I was wondering what the logic was for always installing git repository based packages - even if the parent already has a matching copy?
I think that this happens because npm treats git repositories as opaque blobs that are never equal to each other -- evidence for this is that npm doesn't distinguish between a repository revision tagged with a sha (which is immutable) vs. a branch name or tag name (which can move).
The only thing I can suggest -- if you want npm to use version numbers to decide whether or not to install a package -- is to work around this by publishing your code to the npm registry, to a private registry, or into a protected namespace (e.g., using the new @org/package syntax).
We are trying to clean up older npm issues, so if we don't hear back from you within a week, we will close this issue. (Don't worry -- you can always come back again and re-open it!)
See #4042 (comment) for additional context on how I want git dependencies to be cached / installed once the cache rewrite project is finished. This should significantly simplify the case where we've already cached a given treeish, and should also just generally make working with git dependencies a lot less painful.
I'm going to go ahead and close this issue as abandoned, but also tag it onto the cache rewrite milestone, so there's a place to keep an eye on what happens with git repos in the cache rewrite.
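The thread distinguishes a git dependency pinned to a sha (immutable) from one that names a branch or tag (which can move); that distinction can be audited from `package.json`. The following is an added example, not part of the original thread or npm's own code; the function names, the shorthand pattern and the sample manifest are constructed for illustration.

```javascript
// Added example: flag git dependencies that are not pinned to a full commit sha.
const GIT_SPEC = /^(git(\+(ssh|https?|file))?:\/\/|git@|github:|gitlab:|bitbucket:|gist:)/;
const SHORTHAND = /^[A-Za-z0-9_-][\w.-]*\/[\w.-]+(#.*)?$/; // "user/repo" GitHub shorthand
const FULL_SHA = /^[0-9a-f]{40}$/i;

// Returns null for non-git specs, otherwise how the committish is expressed.
function classifyGitSpec(spec) {
  if (!GIT_SPEC.test(spec) && !SHORTHAND.test(spec)) return null;
  const hash = spec.indexOf('#');
  const committish = hash === -1 ? '' : spec.slice(hash + 1);
  if (committish === '') return { committish, kind: 'default-branch', immutable: false };
  if (FULL_SHA.test(committish)) return { committish, kind: 'full-sha', immutable: true };
  if (committish.startsWith('semver:')) return { committish, kind: 'semver-range', immutable: false };
  // Abbreviated hex may be a short sha or a ref that happens to look like one.
  if (/^[0-9a-f]{7,39}$/i.test(committish)) return { committish, kind: 'short-sha-or-ref', immutable: false };
  return { committish, kind: 'branch-or-tag', immutable: false };
}

// Walks the dependency fields of a parsed package.json and reports every git spec.
function auditGitDependencies(pkg) {
  const findings = [];
  for (const field of ['dependencies', 'devDependencies', 'optionalDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const result = classifyGitSpec(String(spec));
      if (result) findings.push({ field, name, spec, ...result });
    }
  }
  return findings;
}

// Constructed sample manifest (hosts, names and sha are placeholders).
const samplePkg = {
  dependencies: {
    'registry-lib': '^1.2.3',
    'pinned-lib': 'git+https://git.example.com/team/pinned-lib.git#0123456789abcdef0123456789abcdef01234567',
    'branch-lib': 'git+ssh://git@git.example.com/team/branch-lib.git#master',
    'tagged-lib': 'exampleuser/tagged-lib#v1.0.0',
  },
  devDependencies: { 'tip-lib': 'git://git.example.com/team/tip-lib.git' },
};

// Print only the dependencies whose target can change between installs.
console.log(auditGitDependencies(samplePkg).filter((f) => !f.immutable));
```

Only the `full-sha` entries resolve to the same code on every install; everything else depends on where the ref points at install time.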