yarn install --production installs some dev packages

[janaz]

Do you want to request a feature or report a bug?

bug

What is the current behavior?

yarn install --production installs some of the packages from devDependencies into node_modules directory

If the current behavior is a bug, please provide the steps to reproduce.

package.json

{
  "name": "test",
  "version": "1.0.0",
  "dependencies": {
    "lodash": "4.17.4"
  },
  "devDependencies": {
    "chai": "3.5.0",
    "nock": "9.0.6"
  }
}

To reproduce, please create the package.json file with the above content and run:

$ yarn install --production

What is the expected behavior?

Expected behavior - node_modules doesn't contain the chai module:

$ yarn install --production
$ ls -1 node_modules/ | grep chai
chai # this line should not be printed

Please mention your node.js, yarn and operating system version.

My environment: OSX 10.11.6

$ uname -a
Darwin tomasz 15.6.0 Darwin Kernel Version 15.6.0: Thu Sep  1 15:01:16 PDT 2016; root:xnu-3248.60.11~2/RELEASE_X86_64 x86_64
$ yarn --version
0.20.3
node --version
v7.5.0
npm --version
4.1.2

[janaz]

Here are some additional details after debugging the code:

The ignorePatterns list is populated correctly with [chai@3.5.0, nock@9.0.6]

The markIgnored function is trying to calculate the total number of requests to the pattern. If there's more than 1 request the package will not be ignored.

When markIgnored is executed for chai@3.5.0 the ref.requests array is:

  requests:
   [ PackageRequest {
       parentRequest: undefined,
       lockfile: [Object],
       registry: 'npm',
       reporter: undefined,
       resolver: [Object],
       optional: false,
       pattern: 'chai@3.5.0',
       config: [Object] },
     PackageRequest {
       parentRequest: [Object],
       lockfile: [Object],
       registry: 'npm',
       reporter: undefined,
       resolver: [Object],
       optional: false,
       pattern: 'chai@>=1.9.2 <4.0.0',
       config: [Object] } ],

The first element of the array represents the module specified in devDependecies setion of my package.json file. The second element represents the module specified in dependencies section of the nock module which in my package.json is also defined in the devDependencies section and should be ignored.

The problem is that at this point we don't check if the requests (PackageRequest objects) are coming from other ignored packages or not.

[janaz]

To summarize, the issue happens when

(1) in our package.json we define:

"dependencies": {
  "A": "0.0.1"
},
"devDependencies": {
  "B": "0.0.1",
  "C": "0.0.1"
}

(2) The package.json of the module C is:

"dependencies": {
  "B": "0.0.1"
}

then:

yarn install --production

will install package B (+its dependecies)

[scinos]

Dupe of #2304 ?

[janaz]

It is in fact the same issue as #2304. This one includes the in-depth analysis of the problem. I will close it and put some comments in the original issue.