Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
If I publish a package that contains npm-shrinkwrap.json to an NPM registry that does not define the _hasShrinkwrap property in its package metadata, then npm install ignores the shrinkwrap file when I install that package.
Registries that do not define the _hasShrinkwrap property in their package metadata include Artifactory 7.34.4 and Verdaccio 5.8.0.
Expected Behavior
If _hasShrinkwrap is undefined then npm should fall back to checking for the presence of npm-shrinkwrap.json.
This was the behavior in npm@6, and is the expected behavior according to the npm registry docs:
_hasShrinkwrap: true if this version is known to have a shrinkwrap that must be used to install it; false if this version is known not to have a shrinkwrap. If this field is undefined, the client must determine through other means if a shrinkwrap exists.
Steps To Reproduce
- Create an npm project:
npm init -y
- Install a package that meets the criteria above, for example:
npm install @zowe/cli@6.37.8 --@zowe:registry=https://zowe.jfrog.io/zowe/api/npm/npm-release/
(zowe.jfrog.io is a public Artifactory registry and this package uses shrinkwrap)
- See evidence that shrinkwrap was ignored:
  - The dependency tree is flattened inside node_modules
  - Installed package versions are not locked down (e.g., flatted@3.2.5 instead of 3.2.4)
Environment
- npm: 8.5.4 (updated from 8.3.1)
- Node.js: 16.14.0
- OS Name: Debian 10 (buster)
- System Model Name: docker.io/node:lts
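The tri-state handling quoted from the registry docs above, as an added example that is not part of the original issue and is not npm's own code. The function names, the sample packument and the tarball listing are constructed for illustration, and it assumes tarball entries sit under a single top-level folder such as package/.

```javascript
// Added example: treat _hasShrinkwrap as true / false / undefined, and fall back
// to the tarball contents only when the registry leaves the field undefined.
const SHRINKWRAP_FILE = 'npm-shrinkwrap.json';

// tarballEntries: file paths as listed in the package tarball (assumed "package/..." layout).
function tarballHasShrinkwrap(tarballEntries) {
  return tarballEntries.some((entry) => {
    const parts = entry.replace(/\\/g, '/').split('/').filter(Boolean);
    // Only a shrinkwrap at the package root counts, not one nested deeper.
    return parts.length === 2 && parts[1] === SHRINKWRAP_FILE;
  });
}

// Decide whether a version must be installed from its shrinkwrap, and record why.
function resolveShrinkwrap(manifest, tarballEntries) {
  const flag = manifest._hasShrinkwrap;
  if (flag === true || flag === false) {
    return { hasShrinkwrap: flag, source: 'registry' };
  }
  // Field undefined: determine "through other means" by inspecting the tarball.
  return { hasShrinkwrap: tarballHasShrinkwrap(tarballEntries), source: 'tarball' };
}

// List versions whose registry metadata does not state _hasShrinkwrap either way.
function versionsNeedingTarballCheck(packument) {
  return Object.entries(packument.versions || {})
    .filter(([, manifest]) => typeof manifest._hasShrinkwrap !== 'boolean')
    .map(([version]) => version);
}

// Constructed sample metadata (not real registry output).
const samplePackument = {
  name: 'example-cli',
  versions: {
    '1.0.0': { name: 'example-cli', version: '1.0.0', _hasShrinkwrap: false },
    '1.1.0': { name: 'example-cli', version: '1.1.0', _hasShrinkwrap: true },
    '1.2.0': { name: 'example-cli', version: '1.2.0' }, // field omitted by the registry
  },
};
// Constructed tarball listing for version 1.2.0.
const sampleTarball = [
  'package/package.json',
  'package/npm-shrinkwrap.json',
  'package/lib/index.js',
];

console.log(versionsNeedingTarballCheck(samplePackument));
console.log(resolveShrinkwrap(samplePackument.versions['1.2.0'], sampleTarball));
```

Running versionsNeedingTarballCheck against a private registry's metadata shows which published versions depend on the client-side fallback to keep their pinned dependency tree.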