installing extraneous dependencies

i noticed some peer dependency warnings about semantic-release and got curious why my non-package project had semantic-release installed at all. it looks like your dev dependencies are getting installed for some reason.

Expected Behavior

installing is-website-vulnerable should only install it and its production dependencies

Current Behavior

even though semantic-release and its plugins are only listed as dev-dependencies, at least some of the dependencies are getting installed in my project:

$ npm ls @semantic-release/github
matt.travi.org@ /path/to/my/project/matt.travi.org
└─┬ is-website-vulnerable@1.9.3
  └── @semantic-release/github@5.5.5  extraneous

Possible Solution

i havent used shrinkwrap much, but that is my best guess as to why this is happening. is it possible to only shrinkwrap prod dependencies?

Steps to Reproduce (for bugs)

1. npm install is-website-vulnerable --save-dev
2. npm ls @semantic-release/github (or another dev-dependency)

Context

i’m seeing peer-dependency warnings for dev-dependencies of this project that shouldnt have an impact on my project. i normally also enforce that npm ls exits with zero, which this would make fail. this particular does not fully enforce that yet, so this issue slipped through unnoticed originally

Your Environment

• Library Version used: https://github.com/travi-org/matt.travi.org/blob/be7fa9cb6d70ca8ffee31df38bed187f706d88b2/package.json#L55
• Node.js version (e.g. Node.js 5.4): https://github.com/travi-org/matt.travi.org/blob/be7fa9cb6d70ca8ffee31df38bed187f706d88b2/.nvmrc#L1 (currently 10.17.2)
• Operating System and version (desktop or mobile): macOS catalina 10.15.2