[BUG] npm removes invalid references instead of failing with an error starting in 9.6.6 #6742

Closed
2 tasks done
yeikel opened this issue Aug 28, 2023 · 6 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release

@yeikel

yeikel commented Aug 28, 2023

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Starting with npm 9.6.6, if we run npm install fetch-factory@0.0.2 --package-lock-only with a package.json containing invalid references, it succeeds and removes the invalid references instead of failing with a validation error like previous versions.

npm install fails as expected

I went over the release notes of 9.6.6 and I could not find any mention of this change in behavior. Was this intentional?

Expected Behavior

In 9.6.5 the same command fails with the error npm ERR! must provide string spec

Steps To Reproduce

Reproducer: https://github.com/yeikel/npm-invalid-dependency-removed
Logs: https://github.com/yeikel/npm-invalid-dependency-removed/actions/runs/5994585281/job/16256409062

  1. git clone https://github.com/yeikel/npm-invalid-dependency-removed.git
  2. nvm install 18
  3. nvm use 18
  4. npm --version -> 9.6.7
  5. Run npm install fetch-factory@0.0.2 --package-lock-only

Expected : npm should fail with the following error npm ERR! must provide string spec

Actual :

  • npm succeeds
  • npm removes the invalid dependencies from the package.json
diff --git a/package.json b/package.json
index fc17427..22a8ea8 100644
--- a/package.json
+++ b/package.json
@@ -1,4 +1,3 @@
-
 {
   "name": "name",
   "version": "1.0.0",
@@ -15,12 +14,6 @@
   },
   "homepage": "https://github.com/waltfy/PROTO_TEST#readme",
   "dependencies": {
-    "fetch-factory": "^0.0.1"
-  },
-  "devDependencies": {
-    "etag": "^1.0.0",
-    "cordova-plugin-geolocation": {
-      "GEOLOCATION_USAGE_DESCRIPTION": "To locate you"
-    }
+    "fetch-factory": "^0.0.2"
   }
 }
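
Review bot: The second hunk deletes the whole devDependencies block, so the string-valued "etag": "^1.0.0" entry is lost along with "cordova-plugin-geolocation", whose value is an object rather than a version string. Restore "etag" and fix or remove only the object-valued entry by hand, then re-run the command so the lockfile is built from a manifest whose dependency values are all strings.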

Environment

  • npm: Any after 9.6.5
  • Node.js: 18
@yeikel yeikel added Bug thing that needs fixing Needs Triage needs review for next steps Release 9.x work is associated with a specific npm 9 release labels Aug 28, 2023
@yeikel yeikel changed the title [BUG] Npm removes invalid dependencies instead of failing with an error [BUG] Npm removes invalid dependencies instead of failing with an error starting in 9.6.6 Aug 28, 2023
@yeikel yeikel changed the title [BUG] Npm removes invalid dependencies instead of failing with an error starting in 9.6.6 [BUG] npm removes invalid dependencies instead of failing with an error starting in 9.6.6 Aug 28, 2023
@yeikel yeikel changed the title [BUG] npm removes invalid dependencies instead of failing with an error starting in 9.6.6 [BUG] npm removes invalid references instead of failing with an error starting in 9.6.6 Aug 28, 2023
@THETCR

THETCR commented Aug 31, 2023

This would technically be a breaking change for the end user and therefore not in line with the semantic versioning spec.

@yeikel
Author

yeikel commented Mar 16, 2024

@wraithgar Do you have any insights about this one? From the release diff, it seems that you are the main contributor of this release.

@bartelemi

What is the plan here? We just noticed that our github-action dependabot pipelines started failing due to us using a node v20 + npm v10, which doesn't play well with dependabot.

npm ERR! code EBADENGINE
npm ERR! engine Unsupported engine
npm ERR! engine Not compatible with your version of node/npm: *******-service@1.26.0
npm ERR! notsup Not compatible with your version of node/npm: *******-service@1.26.0
npm ERR! notsup Required: {"node":"^20.0.0","npm":">=10.0.0"}
npm ERR! notsup Actual:   {"npm":"9.6.5","node":"v20.18.0"}

@reggi
Contributor

reggi commented Dec 12, 2024

@bartelemi your issue seems unrelated to OP. *******-service@1.26.0 is requiring you use npm 10 or above and you're using 9; that's the author of *******-service@1.26.0 who made that requirement.

@wraithgar
Member

This is not a bug. That error npm ERR! must provide string spec was not npm preventing this, it was npm not being able to handle this situation correctly.

npm install x is always considered able to write to the package.json, package-lock, and node_modules.

--package-lock-only means npm will only update the package-lock on an update, and things in node_modules will not be considered. It's making a "virtual" tree instead of a "real" one.

In this case you asked npm to install a module, which it did. Part of the package install process is writing the new info to the package.json and package-lock.
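
A pre-flight check for the situation discussed in this thread, as an added example that is not npm's code or part of any comment here: it flags dependency entries whose value is not a string and lists entries that disappeared between two versions of package.json. The function names are hypothetical, and the sample manifests are reconstructed from the diff in the issue body.

```javascript
// Added example, not npm's code. Function names are hypothetical.
const DEP_FIELDS = ['dependencies', 'devDependencies',
  'optionalDependencies', 'peerDependencies'];

const kind = (v) => (v === null ? 'null' : Array.isArray(v) ? 'array' : typeof v);
const asMap = (v) => (kind(v) === 'object' ? v : {});

// One finding per dependency entry whose value is not a string spec.
function findInvalidSpecs(pkg) {
  const findings = [];
  for (const field of DEP_FIELDS) {
    if (pkg[field] === undefined) continue;
    if (kind(pkg[field]) !== 'object') {
      findings.push({ field, name: null, got: kind(pkg[field]) });
      continue;
    }
    for (const [name, spec] of Object.entries(pkg[field])) {
      if (typeof spec !== 'string') findings.push({ field, name, got: kind(spec) });
    }
  }
  return findings;
}

// Entries present in `before` but gone from `after` (version bumps are ignored).
function removedEntries(before, after) {
  const gone = [];
  for (const field of DEP_FIELDS) {
    const kept = asMap(after[field]);
    for (const name of Object.keys(asMap(before[field]))) {
      if (!Object.prototype.hasOwnProperty.call(kept, name)) gone.push(`${field}/${name}`);
    }
  }
  return gone;
}

// Constructed sample: before/after manifests reconstructed from the diff in the issue.
const BEFORE = {
  name: 'name', version: '1.0.0',
  dependencies: { 'fetch-factory': '^0.0.1' },
  devDependencies: {
    etag: '^1.0.0',
    'cordova-plugin-geolocation': { GEOLOCATION_USAGE_DESCRIPTION: 'To locate you' },
  },
};
const AFTER = { name: 'name', version: '1.0.0', dependencies: { 'fetch-factory': '^0.0.2' } };

console.log('invalid specs:', findInvalidSpecs(BEFORE));
console.log('removed by install:', removedEntries(BEFORE, AFTER));
```

In CI, run the first check before npm install with --package-lock-only and fail the job on any finding; the second check compares the manifest before and after the command.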

@jeffwidman

Thanks for the clarity @wraithgar, much appreciated.
