[BUG] shrinkwrap and bundledDependencies not respected for aliased packages

[dominykas]

Current Behavior:

When a package has a shrinkwrap which includes an aliased dependency (e.g. "lodash4": "npm:lodash@^4.17.19"), it will installed the latest version of that dependency that matches the range in the package.json, but not the version that is in the shrinkwrap, when installing with the -g flag.

Example: aliased

https://github.com/dominykas/test-things/blob/a6ea7ed9bc24dfcec2b6fab55c9d9c98cfbc1b46/npm-shrinkwrap.json#L7-L11

/Users/dominykas/.nvm/versions/node/v12.20.0/lib
├─┬ @dominykas/test-things@0.0.0-development.1
│ └── lodash4@npm:lodash@4.17.20

Example: unaliased

https://github.com/dominykas/test-things/blob/16287e485849ab28fa493a8d32791a55f84ab4bd/npm-shrinkwrap.json#L7-L11

/Users/dominykas/.nvm/versions/node/v12.20.0/lib
├─┬ @dominykas/test-things@0.0.0-development.2
│ └── lodash@4.17.19

Expected Behavior:

Shrinkwrap should be respected.

The same behavior is exhibited with bundledDependencies when they are aliased.

This only works correctly when you're running npm install in a folder which contains the shrinkwrap (but not when installing globally or as a dependency).

Environment:

• npm: v6.14.9

npm@next-7 seems to deal with this correctly.

[darcyclarke]

npm v6 is no longer in active development; We will continue to push security releases to v6 at our team's discretion as-per our Support Policy.

If your bug is preproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo