[BUG] npm doesn't download version specified in the devEngines field #8004

Closed
trivikr opened this issue Dec 30, 2024 · 4 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps

Comments

trivikr commented Dec 30, 2024

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

The devEngines proposal provides the following options for onFail:

The onFail field defines what should happen if validation fails:

  • ignore: nothing.
  • warn: print something and continue.
  • error: print something and exit.
  • download: remediate the validation failure by downloading the requested tool/version.

The npm@11.0.0 doesn't automatically download the version requested in devEngines

$ echo '{ "name": "test-devEngines", "version": "0.0.1", "devEngines": { "packageManager": { "name": "npm", "version": "10.9.0", "onFail": "download" } } }' > package.json
$ npm install -g npm@11.0.0
$ npm install
npm error code EBADDEVENGINES
npm error EBADDEVENGINES The developer of this package has specified the following through devEngines
npm error EBADDEVENGINES Invalid engine "packageManager"
npm error EBADDEVENGINES Invalid semver version "10.9.0" does not match "11.0.0" for "packageManager"
npm error EBADDEVENGINES {
npm error EBADDEVENGINES   current: { name: 'npm', version: '11.0.0' },
npm error EBADDEVENGINES   required: { name: 'npm', version: '10.9.0', onFail: 'download' }
npm error EBADDEVENGINES }

Expected Behavior

Since the value in devEngines.packageManager.onFail is download, the project should switch to npm@10.9.0 smoothly instead of requiring developers to install the specific version.

Steps To Reproduce

$ echo '{ "name": "test-devEngines", "version": "0.0.1", "devEngines": { "packageManager": { "name": "npm", "version": "10.9.0", "onFail": "download" } } }' > package.json

$ npm install -g npm@11.0.0

$ npm install

Environment

  • npm: 11.0.0
  • Node.js: v23.5.0
  • OS Name: macOS
  • System Model Name: Macbook Pro
  • npm config:
npm config ls
; "user" config from /Users/trivikr/.npmrc

//registry.npmjs.org/:_authToken = (protected)

; node bin location = /Users/trivikr/.nvm/versions/node/v23.5.0/bin/node
; node version = v23.5.0
; npm local prefix = /Users/trivikr/workspace/test-devEngines
; npm version = 11.0.0
; cwd = /Users/trivikr/workspace/test-devEngines
; HOME = /Users/trivikr
; Run `npm config ls -l` to show all defaults.
@trivikr trivikr added Bug thing that needs fixing Needs Triage needs review for next steps labels Dec 30, 2024

trivikr commented Dec 30, 2024

As per #8003 (comment), it appears that npm is not going to implement the onFail=download option because of some security concern.

That was by design; npm chose not to implement download because it's a security concern.

Consumers of devEngines with the npm package manager will have to explicitly install the npm version in their setup (local workspace as well as CI), or change onFail to ignore or warn.


trivikr commented Dec 30, 2024

I created a feature request in the devEngines specification to follow up on this mismatch: openjs-foundation/package-metadata-interoperability-collab-space#33

If behind-the-scenes package manager version management is important to you, it might be wise to stick with corepack at the time of this comment and not onboard to the devEngines proposal.

@GeoffreyBooth commented

This isn't a bug. The proposal says that package managers can choose what to do for onFail: 'download'. One of the examples given was that a package manager that doesn't support downloading would error, which is what npm is doing here per your example.


trivikr commented Dec 31, 2024

The proposal says that package managers can choose what to do for onFail: 'download'

Verified that this is mentioned in the specification:

In the event of onFail: 'download', it would be the responsibility of the tool to determine what and how to download, perhaps by looking in the tool’s associated lockfile for a specific version and integrity hash. It could also be supported on a case-by-case basis, like perhaps Yarn and pnpm could support downloading a satisfactory version while npm would error.

@trivikr trivikr closed this as completed Dec 31, 2024
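The check the thread is about, as an added example that is not npm's own code and not from any participant: it validates the running package manager against devEngines.packageManager and applies the onFail options quoted in the first post, reporting download like error instead of fetching anything, which is the behaviour the thread concludes npm chose. Assumptions not on the page: package.json is passed in as a string, only exact, "^", "~" and ">=" ranges are handled (npm itself uses the semver package), and the function names are hypothetical.

```javascript
// Added example (not npm's own code): a minimal devEngines.packageManager check
// modelled on the EBADDEVENGINES error in the issue. Assumed, not from the page:
// package.json is passed as a string; only exact, "^", "~" and ">=" ranges are
// handled (npm uses the semver package); function names are hypothetical.
// "download" is never remediated by fetching a tool; it is reported like "error".

function parseVer(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not an x.y.z version: ${v}`);
  return m.slice(1, 4).map(Number);
}
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Returns true when `version` satisfies `range` (subset of semver syntax).
function satisfies(version, range) {
  const v = parseVer(version);
  const op = /^(\^|~|>=)?(.*)$/.exec(range.trim());
  const base = parseVer(op[2]);
  if (!op[1]) return cmp(v, base) === 0;             // exact, e.g. "10.9.0"
  if (cmp(v, base) < 0) return false;
  if (op[1] === '>=') return true;
  if (op[1] === '~') return v[0] === base[0] && v[1] === base[1];
  return v[0] === base[0];                           // caret: same major
}

// Validates `current` ({ name, version }) against devEngines.packageManager.
function checkDevEngines(packageJsonText, current) {
  const req = (JSON.parse(packageJsonText).devEngines || {}).packageManager;
  if (!req) return { ok: true, action: 'none', messages: [] };
  const nameOk = req.name === current.name;
  const verOk = nameOk && (!req.version || satisfies(current.version, req.version));
  if (nameOk && verOk) return { ok: true, action: 'none', messages: [] };
  const msg = nameOk
    ? `Invalid semver version "${req.version}" does not match "${current.version}" for "packageManager"`
    : `Invalid engine "packageManager": expected "${req.name}", running "${current.name}"`;
  switch (req.onFail || 'error') {
    case 'ignore': return { ok: true, action: 'ignore', messages: [] };
    case 'warn':   return { ok: true, action: 'warn', messages: [msg] };
    case 'download':
      // No automatic download: tell the developer what to install instead.
      return { ok: false, action: 'error', messages: [msg, `install ${req.name}@${req.version} explicitly`] };
    default:       return { ok: false, action: 'error', messages: [msg] };
  }
}

// Constructed sample input: the package.json from the issue.
const SAMPLE_PACKAGE_JSON = '{ "name": "test-devEngines", "version": "0.0.1", "devEngines": { "packageManager": { "name": "npm", "version": "10.9.0", "onFail": "download" } } }';
```

Running `checkDevEngines(SAMPLE_PACKAGE_JSON, { name: 'npm', version: '11.0.0' })` reproduces the failure in the issue as an error result; switching onFail to warn in the same package.json makes it a warning that still lets the install proceed.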