
NPM dependency resolution is not accurate  #62

@sambacha

Description

The NPM dependency resolution only uses package.json, while in reality package-lock.json is actually used (if available, of course) to create and resolve dependency issues. Ignoring the changes made to peerDependencies for a moment, the correct construction of node_modules is processed and generated during reification.

Note: The current version of npm used is 6.14.4, while the latest is ^8.0.0.

  diff: Diff | null;
  /**
   * During reification, the `idealTree` is diffed against the actual tree,
   * then the nodes from the ideal tree are extracted onto disk.
   *
   * At the end of `instance.reify()`, the ideal tree is copied to `instance.actualTree`,
   * since then it reflects the actual state of the `node_modules` folder.
   */
  async reify(options: ReifyMethodOptions = {}): Promise<Node>;

Also, without taking into account package-lock.json, it's not possible to correctly resolve packages that may be only available through private npm registries or dependencies that are susceptible to package dependency confusion attacks.

This also cannot resolve alternative forms of specifying a dependency's location, e.g.:

"package-name": "npm:package-name@^1.0.0"
"package-name": "git+https://github.com/github_org/package-name/#COMMIT_REF"
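As an added example (not code from the project this issue is filed against, nor from the issue author), the Node script below does the part of the resolution the issue asks for: it reads the direct dependencies from a package-lock.json `packages` map (the lockfileVersion 2/3 layout written by npm 7+, keyed by `node_modules/<name>`) instead of from package.json ranges, parses the `npm:` alias and `git+https://` specifier forms, and reports what a package.json-only view cannot see: which registry host a tarball actually came from, whether a git dependency is pinned to a ref, and whether a name in a private scope was locked to the public registry (the dependency-confusion case). The package names, the registry host `npm.corp.example`, the scope `@corp`, the integrity strings and the whole sample lockfile are constructed for illustration.

```javascript
'use strict';
// Added example, not the project's own resolver. Resolves direct dependencies
// from a package-lock.json "packages" map (lockfileVersion 2/3) and flags
// private-registry sources, unpinned git deps and dependency-confusion risks.

const PUBLIC_REGISTRY_HOST = 'registry.npmjs.org';

// Classify one package.json specifier: plain range, "npm:<name>@<range>" alias, or git URL.
function parseSpec(spec) {
  if (spec.startsWith('npm:')) {
    // Scoped names begin with '@', so the range separator is the last '@'.
    const body = spec.slice(4);
    const at = body.lastIndexOf('@');
    if (at <= 0) return { type: 'alias', name: body, range: '*' };
    return { type: 'alias', name: body.slice(0, at), range: body.slice(at + 1) };
  }
  if (/^git(\+[a-z]+)?:/.test(spec)) {
    const hash = spec.indexOf('#');
    return {
      type: 'git',
      url: hash === -1 ? spec : spec.slice(0, hash),
      ref: hash === -1 ? null : spec.slice(hash + 1),
    };
  }
  return { type: 'registry', range: spec };
}

// privateScopes: scopes (e.g. '@corp') that must never be served by the public registry.
function resolveFromLock(pkgJson, lock, privateScopes = []) {
  const out = [];
  for (const [name, spec] of Object.entries(pkgJson.dependencies || {})) {
    const parsed = parseSpec(spec);
    const entry = (lock.packages || {})[`node_modules/${name}`];
    const rec = { name, spec: parsed, locked: Boolean(entry), findings: [] };
    if (!entry) {
      rec.findings.push('not in lockfile: resolved from the package.json range at install time');
      out.push(rec);
      continue;
    }
    // For aliases the lock entry carries the real package name in "name".
    rec.realName = entry.name || (parsed.type === 'alias' ? parsed.name : name);
    rec.version = entry.version;
    rec.resolved = entry.resolved;
    rec.host = new URL(entry.resolved).host; // works for https:// and git+https:// alike
    if (parsed.type === 'git') {
      if (!parsed.ref) rec.findings.push('git dependency without a pinned commit/ref');
    } else {
      rec.privateRegistry = rec.host !== PUBLIC_REGISTRY_HOST;
      if (!entry.integrity) rec.findings.push('registry tarball without an integrity hash');
      const scope = name.startsWith('@') ? name.split('/')[0] : null;
      if (scope && privateScopes.includes(scope) && !rec.privateRegistry) {
        rec.findings.push(`private scope ${scope} resolved from the public registry (dependency confusion)`);
      }
    }
    out.push(rec);
  }
  return out;
}

// Constructed sample inputs (not from any real project).
const samplePackageJson = {
  name: 'app',
  dependencies: {
    'left-pad': '^1.0.0',
    'my-alias': 'npm:lodash@^4.17.0',
    'some-lib': 'git+https://github.com/github_org/some-lib/#abc123',
    '@corp/internal': '^2.0.0',
    '@corp/widget': '^1.0.0',
    'unlocked-dep': '^3.0.0',
  },
};

const samplePackageLock = {
  name: 'app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: samplePackageJson.dependencies },
    'node_modules/left-pad': { version: '1.3.0', integrity: 'sha512-AAAA',
      resolved: 'https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz' },
    'node_modules/my-alias': { name: 'lodash', version: '4.17.21', integrity: 'sha512-BBBB',
      resolved: 'https://registry.npmjs.org/lodash/-/lodash-4.17.21.tgz' },
    'node_modules/some-lib': { version: '1.0.0',
      resolved: 'git+https://github.com/github_org/some-lib.git#abc123' },
    'node_modules/@corp/internal': { version: '2.1.0', integrity: 'sha512-CCCC',
      resolved: 'https://npm.corp.example/@corp/internal/-/internal-2.1.0.tgz' },
    // Deliberately wrong: a private-scope name locked to the public registry.
    'node_modules/@corp/widget': { version: '1.0.2', integrity: 'sha512-DDDD',
      resolved: 'https://registry.npmjs.org/@corp/widget/-/widget-1.0.2.tgz' },
  },
};

function demo() {
  return resolveFromLock(samplePackageJson, samplePackageLock, ['@corp']);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) {
    console.log(r.name, r.version || '(unlocked)', r.resolved || '', r.findings.join('; '));
  }
}
```

The lockfile layout used here is the one npm 7 and later write; npm 6.14.x (the version the issue notes is in use) writes lockfileVersion 1, which nests a `dependencies` object instead of a flat `packages` map, so a resolver that wants to support both has to read both shapes.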
