npm Community Forum (Archive)

The npm community forum has been discontinued.

To discuss usage of npm, visit the GitHub Support Community.

devDependencies installed when package has shrinkwrap file

What I Wanted to Do

I want to have package that has shrinkwrap file for production and development dependencies.
I assume that when I install this package (npm install mypackage) it should not install devDependencies (like it’s working when package doesn’t have shrinkwrap file).

What Happened Instead

npm installs devDependencies of package that has shrinkwrap file (even if --production flag is passed to install command).

Reproduction Steps

Run npm install xmake@0.3.4 --verbose and take a look at the install tree.

In subsequent versions npm-shrinkwrap.json was removed, since the cost of having all those useless packages there is too high.


Original issue is
I’m not an author of it but I’ve tested that with latest npm (6.4.1).

Platform Info

$ npm --versions
{ npm: '6.4.1',
  ares: '1.10.1-DEV',
  cldr: '32.0',
  http_parser: '2.8.0',
  icu: '60.1',
  modules: '57',
  napi: '3',
  nghttp2: '1.32.0',
  node: '8.12.0',
  openssl: '1.0.2p',
  tz: '2017c',
  unicode: '10.0',
  uv: '1.19.2',
  v8: '6.2.414.66',
  zlib: '1.2.11' }
$ node -p process.platform

Firstly in case you didn’t know, shrinkwrap is only recommended for CLI tools and not for libraries. See npm-shrinkwrap.json.

Secondly, using the dependencies from xmake in a new module I reproduced the behaviour that the --production install flag is not changing what is installed with shrink-wrap and npm v6.4.1, at least when using npm pack and installing using the tarball.

A work-around for the production-only case might be to produce a stripped down shrinkwrap. e.g.

npm prune --production
npm shrinkwrap

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

(post withdrawn by author, will be automatically deleted in 24 hours unless flagged)

Is current behaviour bug or feature?
imho, it’s at least unexpected.
For me it looks like expected behaviour for npm install to work in the same way with or without shrinkwrap file.
It’s also looks possible to implement - dev dependencies already have “dev” field (with value true) at shrinkwrap file.