4

I have a package.json with cucumber listed as a devDependency. cucumber has a dependency on cucumber-html. For some reason when I run npm-shrinkwrap on my project, cucumber-html is included in the npm-shrinkwrap.json. Is there any way to prevent this from happening?

package.json

  "dependencies": {
    "bcrypt": "*",
    "bluebird": "2.2.1",
    "body-parser": "~1.12.0",
    "compression": "*",
    "cookie-parser": "~1.3.4",
    "debug": "~2.1.1",
    "etag": "*",
    "express": "~4.12.2",
    "interpolate": "*",
    "jade": "~1.9.2",
    "jwt-simple": "*",
    "lockdown": "0.0.6",
    "lodash": "*",
    "moment": "*",
    "morgan": "~1.5.1",
    "nano": "*",
    "node-rest-client": "*",
    "node-uuid": "*",
    "nodemailer": "*",
    "passport": "*",
    "passport-jwt": "thedewpoint/passport-jwt",
    "passport-local": "*",
    "q": "*",
    "serve-favicon": "~2.2.0",
    "validator": "*"
  },
  "devDependencies": {
    "add-stream": "^1.0.0",
    "gulp": "^3.9.0",
    "gulp-angular-templatecache": "^1.7.0",
    "gulp-concat": "^2.6.0",
    "gulp-if": "^1.2.5",
    "gulp-image-optimization": "^0.1.3",
    "gulp-minify-css": "^1.2.0",
    "gulp-minify-html": "^1.0.4",
    "gulp-uglify": "^1.2.0",
    "gulp-useref": "^1.3.0",
    "cucumber": "^0.5.2"
  }

npm-shrinkwrap.json

    "cucumber-html": {
      "version": "0.2.3",
      "from": "cucumber-html@0.2.3",
      "resolved": "https://registry.npmjs.org/cucumber-html/-/cucumber-html-0.2.3.tgz"
    },

Thank you

MorningDew
  • Is there a chance the cucumber-html module was installed by hand using `npm install cucumber-html` before shrinkwrap? – GPX Aug 24 '15 at 17:49
  • I don't think so. I deleted all of my node modules and did npm install and then npm shrinkwrap and I see it still – MorningDew Aug 24 '15 at 18:38
  • This could be a version-specific bug. Have you checked the issue tracker for npm to see if someone else is facing a similar issue? Also, when you deleted node_modules, did you also delete your existing shrinkwrap file? – GPX Aug 25 '15 at 04:12
  • I checked npm and didn't see anyone with a similar issue. And yes, I deleted the existing shrinkwrap before deleting as well. – MorningDew Aug 25 '15 at 04:50

1 Answer

1

I'm not sure I understand why everyone thinks this is an issue. This is the point behind npm-shrinkwrap. It says in the documentation that it recursively locks down each dependency. So the fact that it locks down a transitive dependency is expected behavior. To answer the original question, the docs don't indicate that this is possible, except by doing everything yourself by installing your dependencies into source control.

ingshtrom
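The recursive locking described in the answer can be audited. The following is an added example, not code from the original posts or from npm: it walks a shrinkwrap file and attributes every pinned package to the top-level dependency that pulls it in, then lists the ones reachable only through `devDependencies`. It assumes the nested shrinkwrap layout in which an entry may carry its own `dependencies` object; the function names and the sample tree are constructed for illustration.

```javascript
// Added example. Dependency names come from the question; the nested tree,
// the shared `debug` entry and all versions except 0.2.3 are constructed.
const pkg = {
  dependencies: { express: '~4.12.2', debug: '~2.1.1' },
  devDependencies: { cucumber: '^0.5.2' }
};
const shrinkwrap = {
  dependencies: {
    cucumber: { version: '0.5.2', dependencies: {
      'cucumber-html': { version: '0.2.3',
        resolved: 'https://registry.npmjs.org/cucumber-html/-/cucumber-html-0.2.3.tgz' },
      debug: { version: '2.1.3' }
    } },
    debug: { version: '2.1.3' },
    express: { version: '4.12.2', dependencies: { etag: { version: '1.5.1' } } }
  }
};

// One row per locked entry, tagged with its top-level root and that root's scope.
function classifyLocked(pkg, shrinkwrap) {
  const prod = Object.keys(pkg.dependencies || {});
  const dev = Object.keys(pkg.devDependencies || {});
  const rows = [];
  const walk = (deps, root, scope, path) => {
    for (const name of Object.keys(deps || {}).sort()) {
      const here = path.concat(name);
      rows.push({ name, version: deps[name].version, root, scope,
        path: here.join(' > '), resolved: deps[name].resolved || null });
      walk(deps[name].dependencies, root, scope, here); // recurse into transitive pins
    }
  };
  for (const root of Object.keys(shrinkwrap.dependencies || {}).sort()) {
    const scope = prod.includes(root) ? 'prod' : dev.includes(root) ? 'dev' : 'undeclared';
    walk({ [root]: shrinkwrap.dependencies[root] }, root, scope, []);
  }
  return rows;
}

// name@version pairs that are reachable only through devDependencies roots.
function devOnlyPackages(rows) {
  const scopes = new Map();
  for (const r of rows) {
    const key = `${r.name}@${r.version}`;
    scopes.set(key, (scopes.get(key) || new Set()).add(r.scope));
  }
  return [...scopes].filter(([, s]) => s.size === 1 && s.has('dev')).map(([k]) => k).sort();
}

console.log(devOnlyPackages(classifyLocked(pkg, shrinkwrap)));
```

A package that is also pinned under a production root, such as the constructed `debug` entry here, is not reported as dev-only, so the output is the set of locked artifacts that never reach a production install.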