I've found that since commit 1a90ec2, when npm dependencies are specified by using their git URLs, then child modules don't install the correct versions.
I've created a repo here that demonstrates this: https://github.com/BryanDonovan/npm-git-test
If you clone that repo and run npm install with a commit prior to 1a90ec2 (e.g. npm@2.0.0 works), the child dependencies are installed correctly. E.g.:
$ npm list
npm-git-test@1.0.0 /Users/bdonovan/code/node/npm-git-test
├─┬ dummy-npm-bar@4.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-bar.git#575b86626745cda65c05da620ae1c64e8a34dee7)
│ ├── dummy-npm-buzz@3.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-buzz.git#fc6c1ebffccd5ef8755c833072c41be51448f2d6)
│ └── dummy-npm-foo@3.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-foo.git#8524863b7db0ab64eedf7a38c8af670d04865839)
├── dummy-npm-buzz@3.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-buzz.git#fc6c1ebffccd5ef8755c833072c41be51448f2d6)
└─┬ dummy-npm-foo@4.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-foo.git#295739950f3366d9ce668082748e80674670d605)
  └── dummy-npm-buzz@2.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-buzz.git#21673508ffed3584acb800421be7c4a337f4fe78)
But if we run npm install with a newer version of npm, the dummy-npm-bar dependency has the wrong version of dummy-npm-buzz installed (it should be 3.0.0, but it's 2.0.0 instead):
$ npm list
npm-git-test@1.0.0 /Users/bdonovan/code/node/npm-git-test
├─┬ dummy-npm-bar@4.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-bar.git#575b86626745cda65c05da620ae1c64e8a34dee7)
│ ├── dummy-npm-buzz@2.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-buzz.git#21673508ffed3584acb800421be7c4a337f4fe78)
│ └── dummy-npm-foo@3.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-foo.git#8524863b7db0ab64eedf7a38c8af670d04865839)
├── dummy-npm-buzz@3.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-buzz.git#fc6c1ebffccd5ef8755c833072c41be51448f2d6)
└─┬ dummy-npm-foo@4.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-foo.git#295739950f3366d9ce668082748e80674670d605)
  └── dummy-npm-buzz@2.0.0 (git+ssh://git@github.com:BryanDonovan/dummy-npm-buzz.git#21673508ffed3584acb800421be7c4a337f4fe78)
That is, dummy-npm-bar@4.0.0 lists dummy-npm-buzz@3.0.0 as a dependency, but dummy-npm-buzz@2.0.0 is installed.
The dummy-npm-foo npm lists dummy-npm-buzz@2.0.0 as a dependency, so somehow this is getting mixed up with the dummy-npm-bar dependency of dummy-npm-buzz@3.0.0.
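Added example (not part of the original report and not npm's own code): a check that flags the mismatch described above by comparing the commit each package pins in its git dependency spec with the commit of the copy Node would actually load. The tree is constructed from the two `npm list` outputs in the report; the declared pins are an assumption taken from the npm@2.0.0 listing, and `findMismatches`, `sampleTree` and the object layout are hypothetical names.

```javascript
'use strict';
// Commit hashes copied from the two `npm list` outputs in the report.
const BAR = '575b86626745cda65c05da620ae1c64e8a34dee7';
const BUZZ2 = '21673508ffed3584acb800421be7c4a337f4fe78';
const BUZZ3 = 'fc6c1ebffccd5ef8755c833072c41be51448f2d6';
const FOO3 = '8524863b7db0ab64eedf7a38c8af670d04865839';
const FOO4 = '295739950f3366d9ce668082748e80674670d605';

const url = (name, commit) => `git+ssh://git@github.com:BryanDonovan/${name}.git#${commit}`;
// Hypothetical node layout: declared = {dep: git spec}, installed = {dep: node}.
const pkg = (name, commit, declared = {}, installed = []) => ({
  name,
  resolved: url(name, commit),
  declared: Object.fromEntries(Object.entries(declared).map(([d, c]) => [d, url(d, c)])),
  installed: Object.fromEntries(installed.map((p) => [p.name, p])),
});

// Constructed sample. Declared pins are assumed from the npm@2.0.0 listing;
// barBuzz is the dummy-npm-buzz commit actually placed under dummy-npm-bar.
function sampleTree(barBuzz) {
  return pkg('npm-git-test', '', { 'dummy-npm-bar': BAR, 'dummy-npm-buzz': BUZZ3, 'dummy-npm-foo': FOO4 }, [
    pkg('dummy-npm-bar', BAR, { 'dummy-npm-buzz': BUZZ3, 'dummy-npm-foo': FOO3 },
      [pkg('dummy-npm-buzz', barBuzz), pkg('dummy-npm-foo', FOO3)]),
    pkg('dummy-npm-buzz', BUZZ3),
    pkg('dummy-npm-foo', FOO4, { 'dummy-npm-buzz': BUZZ2 }, [pkg('dummy-npm-buzz', BUZZ2)]),
  ]);
}

// Commit pinned by a git spec ("...repo.git#<commit>"), or null if unpinned.
function pinnedCommit(spec) {
  const i = spec.lastIndexOf('#');
  return i === -1 ? null : spec.slice(i + 1);
}

// For every declared git dependency, find the copy Node would load (nearest
// node_modules walking up the tree) and compare its commit with the pin.
function findMismatches(node, ancestors = [], path = node.name, out = []) {
  const chain = [node, ...ancestors];
  for (const [dep, spec] of Object.entries(node.declared)) {
    const want = pinnedCommit(spec);
    if (!want) continue;
    const owner = chain.find((n) => n.installed[dep]);
    const got = owner ? pinnedCommit(owner.installed[dep].resolved) : null;
    if (got !== want) out.push({ parent: path, dep, want, got });
  }
  for (const child of Object.values(node.installed)) {
    findMismatches(child, chain, `${path} > ${child.name}`, out);
  }
  return out;
}
```

Comparing commits rather than version numbers matters here because two different commits of a git dependency can carry the same `version` field.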