
Occasionally, when installing an (unrelated) dependency, I lose the `resolved` values from each of my private nexus repository dependencies, meaning that when my build server runs `npm ci` it falls back to attempting to install these from the npm repository, which obviously fails.

I am using npm 8.5.5/node 16.15

I am using NPM's workspaces feature to construct a monorepo, meaning that I have several project package.json files as well as a root package.json

My .npmrc (at root level) looks like this:

    engine-strict=true
    @foo:registry=http://prod-nexus.foo.com/repository/bar/
    always-auth=true

After an (unrelated, random) install my package-lock.json will have this change:

    "@foo": {
        "version": "1.2.3",
-       "resolved": "http://prod-nexus.foo.com/repository/bar/@foo/-/lib-1.2.3.tgz,
-       "integrity": "sha...",
+       "license": "MIT",
        "dependencies": { ....
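
Review bot: the two `-` lines remove both "resolved" and "integrity" from the "@foo" entry, so after this change the entry no longer records which registry the tarball came from or a hash to verify it against. A lockfile change of this shape should be reverted rather than committed, and a CI check that fails when a registry-installed entry lacks either field would catch it before `npm ci` runs.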

Note that the resolved and integrity fields have disappeared and the license has been added.

I have run into this problem several times. Each time I have solved it by rolling back and some manual editing, and eventually it goes away, but I really need to understand what is going on.

What is causing this, why is it random, what can I do to defend against it?

tallpaul
  • I just noticed this exact same issue today too! Not sure what changed. `npm` version `8.19.2` and `node` version `v18.12.1` – aarowman Jan 24 '23 at 17:55

1 Answer


This could be related to the issue https://github.com/npm/cli/issues/4263

  1. clean the npm cache: `npm cache clean -f`
  2. run `npm install` again

If that doesn't work, try it again while deleting more:

  1. clean the npm cache: `npm cache clean -f`
  2. remove `node_modules` in project folder
  3. remove `package-lock.json` file
  4. run `npm install` again
aarowman
  • Certainly does look like a similar issue. Because our monorepo is relatively complicated we do have scripts that allow the dev to delete `node_modules` folders at each level, plus some caches, and lock files. Perhaps the key is in `npm cache clean -f` – tallpaul Jan 27 '23 at 15:29
  • Your first solution almost certainly won't address the linked issue. Your second solution probably gives you back your `resolved` / `integrity` fields, but will update to newer (in-spec) versions of deps that allow for any kind of version range. There still doesn't seem to be a way to populate these fields without changing the current (locked) version of all your deps. – Coderer Apr 24 '23 at 17:38
  • @Coderer yes, that's why there's an open github issue on it to do the exact desired behavior :) . The second suggestion to repopulate everything will get the newer versions, which is usually fine for most people, but if someone truly needs an exact version, they should likely change the `package.json` to call out an exact version. – aarowman Apr 25 '23 at 15:46