Package-lock.json missing top-level dependency entry when locking for @microsoft/sp-build-web

What I Wanted to Do

Use the package-lock.json file as an accurate top level capture of all dependencies in use for @microsoft/sp-build-web, and as jest is a top level dependency for sp-build-web, I expected to see it in the lock file.

What Happened Instead

When doing an npm install on a package.json that is only using @microsoft/sp-build-web (^1.9.1) as a devDependency, the package-lock.json is missing the “jest” package from the top level dependencies collection, even though other top level dependencies dependent on “jest” are there.

Reproduction Steps

npm install this package.json: https://gist.github.com/brphelps/d9dcef0f18192b42fc757dbc4fc81a20

Don’t see “jest” as a top level dependency in package-lock.json (using the latest version of npm, 6.12.0 at the time of this writing)

Platform Info

$ npm --versions
{ npm: '6.12.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  modules: '64',
  napi: '4',
  nghttp2: '1.34.0',
  node: '10.16.0',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '6.8.275.32-node.52',
  zlib: '1.2.11' }
$ node -p process.platform
win32

I do not know what you mean by “jest is a top level dependency for sp-build-web” since I do not see Jest listed in the package.json for sp-build-web. I do still see Jest listed in the package-lock file, deeper down.

You can use npm ls to investigate what versions of a package are getting included and why. In this case Jest is getting pulled in by @microsoft/gulp-core-build and not directly by @microsoft/sp-build-web:

$ npm ls jest
10458@1.0.0 /Users/jgee/Sandpits/Play•/holodeck/npm.community/10458
└─┬ @microsoft/sp-build-web@1.9.1
  └─┬ @microsoft/gulp-core-build@3.9.26
    └── jest@23.6.0