serverless / serverless

⚡ Serverless Framework – Effortlessly build apps that auto-scale, incur zero costs when idle, and require minimal maintenance using AWS Lambda and other managed cloud services.
https://serverless.com
MIT License

Exclusion of devDependencies is partially broken when using Npm 7 (with some specific dependencies) #9340

Open janpio opened 3 years ago

janpio commented 3 years ago

When debugging a user problem with using Prisma and Serverless Framework together I accidentally discovered that the serverless package functionality has a problem with the recent Node version 15.14.0 when used with some of our packages.

A full reproduction is available here: https://github.com/janpio/repro6644_3

Here are full CI runs including the generated archives and their size:

The dependencies included in the project besides serverless itself are used to surface the problem: node_modules/@prisma/client should be fully included, as should the generated output in node_modules/.prisma. Not included should be prisma, which is only a devDependency or node_modules/@prisma/engines which is only used by that package.

I am not 100% sure if this is a problem on Serverless Framework side, Node side, or even somehow the Prisma side that is causing these packages and folder to not be excluded from the packaging process.

As a last resort we could tell our users to add an exclude list to their serverless configuration file of course, but I would prefer to understand the issue first.

serverless.yml

```yaml
service: test-serverless-packaging

provider:
  name: aws
  runtime: nodejs12.x
  memorySize: 512
  timeout: 10
  versionFunctions: false
  tracing:
    lambda: true

functions:
  hello:
    handler: index.handler
    name: test-serverless-packaging-lambda
```

ls -l .serverless

```
total 81500
-rw-r--r-- 1 runner docker 2077 Apr 20 22:58 cloudformation-template-create-stack.json
-rw-r--r-- 1 runner docker 5398 Apr 20 22:58 cloudformation-template-update-stack.json
-rw-r--r-- 1 runner docker 10697 Apr 20 22:58 serverless-state.json
-rw-r--r-- 1 runner docker 83427975 Apr 20 22:58 test-serverless-packaging.zip
```

Installed version

Framework Core: 2.37.0 (local)
Plugin: 4.5.3
SDK: 4.2.2
Components: 3.8.3

pgrzesik commented 3 years ago

Hello @janpio, thanks a lot for the detailed report. I've managed to reproduce the issue locally and did some extra digging. It seems that the problem surfaces for npm@7, regardless of Node version.

In order to determine dependencies that should be included/excluded, we run the following:

For npm@7, prisma packages exhibit a "weird" behavior with that command - for prod version, these are the packages listed:

repro6644_3/node_modules/@prisma/client
repro6644_3/node_modules/@prisma/engines-version
repro6644_3/node_modules/prisma
repro6644_3/node_modules/@prisma/engines

while for npm@6, it's only:

repro6644_3/node_modules/@prisma/client
repro6644_3/node_modules/@prisma/engines-version

which I believe is the expected outcome. I've tested with multiple other dev dependencies and they're correctly excluded. Do you have an idea what might be causing that different behavior for prisma packages specifically? I was trying multiple different approaches to npm ls for npm@7, but seems like it's always including these packages as needed for prod. I'll continue investigating what exact changes in npm@7 might cause this, but if you have any ideas/anything specific to prisma packages, please let me know as it might help out with debugging.
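A check that could run in CI after packaging, added here as an example and not code from the Serverless Framework or from anyone in this thread: given the file paths found in the built archive, the project's package.json and an expected production list, it reports direct devDependencies and other unexpected packages that ended up in the archive. The function names, version placeholders and sample paths are assumptions constructed from the package names quoted above.

```javascript
// Added example (not from the thread). All sample data below is constructed.

// Top-level node_modules entry for an archive path, or null when the path is
// outside node_modules or is a plain file directly inside it.
// Scoped packages are returned as "@scope/name".
function packageOf(entry) {
  const parts = entry.split('/');
  const i = parts.indexOf('node_modules');
  if (i === -1) return null;
  const rest = parts.slice(i + 1);
  if (rest.length < 2) return null;
  if (!rest[0].startsWith('@')) return rest[0];
  return rest[1] ? `${rest[0]}/${rest[1]}` : null;
}

// devDirect:  packaged although listed only under devDependencies.
// unexpected: packaged, not a direct dependency and not on the expected list
//             (for example something pulled in only by a dev package).
function auditArchive(entries, manifest, expectedProd) {
  const prod = new Set(Object.keys(manifest.dependencies || {}));
  const dev = new Set(Object.keys(manifest.devDependencies || {}));
  const allowed = new Set(expectedProd);
  const present = new Set(entries.map(packageOf).filter(Boolean));
  const devDirect = [];
  const unexpected = [];
  for (const name of [...present].sort()) {
    if (dev.has(name) && !prod.has(name)) devDirect.push(name);
    else if (!allowed.has(name) && !prod.has(name)) unexpected.push(name);
  }
  return { devDirect, unexpected };
}

// Constructed sample: paths as they might appear in the oversized archive.
const sampleEntries = [
  'index.js',
  'node_modules/.package-lock.json',
  'node_modules/.prisma/client/index.js',
  'node_modules/@prisma/client/index.js',
  'node_modules/@prisma/engines-version/package.json',
  'node_modules/@prisma/engines/package.json',
  'node_modules/prisma/build/index.js',
];
// Constructed manifest; "*" stands in for the real version ranges.
const sampleManifest = { dependencies: { '@prisma/client': '*' }, devDependencies: { prisma: '*' } };
// Expected list: the npm@6 result quoted above plus the generated .prisma folder.
const sampleExpected = ['@prisma/client', '@prisma/engines-version', '.prisma'];

console.log(auditArchive(sampleEntries, sampleManifest, sampleExpected));
```

A CI job can fail the build when either list is non-empty, which catches the regression before the archive is deployed.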

janpio commented 3 years ago

Oh right, Npm 7 makes total sense here - much more than Node. I updated the issue title.

I have a hunch why Npm might be thinking differently here, but let me double check. Possibly this is a new feature of Npm 7 that we are triggering somehow. Will get back to you.

pgrzesik commented 3 years ago

Hello @janpio - did you manage to get to the root cause of this issue with npm 7 in this particular case?

janpio commented 3 years ago

No, I did not unfortunately. I got lost in details and did not find my way back out yet :/

pgrzesik commented 3 years ago

No worries, I appreciate the update @janpio :bow:

FirstSanny commented 3 years ago

Not sure if that is happening here as well, but I wanted to share what broke my deploy process. Since npm 7 they automatically install the peer dependencies as well.
And since these aren't listed under dev, they are getting deployed with all the dependencies they had. Had to change the call I made to be safe to not deploy devDependencies from:

```
npm prune --production
sls deploy
```

to:

```
npm prune --production --omit=peer
sls deploy
```

jim-emed commented 2 years ago

```
npm prune --production --omit=peer
sls deploy
```

Just a note that this will cause deployments to fail unless serverless is installed globally (which I think is preferred now).