[BUG] shrinkwrap will wrongly install dev dependecies #1036
Description
What / Why
Upstream project have a dependency (depA) that ships with a shrinkwrap file.
The shrinkwrap includes dev dependencies of depA (clearly marked with dep: true).
The dev dependencies of depA will be installed when it is installed in the upstream project
When
runnin npm install dep that has a shrink wrap
see test package - npm install test-shrink-dep
Where
any npm (tested with latest 6.14.3)
How
Current Behavior
npm install test-shrink-dep will also install lodash which is a dev dependency
Steps to Reproduce
start fresh project
npm init
install test package
npm install test-shrink-dep
see lodash installed to node_modules/test-shrink-dep/node_modules/lodash
Expected Behavior
lodash should not be installed
References
here is test-shrink-dep npm-shrinkwrap.json file for reference -
{
"name": "test-shrink-dep",
"version": "1.0.0",
"lockfileVersion": 1,
"requires": true,
"dependencies": {
"lodash": {
"version": "4.17.15",
"resolved": "https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz",
"integrity": "sha512-8xOcRHvCjnocdS5cpwXQXVzmmh5e5+saE2QGoeQmbKmRS6J3VQppPOIt0MnmE+4xlZoumy0GPG0D0MVIQbNA1A==",
"dev": true
}
}
}here is package.json -
{
"name": "test-shrink-dep",
"version": "1.0.0",
"description": "test package do not use",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"author": "Yoni Jah",
"license": "ISC",
"devDependencies": {
"lodash": "^4.17.15"
}
}