uber-archive/npm-shrinkwrap

Too aggressive in deleting new dependencies of unchanged packages

kriskowal opened this issue · 1 comment

If shrinkwrap sync encounters a new dependency on disk even though the version of the dependee did not change from the previous shrinkwrap, it assumes that it was introduced because of install churn. However, if the dependency was originally not installed because a parent package already had a copy, and that parent changed in such a way that it no longer depended upon the dependency, it would be necessary for the dependency to be introduced. npm-shrinkwrap needs to not delete the dependency in this case.

The simplest way to implement this is to:

  • Default keep-nested to false, i.e. never delete nested changes.
  • Do a post shrinkwrap npm ls and if it fails re-run shrinkwrap with keep-nested to false.

Actually implementing the proper detection of whether a nested dependency churn is churn or not is hard.
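As an added illustration (not code from npm-shrinkwrap or from either participant), the following script models the situation the issue describes and the "post shrinkwrap `npm ls`" check the comment proposes, as a pure resolution walk over a shrinkwrap-style tree so it runs offline. The tree shape, the `requires` field used to model each package's declared dependencies, and the `pruneNested`/`nestedEntryIsRequired` helpers are assumptions made for the example; the real `npm-shrinkwrap.json` format and the tool's internals may differ. A constructed scenario shows why pruning the new nested copy as "churn" would leave the lockfile describing an install with a missing package.

```javascript
// Added example, not npm-shrinkwrap's own code. Tree shape is assumed to follow
// npm-shrinkwrap.json: { name, version, dependencies: { <name>: { version, dependencies? } } }.
// "requires" (names a package declares it needs) is an assumption used here to model
// package.json dependencies for the resolution check.

// Resolve `depName` from a package whose ancestor chain is `chain` (root first, the
// package itself last), the way Node module lookup does: own nested dependencies
// first, then each ancestor's, up to the root.
function resolveDependency(chain, depName) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const deps = chain[i].dependencies || {};
    if (deps[depName]) return deps[depName];
  }
  return null;
}

// Walk the whole tree and collect every declared requirement that cannot be resolved.
// An empty result is what a clean `npm ls` would report for missing packages.
function findMissingDependencies(root) {
  const missing = [];
  function walk(node, chain, path) {
    for (const req of node.requires || []) {
      if (!resolveDependency(chain, req)) missing.push(`${path} requires ${req}`);
    }
    for (const [name, child] of Object.entries(node.dependencies || {})) {
      walk(child, chain.concat(child), `${path}/node_modules/${name}`);
    }
  }
  walk(root, [root], root.name);
  return missing;
}

// Remove a nested copy of `depName` under top-level `parentName`: what an
// over-aggressive "new nested entry means churn" pass would do. Returns a copy.
function pruneNested(root, parentName, depName) {
  const copy = JSON.parse(JSON.stringify(root));
  delete copy.dependencies[parentName].dependencies[depName];
  return copy;
}

// A nested entry is required (not churn) if pruning it leaves a requirement unresolved.
function nestedEntryIsRequired(tree, parentName, depName) {
  return findMissingDependencies(pruneNested(tree, parentName, depName)).length > 0;
}

// Constructed scenario from the issue: previously `a` depended on `c`, so `c` sat at
// the top level and `b` resolved it from there. `a@2.0.0` dropped `c`, the top-level
// copy went away, and `c` now appears nested under `b`, whose version did not change.
const previous = {
  name: 'app', version: '1.0.0', requires: ['a', 'b'],
  dependencies: {
    a: { version: '1.0.0', requires: ['c'] },
    b: { version: '1.0.0', requires: ['c'] },
    c: { version: '1.0.0' },
  },
};
const current = {
  name: 'app', version: '1.0.0', requires: ['a', 'b'],
  dependencies: {
    a: { version: '2.0.0' },
    b: { version: '1.0.0', requires: ['c'], dependencies: { c: { version: '1.0.0' } } },
  },
};

console.log(findMissingDependencies(previous));            // []
console.log(findMissingDependencies(current));             // []
console.log(findMissingDependencies(pruneNested(current, 'b', 'c'))); // [ 'app/node_modules/b requires c' ]
console.log(nestedEntryIsRequired(current, 'b', 'c'));     // true
```

The check does not try to classify churn directly; it only asks whether the on-disk tree still resolves after the candidate entry is removed, which is the cheap "run `npm ls` afterwards and back off if it fails" approach rather than the harder analysis the comment mentions.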