Closed
Description
Is there an existing issue for this?
- I have searched the existing issues
Current Behavior
I have a project with following package.json:
{
"name": "test",
"version": "1.0.0",
"dependencies": {
"@apollo/client": "^3.3.21",
"@fortawesome/fontawesome-svg-core": "^1.2.17",
"@fortawesome/free-solid-svg-icons": "^5.8.1",
"@fortawesome/react-fontawesome": "^0.1.4",
"apollo-upload-client": "^10.0.1",
"axios": "^0.21.1",
"bluebird": "^3.5.5",
"body-parser": "^1.19.0",
"bootstrap": "^4.2.1",
"chart.js": "^2.9.4",
"classnames": "^2.2.6",
"compression": "^1.7.4",
"cookie-parser": "^1.4.4",
"core-js": "^3.6.5",
"cross-env": "^5.2.0",
"dotenv": "^8.1.0",
"dotenv-webpack": "^1.8.0",
"draft-js": "^0.11.7",
"ejs": "^3.1.5",
"enzyme": "^3.10.0",
"enzyme-adapter-react-16": "^1.14.0",
"enzyme-to-json": "^3.3.5",
"express": "^4.17.1",
"firebase": "^8.8.0",
"graphql": "^14.5.4",
"graphql-tag": "^2.10.1",
"i18next": "^20.3.5",
"isomorphic-unfetch": "^3.0.0",
"jest-styled-components": "7.0.0-beta.2",
"js-cookie": "^2.2.1",
"lodash.clonedeep": "^4.5.0",
"lodash.compose": "^2.4.1",
"lodash.concat": "^4.5.0",
"lodash.cond": "^4.5.2",
"lodash.constant": "^3.0.0",
"lodash.debounce": "^4.0.8",
"lodash.find": "^4.6.0",
"lodash.findindex": "^4.6.0",
"lodash.get": "^4.4.2",
"lodash.isempty": "^4.4.0",
"lodash.isfunction": "^3.0.9",
"lodash.mergewith": "^4.6.2",
"lodash.omit": "^4.5.0",
"lodash.orderby": "^4.6.0",
"lodash.partial": "^4.2.1",
"lodash.partialright": "^4.2.1",
"lodash.pick": "^4.4.0",
"lodash.reject": "^4.6.0",
"lodash.stubtrue": "^4.13.0",
"lodash.without": "^4.4.0",
"md5": "^2.2.1",
"moment": "^2.27.0",
"mongoose": "^5.12.3",
"next": "^10.1.3",
"next-build-id": "^3.0.0",
"next-compose-plugins": "^2.2.0",
"next-images": "^1.1.2",
"polished": "^3.4.1",
"prop-types": "^15.6.2",
"react": "^16.13.1",
"react-datepicker": "^2.8.0",
"react-dom": "^16.13.1",
"react-ga": "^2.7.0",
"react-google-recaptcha": "^1.0.5",
"react-i18next": "^11.11.4",
"react-number-format": "^4.0.8",
"react-router-dom": "^4.3.1",
"react-select": "^2.4.2",
"react-swipe": "^6.0.4",
"react-table": "^7.6.3",
"react-toastify": "^5.2.1",
"react-uid": "^2.2.0",
"reactstrap": "^8.9.0",
"rgba-convert": "^0.3.0",
"rxjs": "^6.5.3",
"styled-components": "^5.2.3",
"ua-parser-js": "^0.7.28",
"webpack": "^4.46.0",
"winston": "^3.3.3"
},
"scripts": {},
"devDependencies": {
"@storybook/preset-create-react-app": "^3.2.0",
"@storybook/react": "^6.3.6",
"@testing-library/jest-dom": "^5.11.10",
"@testing-library/react": "^11.2.6",
"babel-eslint": "^10.0.3",
"babel-plugin-styled-components": "^1.12.0",
"depcheck": "^1.4.0",
"eslint": "^7.24.0",
"eslint-config-airbnb": "^18.2.1",
"eslint-config-prettier": "^8.2.0",
"eslint-plugin-graphql": "^4.0.0",
"eslint-plugin-import": "^2.22.1",
"eslint-plugin-jest": "^24.3.5",
"eslint-plugin-json": "^2.1.2",
"eslint-plugin-jsx-a11y": "^6.4.1",
"eslint-plugin-prettier": "^3.4.0",
"eslint-plugin-react": "^7.23.2",
"eslint-plugin-react-hooks": "^4.2.0",
"handlebars": "^4.5.3",
"husky": "^6.0.0",
"ignore-loader": "^0.1.2",
"lint-staged": "^11.1.1",
"npm-run-all": "^4.1.5",
"prettier": "^2.2.1",
"react-scripts": "^4.0.3",
"react-test-renderer": "^16.8.6"
}
}When I run npm install it creates package-lock.json. The module I'm interested in is ssri. Searching by string "ssri" within package-lock.json gives 12 matches. This module is referenced from both react-scripts and @storybook. In some places it has dev: true and in some - no.
And then if I rm -rf node_modules and run NODE_ENV=production npm ci --only=production node_modules will be created with ssri folder in it.
Is it something with npm or my understanding is no clear?
Expected Behavior
ssri folder will not appear in node_modules
Steps To Reproduce
- Copy
package.jsonfile from above. - Run
npm installto generate lock file. - Remove node_modules.
- Run
NODE_ENV=production npm ci --only=production. - Check node_modules/ssri.
Environment
- OS: MacOS BigSur 11.5.1
- Node: 14.16.1
- npm: 7.20.3