[BUG] Running `npm ci` silently executes `npm install` if `package.json` contains a `github:` package

[FeBe95]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

If a project requires at least one GitHub package as a dependency, the command npm ci will also execute npm install.
This is a problem, since npm install is totally different from npm ci and might break project installations (more about potential issues at the very bottom).

Expected Behavior

Running the command npm ci with a GitHub package as a dependency should not run npm install.

See: https://docs.npmjs.com/cli/v11/commands/npm-install#:~:text=npm%20install%20github

Steps To Reproduce

1. Install package from GitHub: npm install github:jquery/jquery#3.x-stable
2. Do a clean install: npm ci
3. Open the NPM _logs folder
4. Open the three created log files:
   • verbose title npm ci
   • verbose title npm install
   • verbose title npm outdated ...

Environment

• npm: 11.4.0
• Node.js: v24.0.2
• OS Name: Windows 11
• System Model Name: -
• npm config:

; "builtin" config from C:\Users\fbern\AppData\Roaming\npm\node_modules\npm\npmrc

prefix = "C:\\Users\\fbern\\AppData\\Roaming\\npm"

; "user" config from C:\Users\fbern\.npmrc

unicode = true

; "project" config from C:\xampp\htdocs\bidX\.npmrc

@fortawesome:registry = "https://npm.fontawesome.com/"
//npm.fontawesome.com/:_authToken = (protected)

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v24.0.2
; npm local prefix = C:\xampp\htdocs\bidX
; npm version = 11.4.0
; cwd = C:\xampp\htdocs\bidX
; HOME = C:\Users\fbern
; Run `npm config ls -l` to show all defaults.

Background

In our project, we usually use packages from the NPM repository. While developing a new feature, I installed a new dependency from a GitHub repository. Everything was working fine, at least on my machine. However, some of my colleagues have recently reported that running npm ci has thrown some new errors. They are unable to successfully execute npm ci with the new feature in place.

We then discovered that during the installation process, NPM was trying to install a peer dependency that required a Python executable. Python was not installed on their machines. We were baffled by these errors since the peer dependency isn't present in our package.json and shouldn't be installed at all.

To be even more specific, we use sass-loader, which requires either sass or node-sass (see: https://github.com/webpack-contrib/sass-loader/blob/v12.6.0/package.json#L42-L43). We use sass, which does not require Python.

So we started investigating why NPM was suddenly trying to install node-sass as well. Looking at the installation logs, we discovered that npm install was being run silently, with the --include=peer and --include=optional flags set:

7 verbose title npm install
8 verbose argv "install" "--force" "--cache" "C:\\Users\\fbern\\AppData\\Local\\npm-cache" "--prefer-offline" "false" "--prefer-online" "false" "--offline" "false" "--no-progress" "--no-save" "--no-audit" "--include" "dev" "--include" "peer" "--include" "optional" "--no-package-lock-only" "--no-dry-run"

This shouldn't be the case. Why is NPM trying to installing the dependency twice at all?

Possible solutions

• Don't run two separate installations (get rid of the second npm install)
• Run the second installation as npm ci if the first one was also npm ci
• Run the second installation as npm install without setting the include flags

[alexsch01]

with npm@10.8.2, I see npm ci creates 2 log files

first one being verbose title npm ci
second one being verbose title npm install

[wraithgar]

This is by design. Git dependencies have to be installed, it has been like this for a long time.

Here's a snippet from the lifecycle scripts docs page:

NOTE: If a package being installed through git contains a prepare script, its dependencies and devDependencies will be installed, and the prepare script will be run, before the package is packaged and installed.

Not sure where else we can link to or warn about this, a PR would be welcome if you think the docs could improve. This is not a bug however.

[FeBe95]

Thanks for the explanation and the link. However, I still don't quite understand how this applies to the case demonstrated. First of all, the package in question does not have a prepare script. Second, npm not only installs the package (via npm install <package-name>), but also installs the whole project (by calling npm install without a package name). Is this also by design, and yes, could you perhaps elaborate on why exactly?

Regarding the docs: Before opening this issue, I had a look at the npm install docs. There is a paragraph similar to the one you commented on above:

As with regular git dependencies, dependencies and devDependencies will be installed if the package has a prepare script before the package is done installing.

But like I said, I don't know if this applies to my case here.

[wraithgar]

If a package being installed through git contains a prepare script, its dependencies and devDependencies will be installed

The prepare script is ancillary to this part for git packages. Git references are and have always been considered "source code" and not "published modules". This is the root reason why the install happens. While it's possible that some git packages will work just fine without this step, not all will.

We do not recommend using git references in general in your package.json. Git is source control. Most of the things in npm that support git references are a compromise because of this reality. If you use git references you are going to have to live with those compromises.

I'm going to close this now, as this is not a bug.

[FeBe95]

I just published my package to NPM (first one for me, yay! 😊). This resolves the issue for me :) Thanks again!