fix(ls): use virtual tree instead of actual for listing

[G-Rath]

It seems that npm list is currently using the actual tree, which requires node_modules to exist - this in turn means you have to be able to do a successful npm install (i.e meeting all requirements such as node version, OS, C libs, etc) which greatly increases the cost of any tooling that involves npm list.

This requirement was not present in npm v6. actually it was.

Additionally this means that npm list will include dependencies that are in the lock but not on disk due to them not meeting requirements for install (i.e optional OS-specific dependencies like fsevents). This would match the tree I'm guessing npm audit checks against, as currently for one of our projects npm audit flags node_modules/fsevents/node_modules/ini, but doing npm list ini does not show any version of ini within the vulnerable range; with this change it does show up.

However, this could be the complete opposite of what npm list is meant to do, so some discussion might be needed 😓

References

Resolves #3068

[isaacs]

npm ls has always used the actual tree on disk. I'm not sure what the user is seeing as a problem. #3068 (comment)

[G-Rath]

ah, ok then - that's fair (I thought it didn't, but I should have actually checked 😅)

However, I do have a use-case for using the virtual tree, and as I said there is a sort-of bug/inconsistency with the output of npm audit vs npm list - I could probably the info I'm needing from parsing the package-lock.json but I was hoping npm list would provide a less-brittle solution.

Do you think this could be worth supporting behind a flag, i.e --virtual?

[G-Rath]

Going to close this since it's wrong, and have moved my comment onto the original issue for discussion.