This repository has been archived by the owner on Feb 18, 2021. It is now read-only.

Anonymous packages (given by URL) are not checked for consistency package.json <> node_modules #119

Open
laurentsigal opened this issue Sep 28, 2016 · 3 comments

Comments

laurentsigal commented Sep 28, 2016

Here is the scenario:

  • Build a private package and tarball it at a specific location http://some_package-1.2.3.tgz
  • install with npm install --save http://some_package-1.2.3.tgz
  • update package.json with entry "some_package": "http://some_package-1.2.4.tgz"

In this scenario, npm run shrinkwrap will not fail. However, in node_modules/some_package/package.json it shows "_from": "http://some_package-1.2.3.tgz" which conflicts with the definition in package.json

Raynos (Contributor) commented Sep 29, 2016

The implementation relies on npm ls to verify between package.json & node_modules.

This works for all npm registry dependencies.

For git dependencies we have extra verification between package.json & node_modules by parsing the version tag out of the git dependency URL. This allows us to verify against the version field in node_modules/{name}/package.json.

Verifying an arbitrary HTTP URL against node_modules would require a rule for how to read the version number out of the HTTP URL. This is not implemented yet.

laurentsigal (Author) commented

Hi Raynos, thanks for the answer.

I don't think there is a need to extract the version from the HTTP URL, matching the URL declared in package.json with the one declared in node_modules/some_package/package.json inside the "_from" section seems that it would be sufficient.

Raynos (Contributor) commented Sep 30, 2016

@laurentsigal Keen observation; for http links, checking the _from reference should be valid.

I believe checking _from for git references didn't work, so a different strategy was taken.
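The check discussed in this thread, written out as an added example (not code from the npm-shrinkwrap project or either commenter): registry dependencies are left to `npm ls`, git dependencies are checked by parsing the version tag out of the URL and comparing it with the installed `version`, and http(s) tarball dependencies are checked by comparing the spec in package.json with the `_from` field npm wrote into node_modules/{name}/package.json. The spec-classification rules, the `#vX.Y.Z` tag convention and the sample package.json / node_modules contents are assumptions constructed for the example; the sample reproduces the scenario in the opening comment.

```javascript
// Added example, not npm-shrinkwrap's own implementation. Checks the
// dependency specs in a package.json against what is installed in
// node_modules, for the three dependency kinds discussed in this issue.
//
// Assumed conventions (not taken from the project):
//   - a git spec carries its tag after '#', e.g. "...repo.git#v1.2.3"
//   - an http(s) tarball spec must equal "_from" in node_modules/<name>/package.json
'use strict';

function classifySpec(spec) {
  // Git first: an https URL ending in .git is still a git dependency.
  if (/^(git\+|git:\/\/|git@|github:)/.test(spec) || /\.git(#|$)/.test(spec)) return 'git';
  if (/^https?:\/\//.test(spec)) return 'http';
  return 'registry';
}

// Pull a semver-looking tag out of the committish after '#'.
// Returns null for branches or commit SHAs, which cannot be mapped to a version.
function versionFromGitSpec(spec) {
  const hash = spec.indexOf('#');
  if (hash === -1) return null;
  const m = /^v?(\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?)$/.exec(spec.slice(hash + 1));
  return m ? m[1] : null;
}

// ok === true: verified consistent; false: mismatch; null: not verifiable here.
function checkDependency(name, spec, installed) {
  const kind = classifySpec(spec);
  if (!installed) {
    return { name, kind, ok: false, reason: 'not installed in node_modules' };
  }
  if (kind === 'registry') {
    // Semver ranges are resolved by npm itself; `npm ls` reports invalid or
    // missing registry deps, so nothing extra is done for them here.
    return { name, kind, ok: null, reason: 'deferred to npm ls' };
  }
  if (kind === 'git') {
    const want = versionFromGitSpec(spec);
    if (want === null) {
      return { name, kind, ok: null, reason: 'no version tag in git url' };
    }
    const ok = installed.version === want;
    return { name, kind, ok, reason: ok ? 'version tag matches' : `package.json wants ${want}, installed ${installed.version}` };
  }
  // http(s) tarball: the URL in package.json must be the URL npm recorded
  // when it installed the package; anything else means the tree is stale.
  const from = installed._from;
  const ok = typeof from === 'string' && from === spec;
  return { name, kind, ok, reason: ok ? '_from matches' : `package.json has ${spec}, node_modules _from is ${from}` };
}

// nodeModules: map of name -> parsed node_modules/<name>/package.json
function checkTree(pkg, nodeModules) {
  const deps = Object.assign({}, pkg.dependencies, pkg.devDependencies);
  return Object.keys(deps).map((name) => checkDependency(name, deps[name], nodeModules[name]));
}

function mismatches(pkg, nodeModules) {
  return checkTree(pkg, nodeModules).filter((r) => r.ok === false);
}

// Constructed sample input reproducing the scenario in this issue:
// package.json was bumped to 1.2.4 after 1.2.3 had been installed.
const SAMPLE_PACKAGE_JSON = {
  name: 'app',
  dependencies: {
    some_package: 'http://some_package-1.2.4.tgz',
    foo: 'git+https://github.com/example/foo.git#v2.0.0',
    bar: '^1.0.0',
  },
};

// Constructed contents of node_modules/<name>/package.json after the
// earlier `npm install`, including the "_from" field npm writes there.
const SAMPLE_NODE_MODULES = {
  some_package: { name: 'some_package', version: '1.2.3', _from: 'http://some_package-1.2.3.tgz' },
  foo: { name: 'foo', version: '2.0.0', _from: 'git+https://github.com/example/foo.git#v2.0.0' },
  bar: { name: 'bar', version: '1.4.0', _from: 'bar@^1.0.0' },
};

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of checkTree(SAMPLE_PACKAGE_JSON, SAMPLE_NODE_MODULES)) {
    console.log(`${r.ok === false ? 'MISMATCH' : 'ok      '} ${r.name} [${r.kind}] ${r.reason}`);
  }
  // Fail the build (as a shrinkwrap step would) when any mismatch is found.
  process.exitCode = mismatches(SAMPLE_PACKAGE_JSON, SAMPLE_NODE_MODULES).length ? 1 : 0;
}

if (typeof module !== 'undefined') {
  module.exports = { classifySpec, versionFromGitSpec, checkDependency, checkTree, mismatches };
}
```

Run with `node check.js` on the sample: `some_package` is reported as a mismatch because `_from` still names the 1.2.3 tarball, `foo` passes on its `v2.0.0` tag, and `bar` is deferred to `npm ls`. Real trees would replace the constructed objects with `JSON.parse` of the actual files; the `_from` comparison is deliberately an exact string match, so a spec that differs only in scheme or a trailing slash is treated as a change.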
