When using the `--registry` flag on an `npm install`, and installing a dependency that is only available on Valist and not on npmjs.com, subdependencies are not resolved.
Steps to reproduce:
```
npm init -yy
npm install --registry=https://app.valist.io/api/npm @valist/sdk
```
This creates a `package-lock.json` file with the following contents:
```json
{
  "name": "testing",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "@valist/sdk": "npm:sdk@^0.3.4"
      }
    },
    "node_modules/@valist/sdk": {
      "name": "sdk",
      "version": "0.3.4",
      "resolved": "https://gateway.valist.io/ipfs/bafkreihuomgtyukg5rdrpgpqzwinubh3d7i2c4bygxb5ecgst5b4jidrde"
    }
  },
  "dependencies": {
    "@valist/sdk": {
      "version": "npm:sdk@0.3.4",
      "resolved": "https://gateway.valist.io/ipfs/bafkreihuomgtyukg5rdrpgpqzwinubh3d7i2c4bygxb5ecgst5b4jidrde"
    }
  }
}
```
In the last block, the `@valist/sdk` object should actually contain the full list of dependencies that were listed in the `package.json` within `@valist/sdk`, like so:
```json
"dependencies": {
  "@biconomy/mexa": "^1.5.15",
  "@typescript-eslint/eslint-plugin": "^4.25.0",
  "encoding": "^0.1.13",
  "eslint": "^7.27.0",
  "eslint-config-airbnb-typescript": "^12.3.1",
  "eslint-plugin-import": "^2.23.3",
  "eth-sig-util": "^3.0.1",
  "ipfs-http-client": "47.0.1",
  "node-fetch": "^2.6.1",
  "web3": "^1.3.6",
  "web3-core": "^1.3.6"
}
```
This is very likely due to the fact that we return an empty object for `dependencies` in our npm registry API, at this line: https://github.com/valist-io/valist/blob/master/relay/pages/api/npm/%5B...releaseName%5D.ts#L48
In previous versions of NPM, we could get away with a second `npm install` without the registry flag, which would force the dependency resolution. However, this is no longer the case with 7+, and was never a good flow anyway, so we'll need to fix this.
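
A check for the symptom described in this report, as an added example that is not part of the original issue or the Valist code base: it compares what each installed package declares in its own `package.json` against the `packages` map of a version 2 lockfile and reports dependencies that were never resolved. The function names and the `manifests` input shape are assumptions, and the sample data is constructed from the lockfile shown above.

```javascript
'use strict';

// For each installed package, list the dependencies its own package.json
// declares that have no resolvable entry in the lockfile "packages" map.
// `lock` is a parsed package-lock.json (lockfileVersion 2). `manifests` maps
// a lockfile path such as "node_modules/@valist/sdk" to that package's
// parsed package.json (hypothetical input shape for this example).
function findUnresolvedDeps(lock, manifests) {
  const installed = lock.packages || {};
  const report = {};
  for (const [pkgPath, manifest] of Object.entries(manifests)) {
    if (!(pkgPath in installed)) continue;
    const missing = Object.keys(manifest.dependencies || {}).filter(
      (dep) => !isResolvable(installed, pkgPath, dep)
    );
    if (missing.length > 0) report[pkgPath] = missing.sort();
  }
  return report;
}

// Node-style lookup: try pkgPath/node_modules/dep first, then each
// enclosing node_modules directory up to the project root.
function isResolvable(installed, pkgPath, dep) {
  let base = pkgPath;
  for (;;) {
    const candidate = (base ? base + '/' : '') + 'node_modules/' + dep;
    if (candidate in installed) return true;
    if (base === '') return false;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Constructed sample: the lockfile from this report, trimmed, plus two of
// the dependencies the report lists for @valist/sdk.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    '': { dependencies: { '@valist/sdk': 'npm:sdk@^0.3.4' } },
    'node_modules/@valist/sdk': { name: 'sdk', version: '0.3.4' },
  },
};
const sampleManifests = {
  'node_modules/@valist/sdk': {
    dependencies: { 'node-fetch': '^2.6.1', web3: '^1.3.6' },
  },
};

console.log(findUnresolvedDeps(sampleLock, sampleManifests));
```

In a real project the `manifests` map would be built by reading each `node_modules/**/package.json` from disk after the install.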