npm prune --production (after npm ci only) erroneously uninstalls regular dependency

@DullReferenceExcptn wrote:

What I Wanted to Do

Produce a production-only build with only dev dependencies pruned.

What Happened Instead

One of the dependencies is erroneously removed despite it not being a dev dependency.

Reproduction Steps

Our CICD pipeline runs the following commands:

npm ci
npm prune --production

For some reason, one of the packages which is not flagged as a dev dependency in package-lock.json is erroneously removed. It’s not a devDependency in package.json either, and nothing has it as a dependency other than the root package.json. Strangely, if you do this sequence of events:

npm install
npm prune --production

…the package is not erroneously removed. This leads me to speculate that the version of the package.json for the dependency has an impact on things, since as far as I can tell that’s the only file difference produced between npm install and npm ci.

Details

The entry in package-lock.json looks like this:

"@gasket/mocha-plugin": {
  "version": "1.1.1",
  "resolved": "<url elided>/@gasket/mocha-plugin/-/@gasket/mocha-plugin-1.1.1.tgz",
  "integrity": "sha1-p4xEaJEKxREiBT5wp+UZEMkRjRc="
}

…with a package.json entry like:

"dependencies": {
  "@gasket/mocha-plugin": "latest"
}

Platform Info

$ npm --versions

    { 'seechange-pwa': '0.0.0',
      npm: '6.7.0',
      ares: '1.15.0',
      cldr: '33.1',
      http_parser: '2.8.0',
      icu: '62.1',
      modules: '64',
      napi: '3',
      nghttp2: '1.34.0',
      node: '10.15.0',
      openssl: '1.1.0j',
      tz: '2018e',
      unicode: '11.0',
      uv: '1.23.2',
      v8: '6.8.275.32-node.45',
      zlib: '1.2.11' }

$ node -p process.platform

    darwin

Posts: 12

Participants: 5

Read full topic