Currently "npm shrinkwrap" is writing every installed dependency from "node_modules" to the "npm-shrinkwrap.json". Instead I think it should read package.json dependencies and use only dependencies from "node_modules" folder specified for production.
I believe this was implemented a while back. Try upgrading to the latest npm.
Issue can be closed, this was already fixed.
Closing as resolved!