`node_modules` embedded in the package #123

onigoetz · 2016-03-30T15:48:58Z

Hi,

I just discovered that the fsevents zip uploaded to npmjs (https://registry.npmjs.org/fsevents/-/fsevents-1.0.9.tgz)

contains a node_modules folder with a huge list of dependencies :

└─┬ [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └─┬ [email protected]
  │   ├── [email protected]
  │   └── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └─┬ [email protected]
  │   └─┬ [email protected]
  │     ├── [email protected]
  │     └── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └─┬ [email protected]
  │   └── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └─┬ [email protected]
  │   ├─┬ [email protected]
  │   │ └── [email protected]
  │   ├── [email protected]
  │   ├─┬ [email protected]
  │   │ └─┬ [email protected]
  │   │   ├── [email protected]
  │   │   └── [email protected]
  │   ├─┬ [email protected]
  │   │ └── [email protected]
  │   └── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  ├── [email protected]
  └── [email protected]

but when installing there is only one dependency :

[email protected] node_modules/fsevents
└── [email protected]

Is this the intended behaviour ?

The text was updated successfully, but these errors were encountered:

onigoetz · 2016-03-30T16:07:09Z

I ask this because I use this module as a dependency in a bigger project, and shrinkwrap it before deployment.

But when putting the dependencies in the shrinkwrap, it puts the complete list, not only the ones from package.json.

When re-installing the package from the shrinkwrap, it fails because [email protected] has been unpublished from npm

es128 · 2016-03-30T16:57:29Z

Yes, it is the intended behavior, leveraging npm's bundledDependencies option, and it is necessary because node-pre-gyp needs to already be present before npm starts trying to download the rest of the dependencies. There's some further discussion about this in #93.

[email protected] was not unpublished - where do you see that?

onigoetz · 2016-03-30T19:25:24Z

Okay, I understand, this thing has a lot of dependencies :D

I see here that it was unpublished:

> npm view ansi-styles versions
[ '0.1.0',
  '0.1.1',
  '0.1.2',
  '0.2.0',
  '1.0.0',
  '1.1.0',
  '2.0.0',
  '2.0.1',
  '2.1.0',
  '2.2.1' ]

es128 · 2016-03-30T19:57:35Z

Ah, interesting, I was looking at the time object in npm which still lists 2.2.0. My mistake.

onigoetz closed this as completed Mar 30, 2016

onigoetz mentioned this issue Apr 4, 2016

Some features are missing in features list if caniuse-db is at the same level in node_modules Nyalab/caniuse-api#32

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

`node_modules` embedded in the package #123

`node_modules` embedded in the package #123

onigoetz commented Mar 30, 2016

onigoetz commented Mar 30, 2016

es128 commented Mar 30, 2016

onigoetz commented Mar 30, 2016

es128 commented Mar 30, 2016

node_modules embedded in the package #123

node_modules embedded in the package #123

Comments

onigoetz commented Mar 30, 2016

onigoetz commented Mar 30, 2016

es128 commented Mar 30, 2016

onigoetz commented Mar 30, 2016

es128 commented Mar 30, 2016

`node_modules` embedded in the package #123

`node_modules` embedded in the package #123