@saleforce/cli not installable in environments that control npm versions

[hungrypipo]

The latest @salesforce/cli (v 2.1.7 at this time) is not installable in our environment because two dependencies request non-standard npm versions(ones that do not come packaged with NodeJS versions)

@oclif/plugin-plugins@3.1.6
--- npm@9.8.0
@salesfoce/plugin-trust@2.4.32
--- npm@8.19.4

We have NodeJS 18.16.1 with npm 9.5.1, we are not allowed to pull npm as an artifact so the install fails

I also understand that the dependencies are managed by dependabot which automatically bumps the versions

Would it be possible to stop dependabot on the npm dependency for these 2 dependencies and make sure the npm version aligns with NodeJS packages?

[github-actions]

Thank you for filing this issue. We appreciate your feedback and will review the issue as soon as possible. Remember, however, that GitHub isn't a mechanism for receiving support under any agreement or SLA. If you require immediate assistance, contact Salesforce Customer Support.

[github-actions]

Hello @hungrypipo 👋 It looks like you didn't include the full Salesforce CLI version information in your issue.
Please provide the output of version --verbose --json for the CLI you're using (sf or sfdx).

A few more things to check:

• Make sure you've provided detailed steps to reproduce your issue.
  • A repository that clearly demonstrates the bug is ideal.
• Make sure you've installed the latest version of Salesforce CLI. (docs)
  • Better yet, try the rc or nightly versions. (docs)
• Try running the doctor command to diagnose common issues.
• Search GitHub for existing related issues.

Thank you!

[iowillhoit]

Hey @hungrypipo, I just want to make sure I understand the problem: Your company restricts you from downloading any npm version that has not shipped [at one time] with node?

[hungrypipo]

Yes correct, we only get npm packaged with node releases that they approve and make available and all other artifacts from npm are also controlled via artifact infrastructure.
We've hit this issue with sfdx-cli and now @salesforce/cli now that the plugin infrastructure pulls in npm as a dependency

[iowillhoit]

Gotcha, thanks. I have a few ideas on how we could to resolve this, going to run it by the team. I'll get back to ya

[hungrypipo]

Please and thank you, it would help a lot of people

[iowillhoit]

@hungrypipo Could you please clarify something for me

with node releases that they approve

Do you have blanket approval on the LTS version of Node? Or do you have to get approval for specific semver versions of Node. For example: Today LTS is 18.17.0. If tomorrow they released 18.17.1 as LTS could you use it? Or would 18.17.1 need to be approved before use?

[hungrypipo]

We get an approved version not directly the LTS that node releases that day. So right now LTS is 18.17.0 we are on 18.16.1

[iowillhoit]

Are you able to download the CLI tarballs? They have deps bundled and would not require an npm install.

[hungrypipo]

No because we can't install from external sources. We use NPM because with the artifact management system we can request artifacts to be procured to it but it breaks now because of the NPM artifact being blocked.

[iowillhoit]

Gotcha, I didn't figure. Well, this is a bit tricky since you do not have blanket approval on all versions on Node LTS. If you did, my thought was that we could create a Github Action (cron) to do the following on plugin-trust and plugin-plugins to ensure we always included an "approved" version of npm:

• Start a runner with Node LTS
  • Get the npm version included
• yarn add it
• If the version changed (git status is not clean)
  • Run tests
  • Commit and push it

However this would continually bump the npm version, this happens all the time. Just search for upgrade npm to here. There have been 34 npm version bumps in Node 18 so far. We also cannot reasonably just pin those npm versions. They would fall behind and we would have to check in with you every time we changed the version. Not to mention remembering all of this a year from now.

Could you please try a potential work around? Create a directory and add this package.json and do an npm install

{
  "name": "npm-test",
  "version": "1.0.0",
  "dependencies": {
    "@salesforce/cli": "2.1.7"
  },
  "overrides": {
    "npm": "9.5.1"
  }
}

Testing this locally, running npm why npm after an install shows that this is working
overridden npm@"9.5.1" (was "^9.7.2") from @oclif/plugin-plugins@3.1.6
overridden npm@"9.5.1" (was "^8.19.4") from @salesforce/plugin-trust@2.4.32

[hungrypipo]

Oh nice will try and let you know! Thanks!
Just to clarify, this package.json has to be in your local path? because the salesforce/cli is installed as global

[iowillhoit]

You'll have to play around with that a little bit. You might be able to put that package.json in your global npm folder and run the install from there?

For me, that is /Users/username/.nvm/versions/node/v18.15.0/lib since I use nvm

Otherwise, you would just need to make sure the installed node_nodules/.bin directory was on your PATH
For example: export PATH=/Users/username/dev/npm-test/node_modules/.bin:$PATH

Afterward, run which -a sf to show every sf that exists on your PATH

[hungrypipo]

Ok so if I do a local (not global) install of @salesforce/cli the override trick works

Also your fix you mentioned, trying to understand, I know we don't get blanket approval of all LTS versions but wouldn't your process create versions that aligned to LTS versions. Like if your GitHub action was in place there would be a version of the cli that aligns with each LTS version, we would just install the one we are on.

Which would be a huge improvement to what we have now

[hungrypipo]

I guess what I'm asking, could you do the Github Action (cron) to make the LTS aligned versions?
I understand there would be interim versions that had bumped npm versions that didn't align to LTS too but we would stay away from those. That way we have clean installable versions in our artifact repository without workarounds.
The workaround is just that, and gets messy because we have to maintain version in that package.json and make it work in Jules too.

[iowillhoit]

Cool, glad that the overrides (sorta) works.

Yea, that would be the idea. It would always be a version of npm that had shipped with node. One caveat though, we would likely run this cron on Tuesdays since we promote on Wednesdays. It is possible that, just by chance, multiple weeks in a row would include a version of npm that your company has not yet approved.

I suppose worst case, if there was a CLI bug fix that you really needed you could do the override trick or ask your IT department to approve the node that includes the npm version

[hungrypipo]

Yeah but you would build up a library of LTS versions so once we got to that LTS we could use the artifact.
So I guess starting now you'd have LTS 18.17.0 since that's out and we'll be able to use it once we're at 18.17.0

[iowillhoit]

Yep, understood, I think were saying the same things 😁 I'll get a ticket created and try to get to it soon, I'll be out most of next week. Have a great weekend @hungrypipo!

[git2gus]

This issue has been linked to a new work item: W-13848117

[github-actions]

Thank you for filing this feature request. We appreciate your feedback and will review the feature at our next grooming or sprint planning session. We prioritize feature requests with more upvotes and comments.

[hungrypipo]

Curious how I can track this workitem/feature? Why was the feature tag removed?

[hungrypipo]

@iowillhoit can you help me understand what the state of this issue is?

[github-actions]

This issue has not received a response in 7 days. It will auto-close in 7 days unless a response is posted.

[hungrypipo]

@iowillhoit can you help me understand what the state of this issue is?

[iowillhoit]

Hey @hungrypipo, sorry I've been OOO a bit and we've had some priority changes. I am going to work on this today.

[iowillhoit]

@hungrypipo The workflow is in place that will update the npm version in plugin-trust and plugin-plugins every Tuesday morning. This will get included in Tuesday's nightly build. nightly is promoted to latest-rc on Wednesdays. The following Wednesday, it will be promoted to latest.

As we discussed, this will ensure that the included npm version will always be one that has been bundled with Node LTS. I confirmed that the version installed is correct: node@18.17.1 currently includes npm@9.6.7. See the screenshot from the Github runner below and the npm version update in the Node changelog.

If by chance this npm version is not approved, work with your IT or wait until next weeks update. Note: I just manually kicked off a new "nightly", you can install it now with npm install @salesforce/cli@nightly --global

[hungrypipo]

@iowillhoit Thank you!

[hungrypipo]

Just tested this nightly build 2.8.8 npm as expected! npm@9.6.7

[iowillhoit]

Awesome! Glad it's working for ya 🎉