[BUG] Platform-specific optional dependencies not being included in package-lock.json when reinstalling with node_modules present

[JustinChristensen]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

[user@host:foo] $ npm -v
8.8.0
[user@host:foo] $ node
Welcome to Node.js v16.14.2.
Type ".help" for more information.
> process.arch
'arm64'

I'm working on a team that utilizes a mix of x64-based and m1-based macs, and has CI build processes that uses musl. We're seeing that npm is skipping platform-specific optional dependencies for packages such as @swc/core as a result of the package-lock.json file being generated without all of them included. In our case, this then causes linting to throw an exception, because one of our eslint plugins depends on @swc, which depends on having the platform specific @swc package also installed.

There seems to be at least two stages of cause to this. Firstly, when installing @swc/core from a clean slate working directory npm generates a package-lock.json with all of the optional dependencies for @swc/core listed:

[user@host:foo] $ npm install @swc/core
[user@host:foo] $ grep 'node_modules/@swc/core-*' package-lock.json
    "node_modules/@swc/core": {
    "node_modules/@swc/core-android-arm-eabi": {
    "node_modules/@swc/core-android-arm64": {
    "node_modules/@swc/core-darwin-arm64": {
    "node_modules/@swc/core-darwin-x64": {
    "node_modules/@swc/core-freebsd-x64": {
    "node_modules/@swc/core-linux-arm-gnueabihf": {
    "node_modules/@swc/core-linux-arm64-gnu": {
    "node_modules/@swc/core-linux-arm64-musl": {
    "node_modules/@swc/core-linux-x64-gnu": {
    "node_modules/@swc/core-linux-x64-musl": {
    "node_modules/@swc/core-win32-arm64-msvc": {
    "node_modules/@swc/core-win32-ia32-msvc": {
    "node_modules/@swc/core-win32-x64-msvc": {

And it only installs the platform specific package:

[user@host:foo] $ ls -l node_modules/@swc/
total 0
drwxr-xr-x  22 user  staff  704 Apr 29 15:39 core
drwxr-xr-x   6 user  staff  192 Apr 29 15:39 core-darwin-arm64

If I then remove my package-lock.json, leave my node_modules directory as-is, and then reinstall, I get:

[user@host:foo] $ rm -rf package-lock.json
[user@host:foo] $ npm install
[user@host:foo] $ grep 'node_modules/@swc/core-*' package-lock.json
    "node_modules/@swc/core": {
    "node_modules/@swc/core-darwin-arm64": {

That is, it then generates a package-lock.json with only the platform-specific dependency that was installed on this machine, and not with the other optional dependencies that should also be listed.

If you delete both node_modules AND package-lock.json, and then re-run npm install, it generates the correct lockfile with all of those optional dependencies listed.

The problem is that then, If the package-lock.json with the missing optional platform-specific dependencies gets checked into git and an x64 user pulls it down, or vice-versa, npm fails to detect that your platform's optional dependencies are missing in the lockfile and just silently skips installing the platform-specific dependency. For example, when I've got a package-lock.json that only contains the x64 @swc package because of the above problem (generated by my coworker on his x64 machine):

[user@host:foo] $ node
Welcome to Node.js v16.14.2.
Type ".help" for more information.
> process.arch
'arm64'
>
[user@host:foo] $ grep 'node_modules/@swc/core-*' package-lock.json
    "node_modules/@swc/core": {
    "node_modules/@swc/core-darwin-x64": {
[user@host:foo] $ ls
package-lock.json package.json

And I then install:

[user@host:foo] $ npm install
added 1 package in 341ms

1 package is looking for funding
  run `npm fund` for details
[user@host:foo] $ ls node_modules/@swc/
core

You can see that it fails to install the arm64 dependency or warn me in any way that the package-lock.json is missing my platform's dependency.

So yeah, two problems:

1. npm is generating an inconsistent package-lock.json when node_modules has your platform-specific dependency installed.
2. When installing from this inconsistent package-lock.json, npm fails to try to correct the problem by comparing the optional dependencies to what's listed upstream

Expected Behavior

1. npm should preserve the full set of platform-specific optional deps for a package like @swc when rebuilding package-lock.json from an existing node_modules tree
2. npm install should warn if the package-lock.json becomes inconsistent because of the first case

Steps To Reproduce

See above.

Environment

• npm: 8.8.0
• Node.js:
• OS Name: OSX
• System Model Name: Macbook Pro

[user@host:foo] $ npm -v
8.8.0
[user@host:foo] $ node -v
v16.14.2
[user@host:foo] $ uname -a
Darwin host.foo.com. 21.3.0 Darwin Kernel Version 21.3.0: Wed Jan  5 21:37:58 PST 2022; root:xnu-8019.80.24~20/RELEASE_ARM64_T8101 arm64

[user@host] $ npm config ls
; "user" config from /Users/user/.npmrc
; node bin location = /Users/user/.nvm/versions/node/v16.14.2/bin/node
; node version = v16.14.2
; npm local prefix = /Users/user/Development/foo
; npm version = 8.8.0
; cwd = /Users/user/Development/foo
; HOME = /Users/user
; Run `npm config ls -l` to show all defaults.

[JustinChristensen]

@nlf

Sorry to ping you out of the blue, but this issue has been open for 11 days now without any movement. Is there anyone working on npm right now that might have the bandwidth to at least validate that this is indeed a problem as I've described it?

Just so that when someone does become available to do some development work they know that this is in the queue?

Please and thank you.

[JustinChristensen]

Bump

[RobbieClarken]

I'm also encountering this issue with a Next.js project:

• Deleting package-lock.json and running npm install on an M1 Mac results in a package-lock.json file that is no longer able to build the app on x86.
• This can be fixed by deleting package-lock.json and node_modules and re-running npm install.

Unfortunately developers often don't realise the package-lock.json file is broken because everything continues to run fine on their machine. It is only when the build runs in CI that we learn it is broken.

Here is a reproduction:

$ node --version
v16.13.0
$ npm --version
8.12.1
$ npx create-next-app@latest
What is your project named? … my-app
Creating a new Next.js app in /Users/robbie/demo/my-app.
$ cd my-app/
$ npm install

up to date, audited 223 packages in 480ms

68 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ git status
On branch main
nothing to commit, working tree clean
$ rm package-lock.json
$ npm install

up to date, audited 223 packages in 579ms

68 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ # ************ package-lock.json is now incompatible with x86 ************
$ git diff
diff --git a/package-lock.json b/package-lock.json
index cbbf946..a87c1e5 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -96,36 +96,6 @@
         "glob": "7.1.7"
       }
     },
-    "node_modules/@next/swc-android-arm-eabi": {
-      "version": "12.1.6",
-      "resolved": "https://registry.npmjs.org/@next/swc-android-arm-eabi/-/swc-android-arm-eabi-12.1.6.tgz",
-      "integrity": "sha512-BxBr3QAAAXWgk/K7EedvzxJr2dE014mghBSA9iOEAv0bMgF+MRq4PoASjuHi15M2zfowpcRG8XQhMFtxftCleQ==",
-      "cpu": [
-        "arm"
-      ],
-      "optional": true,
-      "os": [
-        "android"
-      ],
-      "engines": {
-        "node": ">= 10"
-      }
-    },
-    "node_modules/@next/swc-android-arm64": {
-      "version": "12.1.6",
-      "resolved": "https://registry.npmjs.org/@next/swc-android-arm64/-/swc-android-arm64-12.1.6.tgz",
-      "integrity": "sha512-EboEk3ROYY7U6WA2RrMt/cXXMokUTXXfnxe2+CU+DOahvbrO8QSWhlBl9I9ZbFzJx28AGB9Yo3oQHCvph/4Lew==",
-      "cpu": [
-        "arm64"
-      ],
-      "optional": true,
-      "os": [
-        "android"
-      ],
-      "engines": {
-        "node": ">= 10"
-      }
-    },
[...]
$ rm -r package-lock.json node_modules
$ npm install

added 222 packages, and audited 223 packages in 2s

68 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ # ************ package-lock.json is now ok again ************
$ git status
On branch main
nothing to commit, working tree clean

[pete55104]

I am also having this issue. I'm trying to run tests using jest with swc. The test runner is a linux image, but my dev machine is darwin. I can get it to work by either using --force to install the linux dependency, or I can install packages from inside the container... but github CI stands up the docker container in such a way that I can't easily install packages from in there, and that also prevents me from maintaining a cached node modules etc.

[johnculviner]

bump

[nikkhn]

bump - cannot get optional dependencies (namely @swc/core-linux-arm64-gnu) to install on my linux distro

[sgoodluck]

bump

[alcuadrado]

Confirming that this issue is still present. It's particularly important for projects using NAPI modules, as tons of them use platform-specific packages.

[AboldUSER]

Ran into this issue when creating a CI process for a repo where I use a Windows machine and the CI process is using Linux. My quick "fix" for now is to start the CI process by deleting the package-lock.json and running npm install instead of npm ci. I know this is not good practice, so looking forward to a real fix to come through.

[eliotSmithNYC]

bump

[douglassllc]

I am having a similar issue. My project uses @ffmpeg-installer/ffmpeg. While using npm v6 all optional dependencies (arch specific) are installed. After my upgrade to npm v8 the optional dependencies no longer install. Per the npm documentation I attempted using --include=optional, but this did not resolve the issue.

What has changed between v6 and v8 and is there an npm config option that will have v8 work similar to v6 when it comes to optional dependencies?

[AlymbekovAidarFrontend]

same

[based64-eth]

how is this still not fixed

[ivanvaccari]

My current workaround:

• dev machines: win
• deployment: docker linux-x64
• package: @napi-rs/canvas

In package.json, i'm using https://github.com/charlesguse/run-script-os to run platform specific commands in posinstall. These commands explicitly install the packages for the platform it's been executing on.

{
    "scripts": {
        "postinstall": "run-script-os",
        "postinstall:linux": "npm install --no-save --ignore-scripts @napi-rs/[email protected]",
        "postinstall:win32": "npm install --no-save --ignore-scripts @napi-rs/[email protected]"
    },
    "dependencies": {
        "@napi-rs/canvas": "0.1.66",
        "run-script-os": "^1.1.6"
    }
}

[landsman]

wtf

[johnwc]

@reggi @wraithgar, any way this long-standing issue can get some attention?

[DessaugesAntoine]

Same problem here.

[davidnussio]

Same problem. My workaround solution without remove my package-json.lock file

• npm remove dep_name
• rm -rf node_modules
• npm install dep_name --save-dev

[anneleenscholts]

I was advocating within my company to switch (back) to npm but this issue has persuaded me that we need to stick with yarn. How is it that this issue is still not fixed?

[sei-bstein]

Same problem. My workaround solution without remove my package-json.lock file

• npm remove dep_name
• rm -rf node_modules
• npm install dep_name --save-dev

This was handy, thanks. For anyone else struggling, removing the specific dependency wasn't an option for me, but deleting node_modules and package-lock.json and running npm i got me there.

[halchester]

For me, I had to remove the package-json.lock file and node_modules and do a fresh install.

• rm -rf node_modules package-json.lock
• npm install

That did help.

Same problem. My workaround solution without remove my package-json.lock file

• npm remove dep_name
• rm -rf node_modules
• npm install dep_name --save-dev

[ochstobi]

Same problem I'm not able to checking package-lock.json

[johnwc]

Deleting the pakcage-lock.json and running npm install --ignore-platform will produce a package-lock.json that you can commit and build with on different platforms than your local environment's platform.

[ochstobi]

Deleting the pakcage-lock.json and running npm install --ignore-platform will produce a package-lock.json that you can commit and build with on different platforms than your local environment's platform.

Thanks for the hint. But thats still not a valid long term solution if you work in a project with changing team members. You really don't want to remember and remind every single developer for things like this

[johnwc]

Deleting the pakcage-lock.json and running npm install --ignore-platform will produce a package-lock.json that you can commit and build with on different platforms than your local environment's platform.

Thanks for the hint. But thats still not a valid long term solution if you work in a project with changing team members. You really don't want to remember and remind every single developer for things like this

I didn't mean it to be a long term solution, it was a quick workaround to get things moving for others that also run into this. At until they get time to work on this 3 year old issue.

[saiichihashimoto]

1. "This hasn't been solved yet!? What are they doing!?"
2. "My solution is to delete package-lock.json and node_modules and redo npm install"
3. "That's just a workaround, not a longterm solution?"
4. 100 x "Bump" / "I have the same problem"
5. Go back to step 1

I don't want to mute this thread because I want to know when it's actually solved. But I also don't want to be notified by a variation of the same message multiples times a day. Some variation of "but this will let the maintainers know we're serious" would have been reasonable 3 years and 680+ comments ago, now it's clear it's not effective. I get that we're all trying to be helpful but this issue is brutal enough, receiving spam over it is just extra.

Can the maintainers pin the most thorough workaround and lock the thread until they're going to truly make progress?

[johnwc]

@saiichihashimoto You can change your notifications to only get notified when this is closed, aka solved.

[paulrutter]

I agree with your points @saiichihashimoto. Instead of +1 and bumping the issue, we could also try to work together to resolve it instead?
I mean, we're all developers, and it's in the end just a (probably hard?) bug to be solved.

It would help if any of the npm maintainers could at least give some pointers on where the issue lies. From that point on, everyone is able to pitch in to get this resolved (myself included, willing to help where needed).

Maybe @Brooooooklyn can share the approach tried earlier, as inspiration? The branch is no longer there. See discussion in #5282.