package-lock.json file, package with "optional": true
One of my workmate's PRs contains a package-lock.json update, which added "optional": true:
"minimist": {
"version": "0.0.8",
"bundled": true,
- "dev": true
+ "dev": true,
+ "optional": true
},
"minipass": {
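Review bot: the minimist entry changes only its flags ("optional": true is added while "version": "0.0.8" and "bundled": true stay as they were), so nothing in this hunk shows why the lockfile was touched. State in the PR description which npm version regenerated the file, and confirm that no version, resolved or integrity field changes elsewhere in the lockfile diff, so the update can be reviewed as metadata-only.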
I am not sure what this means even after googling around. Could someone please explain?
From https://docs.npmjs.com/files/package-lock.json#optional:
If true then this dependency is either an optional dependency ONLY of the top level module or a transitive dependency of one. This is false for dependencies that are both an optional dependency of the top level and a transitive dependency of a non-optional dependency of the top level.
It's safe to merge this change.
The reason you see this change is most likely because npm slightly changed how package-lock.json is structured in version 6.6. Your mate basically ran npm install with npm 6.6+ on a package-lock.json previously generated with npm 6.5-.
You should be able to avoid this kind of issue by making sure everyone on your team uses a recent version of npm.
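One way to check the "safe to merge" judgement above, as an added example that is not part of the original answers: it compares two parsed lockfileVersion 1 trees and separates flag-only changes (dev, optional, bundled) from changes to version, resolved or integrity. The sample lockfiles and the parent name example-parent are constructed, and the function names are hypothetical.

```javascript
// Fields that identify what code gets installed; a change here needs real review.
const IDENTITY_FIELDS = ['version', 'resolved', 'integrity'];
// Flags npm derives from the dependency graph; npm versions can disagree on them.
const FLAG_FIELDS = ['dev', 'optional', 'bundled'];

// Flatten a lockfileVersion 1 tree into a Map of "parent>child" path -> entry.
function flatten(deps = {}, prefix = '', out = new Map()) {
  for (const [name, entry] of Object.entries(deps)) {
    const path = prefix ? `${prefix}>${name}` : name;
    out.set(path, entry);
    flatten(entry.dependencies, path, out); // nested (e.g. bundled) dependencies
  }
  return out;
}

// Compare two parsed lockfiles and sort every difference into a bucket.
function classifyLockDiff(before, after) {
  const a = flatten(before.dependencies);
  const b = flatten(after.dependencies);
  const report = { added: [], removed: [], identityChanged: [], flagsOnly: [] };
  for (const [path, entry] of b) {
    const old = a.get(path);
    if (!old) { report.added.push(path); continue; }
    if (IDENTITY_FIELDS.some((f) => old[f] !== entry[f])) report.identityChanged.push(path);
    else if (FLAG_FIELDS.some((f) => Boolean(old[f]) !== Boolean(entry[f]))) report.flagsOnly.push(path);
  }
  for (const path of a.keys()) if (!b.has(path)) report.removed.push(path);
  return report;
}

// True when nothing was added, removed, or changed in version/resolved/integrity.
function isMetadataOnly(report) {
  return report.added.length + report.removed.length + report.identityChanged.length === 0;
}

// Constructed sample mirroring the question's diff ("example-parent" is hypothetical).
const before = { lockfileVersion: 1, dependencies: {
  'example-parent': { version: '1.0.0', dev: true, dependencies: {
    minimist: { version: '0.0.8', bundled: true, dev: true },
  } },
} };
const after = JSON.parse(JSON.stringify(before));
after.dependencies['example-parent'].dependencies.minimist.optional = true;
// Second constructed case: the same flag change plus a version change.
const bumped = JSON.parse(JSON.stringify(after));
bumped.dependencies['example-parent'].dependencies.minimist.version = '0.0.9';

console.log(classifyLockDiff(before, after));  // flag-only difference
console.log(classifyLockDiff(before, bumped)); // identity difference
```

To use it on real files, pass the two lockfiles through JSON.parse first, for example the version on the base branch and the version in the PR.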
After a package is removed from dependencies, its dependencies are marked "optional": true in package-lock.json.
It is usually safe to remove such packages either by hand or by
$ rm -rf package-lock.json node_modules/
$ npm install
However, this is not 100% safe, as some packages will be updated to newer versions.
One of the reasons would be:
Some npm packages might require dependent packages (e.g. minimist) to work on different OSes. NPM marks these packages as optional on npm install if they are not required at all, depending on the OS you are using.
Please check the below issue:
Open Issue: package-lock.json and optional packages : https://github.com/npm/npm/issues/17722
Hope it helps.