npm shrinkwrap (undesirably) falling back onto package.json


I'm using npm-shrinkwrap to lock down my project dependencies.

However, I'm running into one issue. It seems as though if you remove a dependency from npm-shrinkwrap.json, then node falls back on to the original tree dependency resolution via package.json. I tested this by deleting an entry in my npm-shrinkwrap.json and noticing that it still turned up in node_modules after an npm install.

My concern here is that someone unwittingly uses npm install --save-dev to add a new dependency to the project but forgets to update npm-shrinkwrap.json. You're then in a position where you're potentially introducing variable dependencies into the project that may change from developer to developer or CI server, which is what npm shrinkwrap seems designed to prevent.

My question is whether I'm right in this assertion, or misunderstanding the behaviour somehow, or, if I am correct, whether there is something I can do to force npm install to use only the npm-shrinkwrap.json dependencies and ignore what's in package.json. It occurs to me I could work around this by deleting the dependencies in package.json after producing npm-shrinkwrap.json, but obviously this is not ideal.
