[BUG] npm ci installs nested dev dependency #3604

Closed
1 task done
Ketler13 opened this issue Aug 3, 2021 · 1 comment
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 7.x work is associated with a specific npm 7 release


Ketler13 commented Aug 3, 2021

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have a project with the following package.json:

{
  "name": "test",
  "version": "1.0.0",
  "dependencies": {
    "@apollo/client": "^3.3.21",
    "@fortawesome/fontawesome-svg-core": "^1.2.17",
    "@fortawesome/free-solid-svg-icons": "^5.8.1",
    "@fortawesome/react-fontawesome": "^0.1.4",
    "apollo-upload-client": "^10.0.1",
    "axios": "^0.21.1",
    "bluebird": "^3.5.5",
    "body-parser": "^1.19.0",
    "bootstrap": "^4.2.1",
    "chart.js": "^2.9.4",
    "classnames": "^2.2.6",
    "compression": "^1.7.4",
    "cookie-parser": "^1.4.4",
    "core-js": "^3.6.5",
    "cross-env": "^5.2.0",
    "dotenv": "^8.1.0",
    "dotenv-webpack": "^1.8.0",
    "draft-js": "^0.11.7",
    "ejs": "^3.1.5",
    "enzyme": "^3.10.0",
    "enzyme-adapter-react-16": "^1.14.0",
    "enzyme-to-json": "^3.3.5",
    "express": "^4.17.1",
    "firebase": "^8.8.0",
    "graphql": "^14.5.4",
    "graphql-tag": "^2.10.1",
    "i18next": "^20.3.5",
    "isomorphic-unfetch": "^3.0.0",
    "jest-styled-components": "7.0.0-beta.2",
    "js-cookie": "^2.2.1",
    "lodash.clonedeep": "^4.5.0",
    "lodash.compose": "^2.4.1",
    "lodash.concat": "^4.5.0",
    "lodash.cond": "^4.5.2",
    "lodash.constant": "^3.0.0",
    "lodash.debounce": "^4.0.8",
    "lodash.find": "^4.6.0",
    "lodash.findindex": "^4.6.0",
    "lodash.get": "^4.4.2",
    "lodash.isempty": "^4.4.0",
    "lodash.isfunction": "^3.0.9",
    "lodash.mergewith": "^4.6.2",
    "lodash.omit": "^4.5.0",
    "lodash.orderby": "^4.6.0",
    "lodash.partial": "^4.2.1",
    "lodash.partialright": "^4.2.1",
    "lodash.pick": "^4.4.0",
    "lodash.reject": "^4.6.0",
    "lodash.stubtrue": "^4.13.0",
    "lodash.without": "^4.4.0",
    "md5": "^2.2.1",
    "moment": "^2.27.0",
    "mongoose": "^5.12.3",
    "next": "^10.1.3",
    "next-build-id": "^3.0.0",
    "next-compose-plugins": "^2.2.0",
    "next-images": "^1.1.2",
    "polished": "^3.4.1",
    "prop-types": "^15.6.2",
    "react": "^16.13.1",
    "react-datepicker": "^2.8.0",
    "react-dom": "^16.13.1",
    "react-ga": "^2.7.0",
    "react-google-recaptcha": "^1.0.5",
    "react-i18next": "^11.11.4",
    "react-number-format": "^4.0.8",
    "react-router-dom": "^4.3.1",
    "react-select": "^2.4.2",
    "react-swipe": "^6.0.4",
    "react-table": "^7.6.3",
    "react-toastify": "^5.2.1",
    "react-uid": "^2.2.0",
    "reactstrap": "^8.9.0",
    "rgba-convert": "^0.3.0",
    "rxjs": "^6.5.3",
    "styled-components": "^5.2.3",
    "ua-parser-js": "^0.7.28",
    "webpack": "^4.46.0",
    "winston": "^3.3.3"
  },
  "scripts": {},
  "devDependencies": {
    "@storybook/preset-create-react-app": "^3.2.0",
    "@storybook/react": "^6.3.6",
    "@testing-library/jest-dom": "^5.11.10",
    "@testing-library/react": "^11.2.6",
    "babel-eslint": "^10.0.3",
    "babel-plugin-styled-components": "^1.12.0",
    "depcheck": "^1.4.0",
    "eslint": "^7.24.0",
    "eslint-config-airbnb": "^18.2.1",
    "eslint-config-prettier": "^8.2.0",
    "eslint-plugin-graphql": "^4.0.0",
    "eslint-plugin-import": "^2.22.1",
    "eslint-plugin-jest": "^24.3.5",
    "eslint-plugin-json": "^2.1.2",
    "eslint-plugin-jsx-a11y": "^6.4.1",
    "eslint-plugin-prettier": "^3.4.0",
    "eslint-plugin-react": "^7.23.2",
    "eslint-plugin-react-hooks": "^4.2.0",
    "handlebars": "^4.5.3",
    "husky": "^6.0.0",
    "ignore-loader": "^0.1.2",
    "lint-staged": "^11.1.1",
    "npm-run-all": "^4.1.5",
    "prettier": "^2.2.1",
    "react-scripts": "^4.0.3",
    "react-test-renderer": "^16.8.6"
  }
}

When I run npm install, it creates package-lock.json. The module I'm interested in is ssri. Searching for the string "ssri" within package-lock.json gives 12 matches. This module is referenced from both react-scripts and @storybook. In some places it has dev: true and in some it does not.

And then if I rm -rf node_modules and run NODE_ENV=production npm ci --only=production, node_modules will be created with an ssri folder in it.

Is it something with npm, or is my understanding not clear?

Expected Behavior

ssri folder will not appear in node_modules

Steps To Reproduce

  1. Copy package.json file from above.
  2. Run npm install to generate lock file.
  3. Remove node_modules.
  4. Run NODE_ENV=production npm ci --only=production.
  5. Check node_modules/ssri.

Environment

  • OS: macOS Big Sur 11.5.1
  • Node: 14.16.1
  • npm: 7.20.3

Ketler13 added the labels "Bug: thing that needs fixing", "Needs Triage: needs review for next steps" and "Release 7.x: work is associated with a specific npm 7 release" on Aug 3, 2021

Ketler13 closed this as completed on Aug 3, 2021

Ketler13 commented Aug 3, 2021

Looks like the problem is in other deps where ssri must be a dependency, not the dev one.
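
The situation this thread ends on, a package marked dev: true in some lockfile entries yet still installed by npm ci --only=production, can be checked from the lockfile itself. The following is an added example, not part of the original issue and not npm's own code; it assumes the lockfileVersion 2 `packages` map that npm 7 writes, and every package name except ssri, and all versions, in the sample are constructed.

```javascript
// Added example. Input: the parsed package-lock.json (lockfileVersion 2, npm 7).
// Constructed sample: every name except ssri, and all versions, are made up.
const sampleLock = { lockfileVersion: 2, packages: {
  '': { dependencies: { 'prod-bundler': '^4.0.0' }, devDependencies: { 'dev-tool': '^6.0.0' } },
  'node_modules/prod-bundler': { version: '4.0.0', dependencies: { 'cache-lib': '^12.0.0' } },
  'node_modules/cache-lib': { version: '12.0.0', dependencies: { ssri: '^6.0.1' } },
  'node_modules/ssri': { version: '6.0.2' },
  'node_modules/dev-tool': { version: '6.0.0', dev: true, dependencies: { ssri: '^8.0.0' } },
  'node_modules/dev-tool/node_modules/ssri': { version: '8.0.1', dev: true },
} };

// Every installed copy of `name`; dev:true means reachable only via devDependencies.
function copiesOf(lock, name) {
  return Object.entries(lock.packages)
    .filter(([path]) => path.endsWith(`node_modules/${name}`))
    .map(([path, meta]) => ({ path, version: meta.version, dev: meta.dev === true }));
}

// Node-style lookup: nearest node_modules/<name> at or above the requiring package.
function resolve(lock, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + name;
    if (lock.packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf('node_modules/');
    base = i <= 0 ? '' : base.slice(0, i - 1);
  }
}

// Breadth-first walk over production edges only (devDependencies are never followed).
// Returns the shortest chain from the root to `name`, or null if only dev paths reach it.
function productionChain(lock, name) {
  const queue = [['', ['(root)']]];
  const seen = new Set(['']);
  while (queue.length) {
    const [path, chain] = queue.shift();
    const meta = lock.packages[path];
    for (const dep of Object.keys({ ...meta.dependencies, ...meta.optionalDependencies })) {
      const target = resolve(lock, path, dep);
      if (!target || seen.has(target)) continue;
      seen.add(target);
      const next = [...chain, `${dep}@${lock.packages[target].version}`];
      if (dep === name) return { path: target, chain: next };
      queue.push([target, next]);
    }
  }
  return null;
}
```

To run it against a real project, pass the result of `JSON.parse` on its package-lock.json; a non-null chain names the production dependency that keeps the package in a `--only=production` install.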
