Git-based npm modules not installing correct versions #7202
Description
I've found that since commit 1a90ec2, when npm dependencies are specified by using their git URLs, then child modules don't install the correct versions.
I've created a repo here that demonstrates this:https://github.com/BryanDonovan/npm-git-test
If you clone that repo and run npm install with a commit prior to 1a90ec2, (e.g. [email protected] works) the child dependencies are installed correctly. E.g.,:
$ npm list
[email protected] /Users/bdonovan/code/node/npm-git-test
├─┬ [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-bar.git#575b86626745cda65c05da620ae1c64e8a34dee7)
│ ├── [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-buzz.git#fc6c1ebffccd5ef8755c833072c41be51448f2d6)
│ └── [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-foo.git#8524863b7db0ab64eedf7a38c8af670d04865839)
├── [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-buzz.git#fc6c1ebffccd5ef8755c833072c41be51448f2d6)
└─┬ [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-foo.git#295739950f3366d9ce668082748e80674670d605)
└── [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-buzz.git#21673508ffed3584acb800421be7c4a337f4fe78)
But if we run npm install with a newer version of npm, the dummy-npm-bar dependency has the wrong version of dummy-npm-buzz installed (it should be 3.0.0, but it's 2.0.0 instead):
$ npm list
[email protected] /Users/bdonovan/code/node/npm-git-test
├─┬ [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-bar.git#575b86626745cda65c05da620ae1c64e8a34dee7)
│ ├── [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-buzz.git#21673508ffed3584acb800421be7c4a337f4fe78)
│ └── [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-foo.git#8524863b7db0ab64eedf7a38c8af670d04865839)
├── [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-buzz.git#fc6c1ebffccd5ef8755c833072c41be51448f2d6)
└─┬ [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-foo.git#295739950f3366d9ce668082748e80674670d605)
└── [email protected] (git+ssh://[email protected]:BryanDonovan/dummy-npm-buzz.git#21673508ffed3584acb800421be7c4a337f4fe78)
That is, [email protected] lists [email protected] as a dependency, but [email protected] is installed.
The dummy-npm-foo npm lists [email protected] as a dependency, so somehow this is getting mixed up with the dummy-npm-bar dependency of [email protected].