This repository has been archived by the owner on Apr 6, 2023. It is now read-only.

Can no longer be installed due to npm-shrinkwrap 5.4.0 dependency #22

Closed
Mr0grog opened this issue Mar 24, 2016 · 10 comments

Mr0grog commented Mar 24, 2016

I’ve just started working on a project that uses metalsmith-concat and can’t seem to install it because of the dependency on npm-shrinkwrap 5.4.0. That version of shrinkwrap depends on an older version of read-json that is no longer available (not sure if any relation to Azer Koçulu’s unpublishing of a bunch of modules yesterday, read-json among them).

At any rate, npm-shrinkwrap 5.4.1 appears to no longer depend on read-json and is installable for me. So I think the issue would be resolved by simply bumping the dependency up to 5.4.1 in package.json.

Author

Mr0grog commented Mar 24, 2016

I guess you’d also have to update in npm-shrinkwrap.json, too. (As a side note, why are the dev dependencies shrinkwrapped?)

Mr0grog added a commit to stellar-deprecated/developers that referenced this issue Mar 24, 2016
This isn't great, but is necessary because of metalsmith-concat dependency problem (aymericbeaumet/metalsmith-concat#22). Hopefully it will be fixed and we can remove the note.
@askogrand

Installing with --no-shrinkwrap is the safest, quickest way around this. Otherwise, yes, this library is currently broken.

Mr0grog added a commit to Mr0grog/metalsmith-concat that referenced this issue Mar 28, 2016
…uild shrinkwrap file.

NPM 2 has been shipping with Node.js since v0.11.14 in late 2014, so it seems safe to move up to shrinkwrap 200.x, which is for NPM 2+.
Fixes aymericbeaumet#22.
@aymericbeaumet
Owner

thanks for the heads-up, should now be fixed, reopen if needed!

Author

Mr0grog commented Mar 28, 2016

@aymericbeaumet Thanks!

I know it’s slightly out-of-scope for this issue, but can I ask why all the dev dependencies are shrinkwrapped? There are only 4 dependencies for a consumer of the library, but the shrinkwrap file lists 267 dependencies, which is a lot more to pull down when someone tries to npm install an app that uses this.

@aymericbeaumet
Owner

i don't think the dev dependencies are being included in the shrinkwrap

$ npm shrinkwrap
npm WARN shrinkwrap Excluding devDependency: codeclimate-test-reporter@0.3.1 { minimatch: '3.0.0' }
npm WARN shrinkwrap Excluding devDependency: istanbul@0.4.2 { minimatch: '3.0.0' }
npm WARN shrinkwrap Excluding devDependency: metalsmith@2.1.0 { minimatch: '3.0.0' }
npm WARN shrinkwrap Excluding devDependency: standard@6.0.8 { minimatch: '3.0.0' }
npm WARN shrinkwrap Excluding devDependency: tape@4.5.1 { minimatch: '3.0.0' }
wrote npm-shrinkwrap.json

the file lists 267 dependencies because it includes all the dependencies (recursively, down to the last one)

$ npm shrinkwrap --dev
$ git diff | wc -l
     548

Author

Mr0grog commented Mar 29, 2016

Well, just looking at: https://github.com/aymericbeaumet/metalsmith-concat/blob/master/npm-shrinkwrap.json

And if you look into minimatch, the only non-dev dependency, it only has one dependency: https://github.com/isaacs/minimatch/blob/v3.0.0/package.json
Which is brace-expansion, which has two dependencies: https://github.com/juliangruber/brace-expansion/blob/v1.1.3/package.json
Which are balanced-match and concat-map, each of which have no dependencies:
https://github.com/juliangruber/balanced-match/blob/v0.3.0/package.json
https://github.com/substack/node-concat-map/blob/0.0.1/package.json

…so there should only be 4 modules in npm-shrinkwrap.json if it doesn’t include any dev dependencies.

─ minimatch@3.0.0
  └─ brace-expansion@1.1.3
     ├─ balanced-match@0.3.0
     └─ concat-map@0.0.1

There are clearly a lot more things than that listed in the file.
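
The check argued for in the comment above, as an added example (not code from this thread or from metalsmith-concat): it flattens a shrinkwrap tree and reports pinned entries that are not reachable from the production `dependencies`. The manifests and the polluted shrinkwrap are constructed sample data, and packages are matched by name only, an assumption that skips semver range resolution.

```javascript
// Collect every name@version pinned anywhere in a shrinkwrap tree.
function flattenShrinkwrap(node, out = new Set()) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    out.add(`${name}@${dep.version}`);
    flattenShrinkwrap(dep, out);
  }
  return out;
}

// Names reachable through "dependencies" only; devDependencies are never followed.
function productionClosure(rootManifest, manifests) {
  const seen = new Set();
  const queue = Object.keys(rootManifest.dependencies || {});
  while (queue.length > 0) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    if (!manifests[name]) throw new Error(`no manifest for ${name}`);
    queue.push(...Object.keys(manifests[name].dependencies || {}));
  }
  return seen;
}

const nameOf = (id) => id.slice(0, id.lastIndexOf('@')); // keeps @scope/name intact

function auditShrinkwrap(shrinkwrap, rootManifest, manifests) {
  const locked = [...flattenShrinkwrap(shrinkwrap)];
  const prod = productionClosure(rootManifest, manifests);
  const lockedNames = new Set(locked.map(nameOf));
  return {
    lockedCount: locked.length,
    unexpected: locked.filter((id) => !prod.has(nameOf(id))).sort(),
    missing: [...prod].filter((name) => !lockedNames.has(name)).sort(),
  };
}

// Constructed sample data: versions are the ones quoted in the thread, ranges are made up.
const rootManifest = { dependencies: { minimatch: '3.0.0' }, devDependencies: { tape: '4.5.1', standard: '6.0.8' } };
const manifests = {
  minimatch: { dependencies: { 'brace-expansion': '1.1.3' } },
  'brace-expansion': { dependencies: { 'balanced-match': '0.3.0', 'concat-map': '0.0.1' } },
  'balanced-match': {}, 'concat-map': {},
};
const pollutedShrinkwrap = { dependencies: {
  minimatch: { version: '3.0.0', dependencies: { 'brace-expansion': { version: '1.1.3',
    dependencies: { 'balanced-match': { version: '0.3.0' }, 'concat-map': { version: '0.0.1' } } } } },
  tape: { version: '4.5.1' }, standard: { version: '6.0.8' },
} };
console.log(auditShrinkwrap(pollutedShrinkwrap, rootManifest, manifests));
```

Run against a real project, `manifests` would be filled from each installed package's `package.json`; a non-empty `unexpected` list means the shrinkwrap pins more than consumers of the library need.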

Author

Mr0grog commented Mar 29, 2016

npm-remote-ls is also a helpful tool for this kind of stuff:

npm-remote-ls minimatch@3.0.0 --development false

Author

Mr0grog commented Mar 29, 2016

Also, I’d venture a guess that you’re tripping over the same problem I was when I tried to do this in my PR—it’s easiest if you blow away your shrinkwrap file before regenerating; it can screw up the generation of a new one. That’s why I had a second commit that modified the shrinkwrap file again: f0ce590

@aymericbeaumet
Owner

i see, npm install --production && npm shrinkwrap solved the issue. thanks for noticing!

Author

Mr0grog commented Mar 30, 2016

No problem :)
