fix(arborist): omit failed optional dependencies from installed deps #8184
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
owlstronaut
changed the title
owlstronaut
commented
Mar 28, 2025
owlstronaut
commented
Mar 28, 2025
owlstronaut
commented
Mar 28, 2025
Contributor
Author
|
@zkat I did what I could here. Had a couple of comments/lack of my own clarity in things I changed - see above. |
Member
|
Other than the comment we really really should re-use the exceptional description from #8177, either by copying it into this issue now or when we merge. Probably easier to do now. I'll do it now. |
zkat
reviewed
Mar 31, 2025
| const set = optionalSet(node) | ||
| for (const node of set) { | ||
| node.parent = null | ||
| node.ideallyInert = true |
Contributor
There was a problem hiding this comment.
I've been thinking about this, and maybe it's better to just call it inert instead of ideallyInert. I think putting the ideally in there is probably a bit too much clever inside baseball and it's more verbose to boot. :)
Some other name would be good, too, as long as it communicates that this is in the tree, but we don't physically install it.
|
Thanks for pulling this work forward, much appreciated @zkat @owlstronaut @wraithgar. |
… but keep them 'in the tree' Fixes: #4828 Fixes: #7961 Replaces: #8127 Replaces: #8077 When optional dependencies fail, we don't want to install them, for whatever reason. The way this "uninstallation" is done right now is by simply removing the dependencies from the ideal tree during reification. Unfortunately, this means that what gets saved to the "hidden lockfile" is the edited ideal tree as well, and when NPM runs next, it'll use that when regenerating the "real" package-lock. This PR tags failed optional deps such that they're still added to the "trash list" (and thus have their directories cleaned up by the reifier), but prevents Arborist from removing them altogether from the ideal tree (which is usually done by setting their parent to `null`, making them unreachable, and letting them get GC'd).
owlstronaut
force-pushed
the
owlstronaut/optionals-in-tree
branch
from
f635c97 to
68a8d05
Compare
wraithgar
approved these changes
Apr 3, 2025
|
Amazing, I'm so excited for this to be fixed. Thank you @zkat @owlstronaut @wraithgar 🎉 |
2 tasks
This was referenced Apr 9, 2025
2 tasks
|
@jakebailey Can this be back ported into old versions? |
Member
|
This is not going to be backported. |
Andrew-Chen-Wang
added a commit
to Andrew-Chen-Wang/template-nextjs
that referenced
this pull request
Apr 22, 2025
npm version 11.3.0 includes a fix (see: npm/cli#8184) that was pointed out in tailwindlabs/tailwindcss#15806 (comment) where it should resolve properly. See this thread for my own investigation parcel-bundler/lightningcss#956 (comment)
14 tasks
pro-odoo
added a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. Task: 0 X-original-commit: 6cc703f
pro-odoo
added a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. Task: 0 X-original-commit: 6cc703f
robodoo
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. closes #7151 Task: 0 X-original-commit: 6cc703f Signed-off-by: Lucas Lefèvre (lul) <[email protected]> Signed-off-by: Pierre Rousseau (pro) <[email protected]>
fw-bot
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. Task: 0 X-original-commit: 724f762
14 tasks
pro-odoo
added a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. Task: 0 X-original-commit: 724f762
robodoo
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. closes #7153 Task: 0 X-original-commit: 724f762 Signed-off-by: Lucas Lefèvre (lul) <[email protected]> Signed-off-by: Pierre Rousseau (pro) <[email protected]>
fw-bot
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. Task: 0 X-original-commit: b1dc674
14 tasks
fw-bot
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. Task: 0 X-original-commit: b1dc674
14 tasks
fw-bot
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. Task: 0 X-original-commit: b1dc674
14 tasks
fw-bot
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. Task: 0 X-original-commit: b1dc674
14 tasks
robodoo
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. closes #7157 Task: 0 X-original-commit: b1dc674 Signed-off-by: Lucas Lefèvre (lul) <[email protected]> Signed-off-by: Pierre Rousseau (pro) <[email protected]>
robodoo
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. closes #7156 Task: 0 X-original-commit: b1dc674 Signed-off-by: Lucas Lefèvre (lul) <[email protected]> Signed-off-by: Pierre Rousseau (pro) <[email protected]>
robodoo
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. closes #7155 Task: 0 X-original-commit: b1dc674 Signed-off-by: Lucas Lefèvre (lul) <[email protected]> Signed-off-by: Pierre Rousseau (pro) <[email protected]>
robodoo
pushed a commit
to odoo/o-spreadsheet
that referenced
this pull request
Sep 17, 2025
Release commit 8c68f3d has been done with Node.js v22.19.0 and NPM v10.9.3. But in the meantime, NPM had an issue that affected the package-lock.json by pruning OS optional dependencies (See npm/cli#7961). The issue has been fixed (npm/cli#8184) in NPM v11.3 but not backported. During the release process, we ran `npm install`, and so the package-lock.json was updated to remove the optional dependencies for swc binaries. Which caused issues for users each time they run `npm install` as they were not present anymore in the package-lock.json. This commit adds the swc binaries to the optional dependencies of this project to avoid them being pruned again in the future. closes #7154 Task: 0 X-original-commit: b1dc674 Signed-off-by: Lucas Lefèvre (lul) <[email protected]> Signed-off-by: Pierre Rousseau (pro) <[email protected]>
9 tasks
wraithgar
pushed a commit
that referenced
this pull request
Sep 30, 2025
Discovered while investigating #8535 (comment) Similar to #8566, relates to #8184 Moves `inert` (uninstallable optional) calculation into `buildIdealTree` so it can be used in diff. Also removes most of #8184 in favor of a [simpler fix](https://github.com/npm/cli/pull/8602/files#diff-02626074e1a4a170693607e4a3a69dfc08ee52067734717833b22cf162923e07R354), see PR comments for the journey. Improvements: * we don't see uninstallable packages as "installed" in CLI output * `createSparseTree` no longer creates dirs that will only be cleaned later For the example in the linked issue, it changes output from `added 156 packages` to `added 12 packages` and combined with #8537 it changes to `added 6 packages`, the expected result.
Closed
1 task
21 tasks
richardkmichael
added a commit
to richardkmichael/inspector
that referenced
this pull request
Dec 5, 2025
The `--no-package-lock` workaround was added due to npm bug #4828, where npm < 11.3.0 generates incomplete lockfiles for packages with optional platform dependencies (esbuild, rollup). Optional cross-platform dependencies were restored to `package-lock.json` in 358f276, so npm will be able to install from the lock file in the GitHub Actions. Also, fixed in npm 11.3.0 (Apr 2025), but Node v22 ships npm v10 and will remain affected out-of-the-box. Investigation notes follow. What happened? -------------- 1. Switch from yarn to npm: `package-lock.json` added, `yarn.lock` removed - modelcontextprotocol@702f827 Presumably: - run `npm install` to generate a `package-lock.json` from the yarn-managed `node_modules`, on macos - bug #4828: npm omitted optional cross-platform dependencies from the lock file 2. Pull 47, tries `npm ci`, and reverts, on 11 Nov 2024 modelcontextprotocol@3789ef9 - "Try restoring npm ci" --> testing the new node release for the bug? - ran against `setup-node`, `node-version: 18`, likely: 18.20.5 (released nov 11, 2024; ~same day) - git show 3789ef9:.github/workflows/main.yml - Failed action, and logs have expired - https://github.com/modelcontextprotocol/inspector/actions/runs/11782443393/job/32817472448 - https://nodejs.org/en/download/archive/v18.20.5 - uses npm 10.8.2 - Re-tried in inspector fork - workflow run at 3789ef9 - change `node-version: 18` to `18.20.5` (exact node / npm on commit date) - Fails due to missing `linux-x64-gnu` platform dep (rollup, would similarly affect esbuild) 3. Cross-platform dependencies restored to lockfile on 1 May 2025 modelcontextprotocol#372 - modelcontextprotocol@358f276 - worked because `package-lock.json` and `node_modules` were both removed - i.e., not the bug conditions -> even npm < 11.3.0 generates correct lockfile - At that point, `--no-package-lock` could've been removed from CI, Dockerfile, etc. NPM --- npm (aborist) fixed #4828 npm/cli#8184 - npm/cli#4828 --> frequent http 500, due to many comments - npm/cli@a96d8f6 - will not be backported Released in 11.3.0 on 8 Apr npm/cli#8150 - https://github.com/npm/cli/releases/tag/v11.3.0 - arborist 9.0.2 - https://github.com/npm/cli/releases/tag/arborist-v9.0.2 - npm v11.3.0 ships with node v24.2.0, on 6 May 2025 - https://nodejs.org/en/download/archive/v24 Node v22 ships npm v10 - https://nodejs.org/en/download/archive/v22 - will always be affected, no backport coming
richardkmichael
added a commit
to richardkmichael/inspector
that referenced
this pull request
Dec 6, 2025
The `--no-package-lock` workaround was added due to npm bug #4828, where npm < 11.3.0 generates incomplete lockfiles for packages with optional platform dependencies (esbuild, rollup). Optional cross-platform dependencies were restored to `package-lock.json` in 358f276, so npm will be able to install from the lock file in the GitHub Actions. Also, fixed in npm 11.3.0 (Apr 2025), but Node v22 ships npm v10 and will remain affected out-of-the-box. Investigation notes follow. What happened? -------------- 1. Switch from yarn to npm: `package-lock.json` added, `yarn.lock` removed - modelcontextprotocol@702f827 Presumably: - run `npm install` to generate a `package-lock.json` from the yarn-managed `node_modules`, on macos - bug #4828: npm omitted optional cross-platform dependencies from the lock file npm can't easily fix this. `npm install [email protected]` could write a resolved dependency, but at the exact version so `foo` would be pinned, and semver operator twiddling would be required to restore it as-was. The fix would be to "manually" re-add the missing metadata. 2. Pull 47, tries `npm ci`, and reverts, on 11 Nov 2024 modelcontextprotocol@3789ef9 - "Try restoring npm ci" --> testing the new node release for the bug? - ran against `setup-node`, `node-version: 18`, likely: 18.20.5 (released nov 11, 2024; ~same day) - git show 3789ef9:.github/workflows/main.yml - Failed action, and logs have expired - https://github.com/modelcontextprotocol/inspector/actions/runs/11782443393/job/32817472448 - https://nodejs.org/en/download/archive/v18.20.5 - uses npm 10.8.2 - Re-tried in inspector fork - workflow run at 3789ef9 - change `node-version: 18` to `18.20.5` (exact node / npm on commit date) - Fails due to missing `linux-x64-gnu` platform dep (rollup, would similarly affect esbuild) 3. Cross-platform dependencies restored to lockfile on 1 May 2025 modelcontextprotocol#372 - modelcontextprotocol@358f276 - worked because `package-lock.json` and `node_modules` were both removed - i.e., not the bug conditions -> even npm < 11.3.0 generates correct lockfile - At that point, `--no-package-lock` could've been removed from CI, Dockerfile, etc. NPM --- npm (aborist) fixed #4828 npm/cli#8184 - npm/cli#4828 --> frequent http 500, due to many comments - npm/cli@a96d8f6 - will not be backported Released in 11.3.0 on 8 Apr npm/cli#8150 - https://github.com/npm/cli/releases/tag/v11.3.0 - arborist 9.0.2 - https://github.com/npm/cli/releases/tag/arborist-v9.0.2 - npm v11.3.0 ships with node v24.2.0, on 6 May 2025 - https://nodejs.org/en/download/archive/v24 Node v22 ships npm v10 - https://nodejs.org/en/download/archive/v22 - will always be affected, no backport coming
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
7 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
… but keep them 'in the tree'
This PR was authored by @zkat
Fixes: #4828
Fixes: #7961
Replaces: #8127
Replaces: #8077
When optional dependencies fail, we don't want to install them, for whatever reason. The way this "uninstallation" is done right now is by simply removing the dependencies from the ideal tree during reification.
Unfortunately, this means that what gets saved to the "hidden lockfile" is the edited ideal tree as well, and when npm runs next, it'll use that when regenerating the "real" package-lock.
This PR tags failed optional deps such that they're still added to the "trash list" (and thus have their directories cleaned up by the reifier), but prevents Arborist from removing them altogether from the ideal tree (which is usually done by setting their parent to
null, making them unreachable, and letting them get GC'd).PS: It's Friday, this is what I managed to get done together. I'm making this a draft PR for now so folks can look at it, but I want to make sure both reifiers work well, fix some messaging issues, and clean stuff up (I'm pretty sure I'm guarding
ideallyInertin more places than I need to, because I was trying to find the right spot). Still, feel free to talk about the approach. I'll get back to this on Monday.PPS: also hi