Store shrinkwrap config for dependency groups to lock in package.json file

[szimek]

I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's the feature?

Store config for the shrinkwrap file in package.json (e.g. in config/shrinkwrap) that would list all dependency groups that should be shrinkwrapped (e.g. config: { shrinkwrap: { groups: ['dependencies', 'devDependencies'] }}. This config could be created when running npm shrinkwrap, if it doesn't already exist. npm install --save/--save-dev would then add dependencies to the shrinkwrap file only if their group is listed in this config.

What problem is the feature intended to solve?

Currently when installing a development dependency using --save-dev option with existing npm-shrinkwrap.json file, this dependency will only be added to the shrinkwrap file, if there already exists any development dependency locked in it. It has a few disadvantages, e.g. it's sometimes necessary to delete the shrinkwrap file and recreate it (e.g. when there's a merge conflict in it) and it's easy to forget to add --also=development option when generating it again. It's also rather unintuitive if one has only production dependencies in their shrinkwrap file and wants to add development dependency using install --save-dev command.

Is the absence of this feature blocking you or your team? If so, how?

No.

Is this feature similar to an existing feature in another tool?

No. However, in Ruby Bundler tool (https://bundler.io), all dependencies are locked by default (e.g. development, test, production) and one can then select which ones to install by passing an option to install command. Now that npm supports install --only=production command it could work in the same way, i.e. lock everything by default. However, this would change the existing behavior, so maybe it could be changed in the next major version of npm ;)

Is this a feature you're prepared to implement, with support from the npm CLI team?

Yes!

[npm-robot]

We're closing this issue as it has gone seven days without activity and without being labeled. If we haven't even labeled in issue in seven days then we're unlikely to ever read it.

If you are still experiencing the issue that led to you opening this or this is a feature request you're still interested in then we encourage you to open a new issue. If this was a support issue, you may be better served by joining package.communty and asking your question there.

For more information about our new issue aging policies and why we've instituted them please see our blog post.