Add option to `no-extraneous-dependencies` to check shrinkwrap

[jfmengels]

Just thinking of this : If a package has a npm-shrinkwrap.json file, any (production) dependencies should also appear in the shrinkwrap.

I'm proposing to add a new option (checkShrinkwrap: bool?) to add an additional check for dependencies (that we know are production dependencies), to verify that they also appear at the top level of the shrinkwrap.

What do you think?

PS: Yup. This rule has a lot of options...

[benmosher]

My new barometer for rule creation/mutation is "will I immediately be glad I can use this?"

If no: not right now.

It would be cool to validate that shrinkwrap matches dependencies, but that feels more like a script to call during posttest/prepublish than a lint rule.

But again: if you'll use it and be glad you have it, do it. 😄

[jfmengels]

My new barometer for rule creation/mutation is "will I immediately be glad I can use this?"

Sounds like a good rule of thumb :+1:

I need to talk about it to colleagues, but I think we'd definitely use it at work. It happens sometimes (too often at least) that dependencies are added to the projects without the shrinkwrap being updated. I agree that a separate tool could be used for this (there probably exists some, don't know any, but I haven't looked for any either), but I think that this would be a nice addition here. It would be one less think to set up in a project, as ESLint configs are shareable, but build processes are not.

Now that I think of it, this could get a bit harder when there are multiple shrinkwraps in a project (as we've seen with the multiple package.json issues), though I don't know if (and thus how...) that is used somehow.