[BUG] Wrong lock file modification for optional dependency

[kirrg001]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Lock file is incorrect after updating optional dependency.

Steps to reproduce:

package.json

{
  "name": "prisma-opt",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "optionalDependencies": {
    "prisma": "^5.13.0"
  },
  "author": "",
  "license": "ISC"
}

package-lock.json

{
  "name": "prisma-opt",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "prisma-opt",
      "version": "1.0.0",
      "license": "ISC",
      "optionalDependencies": {
        "prisma": "^5.13.0"
      }
    },

`

I want to update prisma to 5.14.0 running:

npm i prisma@^5.14.0 --save-optional

(I also tried npm i prisma@^5.14.0 and npm i prisma@latest, same behaviour)

package.json (correct)

  "optionalDependencies": {
    "prisma": "^5.14.0"
}

package-lock.json (wrong)

{
  "name": "prisma-opt",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "prisma-opt",
      "version": "1.0.0",
      "license": "ISC",
      "dependencies": {
        "prisma": "5.14.0"
      },
      "optionalDependencies": {
        "prisma": "^5.14.0"
      }
    },

"dependencies": {
"prisma": "5.14.0"
},

Running npm install again (correct)

{
  "name": "prisma-opt",
  "version": "1.0.0",
  "lockfileVersion": 3,
  "requires": true,
  "packages": {
    "": {
      "name": "prisma-opt",
      "version": "1.0.0",
      "license": "ISC",
      "optionalDependencies": {
        "prisma": "^5.14.0"
      }
    },

Expected Behavior

I do not expect that this change appears in the lock file:

"dependencies": {
"prisma": "5.14.0"
},

Or I do not expect that after npm install the change get's removed.

Steps To Reproduce

See "Current Behavior"

Please note: The steps to reproduce I have shared is a minimal application. This bug appears in my large application with having lot's of dev dependencies and optional dependencies, but we do not have production dependencies.

Environment

• npm: 10.7.0
• Node.js: Latest v18 (Also tested latest v22)
• OS Name: OSX
• System Model Name:
• npm config:

; copy and paste output from `npm config ls` here

[rahulio96]

Hello,

I spent some time looking into this issue, and it seems like this is intended behavior for when you install a package. According to a comment, optional dependencies are added to production dependencies to support "previous npm versions that require this behaviour."

I'll still open a PR to see how the project maintainers/engineers feel about changing this since it can come off as confusing to the user.

[xan187]

yes ty