I'm opening this issue because:

• npm is crashing.
• npm is producing an incorrect install.
• npm is doing something I don't understand.
• Other (see below for feature requests):

What's going wrong?

The repository I'm currently working on has a dependency declared in its package.json file as such:

{
  "dependencies": {
    "name-of-my-private-lib": "git+https://XXXXXXXXX:x-oauth-basic@github.com/username/my-private-lib.git#vx.y.z"
  }
}

name-of-my-private-lib also depends on mocha, that is being declared as followed:

{
  "dependencies": {
    "mocha": "=2.3.4"
  }
}

The repository I'm currently working on uses npm shrinkwrap.
Recently, I removed both the node_modules folder and the npm-shrinkwrap.json file, ran the npm install command and then ran the npm shrinkwrap command but that one failed, telling me that there are some extraneous packages. Usually, I run npm prune, run npm shrinkwrap again and it works, but unfortunately not this time.
Here are the 2 things I've noticed:

• with npm v4.1.2, npm ls lists all my packages and flags mocha@2.3.4 as extraneous package but npm prune does not remove it.
• under the same conditions, running npm prune with npm v4.0.5 will remove mocha@2.3.4 whereas npm v4.1.2 will not

See the following:

$ npm ls
└─┬ name-of-my-private-lib@0.8.0 (git+https://XXXXXXX:x-oauth-basic@github.com/username/my-private-lib.git#1234567890987654322)
  ├─┬ i18next@1.10.2
  │ ├─┬ cookies@0.6.2
  │ │ ├── depd@1.1.0
  │ │ └── keygrip@1.0.1
  │ ├── i18next-client@1.10.2
  │ └── json5@0.2.0
  ├── mocha@2.3.4 extraneous
  ├─┬ moment-timezone@0.3.1
  │ └── moment@2.10.6
  └─┬ pdfmake@0.1.18
    ├── lodash@3.1.0
    ├── lodash-node@3.1.0
    └─┬ pdfkit@0.7.1
      ├─┬ linebreak@0.1.2
      │ └── unicode-trie@0.1.2
      └── png-js@0.1.1

npm ERR! extraneous: mocha@2.3.4 /home/user/test/node_modules/name-of-my-private-lib/node_modules/mocha


$ npm version                                                                                                                                                                                                                           1 ↵
{ test: '1.0.0',
  npm: '4.1.2',
  ares: '1.10.1-DEV',
  cldr: '30.0.3',
  http_parser: '2.7.0',
  icu: '58.2',
  modules: '51',
  node: '7.5.0',
  openssl: '1.0.2k',
  tz: '2016j',
  unicode: '9.0',
  uv: '1.10.2',
  v8: '5.4.500.48',
  zlib: '1.2.8' }


$ npm prune
npm WARN test@1.0.0 No description
npm WARN test@1.0.0 No repository field.

$ nvm use 7.4.0
Now using node v7.4.0 (npm v4.0.5)

$ npm version
{ test: '1.0.0',
  npm: '4.0.5',
  ares: '1.10.1-DEV',
  cldr: '30.0.3',
  http_parser: '2.7.0',
  icu: '58.2',
  modules: '51',
  node: '7.4.0',
  openssl: '1.0.2j',
  tz: '2016j',
  unicode: '9.0',
  uv: '1.10.1',
  v8: '5.4.500.45',
  zlib: '1.2.8' }

$ npm prune
npm WARN package.json test@1.0.0 No description
npm WARN package.json test@1.0.0 No repository field.
npm WARN package.json test@1.0.0 No README data
unbuild mocha@2.3.4

How can the CLI team reproduce the problem?

I tried to reproduce the situation explained above with packages available on the NPM registry but it seems that the problem only occurs with packages installed using https+ssh...

supporting information:

• npm -v prints: 4.1.2
• node -v prints: v7.5.0
• npm config get registry prints: https://registry.npmjs.org/
• Windows, OS X/macOS, or Linux?: Mac OS X 10.12.3 (Sierra)
• Network issues:
  • Geographic location where npm was run:
  • I use a proxy to connect to the npm registry.
  • I use a proxy to connect to the web.
  • I use a proxy when downloading Git repos.
  • I access the npm registry via a VPN
  • I don't use a proxy, but have limited or unreliable internet access.
• Container:
  • I develop using Vagrant on Windows.
  • I develop using Vagrant on OS X or Linux.
  • I develop / deploy using Docker.
  • I deploy to a PaaS (Triton, Heroku).