[BUG] NPM Install includes transitive devDependencies for file: dependencies.

[MicahZoltu]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

<root>/b/package-lock.json will look like:

{
	"name": "b",
	"lockfileVersion": 2,
	"requires": true,
	"packages": {
		"": {
			"dependencies": {
				"a": "file:../a"
			}
		},
		"../a": {
			"devDependencies": {
				"typescript": "3.7.2"
			}
		},
		"node_modules/a": {
			"resolved": "../a",
			"link": true
		}
	},
	"dependencies": {
		"a": {
			"version": "file:../a",
			"requires": {
				"typescript": "3.7.2"
			}
		}
	}
}

Expected Behavior

<root>/b/package-lock.json should look like this:

{
	"name": "b",
	"lockfileVersion": 2,
	"requires": true,
	"packages": {
		"": {
			"dependencies": {
				"a": "file:../a"
			}
		},
		"../a": {
		},
		"node_modules/a": {
			"resolved": "../a",
			"link": true
		}
	},
	"dependencies": {
		"a": {
			"version": "file:../a",
			"requires": {
			}
		}
	}
}

Steps To Reproduce

<root>/a/package.json

{
	"devDependencies": {
		"typescript": "3.7.2"
	}
}

<root>/b/package.json

{
	"dependencies": {
		"a": "file:../a"
	}
}

cd a
npm install
cd ../b
npm install

Environment

• OS: Windows 10
• Node: 14.4.0
• npm: 7.16.0

[MicahZoltu]

Recreation of #492 but in NPM 7.x.

[lgrahl]

I just encountered this, too. The use case we have is dependencies in git submodules.

[ruyadorno]

hi @MicahZoltu thanks for taking the time to bring that up to our attention.

I don't believe that extra info in the package-lock.json file is going to cause errors, if you're finding that is causing a problem for users, please also attach that to the report.

I believe we track dev dependencies info in the lock file since we might need that during lifecycle scripts, for linked deps we do run the prepare scripts among others.

If you believe there's an error that is caused by the extra info in the lock file please feel free to open a new issue along with the reported error. Thanks again!