Hapi: `npm-shrinkwrap.json` not included in published `hapi` package

Created on 7 Sep 2016  ·  11 Comments  ·  Source: hapijs/hapi

So I was poking around inside the distributed version of hapi for various reasons and noticed the npm-shrinkwrap.json had gone missing. You can see that it's missing by installing it and looking in node_modules or by fetching down https://registry.npmjs.org/hapi/-/hapi-15.0.3.tgz and looking inside the tarball.

hapi has a pretty atypical shrinkwrap so I've often used it as a very basic canary for shrinkwrap changes.

The reason it's not being packaged is the .npmignore that was added in https://github.com/hapijs/hapi/commit/84288ece555da34164799e4cd9e1dd10f8153497. From the commit I can't tell if this was intentional.

Now... don't get me wrong, I would actually be quite pleased to see fewer unusual shrinkwraps on the registry. So if removing it was intentional, don't put it back on my account! But if it wasn't, I figured you all would want to be aware that it had gone missing.

bug

All 11 comments

Wow! I feel sure this was just an oversight. Thanks very much for letting us know. :)

@iarna just out of curiosity what is so special about hapi's shrinkwrap?

@AdriVanHoudt It's incomplete – it does not include all the modules necessary to use Hapi, so npm has to fill those in from the package.jsons.

(It also only provides versions, which is unusual, but isn't a corner case the way an incomplete shrinkwrap is.)

If I flip off the bit in npm that makes it fill in gaps in npm-shrinkwrap.json I get a tree that looks like this:

```
🕟  rebecca@Caldina:~/code/npmtest/hapitest$ npm ls
[email protected] /Users/rebecca/code/npmtest/hapitest
└─┬ [email protected]
  ├─┬ [email protected]
  │ └── UNMET DEPENDENCY [email protected]
  ├─┬ [email protected]
  │ └── UNMET DEPENDENCY [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── UNMET DEPENDENCY [email protected]
  ├─┬ [email protected]
  │ └── UNMET DEPENDENCY [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── UNMET DEPENDENCY [email protected]
  ├─┬ [email protected]
  │ └── UNMET DEPENDENCY [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── UNMET DEPENDENCY [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ ├── [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── UNMET DEPENDENCY [email protected]
  ├─┬ [email protected]
  │ ├── UNMET DEPENDENCY [email protected]
  │ ├─┬ [email protected]
  │ │ └── UNMET DEPENDENCY [email protected]
  │ ├─┬ [email protected]
  │ │ ├── [email protected]
  │ │ ├── UNMET DEPENDENCY [email protected]
  │ │ └─┬ [email protected]
  │ │   └── [email protected]
  │ └─┬ [email protected] invalid
  │   └── UNMET DEPENDENCY [email protected]
  └── [email protected]

npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
npm ERR! invalid: [email protected] /Users/rebecca/code/npmtest/hapitest/node_modules/hapi/node_modules/subtext/node_modules/wreck
npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
npm ERR! missing: [email protected], required by [email protected]
```

Looking over this again, at this point the weirdness is more specific. And actually I don't think your shrinkwrap is doing what you want. You seem to be trying to do things with it that we unfortunately do not support.

So the boom errors are happening because your deps require boom@3 but you forced boom@4 to be installed at the top level. When npm@3 goes to install hapi it's going to give each of those modules its own copy of boom@3 to fulfill that requirement. There is no way to force the subdeps to use boom@4 short of including it in the shrinkwrap under each of them. (Or, you know, updating the subdeps package.json's to permit boom@4)

The [email protected] error is happening because you're forcing v9, but the package.json wants v8. While v9 will be initially installed in node_modules/subtext/node_modules/wreck, subsequent runs of npm will switch it to something matching your package.json.

This is definitely a bug–the current intended behavior (I believe!) is that the package.json defines validity and npm install should never produce invalid installs, so it should be forcing v8 even if you tried to pin it to v9 in your npm-shrinkwrap.json.

The "corrected" tree after running npm install a second time ends up looking like this:

_This is a physical tree, what you see from npm ls in npm@2._

```
[email protected] /Users/rebecca/code/npmtest/hapitest
└─┬ [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ ├── [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├─┬ [email protected]
  │ ├── [email protected]
  │ ├── [email protected]
  │ ├─┬ [email protected]
  │ │ ├── [email protected]
  │ │ └─┬ [email protected]
  │ │   └── [email protected]
  │ └── [email protected]
  └── [email protected]
```

So a few things.
The fact that wreck is in the shrinkwrap means @hueniverse generates it with the --dev flag right?
Does this mean that when I npm i hapi --production it will also install wreck? Seems unnecessary.

The corrected tree in your last comment, @iarna, does not even include wreck at the top level for hapi, how's that?

@hueniverse what is the reason the hapi shrinkwrap looks this way? aka includes dev deps and is "not complete"

Btw I am asking these questions out of pure curiosity, thanks @iarna for the explanation!

It was generated with an older version of npm and has been manually updated since.

@AdriVanHoudt Because wreck is a dev dependency of hapi but a _regular_ dependency of subtext which is in turn a regular dependency of hapi. And the wreck in the shrinkwrap is explicitly nested under subtext. This tree is from me installing hapi as a dependency, so hapi's dev deps aren't installed.

If I were running npm install from a hapi clone then there'd be a second copy of wreck installed directly below hapi.

@iarna ah I see, thanks! Should hapi update its shrinkwrap?

@AdriVanHoudt If it's at all possible for hapi to switch to a fresh (and _complete_) shrinkwrap I would strongly encourage it. Go ahead and edit out resolved URLs, but make sure there's an entry for every package in the tree.

This will quickly become urgent in light of the soon-to-be changing shrinkwrap behavior (see #3360).
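
The two failure classes described in this thread (a requirement no shrinkwrap entry satisfies, reported as missing, and a nested pin that contradicts the parent's package.json, reported as invalid), shown as an added example that is not code from the issue, from hapi or from npm. It is a simplified model: the names `app`, `dep-a` and `dep-b`, all versions and the `manifests` map are constructed, and only `N.x.x` ranges are handled.

```javascript
// Added example: simplified audit of an old-format npm-shrinkwrap.json.
// Constructed shrinkwrap: boom pinned at top level, wreck pinned under subtext.
const shrinkwrap = {
  name: 'app', version: '1.0.0',
  dependencies: {
    boom: { version: '4.0.0' },
    'dep-a': { version: '1.0.0' },
    subtext: { version: '1.0.0', dependencies: { wreck: { version: '9.0.0' } } }
  }
};

// Constructed manifests: the ranges each package.json declares.
const manifests = {
  'app@1.0.0': { boom: '4.x.x', 'dep-a': '1.x.x', subtext: '1.x.x' },
  'dep-a@1.0.0': { boom: '3.x.x' },
  'subtext@1.0.0': { wreck: '8.x.x', 'dep-b': '1.x.x' }
};

// Assumption: major-only matching; real tooling would use the semver package.
const satisfies = (version, range) =>
  version.split('.')[0] === range.split('.')[0];

function auditShrinkwrap(node, name, ancestors = [], findings = []) {
  const declared = manifests[`${name}@${node.version}`] || {};
  const own = node.dependencies || {};
  for (const [dep, range] of Object.entries(declared)) {
    if (own[dep]) {
      // Pinned directly under this package: must match its package.json.
      if (!satisfies(own[dep].version, range)) {
        findings.push(`invalid: ${dep}@${own[dep].version} under ${name}, wants ${range}`);
      }
      continue;
    }
    // Otherwise resolve upward, nearest ancestor first, as Node does.
    const holder = ancestors.find(a => a.dependencies && a.dependencies[dep]);
    const pinned = holder && holder.dependencies[dep];
    if (!pinned || !satisfies(pinned.version, range)) {
      findings.push(`missing: ${dep}@${range}, required by ${name}`);
    }
  }
  for (const [dep, child] of Object.entries(own)) {
    auditShrinkwrap(child, dep, [node, ...ancestors], findings);
  }
  return findings;
}

console.log(auditShrinkwrap(shrinkwrap, shrinkwrap.name).join('\n'));
```

An empty result means every declared dependency has a matching entry somewhere on its resolution path, which is the "complete" shrinkwrap the last comment asks for.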
