BREAKING CHANGE: Drop peer deps

[lili2311]

With this breaking change the resolved tree will no longer resolve peerDependencies

Why?

• Peer dependencies are currently incorrectly handled by this module, latest NPM forces users to manually install those so user would add them to package.json if they do decide to add them anyway.
• The tree currently aims to represent "install relations" between dependencies rather than "use relations" - so if e.g. a project depends on both react and react-dropzone. The tree before this PR would duplicate the whole react sub-tree under react-dropzone although react wasn't installed by NPM due to the peerDependency on react in react-dropzone. So after this PR - react-dropzone will no longer have react as a dependency.
• In many cases (such as projects using react.native e.g.) this will create drastically smaller trees

What will this PR do

Peer deps will be DROPPED, this will bring this packages dependency support more in line with https://github.com/snyk/nodejs-lockfile-parser. Also npm is no longer installing peer deps since npm >= 3 https://docs.npmjs.com/files/package.json#peerdependencies

[CLAassistant]

All committers have signed the CLA.

[adrukh]

O M G

[michael-go]

I think this should be a BREAKING CHANGE

[michael-go]

1. so does this PR mean we no longer collect peer & bundled dependencies ?

2. suggest a better explanation is needed to why we decided to do this. I guess you mean the bundled and depType are "unused" by https://github.com/snyk/snyk , but this library might be used by other projects. And I think that the fact the dependencies exist in the tree is actually used today also by the Snyk CLI

[lili2311]

@michael-go Added a better description & why, are you thinking to keep these deps still?

[michael-go]

can you please also mention that this not only removes annotations, but actual subtrees

[michael-go]

• regarding peerDependencies: I think it's fine we drop these - as the information loss is only partial, as the deps will usually still be deps of the root, just not duplicated again and again like today for every peerDependency occurrence.

• regrading bundledDependencies: I agree the bundled array that exists today is strange, wasteful and not useful. But what about actually including bundledDependencies in the tree? what was happening before and will it change? Because bundled dependencies are installed by npm and we better not miss these when we build the tree.

@darscan can please take a look too?

[lili2311]

Bundled is being used in CLI, will re-check exactly for what and if it changes this PR

[lili2311]

Left bundled deps alone for now as they are being used in CLI, will come back to fix those in a separate PR

[michael-go]

any reason this was moved above the if (pkg.dependencies .. ?

[lili2311]

None I can think of, let me move it back