
[BUG] npm ci installs nested dev dependency #3604

Closed Ketler13 closed 3 years ago

Ketler13 commented 3 years ago

Is there an existing issue for this?

Current Behavior

I have a project with following package.json:

  "name": "test",
  "version": "1.0.0",
  "dependencies": {
    "@apollo/client": "^3.3.21",
    "@fortawesome/fontawesome-svg-core": "^1.2.17",
    "@fortawesome/free-solid-svg-icons": "^5.8.1",
    "@fortawesome/react-fontawesome": "^0.1.4",
    "apollo-upload-client": "^10.0.1",
    "axios": "^0.21.1",
    "bluebird": "^3.5.5",
    "body-parser": "^1.19.0",
    "bootstrap": "^4.2.1",
    "chart.js": "^2.9.4",
    "classnames": "^2.2.6",
    "compression": "^1.7.4",
    "cookie-parser": "^1.4.4",
    "core-js": "^3.6.5",
    "cross-env": "^5.2.0",
    "dotenv": "^8.1.0",
    "dotenv-webpack": "^1.8.0",
    "draft-js": "^0.11.7",
    "ejs": "^3.1.5",
    "enzyme": "^3.10.0",
    "enzyme-adapter-react-16": "^1.14.0",
    "enzyme-to-json": "^3.3.5",
    "express": "^4.17.1",
    "firebase": "^8.8.0",
    "graphql": "^14.5.4",
    "graphql-tag": "^2.10.1",
    "i18next": "^20.3.5",
    "isomorphic-unfetch": "^3.0.0",
    "jest-styled-components": "7.0.0-beta.2",
    "js-cookie": "^2.2.1",
    "lodash.clonedeep": "^4.5.0",
    "lodash.compose": "^2.4.1",
    "lodash.concat": "^4.5.0",
    "lodash.cond": "^4.5.2",
    "lodash.constant": "^3.0.0",
    "lodash.debounce": "^4.0.8",
    "lodash.find": "^4.6.0",
    "lodash.findindex": "^4.6.0",
    "lodash.get": "^4.4.2",
    "lodash.isempty": "^4.4.0",
    "lodash.isfunction": "^3.0.9",
    "lodash.mergewith": "^4.6.2",
    "lodash.omit": "^4.5.0",
    "lodash.orderby": "^4.6.0",
    "lodash.partial": "^4.2.1",
    "lodash.partialright": "^4.2.1",
    "lodash.pick": "^4.4.0",
    "lodash.reject": "^4.6.0",
    "lodash.stubtrue": "^4.13.0",
    "lodash.without": "^4.4.0",
    "md5": "^2.2.1",
    "moment": "^2.27.0",
    "mongoose": "^5.12.3",
    "next": "^10.1.3",
    "next-build-id": "^3.0.0",
    "next-compose-plugins": "^2.2.0",
    "next-images": "^1.1.2",
    "polished": "^3.4.1",
    "prop-types": "^15.6.2",
    "react": "^16.13.1",
    "react-datepicker": "^2.8.0",
    "react-dom": "^16.13.1",
    "react-ga": "^2.7.0",
    "react-google-recaptcha": "^1.0.5",
    "react-i18next": "^11.11.4",
    "react-number-format": "^4.0.8",
    "react-router-dom": "^4.3.1",
    "react-select": "^2.4.2",
    "react-swipe": "^6.0.4",
    "react-table": "^7.6.3",
    "react-toastify": "^5.2.1",
    "react-uid": "^2.2.0",
    "reactstrap": "^8.9.0",
    "rgba-convert": "^0.3.0",
    "rxjs": "^6.5.3",
    "styled-components": "^5.2.3",
    "ua-parser-js": "^0.7.28",
    "webpack": "^4.46.0",
    "winston": "^3.3.3"
  "scripts": {},
  "devDependencies": {
    "@storybook/preset-create-react-app": "^3.2.0",
    "@storybook/react": "^6.3.6",
    "@testing-library/jest-dom": "^5.11.10",
    "@testing-library/react": "^11.2.6",
    "babel-eslint": "^10.0.3",
    "babel-plugin-styled-components": "^1.12.0",
    "depcheck": "^1.4.0",
    "eslint": "^7.24.0",
    "eslint-config-airbnb": "^18.2.1",
    "eslint-config-prettier": "^8.2.0",
    "eslint-plugin-graphql": "^4.0.0",
    "eslint-plugin-import": "^2.22.1",
    "eslint-plugin-jest": "^24.3.5",
    "eslint-plugin-json": "^2.1.2",
    "eslint-plugin-jsx-a11y": "^6.4.1",
    "eslint-plugin-prettier": "^3.4.0",
    "eslint-plugin-react": "^7.23.2",
    "eslint-plugin-react-hooks": "^4.2.0",
    "handlebars": "^4.5.3",
    "husky": "^6.0.0",
    "ignore-loader": "^0.1.2",
    "lint-staged": "^11.1.1",
    "npm-run-all": "^4.1.5",
    "prettier": "^2.2.1",
    "react-scripts": "^4.0.3",
    "react-test-renderer": "^16.8.6"

When I run npm install it creates package-lock.json. The module I'm interested in is ssri. Searching for the string "ssri" within package-lock.json gives 12 matches. This module is referenced from both react-scripts and @storybook. In some places it has dev: true and in others it does not.

Then, if I rm -rf node_modules and run NODE_ENV=production npm ci --only=production, node_modules is created with an ssri folder in it.

Is this an npm issue, or is my understanding unclear?

Expected Behavior

The ssri folder should not appear in node_modules.

Steps To Reproduce

  1. Copy package.json file from above.
  2. Run npm install to generate lock file.
  3. Remove node_modules.
  4. Run NODE_ENV=production npm ci --only=production.
  5. Check node_modules/ssri.


Ketler13 commented 3 years ago

It looks like the problem is in other dependencies, where ssri is declared as a regular dependency rather than a dev one.