NPM 7 causes ATA to discover too many dependencies

[uniqueiniquity]

Bug Report

🔎 Search Terms

"npm 7"

🕗 Version & Regression Information

• This is the behavior in every version I tried

⏯ Playground Link

N/A

💻 Code

//@filename: index.js
'use strict';
var debug = require('debug');
var express = require('express');
var path = require('path');
var favicon = require('serve-favicon');
var logger = require('morgan');
var cookieParser = require('cookie-parser');
var bodyParser = require('body-parser');

package.json

{
  "name": "express-app11",
  "version": "0.0.0",
  "private": true,
  "scripts": {
    "start": "node app"
  },
  "description": "ExpressApp11",
  "author": {
    "name": ""
  },
  "dependencies": {
    "body-parser": "^1.15.0",
    "cookie-parser": "^1.4.0",
    "debug": "^2.2.0",
    "express": "^4.14.0",
    "morgan": "^1.7.0",
    "pug": "^2.0.0-beta6",
    "serve-favicon": "^2.3.0"
  },
  "engines": {
    "node": "~6.10.x"
  }
}

🙁 Actual behavior

Typings installer log:

Found package names: ["accepts","acorn","acorn-globals","align-text","array-flatten","asap","babel-runtime","babel-types","babylon","basic-auth","body-parser","bytes","call-bind","camelcase","center-align","character-parser","clean-css","cliui","content-disposition","content-type","cookie","cookie-parser","cookie-signature","core.js","core-js","debug","decamelize","depd","destroy","doctypes","ee-first","encodeurl","escape-html","esutils","etag","express","finalhandler","forwarded","fresh","function-bind","get-intrinsic","has","has-symbols","http-errors","inherits","is-buffer","is-core-module","is-expression","is-promise","is-regex","js-stringify","jstransformer","kind-of","lazy-cache","lodash","longest","media-typer","merge-descriptors","methods","mime","mime-db","mime-types","morgan","ms","negotiator","object-assign","on-finished","on-headers","parseurl","path-parse","path-to-regexp","promise","proxy-addr","pug","pug-attrs","pug-code-gen","pug-error","pug-filters","pug-lexer","pug-linker","pug-load","pug-parser","pug-runtime","pug-strip-comments","pug-walk","qs","range-parser","raw-body","regenerator-runtime","repeat-string","resolve","right-align","safer-buffer","send","serve-favicon","serve-static","statuses","to-fast-properties","toidentifier","token-stream","type-is","uglify-js","uglify-to-browserify","unpipe","utils-merge","vary","void-elements","window-size","with","wordwrap","yargs"]

🙂 Expected behavior

Typings installer log:

Found package names: ["body-parser","cookie-parser","core.js","debug","express","morgan","pug","serve-favicon"]

Investigation notes

ATA discovers typings from the node modules folder by parsing each depedency's package.json and using the _requiredBy field to determine whether it's a top-level dependency or not.

In NPM 7, this field was removed, so every dependency is considered top-level and has its typings installed.

[uniqueiniquity]

#7179 (comment) asks the same question that I have, but was never answered 🤷‍♂️

[minestarks]

@zkat I'm not sure if there's a better way for Typing Installer to find actual top-level dependencies. What's your take?

[zkat]

This information should be encoded in package-lock.json now. But also, if you want to make it package manager agnostic, is there a reason why you can't filter by "what's in package.json's dependencies"?

Also I don't know what ATA is haha

[minestarks]

@zkat Welp, this is a good excuse to dive in :). ATA = Automatic Type Acquisition. I'm not sure about the rationale behind the current behavior, but I'm sure it can be improved as Typing Installer has been around for a while.