
Comments (10)

markcellus commented on June 14, 2024 2

we had many issues opened by people using an outdated version

If you move npm from dependencies list to the peerDependencies in package.json, you can enforce npm versions with that. Consumers will then get a message requiring them to use the correct npm version.

or who didn't have npm installed at all.

😕 You can't install this package without npm.


pvdlg commented on June 14, 2024

The objective of having a dependency to npm:

  • Avoid issues related to an older version of npm being installed on the CI (for example, a user encountered an issue where prepack was not run, which was due to an outdated npm version on their CI)
  • Allows us to be more consistent and predictable: we test with the same version of npm that users are going to use, so if there is a bug with an npm feature we use in the plugin then we'll know right away, without having the issue happening for any user
  • Allow us to test each new version of npm with GreenKeeper so we are sure a new release doesn't break the plugin
  • Do not force Yarn (or other package manager) users to have npm installed

I tried to reproduce the problem you mentioned with npm ci but everything works fine for me.
Here is what I did:

npm install semantic-release -D
npm install
rm -rf node_modules
npm ci

Everything is installed as expected and I have no error message. I'm using npm 6.3.0.

Do you have more details about the issue you experience with npm ci? Did you open a bug report with npm?


travi commented on June 14, 2024

not sure if this would fit your preferred context, but i've started not depending on semantic-release directly, but instead running it with npx. that way it doesn't impact my package.json or package-lock.json. might be something to consider if it could simplify the problem away for you.


pvdlg commented on June 14, 2024

Closing as no response was provided in almost 2 weeks.


simlu commented on June 14, 2024

Sorry this fell through the cracks.... Ok to close for now.

@travi that's a great idea. Will try!


markcellus commented on June 14, 2024

Instead of starting a totally new issue that duplicates this, can we reopen this? I'm getting an error when running npm ci when using node v10.16.0 (npm v6.9.0):

23:40:11 + npm ci
23:40:19 npm ERR! code ETARGET
23:40:19 npm ERR! notarget No matching version found for [email protected]
23:40:19 npm ERR! notarget In most cases you or one of your dependencies are requesting
23:40:19 npm ERR! notarget a package version that doesn't exist.

Looks like this happens because I'm using the latest stable version of npm (6.9.0), which this package should work with. npm 6.9.1 is what is installed when I run npm i, which is not yet released as a stable npm version.

To fix this, this package needs to have npm as a peerDependency instead of a dependency so that the consumer's npm version is used and there are no conflicts.


travi commented on June 14, 2024

v6.9.1 was published as latest, but has apparently been unpublished. this is the kind of thing that happens when a version of anything is unpublished and a major reason why i personally think the registry should be fully immutable and never allow unpublishing.

find more details here: https://npm.community/t/release-npm-6-9-1/8435/3

it looks like latest is now v6.9.2. i would recommend opening a new issue or a PR to update the npm dependency

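The failure described in the two comments above, a lockfile that pins npm 6.9.1 after that version was unpublished, can be detected before `npm ci` runs. The following is an added example, not code from this thread or from semantic-release: `findUnresolvable`, the sample lockfile and the registry listing are constructed, and only the npm version numbers 6.9.0, 6.9.1 and 6.9.2 are taken from the thread.

```javascript
// Constructed package-lock.json content in the lockfileVersion 1 layout
// (nested "dependencies"). Only the npm version numbers come from the thread.
const sampleLock = {
  lockfileVersion: 1,
  dependencies: {
    'semantic-release': { version: '1.0.0' },          // constructed version
    '@semantic-release/npm': {
      version: '1.0.0',                                // constructed version
      dependencies: { npm: { version: '6.9.1' } },     // pinned, later unpublished
    },
    'local-tool': { version: 'file:../local-tool' },   // hypothetical non-registry entry
  },
};

// Constructed registry listing: package name -> versions currently published.
// In CI this could be filled from `npm view <name> versions --json`.
const samplePublished = {
  'semantic-release': ['1.0.0'],
  '@semantic-release/npm': ['1.0.0'],
  npm: ['6.9.0', '6.9.2'],
};

// Hypothetical helper: list every locked registry version that the registry
// no longer offers, the condition that npm ci reports as ETARGET.
function findUnresolvable(lock, published) {
  const missing = [];
  const walk = (deps, trail) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = [...trail, name];
      // Only plain semver pins are fetched by version from the registry;
      // file:, git and URL entries are resolved another way, so skip them.
      if (/^\d+\.\d+\.\d+/.test(entry.version || '')) {
        const known = published[name];
        const reason = !known ? 'no registry data'
          : known.includes(entry.version) ? null : 'not published';
        if (reason) missing.push({ path: path.join(' > '), version: entry.version, reason });
      }
      walk(entry.dependencies, path); // lockfile v1 nests transitive pins
    }
  };
  walk(lock.dependencies, []);
  return missing;
}

console.log(findUnresolvable(sampleLock, samplePublished));
```

Run as a CI step before `npm ci`, a non-empty result points at the exact dependency path whose pin has to be refreshed in the lockfile.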

markcellus commented on June 14, 2024

this is the kind of thing that happens when a version of anything is unpublished and a major reason why i personally think the registry should be fully immutable and never allow unpublishing.

Yeah but this wouldn't even be an issue if the maintainers of this package just remove npm from its dependencies list entirely. There doesn't seem to be a reason to even have it there. Once it's removed, whatever npm does wouldn't matter. :)


pvdlg commented on June 14, 2024

We added npm as a dependency because we had many issues opened by people using an outdated version of npm or who didn't have npm installed at all.


sambernet commented on June 14, 2024

we had many issues opened by people using an outdated version

If you move npm from dependencies list to the peerDependencies in package.json, you can enforce npm versions with that. Consumers will then get a message requiring them to use the correct npm version.

or who didn't have npm installed at all.

😕 You can't install this package without npm.

Technically there are always the yarn users... 😉

But we are also running into npm ci failures (on a dockerized linux jenkins instance) on npm 6.11.3 (node 12.11.1).

Like @mkay581 my suggestion to fix it would be to use peer dependencies.

But then again, using npx to run semantic-release is actually a nice idea, too - I don't need to have semantic-release as a dependency then anyway. Thanks for that!
