What / Why
Upstream project have a dependency (depA) that ships with a shrinkwrap file.
The shrinkwrap includes dev dependencies of depA (clearly marked with dep: true).
The dev dependencies of depA will be installed when it is installed in the upstream project
When
runnin npm install dep that has a shrink wrap
see test package - npm install test-shrink-dep
Where
any npm (tested with latest 6.14.3)
How
Current Behavior
npm install test-shrink-dep will also install lodash which is a dev dependency
Steps to Reproduce
start fresh project
npm init
install test package
npm install test-shrink-dep
see lodash installed to node_modules/test-shrink-dep/node_modules/lodash
Expected Behavior
lodash should not be installed
References
here is test-shrink-dep npm-shrinkwrap.json file for reference -
{
"name": "test-shrink-dep",
"version": "1.0.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
"lodash": {
"version": "4.17.15",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
"integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
"dev": true
}
}
}here is package.json -
{
"name": "test-shrink-dep",
"version": "1.0.0",
"description": "test package do not use",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "Yoni Jah",
"license": "ISC",
"devDependencies": {
"lodash": "^4.17.15"
}
}
What / Why
Upstream project have a dependency (depA) that ships with a shrinkwrap file.
The shrinkwrap includes dev dependencies of depA (clearly marked with dep: true).
The dev dependencies of depA will be installed when it is installed in the upstream project
When
runnin
npm install depthat has a shrink wrapsee test package -
npm install test-shrink-depWhere
any npm (tested with latest 6.14.3)
How
Current Behavior
npm install test-shrink-depwill also installlodashwhich is a dev dependencySteps to Reproduce
start fresh project
npm initinstall test package
npm install test-shrink-depsee lodash installed to
node_modules/test-shrink-dep/node_modules/lodashExpected Behavior
lodash should not be installed
References
here is
test-shrink-depnpm-shrinkwrap.json file for reference -{ "name": "test-shrink-dep", "version": "1.0.0", "lockfileVersion": 1, "requires": true, "dependencies": { "lodash": { "version": "4.17.15", "resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz", "integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==", "dev": true } } }here is package.json -
{ "name": "test-shrink-dep", "version": "1.0.0", "description": "test package do not use", "main": "index.js", "scripts": { "test": "echo \"Error: no test specified\" && exit 1" }, "author": "Yoni Jah", "license": "ISC", "devDependencies": { "lodash": "^4.17.15" } }