devDependencies installed when package has shrinkwrap file

cli
help-wanted
good-first-patch
priority:medium
triaged

(Oleg Korobenko) #1

What I Wanted to Do

I want to have package that has shrinkwrap file for production and development dependencies.
I assume that when I install this package (npm install mypackage) it should not install devDependencies (like it’s working when package doesn’t have shrinkwrap file).

What Happened Instead

npm installs devDependencies of package that has shrinkwrap file (even if --production flag is passed to install command).

Reproduction Steps

Run npm install xmake@0.3.4 --verbose and take a look at the install tree.

In subsequent versions npm-shrinkwrap.json was removed, since the cost of having all those useless packages there is too high.

Details

Original issue is https://github.com/npm/npm/issues/18776
I’m not an author of it but I’ve tested that with latest npm (6.4.1).

Platform Info

$ npm --versions
{ npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.12.0',
  openssl: '1.0.2p',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.2',
  v8: '6.2.414.66',
  zlib: '1.2.11' }
$ node -p process.platform
linux

(John Gee) #2

Firstly in case you didn’t know, shrinkwrap is only recommended for CLI tools and not for libraries. See npm-shrinkwrap.json.

Secondly, using the dependencies from xmake in a new module I reproduced the behaviour that the --production install flag is not changing what is installed with shrink-wrap and npm v6.4.1, at least when using npm pack and installing using the tarball.

A work-around for the production-only case might be to produce a stripped down shrinkwrap. e.g.

npm prune --production
npm shrinkwrap

(Oleg Korobenko) #5

Is current behaviour bug or feature?
imho, it’s at least unexpected.
For me it looks like expected behaviour for npm install to work in the same way with or without shrinkwrap file.
It’s also looks possible to implement - dev dependencies already have “dev” field (with value true) at shrinkwrap file.