[BUG] npm-shrinkwraps not respected for global installs of local packages?

[edvincent]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When globally installing a package that contains an npm-shrinkwrap.json file, it's not respected. It's actually always installing the latest version, just as it the shrinkwrap file wasn't there.

This kind of defeats the purpose its serves - as per https://docs.npmjs.com/cli/v8/configuring-npm/npm-shrinkwrap-json: The recommended use-case for npm-shrinkwrap.json is applications deployed through the publishing process on the registry: for example, daemons and command-line tools intended as global installs.

I was actually looking into moving to use that shrinkwrap file exactly for that in coder/code-server#5071 - vending it installed as a global install with deterministic dependencies - because we had issues with latest releases not being compatible. But realized it doesn't actually work at all...

Expected Behavior

As per https://docs.npmjs.com/cli/v8/configuring-npm/npm-shrinkwrap-json, I'd would expect a global install to use the versions from the shrinkwrap file - even when doing a global install...

When doing a non-global install, it works as expected.

Steps To Reproduce

mkdir test
cd test/
npm init # Saying ok to all defaults
npm install [email protected]
npm shrinkwrap
npm pack
npm install -g test-1.0.0.tgz # Attached this tgz to the issue here too

Resulting tgz: test-1.0.0.tgz

One would expect [email protected] in the dependencies.

But [email protected] (at the moment of this writing, the latest version) gets installed:

ubuntu@ip-172-26-4-193:~/test$ npm list -g --depth=10
[...]
└─┬ [email protected]
  └── [email protected]

More confirmations:

• /home/ubuntu/.nvm/versions/node/v16.17.0/lib/node_modules/test/npm-shrinkwrap.json shows [email protected] as expected
• /home/ubuntu/.nvm/versions/node/v16.17.0/lib/node_modules/test/node_modules/lru-cache/package.json shows "version": "7.14.0"

Environment

• npm: 8.18.0 (issue as well with 8.15.0)
• Node.js: v16.17.0
• OS Name: Ubuntu 20.02
• System Model Name: AWS Lightstail Instances
• npm config:

; "user" config from /home/ubuntu/.npmrc

python = "python3"

; node bin location = /home/ubuntu/.nvm/versions/node/v16.17.0/bin/node
; node version = v16.17.0
; npm local prefix = /home/ubuntu
; npm version = 8.18.0
; cwd = /home/ubuntu
; HOME = /home/ubuntu
; Run `npm config ls -l` to show all defaults.

[edvincent]

Didn't find an issue for this, the only discussion around shrinkwrap problems seems to be in #4323

Which I actually used as another package to confirm that the shrinkwrap file wasn't doing anything (later versions than the ones listed in the shrinkwrap file are downloaded)...

[edvincent]

Need a bit more research, but a quick update: this bug seems to only apply to installs done locally. When installing from a remote NPM package, the shrinkwrap file is seems respected... Which is weird because when I installed firebase-tools (from the comment above) it did seem to apply...