[BUG] Production prune removes peerDeps that are also devDeps

[kf6kjg]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

The packages that are both peer and development packages are removed when pruning due to the omit=dev option being applied to all development dependencies.

I.E. the below script emits Expected dev and peer package not found was pruned when it was not supposd to be.

Expected Behavior

The packages that are both peer and development packages are kept due to the include=peer option overriding the omit=dev option.

I.E. the below script emits Test passed.

Steps To Reproduce

Here's a shell script that reproduces the problem:

#!/bin/sh

set -e

rm -rf node_modules package.json package-lock.json

npm -v # 10.2.4


# Part 1: Set up a package for demonstration.

npm init --init-author-name bugdemo --init-license UNLICENSED --init-module index.js --init-version 0.0.0 --yes

## Install a package as a development dependency.
npm i -D --package-lock-only @slidewave/gitignore-include@2 c8

## Add the one package as peer dependency.
jq '. + {peerDependencies:{"@slidewave/gitignore-include": ">=2", "chai": ">=1"}}' package.json > t && mv t package.json

## Update the package-lock to include the peer dependency data.
npm i -D --package-lock-only @slidewave/gitignore-include


# Part 2: Demonstrate the bug.

## Install all the packages.
ENV_NAME=build npm ci --unsafe-perm --no-fund --no-audit

## Verify existence of the expected packages.
if [ ! -e 'node_modules/c8/package.json' ]; then
    echo "Expected dev-only package not found." >&2
    exit 1
fi
if [ ! -e 'node_modules/@slidewave/gitignore-include' ]; then
    echo "Expected dev and peer package not found." >&2
    exit 1
fi
if [ ! -e 'node_modules/chai' ]; then
    echo "Expected peer-only package not found." >&2
    exit 1
fi

## Remove the dev packages, but leave the peer packages.
ENV_NAME= npm prune --omit=dev --include=peer --no-fund --no-audit

hadError=
if [ -e 'node_modules/c8/package.json' ]; then
    echo "Expected dev-only package found when it should have been pruned." >&2
    hadError=1
fi
if [ ! -e 'node_modules/chai/package.json' ]; then
    echo "Expected peer-only package was pruned when it was not supposd to be." >&2
    hadError=1
fi
if [ ! -e 'node_modules/@slidewave/gitignore-include/package.json' ]; then
    echo "Expected dev and peer package not found was pruned when it was not supposd to be." >&2
    hadError=1
fi

if [ ! "$hadError" ]; then
    echo "Test passed."
fi

Environment

• npm: 10.2.4
• Node.js: v20.11.1
• OS Name: macOS 14.1.1
• System Model Name: Apple M1 Pro
• npm config:

; "user" config from /root/.npmrc

//npm.pkg.github.com/:_authToken = (protected) 
//registry.npmjs.org/:_authToken = (protected) 

; node bin location = /usr/local/share/nvm/versions/node/v20.11.1/bin/node
; node version = v20.11.1
; npm local prefix = /npmbug
; npm version = 10.2.4
; cwd = /npmbug
; HOME = /root
; Run `npm config ls -l` to show all defaults.

[kf6kjg]

According to the docs:

If a package type appears in both the --include and --omit lists, then it will be included.

and

Dependency types specified in --include will not be omitted, regardless of the order in which omit/include are specified on the command-line.

Thus I'd figured that a devdep that was also a peerdep would be retained after a prune that omits dev, but includes peer.

[nicojs]

I'm pretty sure this also happens with npm i --omit=dev when you fresh check out the source code.