npm/abbrev-js.git#v1.0.4"
+    }
+  }
+}
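
Review bot: in the `node_modules/abbrev` entry, `resolved` is a `git+ssh://git@github.com/...` URL even though the `from` field in the legacy `dependencies` block shows the dependency was requested over `git+https://`. The pin is a full 40-character commit SHA, which is the part that fixes the content, but the entry carries no `integrity` field, so that SHA is the only thing tying the install to specific code. It is worth confirming that an install from this lockfile still works on a machine that has no SSH key for github.com.
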
diff --git a/package.json b/package.json
new file mode 100644
index 0000000..6129baf
--- /dev/null
+++ b/package.json
@@ -0,0 +1,15 @@
+{
+  "name": "3333-git-repo-dep-lockfile-entry-issue",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo /"Error: no test specified/" && exit 1"
+  },
+  "keywords": [],
+  "author": "Ruy Adorno <ruyadorno@hotmail.com> (https://ruyadorno.com/)",
+  "license": "MIT",
+  "dependencies": {
+    "abbrev": "github:npm/abbrev-js#v1.0.4"
+  }
+}
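
Review bot: in the `scripts.test` line the inner quotes appear as `/"` rather than `\"`, so as shown this file is not valid JSON and would not parse. The line should read `"test": "echo \"Error: no test specified\" && exit 1"` if anyone copies this reproduction.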

Once I update the dependency to a different version:

$ npm i git+https://github.com/npm/abbrev-js.git#v1.1.1

You can see the lock file hash was updated as expected:

diff --git a/package-lock.json b/package-lock.json
index bb662dd..c9fc3c6 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -9,19 +9,19 @@
       "version": "1.0.0",
       "license": "MIT",
       "dependencies": {
-        "abbrev": "github:npm/abbrev-js#v1.0.4"
+        "abbrev": "github:npm/abbrev-js#v1.1.1"
       }
     },
     "node_modules/abbrev": {
-      "version": "1.0.4",
-      "resolved": "git+ssh://git@github.com/npm/abbrev-js.git#1ce81404a57d87662f1a93be23a389ead514f7a6",
-      "license": "MIT"
+      "version": "1.1.1",
+      "resolved": "git+ssh://git@github.com/npm/abbrev-js.git#a9ee72ebc8fe3975f1b0c7aeb3a8f2a806a432eb",
+      "license": "ISC"
     }
   },
   "dependencies": {
     "abbrev": {
-      "version": "git+ssh://git@github.com/npm/abbrev-js.git#1ce81404a57d87662f1a93be23a389ead514f7a6",
-      "from": "abbrev@git+https://github.com/npm/abbrev-js.git#v1.0.4"
+      "version": "git+ssh://git@github.com/npm/abbrev-js.git#a9ee72ebc8fe3975f1b0c7aeb3a8f2a806a432eb",
+      "from": "abbrev@git+https://github.com/npm/abbrev-js.git#v1.1.1"
     }
   }
 }
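
Review bot: the `license` line under `node_modules/abbrev` changes from MIT to ISC together with the tag bump, and that deserves an explicit look before the update is accepted, since nothing else in the change calls it out. On the pin itself, `resolved` and the legacy `dependencies.abbrev.version` both move to the same new commit (`a9ee72e...`) in step with the `from` tag, unlike the report above where the hash stayed at the old value.
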
diff --git a/package.json b/package.json
index 6129baf..8f6a90d 100644
--- a/package.json
+++ b/package.json
@@ -10,6 +10,6 @@
   "author": "Ruy Adorno <ruyadorno@hotmail.com> (https://ruyadorno.com/)",
   "license": "MIT",
   "dependencies": {
-    "abbrev": "github:npm/abbrev-js#v1.0.4"
+    "abbrev": "github:npm/abbrev-js#v1.1.1"
   }
 }
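
Review bot: the `abbrev` spec here is the tag `v1.1.1`, and a git tag can be moved upstream after the fact, so package.json alone does not fix what gets installed. Only the commit SHA in package-lock.json does; keep the lockfile committed and install from it with `npm ci`, or put the full commit SHA after the `#` if the spec itself has to be immutable.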

I'm going to close this issue as it seems to be working as expected (using npm@8.5.2, the current version of the npm cli at the time of writing; I also validated that the correct version was installed in node_modules), but please feel free to open a new one in case you still run into this issue. In case you do, using a minimal template such as the example I just provided above helps a lot in order for us to track down the exact root cause.

Thanks again!

@ruyadorno ruyadorno removed the Needs Triage needs review for next steps label Mar 2, 2022
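
The failure reported in this thread (the `from` ref moves to the new tag while the pinned commit in `version` stays put) can be caught offline by comparing the lockfile before and after an update. The following is an added example, not code from npm or from either participant; the function names are hypothetical, and the sample lockfile fragments are constructed from the abbrev reproduction above.

```javascript
// Added example (not npm's code). Sample lockfile fragments are constructed
// from the abbrev reproduction in this thread.
const isGit = (s) => typeof s === 'string' && /(^|@)git\+/.test(s);
const afterHash = (s) => (s && s.includes('#') ? s.slice(s.lastIndexOf('#') + 1) : null);

// Collect { ref, commit } for every git dependency in the legacy
// "dependencies" block (present in lockfileVersion 1 and 2).
function gitPins(lock) {
  const pins = new Map();
  for (const [name, entry] of Object.entries(lock.dependencies || {})) {
    if (!isGit(entry.version)) continue;
    pins.set(name, { ref: afterHash(entry.from), commit: afterHash(entry.version) });
  }
  return pins;
}

// Compare two lockfiles; report pins that look stale or are not a full SHA.
function findStalePins(oldLock, newLock) {
  const before = gitPins(oldLock);
  const findings = [];
  for (const [name, now] of gitPins(newLock)) {
    const was = before.get(name);
    if (!/^[0-9a-f]{40}$/.test(now.commit || '')) {
      findings.push({ name, problem: 'commit-not-full-sha', ...now });
    } else if (was && was.ref !== now.ref && was.commit === now.commit) {
      findings.push({ name, problem: 'ref-changed-commit-unchanged', ...now });
    }
  }
  return findings;
}

const repo = 'github.com/npm/abbrev-js.git';
const lock = (tag, sha) => ({
  dependencies: {
    abbrev: {
      version: `git+ssh://git@${repo}#${sha}`,
      from: `abbrev@git+https://${repo}#${tag}`,
    },
  },
});
const OLD_SHA = '1ce81404a57d87662f1a93be23a389ead514f7a6';
const NEW_SHA = 'a9ee72ebc8fe3975f1b0c7aeb3a8f2a806a432eb';
const oldLock = lock('v1.0.4', OLD_SHA);
const goodLock = lock('v1.1.1', NEW_SHA);  // shape produced by npm@8.5.2 above
const staleLock = lock('v1.1.1', OLD_SHA); // constructed: the reported failure shape

console.log(findStalePins(oldLock, goodLock));
console.log(findStalePins(oldLock, staleLock));
```

Two tags can legitimately point at the same commit, so a `ref-changed-commit-unchanged` finding is a prompt to check the remote (for example with `git ls-remote`), not proof of a stale pin.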