The question:
In NodeJS how can I ignore the shrinkwrap of a dependency "Package B" on an "npm install" in the higher order "Project A", when "Package B" comes from a private repo.
The background:
Let's say we develop on a private npm-package "fancy-frontend" and got a CI system for that, which requires to keep a npm-shrinkwrap.json next to the package.json (to have a deterministic snapshot of all dependencies).
In another repo we do the development on the higher system with the node project "fancy-system". That project has a dependency to a tagged version of "fancy-frontend". So we do an install of that project with the command
npm i git+ssh://git@bitbucket.org/myteam/fancy-frontend.git#v1.0.2 --save
Because of the existing npm-shrinkwrap.json in our sub-dependency "fancy-frontend" npm seems to use that sub-shrinkwrap and builds up a complete independent package-tree within the "fancy-frontend" modules. Ending up with this huge dependency file tree:
fancy-system/
package.json
npm-shrinkwrap.json
node_modules/
react-16.13.1
fancy-frontend/
package.json
npm-shrinkwrap.json
node-modules/
react-16.13.1 // e.g. same react dep as in parent, but has it's own instance
other-deps
other deps
NOTE: I added react as sample dependency that should be shared by both modules, but is not.
The issues:
We got a huge dependency mass with a lot of duplicated packages (although "fancy-system" and "fancy-frontend" are referencing the same version!). We got issues with react and multiple instances (although we set react as peer dependency in "fancy-frontend"!).
