NPM packages don't include the "peerDependenciesMeta" map from package.json #33110

Closed
jahudka opened this issue Jan 5, 2025 · 4 comments
Labels
issue/needs-feedback For bugs, we need more details. For features, the feature must be described in more detail topic/packages type/bug

jahudka commented Jan 5, 2025

Description

NPM packages may specify peer dependencies. These are typically used to indicate "another package which this package is compatible with". Now, I don't know the full story of how we got here, but for some reason package managers by default install all peer dependencies of a package you're installing as a dependency in your project, which often means installing packages you don't need. The way to make it clear to a package's consumer that a peer dependency shouldn't be installed by default is to use a separate peerDependenciesMeta mapping in the package's package.json file. But the Gitea API doesn't include that mapping in responses to package metadata requests, causing peer dependencies of packages installed from Gitea to always be installed.

I'm filing this as a bug, but it may easily be also seen as an enhancement of compatibility with NPM. Not sure which is more correct.

In any case, I'm not a Go developer, but it looks to me like it may be a one-line fix by inserting a single line in this file somewhat like this:

 66	Dependencies:         metadata.Dependencies,
 67	BundleDependencies:   metadata.BundleDependencies,
 68	DevDependencies:      metadata.DevelopmentDependencies,
 69	PeerDependencies:     metadata.PeerDependencies,
+70	PeerDependenciesMeta: metadata.PeerDependenciesMeta,
 71	OptionalDependencies: metadata.OptionalDependencies,
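
Review bot: the added line 70 reads `metadata.PeerDependenciesMeta` and sets a `PeerDependenciesMeta` field, but neither is declared in the lines shown, so this line alone only works if both structs already carry that field. The change should also add the field to the response struct under the `peerDependenciesMeta` JSON key and to the stored metadata, filled in when the uploaded package.json is parsed; otherwise the map is still missing from responses.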

Gitea Version

latest

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

No response

How are you running Gitea?

binary download, but irrelevant

Database

None
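
Added example, not from this thread or Gitea's code base: a Go check that compares a package's published package.json with the version metadata a registry serves and reports peers that lost their optional mark, which is the effect described above. The type and function names and both sample documents are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
)

// versionDoc is a hypothetical subset of npm version metadata (not Gitea's type).
type versionDoc struct {
	PeerDependencies     map[string]string          `json:"peerDependencies"`
	PeerDependenciesMeta map[string]map[string]bool `json:"peerDependenciesMeta"`
}

// requiredPeers: peers a client installs by default, i.e. not marked optional.
func requiredPeers(doc string) ([]string, error) {
	var v versionDoc
	if err := json.Unmarshal([]byte(doc), &v); err != nil {
		return nil, err
	}
	out := []string{}
	for name := range v.PeerDependencies {
		if !v.PeerDependenciesMeta[name]["optional"] { // missing map reads as required
			out = append(out, name)
		}
	}
	sort.Strings(out)
	return out, nil
}

// promotedPeers: optional in the published package.json, required as served.
func promotedPeers(published, served string) ([]string, error) {
	want, err1 := requiredPeers(published)
	got, err2 := requiredPeers(served)
	if err1 != nil || err2 != nil {
		return nil, fmt.Errorf("invalid metadata: %v / %v", err1, err2)
	}
	out := []string{}
	for _, n := range got {
		if i := sort.SearchStrings(want, n); i == len(want) || want[i] != n {
			out = append(out, n)
		}
	}
	return out, nil
}

// Constructed samples: the served copy lacks peerDependenciesMeta.
const publishedDoc = `{"peerDependencies":{"react":"^18","typescript":">=5"},"peerDependenciesMeta":{"typescript":{"optional":true}}}`
const servedDoc = `{"peerDependencies":{"react":"^18","typescript":">=5"}}`
func main() { fmt.Println(promotedPeers(publishedDoc, servedDoc)) }
```

A non-empty result means the registry's response would cause a client to install peers the package author marked as optional.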


jahudka commented Jan 5, 2025

The relevant documentation of the NPM package.json format: https://docs.npmjs.com/cli/v11/configuring-npm/package-json#peerdependenciesmeta


wxiaoguang commented Jan 6, 2025

Could you try 1.23-nightly? I think it should have been fixed there.

wxiaoguang added the issue/needs-feedback label Jan 6, 2025

jahudka commented Jan 8, 2025

Hi, sorry for not getting back earlier. I'm not sure I can test that right away - I'm currently running Gitea 1.18.3, I think it would be smart to first back everything up, then update to latest stable, then back everything up again and then try the nightly - but I don't know when I'll have the time to do all that. But yeah, the source in the 1.23 branch does include the line I mentioned, so at the very least it means the Gitea team already knows about this and is working on supporting it, so this issue can probably be closed :-) It's not too urgent for me, I'm happy to wait for it to become part of a stable release.

@wxiaoguang

Thank you for the feedback. Feel free to reopen if there is any problem.
