[BUG] v8.6.0 --only=prod resolved for devDependencies

[kftsehk]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

devDependencies are checked and fails the build even when --only=prod or --omit=dev is specified, which is not the behavior in previous 8.5.x versions, and is probably not a correct behavior as --only=prod seem to mean only install prod dependencies

Expected Behavior

Should reproduce the behavior of npm 8.5.x and 8.4.x, npm i --only=prod should succeed to install the dependencies block containing axios only.

Steps To Reproduce

Reproduce with this docker file

FROM public.ecr.aws/lambda/nodejs:14

RUN npm i -g 'npm@~8.6.0' && npm --version
RUN npm i --save axios
RUN npm i
RUN npm i -D @storybook/addon-storyshots-puppeteer
RUN npm i -D puppeteer
RUN cat package.json
RUN rm node_modules -rf

# FAIL here, where dev dependency resolution is effective even when --only=prod is specified
RUN npm i --omit=dev
# this doesn't work either
RUN npm i --only=prod

CMD [ "src.handler" ]

Incorrect output with npm@8.6.0:

Step 9/10 : RUN npm i --omit=dev
 ---> Running in 0756d74f6686
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @storybook/addon-storyshots-puppeteer@6.4.20
npm ERR! Found: puppeteer@13.5.2
npm ERR! node_modules/puppeteer
npm ERR!   dev puppeteer@"^13.5.2" from the root project
npm ERR!   peer puppeteer@">=1.10.0 <= 13" from @axe-core/puppeteer@4.4.2
...
npm ERR! A complete log of this run can be found in:
npm ERR!     /root/.npm/_logs/2022-04-03T12_05_16_708Z-debug-0.log
The command '/bin/sh -c npm i --omit=dev' returned a non-zero code: 1

Output with npm@~8.5.0

Step 7/10 : RUN cat package.json
 ---> Running in dc66804a2ae1
{
  "dependencies": {
    "axios": "^0.26.1"
  },
  "devDependencies": {
    "@storybook/addon-storyshots-puppeteer": "^6.4.20",
    "puppeteer": "^13.5.2"
  }
}
Step 9/10 : RUN npm i --omit=dev
 ---> Running in a360877d662c

added 2 packages, and audited 3 packages in 1s

1 package is looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Environment

• npm: 8.6.0
• Node.js: 14
• OS Name: Container Image
• System Model Name:
• npm config:

; "env" config from environment

prefix = "/usr/local/lib/npm" 

; node bin location = /usr/bin/node
; cwd = /home/user/test123
; HOME = /home/user
; Run `npm config ls -l` to show all defaults.

[kftsehk]

This is probably related to #4664 , a step to reproduce using only devDependencies is provided.

[wraithgar]

Yes this is related to peer dependency resolution and not devDependencies per se.

As of testing just now (usingv8.14.0) npm does install successfully with npm i --omit=dev using the example given.

Errors seen during install using the example given are due to npm trying to correctly resolve all extant peer dependencies. See #5113 for more info on that