How does npm error affect old git commits? - npm

In my create-react-app project I've installed many node packages via npm. Every time, I've used npm install --save to update package.json and package-lock.json and then committed the changes to git.
Recently, something caused a previously-working npm module to fail. Since I couldn't find the cause, I tried removed and reinstalled all dependencies like this:
rm -rf node_modules/
npm install
However, the same module still fails, even when I switch back to older commits and repeat the commands above!
Since the problem can't be in the committed code itself (which is running fine on another machine), the problem must be somewhere else such as in the create-react-app development server or the /node_modules.
How can I reset my work to a working state, given that everything is in git and was working before?
UPDATE:
My answer below turned out to be only partly right. npm did install a newer version of the package, but that was not actually the problem after all. The true fix was realising that my data (from my database) was corrupt, so returning to prior "working version" made no difference until I fixed my data!

UPDATE: As mentioned in the updated question, this answer did not actually solve my problem after all. Messing around with the npm modules did fix something, but it soon started failing again, so the fix was incomplete.
UPDATE 2: There was also a problem in the data I was passing from my database to the module! That data is not stored in git, so fiddling with npm modules and git had no power.
It seems that the problem was in the npm versioning! Since my package.json listed somepackage#^6.0.0, running npm install fetched the latest version (which had the bug).
Hence, my old working commits that referenced somepackage#^6.0.0 still actually installed the new faulty version when re-installed from scratch.
The solution was to edit package.json and change somepackage#^6.0.0 to somepackage#6.0.0(exact match without ^)

Related

"cb() never called!" - very persistent, tried to solve it using conventional techniques, hasn't worked

When I try to "npm install" my project, it always results in a "cb() never called!". I'm using the 6.14.13 version of npm and 14.17.0 version of node.
I've tried running this command on a different machine- works there. I've also tried...
Running "npm cache clean --force" "npm cache verify"
Deleting node_modules folder
Completely uninstalling and reinstalling node
Combining steps 1-3
It resolved itself for about 12 hours one time, even though I hadn't changed anything. (I ran it once, it failed, ran it again about 60 seconds later, and it worked). I also tried cloning the repository into another folder. This hadn't worked previously, but as of this morning, it does now for some reason.
I'm very confused. Please help. Thank you.
It seems that this may be due to your package-lock.json being corrupted.
Have you tried:
deleting package-lock.json
then running: npm cache clean --force
then running: npm install
source: https://reactgo.com/npm-err-cb-never-called/
This old SO post has some more ideas you could try: npm ERR cb() never called

Why does my 'npm install' give so many vulnerabilities?

Everytime I do npm install after cloning a github project OR install packages on my local system for my practice projects, there are always around 20+ vulnerabilities.
But the guys in youtube tutorials always have 0 vulnerabilities.
I even reinstalled npm but it didn't change anything
If you are following an old video, you are likely installing old packages. Therefore it's pretty common to have vulnerabilities.
If you want the warnings to disappear, you can try to remove #version in your packages inside package.json and then run npm i again. Or, as bogdanoff says, run npm update instead.
But be careful: packages may behave differently from the video when updated.

What is the integrity field in the npm package-lock.json actually for?

I'm poking around in npm at the moment. I am trying to see what sort of security risks there are to developers using npm.
The main sort of attack I'm interested in are supply chain attacks where either a developer or a build system (which we can consider just another developer) get something they don't expect.
I have unexpected - at least for me - behaviour when I do the following:
npm init
npm install xxx - doesn't matter what xxx is
Edit the package-lock.json file and alter the integrity - e.g. change one char
rm -rf node_modules
npm install
EXPECT
Some sort of complaint that the installed package's hash doesn't match
ACTUAL
package-lock.json just gets updated
Am I being dense here? I'm expecting the integrity field to cause npm to somehow spot when something unexpected is installed. Why does it just get updated?
I tested with both npm#7 and npm#6 and got an EINTEGRITY error both times. I installed Node.js 10.x and tested with npm#5 and again got EINTEGRITY. Prior to npm#5, there was no package-lock.json file supported.
I can think of two scenarios (other than "I forgot to save my changes in package-lock.json" and stuff like that) that might explain what you are seeing.
First, perhaps you are accidentally removing package-lock.json when removing node_modules? I mean, I remove both together so often that there's a potential muscle memory issue for me. Maybe you have the same?
The only other thing I can come up with is if you initially installed using a version of npm that supports package-lock.json but then after editing package-lock.json, you re-installed using a version prior to the introduction of the package-lock.json feature. That seems unlikely, but is possible if you are using different interactive shells for the installs and using nvm. Open two terminals, change the version of node and npm in one terminal, and then use both terminals--you are now using different versions in the two terminals.

NPM installing package removes another

When i install a package with npm install for my react-native project it automaticly removes another. How can I stop this from happening?
The problem is that you've added a git dep, possibly using a branch identifier like: git+https://..../you/your_project.git#your_branch but after resolution it's saved in package-lock.json not as #your_branch but as #sha_for_latest_commit_to_your_branch. When npm tries to resolve this difference it gets confused and removes what you've got currently.
You can get around the npm bug, while we wait for a fix to land, by copying that sha from package-lock.json into your package.json. You'll need to change the sha in package.json any time the dep gets more commit(s) pushed that you want in your project....
This would be annoying if you wanted it to automatically pick up changes to a frequently changing git dependency, but at least it would stop the uninstall behavior.. by Adam Tuttle ... cant see more in this link https://github.com/npm/npm/issues/17379

packages.json: suppress looking for new versions

Is there any way we can suppress not to look for new versions during npm install. I know we can remove it from packages.json but doing the same thing in every dependent packages can quite become a challenge. The current problem i have is our company doesn't allow us to pull from public domain unless they are accepted and added to our private repository. Every time we add all the packages and after couple of days if we run npm install it will fail since a new minor or major version is released and we don't have it in our repository.
UPDATE Just recently Npm release npm ci command especially for such purposes. It strictly follows the package-lock.json file
I think starting with npm5 you have a lock file which solves that problem. In addition you could try npm shrinkwrap command, which is a bit older approach, it creates the shrinkwrap.json file with exact version of packages and next time npm will use only this versions.