Shrinkwrap did not use hashes and did not guarantee deterministic installs. Subdependencies could still end up as different versions.
Even the shrinkwrap file itself contained a lot of trash and generated massive diff noise. I had a file full of scripts to make the shrinkwrap file usable and even then we had (production!!!) issues due to changing subdeps. We reworked our build processes to zip & deploy the exact code that passed the tests to work around that, but it was still a massive pain that installs at different points in time would yield different trees.
When yarn came out, I deleted a folder full of hacky scripts, cut my install time by 60% and finally got deterministic installs. Needless to say, I was ecstatic.
npm used to have issues that if you had a shrinkwrap and a pre-existing node_modules directory and ran `npm install`, then npm would often report success but silently fail to make the node_modules directory actually match the shrinkwrap. ... After our build system ran into this issue once and built and deployed code to production with fatally mismatched dependencies, I wrote a hacky wrapper script which would double-check that node_modules really did match the shrinkwrap, and if not it would remove the directory entirely and re-run `npm install`... Thankfully this was fixed in npm v4.
OK that's a bug, but it's been fixed for more than a year. Nobody in this entire thread has given a reason why a captured version of the entire tree wouldn't produce deterministic output.
Yeah, it should only be bugs that cause subdependency versions to not match the shrinkwrap. Your question seemed valid. I can only guess others have run into similar issues as me and hadn't known if they were fixed.