devDependencies is using production dependencies and breaks modules

What I Wanted to Do

Trying to npm install only devDependencies section.

What Happened Instead

npm install --only=dev downloads a different set of dependencies when package.json holds a production dependency.
Later on, trying to use an install dependency will fail due to sub-dependencies mismatch.

If the dependencies section is empty, a “proper” set of dependencies will be downloaded and all will work.

Reproduction Steps

Use the following package.json file:

{
  "name": "tmp",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "dependencies": {
    "pump": "3.0.0"
  },
  "devDependencies": {
    "grunt": "1.0.4"
  },
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC"
}

Running npm install --only=dev will output “added 95 packages from 63 contributors and audited 185 packages in 2.51s”, and running grunt --version afterwards will fail due to dependency issues (Error: Cannot find module 'wrappy').

Trying to run the npm install --only=dev without the pump production dependency in package.json will result in “added 97 packages from 63 contributors and audited 179 packages in 1.443s”, and grunt --version will work properly.

Details

Also, it seems that running npm install -D <some_package> will run a full npm install and install all dependencies.
In npm@4.6.1 for example, it would only install the wanted package and add it to package.json.

This is a degradation from npm@4.6.0.

Platform Info

root@efaabbe4d6b4:/var/tmp# node -v
v10.16.3
root@efaabbe4d6b4:/var/tmp# npm -v
6.9.0
$ npm --versions
{ tmp: '1.0.0',
  npm: '6.9.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  modules: '64',
  napi: '4',
  nghttp2: '1.39.2',
  node: '10.16.3',
  openssl: '1.1.1c',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '6.8.275.32-node.54',
  zlib: '1.2.11' }
$ node -p process.platform
linux