[BUG] Scoped packages no longer have bin files linked in package-lock or node_modules/.bin

[darcyrush]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Somewhere between npm 6.14.13 and 7.13.0, npm install no longer installs bins from scoped packages into node_modules/.bin/. As such, npx fails to run my-bin-name and instead trys to download the bin name from the public npmjs registry. Occurs on the latest version of npm 7.24.1 too.

I imagine however I have just missed some change in the documentation but I don't see anything in particular in the scope or bin sections..

Note I am using a private package on a private gitlab npm repository but I don't think that is related. I don't know any public packages with a scope and bin commands to test.

// Local package.json
{
  "name": "my-app",
  "devDependencies": {
    "@myscope/my-package": "1.0.0"
  }
}

// Dependency package.json
{
  "name": "@myscope/my-package",
  "version": "1.0.0",
  "files": [
    "lib/"
  ],
  "bin": {
    "my-bin-name": "lib/index.js"
  },
}

The bin property is also missing on the dependency in the package-lock.json file with lockfileVersion: 2

   "node_modules/@myscope/my-package": {
     "version": "1.0.0",
     "resolved": "https://...",
     "integrity": "sha1-...",
     "dev": true
   }

Expected Behavior

The bin file should appear in node_modules/.bin/my-bin-name and the local application package-lock.json using lockfileVersion: 2 should contain the bin property in the dependency json. npx my-bin-name should succeed without triggering an erroneous download attempt.

   "node_modules/@myscope/my-package": {
     "version": "1.0.0",
     "resolved": "https://...",
     "integrity": "sha1-...",
     "dev": true,
     "bin": {
       "my-bin-name": "lib/index.js"
     }
   }

Steps To Reproduce

Use a node install manager (like n) to change between node and npm versions. i.e.

$ rm -fr node_modules && rm package-lock.json && npm cache clean --force
$ sudo n
node/14.17.0 + npm/6.14.13
$ npm i
$ npx my-bin-name

 > success

$ rm -fr node_modules && rm package-lock.json && npm cache clean --force
$ sudo n
node/16.3.0 + npm/7.15.1
$ npm i
$ npx my-bin-name

npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/my-bin-name - Not found

Environment

• OS: Ubuntu 20.04
• Node: 16.3.0
• npm: 7.15.1

[danieldelcore]

I'm seeing this as well for both npm 6.14.13 and 7.13.0.

My package.json looks like:

{
  "name": "@codeshift/cli",
  "version": "0.2.1",
  "main": "dist/codeshift-cli.cjs.js",
  "bin": {
    "@codeshift/cli": "./bin/codeshift-cli.js",
    "codeshift-cli": "./bin/codeshift-cli.js"
  },
}

Also broken with shorthand config

{
  "name": "@codeshift/cli",
  "version": "0.2.1",
  "main": "dist/codeshift-cli.cjs.js",
  "bin": "./bin/codeshift-cli.js",
}

[ljharb]

What about npm 7.24?

[nzuyanov]

What about npm 7.24?

The same behavior
npm v7.24.1
node v16.5.0
macOS Big Sur, 11.6

[nzuyanov]

It seems that this is not npm issue, but Gitlab
https://gitlab.com/gitlab-org/gitlab/-/issues/275992

[darcyrush]

If someone else can confirm this only affects gitlab, then the issue can be closed

[glock47]

{
"name": "@codeshift/cli",
"version": "0.2.1",
"main": "dist/codeshift-cli.cjs.js",
"bin": "./bin/codeshift-cli.js",
}

[ruyadorno]

This seems to be the same as #4308 I'm going to close this to focus the conversation there, since I started some debugging there already. Thanks you all!