Generated pnpm-lock.yaml lists all dependencies as non-dev dependencies

[alexarg]

We've noticed that in the pnpm-lock.yaml file all of the packages that are listed have flag "dev: false", even when it is obvious that it is a dev dependency. Example:

  /@babel/core/7.5.5:
    dependencies:
      '@babel/code-frame': 7.5.5
      '@babel/generator': 7.5.5
      '@babel/helpers': 7.5.5
      '@babel/parser': 7.5.5
      '@babel/template': 7.4.4
      '@babel/traverse': 7.5.5
      '@babel/types': 7.5.5
      convert-source-map: 1.6.0
      debug: 4.1.1
      json5: 2.1.0
      lodash: 4.17.15
      resolve: 1.11.1
      semver: 5.7.0
      source-map: 0.5.7
    dev: false
    engines:
      node: '>=6.9.0'
    resolution:
      integrity: sha1-F7JobvDWvFj5Y93daKtml1VYLDA=

The expectation is that for packages that come from devDependencies attributes of package.json should have "dev: true"

[rakeshpatnaik]

@iclanton

[iclanton]

This is by design. Rush generates a repo-wide package.json that references generated tarballs for each project in the common/temp folder, and then runs the package manager's install operation on that package.json.

In these generated files (the package.json and the tarballs), the dependencies and dev-dependencies are merged together because, for the purpose of installation of local packages, there is no important distinction between dependencies and dev-dependencies. It's a side-effect that pnpm's metadata records them all as non-dev.

[joshughes]

@iclanton and important distinction is for when running tools like pnpm audit --prod

In these cases, we want to ensure that the packages we are using for production are safe. Dev dependencies often have security issues which take a while to get patched... so being able to have CI protect our production packages from know security issues is very important.

[iclanton]

This is fixed with pnpm workspaces.