This repository was archived by the owner on Aug 11, 2022. It is now read-only.

dedupe + shrinkwrap not playing nice #5161

Closed
@Raynos

npm install de-duplicates any nested dependencies it finds if they exist higher up the tree.

This causes issues if you de-duplicate a nested dependency when it is a devDependency of its parent.

Especially if that parent runs npm shrinkwrap and shrinkwraps all dependencies except dev dependencies.

Consider:

mkdir foobaz;
cd foobaz/;
npm init;
npm i individual@0.1.1 --save-dev;
npm i data-set --save;
npm ls; # no errors
npm shrinkwrap; # don't shrinkwrap devDeps
cat npm-shrinkwrap.json; # no individual anywhere
rm -rf node_modules/;
npm i --production;
npm ls; # npm ERR! missing: individual@~0.1.1

We generated a shrinkwrap and installed freshly from it and our node_modules tree is in an incorrect state.

Suggested fix

  1. do not have npm install dedupe if a parent dependency is a dev dependency.
  2. have npm shrinkwrap bail and shout about this inconsistency.

I think the first suggestion is a good fix; I'm willing to make a PR to avoid deduping if a parent dependency is a dev dependency.
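The inconsistency reported above, modelled as an added example (not part of the original report and not npm's own code): a shrinkwrap that omits a hoisted devDependency leaves a production dependency unresolved. The tree is constructed; it assumes `data-set` requires `individual@~0.1.1` directly, and the function names are hypothetical. Only package names are resolved, not version ranges.

```javascript
// Constructed model of the tree from the report: `individual` is hoisted to the
// top level as a devDependency, so the copy `data-set` needs was deduped away.
// Assumption: data-set requires individual@~0.1.1 directly (the report only
// shows that something under it does). Versions marked "constructed" are made up.
const installed = {
  name: 'foobaz',
  requires: { 'data-set': '*' },
  devRequires: { individual: '0.1.1' },
  children: {
    individual: { name: 'individual', version: '0.1.1', dev: true, requires: {}, children: {} },
    'data-set': { name: 'data-set', version: '0.0.0-constructed', requires: { individual: '~0.1.1' }, children: {} },
  },
};

// Mimic `npm shrinkwrap` as described in the report: record the installed tree
// but leave out anything that is present only as a devDependency.
function shrinkwrapWithoutDev(node) {
  const children = {};
  for (const [name, child] of Object.entries(node.children)) {
    if (child.dev) continue;
    children[name] = shrinkwrapWithoutDev(child);
  }
  return { ...node, devRequires: {}, children };
}

// Node-style resolution: a requirement is satisfied by the nearest package in
// the chain (the package itself, then its ancestors) whose node_modules holds it.
function findMissing(node, ancestors = []) {
  const chain = [node, ...ancestors];
  const missing = [];
  for (const [name, range] of Object.entries(node.requires)) {
    if (!chain.some((n) => name in n.children)) {
      missing.push(`${name}@${range} (required by ${node.name})`);
    }
  }
  for (const child of Object.values(node.children)) {
    missing.push(...findMissing(child, chain));
  }
  return missing;
}

// What a fresh `npm i --production` from the shrinkwrap would be missing.
function checkLock(tree) {
  return findMissing(shrinkwrapWithoutDev(tree));
}

console.log('dev install:', findMissing(installed));
console.log('production install from shrinkwrap:', checkLock(installed));
```

Running a check of this kind against the generated lock data before publishing it catches the broken tree at shrinkwrap time rather than at deploy time.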
