Manage "phoenix_html": "file:../deps/phoenix_html", style dependencies

[happysalada]

I'm just reporting, in case that is interesting.
in the package.json, you can have entries like
"phoenix_html": "file:../deps/phoenix_html",
This happens in the elixir ecosystem. Where the frontend dependencies are released with the backend dependencies. Therefore they just reference a file path.
Currently npmlock2nix will throw the following error

error: [npmlock2nix] A valid dependency consists of at least the resolved and integrity field. Missing one or both of them for `phoenix_html`. The object I got looks like this: {"version":"file:../deps/phoenix_html"}

just mentioning this is not critical since you can circumvent this by patching the version in the package.json, there is often an npm published version that corresponds. Just sometimes the exact version is different. For phoenix_html for example the npm package version is 3.0.0 where as the elixir package version is 3.0.2.
So just to say that this can be worked around if needed.

[pietdevries94]

This problem gets bigger when using npm workspaces https://docs.npmjs.com/cli/v7/using-npm/workspaces

The following package.json files result in a problematic lockfile

package.json

{
  "name": "my-workspaces-powered-project",
  "version": "1.0.0",
  "workspaces": [
    "web"
  ]
}

web/package.json

{
  "name": "web",
  "version": "1.0.0"
}

package-lock.json

{
  "name": "my-workspaces-powered-project",
  "version": "1.0.0",
  "lockfileVersion": 2,
  "requires": true,
  "packages": {
    "": {
      "name": "my-workspaces-powered-project",
      "version": "1.0.0",
      "workspaces": [
        "web"
      ]
    },
    "node_modules/web": {
      "resolved": "web",
      "link": true
    },
    "web": {
      "version": "1.0.0"
    }
  },
  "dependencies": {
    "web": {
      "version": "file:web"
    }
  }
}

[cideM]

I also ran into this issue with a project that uses Lerna where I replaced the references to packages that only Lerna knows about with file paths, thinking this would work because NPM understands this.

[Quelklef]

Bump. Weirdness of Purescript necessitates use of file: packages in some cases, which then breaks npmlock2nix. So another vote of desire from a Purescript user!

[Quelklef]

FWIW, I was able to get around this by removing my file: package from package.json and package-lock.json before passing them into npmlock2nix, and then manually re-adding them after-the-fact.

My package was called js-lib and the working nix code looked something like this:

node_modules = let

  without-local-deps =
    pkgs.stdenv.mkDerivation {
      name = "my-project-without-local-deps";
      src = ./.;
      buildInputs = [ pkgs.jq ];
      installPhase = ''
        mkdir $out
        cat $src/package.json \
              | jq 'del( .dependencies."js-lib" )' \
              > $out/package.json
        cat $src/package-lock.json \
              | jq 'del( .packages."".dependencies."js-lib" )' \
              | jq 'del( .packages."js-lib" )' \
              | jq 'del( .packages."node_modules/js-lib" )' \
              > $out/package-lock.json
      '';
    };

  npmlock2nix-d =
    npmlock2nix.node_modules {
      src = without-local-deps;
    };

  with-local-deps =
    pkgs.runCommand "my-project-with-local-deps" {} ''
      mkdir $out
      cp -r -- ${npmlock2nix-d}/node_modules $out
      chmod +w -R $out/node_modules
      cp -r -- ${./js-lib} $out/node_modules/js-lib
    '';

  in with-local-deps;