installing extraneous dependencies

Question

installing extraneous dependencies

travi opened this issue 5 years ago · 20 comments

i noticed some peer dependency warnings about semantic-release and got curious why my non-package project had semantic-release installed at all. it looks like your dev dependencies are getting installed for some reason.

Expected Behavior

installing is-website-vulnerable should only install it and its production dependencies

Current Behavior

even though semantic-release and its plugins are only listed as dev-dependencies, at least some of the dependencies are getting installed in my project:

$ npm ls @semantic-release/github
matt.travi.org@ /path/to/my/project/matt.travi.org
└─┬ is-website-vulnerable@1.9.3
  └── @semantic-release/github@5.5.5  extraneous

Possible Solution

i havent used shrinkwrap much, but that is my best guess as to why this is happening. is it possible to only shrinkwrap prod dependencies?

Steps to Reproduce (for bugs)

npm install is-website-vulnerable --save-dev
npm ls @semantic-release/github (or another dev-dependency)

Context

i'm seeing peer-dependency warnings for dev-dependencies of this project that shouldnt have an impact on my project. i normally also enforce that npm ls exits with zero, which this would make fail. this particular does not fully enforce that yet, so this issue slipped through unnoticed originally

Your Environment

Library Version used: https://github.com/travi-org/matt.travi.org/blob/be7fa9cb6d70ca8ffee31df38bed187f706d88b2/package.json#L55
Node.js version (e.g. Node.js 5.4): https://github.com/travi-org/matt.travi.org/blob/be7fa9cb6d70ca8ffee31df38bed187f706d88b2/.nvmrc#L1 (currently 10.17.2)
Operating System and version (desktop or mobile): macOS catalina 10.15.2

Answer 1 · 2019-12-16T01:03:43.000Z

ahh, good catch, it is due to the shrinkwrap. will take a look at fixing this, thanks!

Answer 2 · 2019-12-16T01:24:07.000Z

@travi which npm cli version are you running?

Answer 3 · 2019-12-16T01:32:30.000Z

I'm just using the version installed with the version of node mentioned above. I'm afk atm, but can confirm in a bit

Answer 4 · 2019-12-16T02:00:44.000Z

Regardless of whether dev dependencies should be installed or not, the warnings i see after they do get installed in my project highlight that your peer dependencies aren't compatible ;)

It looks like you're using the beta of semantic-release, but latest of the plugins. You should be using the pre-releases of those too. npm ls should help identify a compatible combination

Answer 5 · 2019-12-16T02:03:06.000Z

So if those were resolved, it would at least prevent warnings on my side. While i agree that it's odd that shrinkwrap installs the dev dependencies, i don't necessarily mind if it doesn't cause errors

Answer 6 · 2019-12-16T02:06:39.000Z

yep, I see those now too.
let's figure out first the shrinkwrap issue as I'd need to update that with any change regardless.

Answer 7 · 2019-12-16T02:20:54.000Z

@travi can you try with the latest stable Node.js, or npm version 6.12.1 ?
I don't get peer dependency issues with it

Answer 8 · 2019-12-16T02:21:52.000Z

Nevermind, I do see it. The npm CLI is weird as it skipped those in the first install but running another install after everything is installed they will show up 🤷‍♂

Answer 9 · 2019-12-16T03:17:14.000Z

🎉 This issue has been resolved in version 1.9.4 🎉

The release is available on:

Your semantic-release bot 📦🚀

Answer 10 · 2019-12-16T03:19:09.000Z

@travi can you check now if you're still getting peer deps issues?

Answer 11 · 2019-12-16T04:19:30.000Z

so, unfortunately, it doesn't seem to be available yet:

$ npm dist-tags ls is-website-vulnerable
latest: 1.9.3

i had a package publish earlier today that is still not available either. i sent a note to support earlier today, but the status page doesnt note any issues.

Answer 12 · 2019-12-16T14:20:15.000Z

at least i wasnt crazy: https://status.npmjs.org/incidents/lg9535dl2ff3

i'll keep an eye on the incident and test once it gets resolved

Answer 13 · 2019-12-16T16:29:19.000Z

now that i could install the new version, i was able to confirm that the peer-dependency issues look good, but npm ls does still complain about the extraneous dev-dependencies, and therefore exits with 1 instead of 0

Answer 14 · 2019-12-18T02:28:21.000Z

Yep, will see about fixing that.

Answer 15 · 2020-04-22T19:31:02.000Z

been a while since i've looked into this, so trying to remember where this landed. did we end up figuring out a way to sort out the shrinkwrap issues, or are we stuck in the state where devDependencies are getting wrapped until npm v7 is available?

Answer 16 · 2020-04-22T19:43:16.000Z

in case it helps us with context, figured it could help keeping this thread tied to this issue

Answer 17 · 2020-04-23T15:34:18.000Z

Indeed still need to work on this. Let me get to review this again.

Answer 18 · 2020-04-25T16:59:43.000Z

🎉 This issue has been resolved in version 1.14.1 🎉

The release is available on:

Your semantic-release bot 📦🚀

Answer 19 · 2020-04-25T17:00:51.000Z

@travi is-website-vulnerable@1.14.1 fixes the issue now thanks to lockfile-prune

Answer 20 · 2020-04-26T00:47:41.000Z

Great work! Looks like that did it. Thanks a lot!