I've been doing some playing around to understand this better. Here are the 3 scenarios I tried:
1) link: cd cordova-lib rm -r node_modules rm npm-shrinkwrap.json npm link cordova-js npm install npm shrinkwrap Result is that ALL the devDependencies from cordova-js are present in the cordova-lib shrinkwrap.json file. Bad. 2) directory install: cd cordova-lib rm -r node_modules rm npm-shrinkwrap.json npm install ../cordova-js npm install npm shrinkwrap Result is that none of the devDependencies from cordova-js are present in the cordova-lib shrinkwrap.json file. Good. 3) registry install: cd cordova-lib rm -r node_modules rm npm-shrinkwrap.json npm install cordova-js (fetches from registry) npm install npm shrinkwrap Result is that none of the devDependencies from cordova-js are present in the cordova-lib shrinkwrap.json file. Good. So what I get from this is that having a linked dependency matters: the shrinkwrap command will grab everything in the submodule's directory tree even if it isn't listed as a dependency in the submodule's package.json. That feels like a flaw in the shrinkwrap command, especially when the shrinkwrap command is careful to check that the main module's node_modules matches its package.json dependencies. It seems to be treating the main module and the submodules differently. On Sep 16, 2014, at 9:56 PM, Andrew Grieve <agri...@chromium.org> wrote: >> It shouldn't matter if I had done an "npm link cordova-js" inside of >> cordova-lib, correct? > > This is the key! It *does* matter. shrinkwrap just records what it finds in > your node_modules directory, symlinks and all! You always want to do a > fresh rm -r & npm install before shrinkwrap to ensure you don't have > extraneous modules in there. > > That said, if you did that and it's still showing up, I don't know why that > is :S I did NOT clean out the node_modules before doing the shrinkwrap. My "npm link" is present. I wasn't aware this was necessary, and there isn't anything in the instructions about it. Now that I know what to do, I'll update the instructions and respin the lib, plugman, and cli RCs. I've done it this many times, what's once more? :-/ On Sep 16, 2014, at 9:25 PM, Carlos Santana <csantan...@gmail.com> wrote: > By default, npm install will install all modules listed as dependencies. > With the --production flag, npm will not install modules listed in > devDependencies. I did try "npm -g install --production cordova@rc" and it is still pulling in the devDependencies from cordova-js. > I will just ignore the Warning on connect and not respin. I'm a perfectionist, and don't want to see user confusion about the warning. On a broader note, we definitely need to change how we handle the shrinkwrap BEFORE the release process. I'll send out a note tomorrow with some ideas.
