Skip to content
This repository has been archived by the owner on Apr 6, 2023. It is now read-only.

Can no longer be installed due to npm-shrinkwrap 5.4.0 dependency #22

Closed
Mr0grog opened this issue Mar 24, 2016 · 10 comments
Closed

Can no longer be installed due to npm-shrinkwrap 5.4.0 dependency #22

Mr0grog opened this issue Mar 24, 2016 · 10 comments

Comments

@Mr0grog
Copy link

Mr0grog commented Mar 24, 2016

I’ve just started working on a project that uses metalsmith-concat and can’t seem to install it because of the dependency on npm-shrinkwrap 5.4.0. That version of shrinkwrap depends on an older version of read-json that is no longer available (not sure if any relation to Azer Koçulu unpublishing of a bunch of modules yesterday, read-json among them).

At any rate, npm-shrinkwrap 5.4.1 appears to no longer depend on read-json and is installable for me. So I think the issue would be resolved by simply bumping the dependency up to 5.4.1 in package.json.

@Mr0grog
Copy link
Author

Mr0grog commented Mar 24, 2016

I guess you’d also have to update in npm-shrinkwrap.json, too. (As a side note, why are the dev dependencies shrinkwrapped?)

Mr0grog added a commit to stellar-deprecated/developers that referenced this issue Mar 24, 2016
This isn't great, but is necessary because of metalsmith-concat dependency problem (aymericbeaumet/metalsmith-concat#22). Hopefully it will be fixed and we can remove the note.
@askogrand
Copy link

Installing with --no-shrinkwrap is the safest, quickest way around this. Otherwise, yes, this library is currently broken.

Mr0grog added a commit to Mr0grog/metalsmith-concat that referenced this issue Mar 28, 2016
…uild shrinkwrap file.

NPM 2 has been shipping with Node.js since v0.11.14 in late 2014, so it seems save to move up to shrinkwrap 200.x, which is for NPM 2+.
Fixes aymericbeaumet#22.
@aymericbeaumet
Copy link
Owner

thanks for the heads-up, should now be fixed, reopen if needed!

@Mr0grog
Copy link
Author

Mr0grog commented Mar 28, 2016

@aymericbeaumet Thanks!

I know it’s slightly out-of-scope for this issue, but can I ask why all the dev dependencies are shrinkwrapped? There are only 4 dependencies for a consumer of the library, but the shrinkwrap file lists 267 dependencies, which is a lot more to pull down when someone tries to npm install an app that uses this.

@aymericbeaumet
Copy link
Owner

i don't think the dev dependencies are being included in the shrinkwrap

$ npm shrinkwrap
npm WARN shrinkwrap Excluding devDependency: [email protected] { minimatch: '3.0.0' }
npm WARN shrinkwrap Excluding devDependency: [email protected] { minimatch: '3.0.0' }
npm WARN shrinkwrap Excluding devDependency: [email protected] { minimatch: '3.0.0' }
npm WARN shrinkwrap Excluding devDependency: [email protected] { minimatch: '3.0.0' }
npm WARN shrinkwrap Excluding devDependency: [email protected] { minimatch: '3.0.0' }
wrote npm-shrinkwrap.json

the file lists 267 dependencies because it includes all the dependencies (recursively, down to the last one)

$ npm shrinkwrap --dev
$ git diff | wc -l
     548

@Mr0grog
Copy link
Author

Mr0grog commented Mar 29, 2016

Well, just looking at: https://github.com/aymericbeaumet/metalsmith-concat/blob/master/npm-shrinkwrap.json

And if you look into minimatch, the only non-dev dependency, it only has one dependency: https://github.com/isaacs/minimatch/blob/v3.0.0/package.json
Which is brace-expansion, which has two dependencies: https://github.com/juliangruber/brace-expansion/blob/v1.1.3/package.json
Which are balanced-match and concat-map, each of which have no dependecies:
https://github.com/juliangruber/balanced-match/blob/v0.3.0/package.json
https://github.com/substack/node-concat-map/blob/0.0.1/package.json

…so there should only be 4 modules in npm-shrinkwrap.json if it doesn’t include any dev dependencies.

There are clearly a lot more things than that listed in the file.

@Mr0grog
Copy link
Author

Mr0grog commented Mar 29, 2016

npm-remote-ls is also a helpful tool for this kind of stuff:

npm-remote-ls [email protected] --development false

@Mr0grog
Copy link
Author

Mr0grog commented Mar 29, 2016

Also, I’d venture a guess that you’re tripping over the same problem I was when I tried to do this in my PR—it’s easiest if you blow away your shrinkwrap file before regenerating; it can screw up the generation of a new one. That’s why I had a second commit that modified the shrinkwrap file again: f0ce590

@aymericbeaumet
Copy link
Owner

i see, npm install --production && npm shrinkwrap solved the issue. thanks for noticing!

@Mr0grog
Copy link
Author

Mr0grog commented Mar 30, 2016

No problem :)

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants