Too aggressive in deleting new dependencies of unchanged packages
kriskowal opened this issue · 1 comments
kriskowal commented
If shrinkwrap sync encounters a new dependency on disk even though the version of the dependee did not change from the previous shrinkwrap, it assumes that it was introduced because of install churn. However, if the dependency was originally not installed because a parent package already had a copy, and that parent changed in such a way that it no longer depended upon the dependency, it would be necessary for the dependency to be introduced. npm-shrinkwrap needs to not delete the dependency in this case.
Raynos commented
The simplest way to implement this is to:
- default `keep-nested` to false, i.e. never delete nested changes.
- Do a post shrinkwrap `npm ls` and if it fails re-run shrinkwrap with `keep-nested` to false.
Actually implementing the proper detection of whether a nested dependency churn is churn or not is hard.
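The distinction the two comments circle around (a nested copy that appeared under an unchanged package because of install churn, versus one that is now required because the ancestor copy it used to resolve to has changed or disappeared) can be made mechanically by walking the tree the way Node's module resolution does. The following is an added illustration, not npm-shrinkwrap's own code; the `findNode`, `providedByAncestor` and `classifyNewNested` helpers, the "same major version is compatible" rule, and the sample trees are all assumptions made for the example. It operates on the shrinkwrap shape (`{ version, dependencies: { name: { version, dependencies } } }`) for both the previous shrinkwrap and the tree currently on disk.

```javascript
// Added example (not npm-shrinkwrap's own code). Decide which dependencies
// that newly appear nested under an unchanged package are install churn (safe
// to prune) and which must be kept because no ancestor provides them any more.
// Trees use the shrinkwrap shape:
//   { version, dependencies: { name: { version, dependencies } } }

// Walk a tree along a path of package names; return the node or null.
function findNode(tree, path) {
  let node = tree;
  for (const name of path) {
    node = node.dependencies && node.dependencies[name];
    if (!node) return null;
  }
  return node;
}

// Simplification (assumption, not npm's rule): an ancestor copy satisfies a
// nested requirement when it has the same major version. Real resolution would
// check the dependant's declared semver range instead.
function sameMajor(a, b) {
  return a.split('.')[0] === b.split('.')[0];
}

// Does some ancestor of `path` (root included) provide `name` at a version
// compatible with `wanted`? Node walks up through parent node_modules
// directories, so a copy at any ancestor level is reachable from the nested
// package and a nested duplicate is redundant.
function providedByAncestor(tree, path, name, wanted) {
  for (let depth = path.length - 1; depth >= 0; depth--) {
    const ancestor = findNode(tree, path.slice(0, depth));
    const copy = ancestor && ancestor.dependencies && ancestor.dependencies[name];
    if (copy && sameMajor(copy.version, wanted)) return true;
  }
  return false;
}

// Classify every dependency nested under `path` in the on-disk tree that was
// not nested there in the previous shrinkwrap. Returns { name: 'keep'|'prune' }.
function classifyNewNested(oldTree, newTree, path) {
  const oldNode = findNode(oldTree, path);
  const newNode = findNode(newTree, path);
  const result = {};
  if (!newNode) return result;
  const newDeps = newNode.dependencies || {};
  const oldDeps = (oldNode && oldNode.dependencies) || {};
  for (const name of Object.keys(newDeps)) {
    if (oldDeps[name]) continue; // already nested before; nothing new to judge
    const wanted = newDeps[name].version;
    // The package itself changed version, so new nesting under it is legitimate.
    if (!oldNode || oldNode.version !== newNode.version) {
      result[name] = 'keep';
      continue;
    }
    // Unchanged package: the nested copy is churn only if an ancestor still
    // provides a compatible copy. If that copy changed major or vanished
    // (the case described in the issue), pruning would break the package.
    result[name] = providedByAncestor(newTree, path, name, wanted) ? 'prune' : 'keep';
  }
  return result;
}

// Constructed sample trees. In OLD, `c` is hoisted to the root because both
// `a` and `b` used it. In NEW, `a` was upgraded and dropped `c`, so the root
// copy went away and `c` had to be re-nested under the unchanged `b`; `d`
// under `b` is churn because a compatible root copy still exists.
const OLD = { version: '1.0.0', dependencies: {
  a: { version: '1.0.0', dependencies: {} },
  b: { version: '2.0.0', dependencies: {} },
  c: { version: '1.0.0' },
  d: { version: '1.0.0' },
} };
const NEW = { version: '1.0.0', dependencies: {
  a: { version: '2.0.0', dependencies: {} },
  b: { version: '2.0.0', dependencies: {
    c: { version: '1.0.0' },
    d: { version: '1.0.1' },
  } },
  d: { version: '1.0.0' },
} };

console.log(classifyNewNested(OLD, NEW, ['b'])); // { c: 'keep', d: 'prune' }
```

Running `classifyNewNested` over every package whose version is unchanged between the old shrinkwrap and the on-disk tree yields a prune list that only removes nested copies an ancestor still satisfies, which is the same property Raynos' post-shrinkwrap `npm ls` check verifies after the fact, but computed before anything is deleted.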