Feature Request: Don't check sub-dependencies #6

Closed
mnpenner opened this issue May 13, 2016 · 11 comments

@mnpenner

I've got hundreds of sub-dependencies. I don't want to add them all to my package.json. I only care that the packages I've explicitly listed in package.json are shrinkwrapped. Can you add an option to filter those out?

@Morantron
Contributor

The main point of shrinkwrap is to freeze sub-dependency versions as well.

Bumping one package can also bump a sub-dependency that is shared by a third one, with the risk of breaking things.

Actually this situation is what motivated us to start using npm-shrinkwrap.json and subsequently create npm-shrinkwrap-check to deal with the out-of-sync annoyances :trollface:

Are you sure you only want top level dependencies to be shrinkwrapped?

@mnpenner
Author

mnpenner commented May 14, 2016

I think there's a misunderstanding. I want everything to be shrinkwrapped, I just don't want to list all my dependencies-of-dependencies in my package.json. npm-shrinkwrap-check is spitting out a ton of warnings because a whole bunch of modules that are in npm-shrinkwrap.json aren't listed in package.json, but they're all sub-dependencies.

i.e. it's returning a non-0 exit status code even after a fresh shrinkwrap.

@Morantron
Contributor

Hmm, that might be because you are using npm3. If so, update npm-shrinkwrap-check to 0.1.0 and those warnings should be gone by running npm-shrinkwrap-check with the -3 flag.

@mnpenner
Author

mnpenner commented May 16, 2016

Not working with -3 either:

$ npm-shrinkwrap-check -3          
package.json and npm-shrinkwrap.json out of sync
 * fsevents found in package.json but not in npm-shrinkwrap.json
 * esprima-fb found in package.json but not in npm-shrinkwrap.json
 * tap-stream found in package.json but not in npm-shrinkwrap.json
 * event-stream found in package.json but not in npm-shrinkwrap.json
 * node-static found in package.json but not in npm-shrinkwrap.json
 * hapi found in package.json but not in npm-shrinkwrap.json
   ...

@Morantron
Contributor

Could you share your package.json dependencies? I'll try to reproduce locally

@mnpenner
Author

mnpenner commented May 16, 2016

@Morantron Sure.

  "devDependencies": {
    "autoprefixer": "^6.3.1",
    "babel-core": "^6.8.0",
    "babel-loader": "^6.2.0",
    "babel-plugin-check-es2015-constants": "^6.8.0",
    "babel-plugin-syntax-async-functions": "^6.8.0",
    "babel-plugin-syntax-flow": "^6.8.0",
    "babel-plugin-syntax-trailing-function-commas": "^6.8.0",
    "babel-plugin-transform-async-to-generator": "^6.8.0",
    "babel-plugin-transform-async-to-module-method": "^6.8.0",
    "babel-plugin-transform-class-constructor-call": "^6.8.0",
    "babel-plugin-transform-class-properties": "^6.8.0",
    "babel-plugin-transform-decorators": "^6.8.0",
    "babel-plugin-transform-es2015-arrow-functions": "^6.8.0",
    "babel-plugin-transform-es2015-block-scoped-functions": "^6.8.0",
    "babel-plugin-transform-es2015-block-scoping": "^6.8.0",
    "babel-plugin-transform-es2015-classes": "^6.8.0",
    "babel-plugin-transform-es2015-computed-properties": "^6.8.0",
    "babel-plugin-transform-es2015-destructuring": "^6.8.0",
    "babel-plugin-transform-es2015-for-of": "^6.8.0",
    "babel-plugin-transform-es2015-function-name": "^6.8.0",
    "babel-plugin-transform-es2015-literals": "^6.8.0",
    "babel-plugin-transform-es2015-modules-commonjs": "^6.8.0",
    "babel-plugin-transform-es2015-object-super": "^6.8.0",
    "babel-plugin-transform-es2015-parameters": "^6.8.0",
    "babel-plugin-transform-es2015-shorthand-properties": "^6.8.0",
    "babel-plugin-transform-es2015-spread": "^6.8.0",
    "babel-plugin-transform-es2015-sticky-regex": "^6.8.0",
    "babel-plugin-transform-es2015-template-literals": "^6.8.0",
    "babel-plugin-transform-es2015-typeof-symbol": "^6.8.0",
    "babel-plugin-transform-es2015-unicode-regex": "^6.8.0",
    "babel-plugin-transform-es3-member-expression-literals": "^6.8.0",
    "babel-plugin-transform-es3-property-literals": "^6.5.0",
    "babel-plugin-transform-es5-property-mutators": "^6.5.0",
    "babel-plugin-transform-exponentiation-operator": "^6.8.0",
    "babel-plugin-transform-export-extensions": "^6.8.0",
    "babel-plugin-transform-flow-strip-types": "^6.3.15",
    "babel-plugin-transform-object-rest-spread": "^6.5.0",
    "babel-plugin-transform-regenerator": "^6.8.0",
    "babel-plugin-transform-runtime": "^6.8.0",
    "babel-polyfill": "^6.8.0",
    "babel-preset-react": "^6.3.13",
    "babel-runtime": "^6.6.1",
    "blueimp-file-upload": "^9.12.1",
    "bootstrap": "^3.3.6",
    "bundle-loader": "^0.5.4",
    "core-js": "^2.4.0",
    "css-loader": "^0.23.0",
    "datatables": "^1.10",
    "exports-loader": "^0.6.2",
    "expose-loader": "^0.7.1",
    "extract-text-webpack-plugin": "^1.0.1",
    "fancybox": "^2.1.8",
    "file-loader": "^0.8.5",
    "highcharts": "^4.2.5",
    "imports-loader": "^0.6.5",
    "jquery": "^1.12.2",
    "jquery-expander": "^1.6.1",
    "jquery-migrate": "^1.4.0",
    "jquery-ui": "^1",
    "jquery-ui-touch-punch": "^0.2.3",
    "jquery-validation": "^1.15.0",
    "jquery.cookie": "^1.4.1",
    "jquery.iframe-transport": "^1.0.0",
    "jquery.taps": "0.0.3",
    "jquery.transit": "^0.9.12",
    "less": "^2.7.1",
    "less-loader": "^2.2.2",
    "loader-utils": "^0.2.13",
    "lodash": "^3",
    "marked": "^0.3.5",
    "memory-fs": "^0.3.0",
    "numeral": "^1.5.3",
    "optimist": "^0.6.1",
    "postcss-loader": "^0.9.1",
    "raw-loader": "^0.5.1",
    "react": ">= 0.14, < 0.15",
    "react-dom": "^0.14.8",
    "react-hot-loader": "^1.3.0",
    "regenerator": "^0.8.45",
    "sanitize-filename": "^1.6.0",
    "script-loader": "^0.7.0",
    "select2": "^3.5.1",
    "sizzle": "^2.2.1",
    "sprintf-js": "^1.0.3",
    "style-loader": "^0.13.0",
    "supports-color": "^3.1.2",
    "through2": "^2.0.1",
    "timezone-js": "^0.4",
    "underscore.string": "^3.3.4",
    "url-loader": "^0.5.7",
    "webpack": "^1.12.9",
    "webpack-dev-server": "^1.14.0",
    "webpack-error-notification": "^0.1.5"
  },
  "dependencies": {},

Presently using npm 3.8.9 FYI.

Oh.. you know what it might be? Are you only checking dependencies but not devDependencies?

I just moved all my devDeps into dependencies and that reduced the false positives by quite a bit, but there's still a few that are wrong...

@Morantron
Contributor

Thanks! I've spotted some issues in the script that yield false positives. I've sorted them out, but I still have one pending issue: optionalDependencies #fuuuuu

I need to figure out what to do exactly with them (especially when they are sub-dependency optional dependencies), since they are included in npm-shrinkwrap.json.

@Morantron
Contributor

Should be fixed with 0.1.1 version. In the end I've opted to just ignore peer and optional dependencies, and show warnings instead.

@mnpenner
Author

Awesome, thank you! Seems to pass now with npm-shrinkwrap-check -3 -d.

@mnpenner
Author

Can we get an option to suppress all those warnings? They're just going to happen every time, forever.

@Morantron
Contributor

Will reduce verbosity in this issue #11
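
The rules this thread converges on, written out as an added JavaScript example that is not npm-shrinkwrap-check's own code: declared dependencies (plus devDependencies when requested) must be locked, optional and peer dependencies only warn, and undeclared top-level lock entries are reported only when the tree is not flat. The `dev` and `flat` options, the wording of the optional/peer warning, and the sample data are assumptions made for the example.

```javascript
// Added example, not npm-shrinkwrap-check's source. Inputs are parsed
// package.json / npm-shrinkwrap.json objects; `dev` and `flat` are hypothetical options.
const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function checkSync(pkg, shrinkwrap, { dev = false, flat = false } = {}) {
  const locked = shrinkwrap.dependencies || {};
  const errors = [];
  const warnings = [];
  // Must be locked: dependencies, plus devDependencies when dev is set.
  const required = Object.assign({}, pkg.dependencies, dev ? pkg.devDependencies : {});
  // May legitimately be absent (platform-specific or supplied by the host).
  const soft = Object.assign({}, pkg.optionalDependencies, pkg.peerDependencies);

  for (const name of Object.keys(required)) {
    if (!has(locked, name)) {
      errors.push(`${name} found in package.json but not in npm-shrinkwrap.json`);
    }
  }
  for (const name of Object.keys(soft)) {
    if (!has(locked, name)) warnings.push(`${name} is optional/peer and not locked`);
  }
  // Top-level lock entries that package.json never declared. In a flat tree
  // these are mostly hoisted sub-dependencies, so only nested trees report them.
  if (!flat) {
    for (const name of Object.keys(locked)) {
      if (!has(required, name) && !has(soft, name)) {
        errors.push(`${name} found in npm-shrinkwrap.json but not in package.json`);
      }
    }
  }
  return { ok: errors.length === 0, errors, warnings };
}

// Constructed sample data (the hapi/fsevents ranges and locked versions are made up).
const SAMPLE_PKG = {
  dependencies: {},
  devDependencies: { webpack: "^1.12.9", lodash: "^3", hapi: "^13.0.0" },
  optionalDependencies: { fsevents: "^1.0.0" },
};
const SAMPLE_SHRINKWRAP = {
  dependencies: {
    webpack: { version: "1.12.9" },
    lodash: { version: "3.10.1" },
    "memory-fs": { version: "0.3.0" }, // stands in for a hoisted sub-dependency
  },
};

console.log(checkSync(SAMPLE_PKG, SAMPLE_SHRINKWRAP, { dev: true, flat: true }));
```

With `flat` set but `dev` unset, this sample passes with nothing verified, because every declared package sits in devDependencies; that is the same gap the reporter ran into before the `-d` flag.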
