
[BUG] fullMetadata vs. local packages vs. cache #307

Closed
1 task done
HeikoStudt opened this issue Aug 29, 2023 · 2 comments
Labels
Bug thing that needs fixing Needs Triage needs an initial review

Comments

@HeikoStudt

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

Using the defaults (i.e. npm install without options) and resulting in a registry lookup, pacote downloads the absolute minimum of metadata (i.e. corgi v1) from npmjs.com. This behavior can be modified via the options fullMetadata or before, with only the latter passed by npmcli currently.
i.e.: pacote manifest luxon vs pacote manifest luxon --fullMetadata

Anyways, if the package.json was found locally in the node_modules folder (type file, directory, git, ...), pacote results in the full set of metadata (but without any resolve information ("resolved", "integrity")).
i.e.: pacote manifest file:node_modules/luxon

Why does this all matter?
Reference: npm/cli#5532
a) Npmcli is storing result of pacote into its package-lock.json and will not resolve the metadata again
b) the "license" metadata is not included in v1 corgi
c) internally, npmcli regards the "license" field to be worthy for the package-lock file and does not know that it was filtered
d) the external tooling is trying to get the license field from the package-lock.json
e) To make matters worse, if one is removing the two existing package-lock files without removing the node_modules folder with its package.json files, the resulting package-lock file will differ. It will not contain resolved/integrity information but the license data.
f) Even more confusing: if I try to resolve into a version of a date (utilizing --before), pacote will download the full metadata and therefore the package-lock file will include the license information including resolved and integrity information.

I can imagine that pacote wants to reduce the load of npmjs.com and therefore reduces the amount to download as much as possible. Utilizing the modern package-lock within npmcli, node_modules folder and cacache, this is probably not the best default anymore.

Expected Behavior

In pacote: reducing to minimum set of metadata also for locally found packages.
Perhaps it should include the resolved/integrity information regardless.
Perhaps minimize the metadata even for --before (however, this is documented).

Either in pacote or npmcli:
Always download the full metadata by default, so that e.g. the license-field is populated within package-lock.json
I am not sure whether this behavioral change should be done in npmcli or pacote as npmcli could simply add the fullMetadata opt.
This reduces the confusion and will result into correct and fully populated package-lock files.

Steps To Reproduce

Pacote

  1. Simple package.json file (does not matter)
  2. Run npm install luxon
  3. pacote manifest luxon results in metadata without "license" for luxon
  4. pacote manifest luxon --fullMetadata results in full metadata including "license" for luxon
  5. pacote manifest file:node_modules/luxon results in full metadata including "license" for luxon without integrity + resolved

NPM

  1. Simple package.json file (does not matter)
  2. Run npm install luxon
  3. package-lock.json contains NO "license" information, contains also integrity + resolved
  4. rm package-lock.json node_modules/.package-lock.json
  5. npm install
  6. package-lock.json contains "license" information, contains NO integrity + resolved
  7. rm -r package-lock.json node_modules/
  8. npm install --before=2050-01-01
  9. package-lock.json contains "license" information, contains also integrity + resolved

Environment

  • npm: 9.2.0
  • Node: v18.13.0
  • OS: Debian Bookworm
  • platform: x86
@HeikoStudt HeikoStudt added Bug thing that needs fixing Needs Triage needs an initial review labels Aug 29, 2023
@mbtools
Contributor

mbtools commented Nov 22, 2024

Since 10.8.0, the license is included in package-lock.json (npm/cli#7475).

Close?

@wraithgar
Member

npm always downloads the full metadata now, due to the minified packuments missing the libc field.
