What is `"dev" true` in package-lock.json for?

I think this paragraph tries to illustrate how the package dependency's dev: true is assigned.

  • Direct development dependency -> dev: true
  • Only an indirect development dependency -> dev: true
  • Direct development dependency, however it also has an indirect non-development dependency -> no "dev: true"

In other words, once a development dependency package is indirectly depended on by a non-development package, it shall be dev: false and thus it will be included in the build process. The purpose of this rule is to make sure that packages needed by the non-development package will not have "dev: true".

Besides, if you install via "npm install -D <package>", then the package will be installed as a development package, thus no "dev: true" changes may occur. However, if you install via "npm install <package>", this may remove many existing dependencies' "dev: true" attribute.

For example, I run "npm install -D bestzip" in my project and the result is:

  • 53 dependencies with "dev": true added

Run "npm install bestzip" and the result is:

  • 53 dependencies without "dev": true added
  • 43 existing dependencies' "dev": true attributes are removed

So answering your first question, "dev": true in package-lock.json means this dependency won't be installed by npm install/npm ci when running in production mode.

Having dependencies used only for local development environment marked with "dev": true and then using --production in your CI might save you some build time.

From documentation https://docs.npmjs.com/cli/install#description:

By default, npm install will install all modules listed as dependencies in package.json.

With the --production flag (or when the NODE_ENV environment variable is set to production), npm will not install modules listed in devDependencies.
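
The rule described in the first answer can be modelled as a reachability check. This is an added example, not npm's own code and not part of either answer. It is a simplified model: a package counts as dev-only when it is reachable from devDependencies but not from any regular dependency. The package names and the graph are constructed for illustration.

```javascript
// Added illustration: recompute which packages would carry "dev": true.
// The graph below is constructed sample data, not a real lockfile.
function reachable(starts, graph) {
  const seen = new Set();
  const queue = [...starts];
  while (queue.length > 0) {
    const name = queue.shift();
    if (seen.has(name)) continue;
    seen.add(name);
    for (const dep of graph[name] || []) queue.push(dep);
  }
  return seen;
}

// A package is dev-only when it is reachable from devDependencies
// but not from any regular (production) dependency.
function devOnlyPackages(root, graph) {
  const prod = reachable(root.dependencies, graph);
  const dev = reachable(root.devDependencies, graph);
  return [...dev].filter((name) => !prod.has(name)).sort();
}

// Constructed dependency graph: package name -> its own dependencies.
const graph = {
  "zip-tool": ["glob-lib", "stream-lib"],
  "test-runner": ["glob-lib", "diff-lib"],
  "glob-lib": ["path-lib"],
  "stream-lib": [],
  "diff-lib": [],
  "path-lib": [],
};

// Case 1: both tools installed with -D, so everything is dev-only.
const allDev = devOnlyPackages(
  { dependencies: [], devDependencies: ["zip-tool", "test-runner"] }, graph);

// Case 2: zip-tool installed without -D. glob-lib and path-lib are shared
// with test-runner, so they lose the dev flag along with zip-tool itself.
const mixed = devOnlyPackages(
  { dependencies: ["zip-tool"], devDependencies: ["test-runner"] }, graph);

console.log("dev-only when both are devDependencies:", allDev);
console.log("dev-only after zip-tool becomes a dependency:", mixed);
```

Every package that drops out of the dev-only list in the second case would be installed by a production install, which is why reviewing lockfile diffs for removed "dev": true entries shows how the production dependency set has grown.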