[BUG] Deep dependency in workspace missing #4471

Open
2 tasks done
kumavis opened this issue Feb 25, 2022 · 13 comments
Labels
Bug thing that needs fixing Priority 2 secondary priority issue Release 8.x work is associated with a specific npm 8 release

Comments

@kumavis
Contributor

kumavis commented Feb 25, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

  • mono repo with multiple workspaces
  • one workspace includes browserify@17.0.0
  • after non-failing npm install, missing at least one deep normal dependency (dep path is all non-dev non-bundled dep)
  • dep path: workspace(browserify) > browserify@17.0.0 > util@0.12.3 > (missing) is-generator-function@^1.0.7

package-lock.json includes 2 references, showing that it recognizes it's a dependency

   ...
    "packages/browserify/node_modules/util": {
      "version": "0.12.4",
      ...
      "dependencies": {
        ...
        "is-generator-function": "^1.0.7",
        ...
      }
    },
        "util": {
          "version": "0.12.4",
          "dev": true,
          "requires": {
            ...
            "is-generator-function": "^1.0.7",
            ...
          }
        }

but does not include any entry for is-generator-function

Expected Behavior

it should install the full tree of non-dev deep deps

Steps To Reproduce

  1. this repo and branch https://github.com/lavamoat/lavamoat/tree/npm-hell
➜ node -v
v14.17.6
➜ npm -v
8.5.2
  2. npm install from root
  3. npm ls util confirm parent deep dep is installed (as expected)
➜ npm ls util      
lavamoat@ /home/user/Development/LavaMoat
├─┬ lavamoat-browserify@14.1.0 -> ./packages/browserify
│ └─┬ browserify@17.0.0
│   ├─┬ assert@1.5.0
│   │ └── util@0.10.3
│   └── util@0.12.4
├─┬ lavamoat-perf@0.0.0 -> ./packages/perf
│ └─┬ browserify@16.5.2
│   └── util@0.10.4
└─┬ lavamoat-viz@6.0.9 -> ./packages/viz
  └─┬ webpack@4.37.0
    └─┬ node-libs-browser@2.2.1
      └── util@0.11.1
  4. npm ls is-generator-function confirm deep dep is NOT installed (bug!)
➜ npm ls is-generator-function
lavamoat@ /home/user/Development/LavaMoat
└── (empty)

Environment

  • npm: 8.5.2
  • Node.js: 14.17.6
  • OS Name: pop-os
  • System Model Name: system76
  • npm config:
; "user" config from /home/user/.npmrc

//registry.npmjs.org/:_authToken = (protected) 

; "project" config from /home/user/Development/LavaMoat/.npmrc

ignore-scripts = true 

; node bin location = /home/user/.nvm/versions/node/v14.17.6/bin/node
; cwd = /home/user/Development/LavaMoat
; HOME = /home/user
; Run `npm config ls -l` to show all defaults.
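
The condition reported above, a lockfile entry that declares a dependency which has no entry of its own, can be checked mechanically. The following is an added example, not part of the issue and not npm's code: it walks the `packages` map of a lockfileVersion 2 or 3 `package-lock.json` and lists every required dependency that no `node_modules` path on the way up to the root provides. The function names and the sample lockfile are assumptions made for illustration; the sample is constructed to mirror the report.

```javascript
// Added example: report lockfile entries whose required dependencies have no
// reachable entry in the lockfile's "packages" map (lockfileVersion 2 or 3).

// True if `name` is reachable from the package at `loc`, trying
// <dir>/node_modules/<name> for `loc` and each ancestor directory up to the root.
function resolves(pkgs, loc, name) {
  let dir = loc;
  for (;;) {
    const candidate = (dir ? dir + '/' : '') + 'node_modules/' + name;
    if (Object.prototype.hasOwnProperty.call(pkgs, candidate)) return true;
    if (dir === '') return false;
    const cut = dir.lastIndexOf('/');
    dir = cut === -1 ? '' : dir.slice(0, cut);
  }
}

function findUnresolved(lock) {
  const pkgs = lock.packages || {};
  const missing = [];
  for (const [loc, meta] of Object.entries(pkgs)) {
    if (meta.link) continue; // workspace symlink; the real entry sits at its target path
    // Only "dependencies" is checked: optional, peer and dev entries may be absent legitimately.
    for (const [name, range] of Object.entries(meta.dependencies || {})) {
      if (!resolves(pkgs, loc, name)) missing.push({ from: loc, name, range });
    }
  }
  return missing;
}

// Constructed sample mirroring the report: util declares is-generator-function,
// but the lockfile has no entry for it. Other ranges and entries are made up.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'lavamoat', workspaces: ['packages/*'] },
    'node_modules/lavamoat-browserify': { link: true, resolved: 'packages/browserify' },
    'packages/browserify': { version: '14.1.0', dependencies: { browserify: '^17.0.0' } },
    'packages/browserify/node_modules/browserify': { version: '17.0.0', dependencies: { util: '~0.12.0' } },
    'packages/browserify/node_modules/util': {
      version: '0.12.4',
      dependencies: { 'is-generator-function': '^1.0.7', inherits: '^2.0.3' },
    },
    'node_modules/inherits': { version: '2.0.4' },
  },
};

console.log(findUnresolved(sampleLock));
```

To check a real tree, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `findUnresolved` and fail the CI job when the result is non-empty, since neither `npm install` nor `npm ls` flags the gap in this report.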
@kumavis kumavis added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Feb 25, 2022
@kumavis
Contributor Author

kumavis commented Feb 25, 2022

( pardon the branch name 💀 )

@nlf
Contributor

nlf commented Mar 7, 2022

whoa, this is an interesting one. you're absolutely right, we're totally failing to install that dependency despite it being a requirement of util@0.12.4. even worse, npm ls doesn't even identify that there's a missing dependency.

> ( pardon the branch name 💀 )

i find it to be accurate lol

@nlf nlf added Priority 2 secondary priority issue and removed Needs Triage needs review for next steps labels Mar 7, 2022
@bcdxn

bcdxn commented Apr 21, 2022

I am running into the same problem (if I'm understanding the OP correctly).

package-a
   +- @aws-sdk/client-sts^3.67.0
       +- fast-xml-parser@3.19
package-b
  +- fast-xml-parser^4.0.7
    +- strnum^1.0.5
  • package-a requires @aws-sdk/client-sts^3.67.0 which in turn requires fast-xml-parser@3.19 which has no strnum dependency
  • package-b requires fast-xml-parser^4.07 which in turn requires strnum^1.0.5

Ultimately after running npm i or npm ci (with workspaces enabled) I get the following folder structure:

root/
|
+- node_modules/
  +- @aws-sdk/
    +- client-sts/
  +- fast-xml-parser@3.19
|
+- package-a/
  +- package.json
+- package-b/
  +- package.json
  +- node_modules/
    +- fast-xml-parser@4.0.7
|
+- package.json
+- package-lock.json

Note that the strnum dependency is not installed in the root node_modules nor in the nested-workspace node_modules directory for package-b. It does appear that the root package-lock.json file is updated correctly; it's just that the module is never installed:

// root/package-lock.json
// ...
    "packages/package-b/node_modules/fast-xml-parser": {
      "version": "4.0.7",
      "license": "MIT",
      "dependencies": {
        "strnum": "^1.0.5"
      },
      "bin": {
        "fxparser": "src/cli/cli.js"
      },
      "funding": {
        "type": "paypal",
        "url": "https://paypal.me/naturalintelligence"
      }
    },
// ...

Environment

npm: 8.7.0
Node.js: 16.14.2
OS Name: macOS 12.2.1

@aasen

aasen commented Dec 9, 2022

I'm struggling with the same now, has this issue gone totally cold?

@angfal

angfal commented Jan 3, 2023

Had the same problem recently. Delete package-lock.js + delete node_modules + npm install helped me

@edolix

edolix commented Mar 22, 2023

I have the same issue. Node v19.6.0 - NPM 9.4.1 - MacOS 13.2.1 (22D68)

@char0n

char0n commented Jul 26, 2023

Same issue here: Now using node v20.3.0 (npm v9.6.7)

@chlorophant

Issue is still present

@podlomar

This is a dealbreaker for me. NPM is not usable in my project as it just does not install some of the dependencies no matter what I do. Yarn works fine in this situation, so I am switching to Yarn.

@mondaychen

I had this issue with node v20 and npm 10
I fixed it after upgrade to node v22 + removed node_modules (all of them, including the ones in workspaces) + remove lock file + re-run npm install.

@podlomar

podlomar commented Aug 6, 2024

Glad to hear that. Is there some issue or report from NPM stating that this has been resolved? I would much like to switch back to NPM from Yarn, but I need to be sure this is working. We had so many problems with workspaces that my teammates are gonna kill me if it stops working again.

@kumavis
Contributor Author

kumavis commented Jan 9, 2025

original issue author.
just for fun, tried to reproduce this issue.
can confirm, this is still broken.

LavaMoat on  npm-hell via  v22.13.0 took 22s 
❯ node -v
v22.13.0

LavaMoat on  npm-hell via  v22.13.0 
❯ npm -v
10.9.2

LavaMoat on  npm-hell via  v22.13.0 
❯ npm i
[...]

LavaMoat on  npm-hell via  v22.13.0 took 1m24s 
❯ npm ls util
lavamoat@ /Users/xyz/Development/LavaMoat
├─┬ lavamoat-browserify@14.1.0 -> ./packages/browserify
│ └─┬ browserify@17.0.0
│   ├─┬ assert@1.5.0
│   │ └── util@0.10.3
│   └── util@0.12.4
├─┬ lavamoat-perf@0.0.0 -> ./packages/perf
│ └─┬ browserify@16.5.2
│   └── util@0.10.4
└─┬ lavamoat-viz@6.0.9 -> ./packages/viz
  └─┬ webpack@4.37.0
    └─┬ node-libs-browser@2.2.1
      └── util@0.11.1


LavaMoat on  npm-hell via  v22.13.0 
❯ npm ls is-generator-function
lavamoat@ /Users/xyz/Development/LavaMoat
└── (empty)

@kumavis
Contributor Author

kumavis commented Jan 9, 2025

however: deleting node_modules, removing the package-lock.json, and again running npm install does resolve the issue in the versions i tested:
node v23.6.0 + npm 11.0.0
