-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] npm ci still does not work with overrides correctly #4942
Comments
I just upgraded npm from 8.5.0 to 8.12.1 and I'm getting the same errors. Removing package-lock.json, deleting node_modules, and rerunning
|
Running |
Oh interesting, perhaps this will be solved with #4859 then? 🤔 for now I've just kept using npm 8.5.5 and the package-lock generated with that version, it works with my specific dependencies at least, I'll try out if |
could you elaborate how Still results in vulnerabilities being installed with the 2nd npm install command, which to me indicates that the |
|
I've experienced this with npm v8.11.0 as well |
The issue as I've encountered is when I've tried to pass in a range that I'd like to override. For example: "overrides": {
"got@<11.8.5": "11.8.5",
"got@>=12.0.0 <12.1.0": "12.1.0"
} The above will fail. In looking at the generated "package-json": {
"version": "6.5.0",
"resolved": "<snip>",
"integrity": "<snip>",
"dev": true,
"requires": {
"got": "^9.6.0",
"registry-auth-token": "^4.0.0",
"registry-url": "^5.0.0",
"semver": "^6.2.0"
}
} However, if I do this in the "overrides": {
"[email protected]": {
"got": "11.8.5"
}
} The entry in the "package-json": {
"version": "6.5.0",
"resolved": "<snip>",
"integrity": "<snip>",
"dev": true,
"requires": {
"got": "11.8.5",
"registry-auth-token": "^4.0.0",
"registry-url": "^5.0.0",
"semver": "^6.2.0"
}
}, |
I was using
So, specifying the package but not the version. So I may give this a try |
The second npm install seems to ignore the overrides, so no solution for me |
Do the overrides actually work? Doing an
Still ends up with an install of [email protected] |
Double |
Double |
The problem persists with npm 8.17.0
(1 vulnerability has been introduced since this issue for the repo mentioned in the description of this issue: https://github.com/jchiem/npm-overrides-bug) |
* Make a terrible rxdb implementation * Fix issues with updating patients * Style fixes * Small fixes * Lay groundwork for GraphQL sync * Add push replication * Fix bug with unknown consult entity * Change uid to id, connect RxDB pull * Fix issues with push-replication, DOB field * Fix a few errors * Fix serialization issues * Never lose a patient again * Fix deletedAt * Fix enums... again * !!Fix vulnerabilities (includes run of npm update) * Fix npm CI(?) * roll back node version for CD npm/cli#4942 * whoops wrong version * Fix frontend tests * Refactor for readability * Fix issues * Automatically select first tab where available * Add required fields * Ugly hack to reduce traffic * match project file structure * fix nitpick * match project file structure * Fix error with patient ordering in feed * move usePatients hook Co-authored-by: Jackson Chadfield <[email protected]>
I've ran some more tests regarding this and found that it seems to be specifically when Writing it without the |
Facing similar issue, specifying version without |
is this issue fixed in any latest npm versions ? |
I tested [email protected] and [email protected] today and am still seeing this issue that i'm pretty sure is related to the issues brought up here. |
I believe my team is seeing this in |
i had the same problem, was overrding untill i had to remove on which when i did |
This works for me (npm 9.5.1). Here is how I did:
Do not use "$" dollar sign as a version reference from your dependencies or devDependencies. Currently, |
Switching from legacy yarn back to npm on a large project and getting burned by this one, not particularly sure how to proceed. |
I am dealing with the same issue. My application stopped running on docker in the google cloud build. Using |
Still experiencing this issue with |
Still experiencing this issue with I believe it has to be changes in v8.6.0 release that have caused this regression: |
Experiencing this issue too. |
I had this issue with nodejs 20.11.1 and npm 10.2.4. Had to double |
We are experiencing the same issue. Using |
@petruki What is the purpose of your reply? I ask, because I don't want anyone to be confused by your comment and think there is any type of work around for any OP here because there is not. This issue is actually ridiculous, it is a fundamental failure. When a user declares overrides and runs npm ci, any version of npm > 8.5.5 borks out. |
@Sweetog , oh, sorry my friend, I didn't mean to expose any hack for this issue. I just wanted to share what worked for me and perhaps help someone who cannot wait for a fix. I removed the reply anyway as you may be right. Thanks for the advice. 😉 |
It looks like this issue is over 2 years old. Are there any plans to fix it? |
Is there an existing issue for this?
This issue is related to:
#4684, #4732, #4732
This issue exists in the latest npm version
Current Behavior
The release of
[email protected]
has made a fix for the aforementioned issues, but the same error occurs in my example repository on[email protected]
, and for any version above8.6.0
for that matter, I tested #4732 with 8.7.0 and the error presented in that specific issue is resolved with any newer version of npm.The bug is that if
npm ci
is used with certain dependencies and override combination the following error occurs:This happens with any version of npm above
8.5.5
, if 8.5.5 is used the error does not occur.Furthermore, if you follow the instruction provided in the error to run
npm install
the security vulnerabilities that were originally resolved with the"overrides"
are restored and the package-lock is updated. If you runnpm ci
after that the overrides are still not taken into consideration, so the overrides have been ignored.I've set up a repository where the behavior is described in more detail which is listed under Steps To Reproduce
Expected Behavior
With
npm ci
I expect that the latest version ofnpm
is able to usenpm ci
with the defined"overrides"
without errors.With
npm install
ornpm install --package-lock-only
I expect that the"overrides"
configured are still respected and the package-lock is not updated and ignoring the overrides.Steps To Reproduce
To test this do the following:
npm 8.6.0
or greater installed (bug occurs for any version above 8.5.5)git clone [email protected]:jchiem/npm-overrides-bug.git
npm ci
npm install
ornpm install --package-lock-only
For Step 2 you should get an error like:
For Step 3, it results in no errors, but the package-lock is updated and the node modules installed were done without overrides since security vulnerabilities that should have been resolved using the
"overrides"
inpackage.json
are no longer 0.If you run npm ci at this point, the installed packages retain the vulnerabilities from Step 3's
npm install
and the `"overrides" are ignored.Environment
npm: version above 8.5.5 (for example, 8.6.0 or 8.10.0)
Node.js: 16.14.2
OS Name: mac OS 12.3.1 (Monterey)
System Model Name: MacBook Pro (16-inch, 2019)
npm config:
The text was updated successfully, but these errors were encountered: