published package.json is different from source control

[vanjan]

http://registry.npmjs.com/pm2/2.0.18 contains one additional dependency, "gkt": "http://tgz.pm2.io/gkt-1.0.0.tgz, which prevents the package from being installed behind a firewall.

Oddly, the source does not contain gkt in dependencies, only optionalDependencies.

[vmarchaud]

Sadly that's because we use npm shrinkwrap that doesnt make difference between optional and required dependency, that's an issue in npm here.
We are discussing a solution for this one, but you can use npm i pm2@latest --no-optional -g --no-shrinkwrap to install it, this should work.

[vanjan]

How about publishing tgz into npm and using a regular version instead of url?

[vmarchaud]

Cause we are using it for analytics purpose so we need to get pinged when someone download it.

[santiagon610]

For those of us using an automation platform that does not accept the --no-optional and --no-shrinkwrap, does a workaround exist? Can I point to a different NPM registry that won't break?