
JavaScript providers produce inconsistent results for peerDependencies and optionalDependencies #391

@soul2zimate

Description


What happened?

JavaScript package manager providers (npm, pnpm, yarn classic, yarn berry) produce inconsistent dependency analysis results when package.json contains peerDependencies, optionalDependencies, and devDependencies. Some providers silently drop production dependencies or include dev dependencies in the scan.

Expected behavior

All four JS providers (npm, pnpm, yarn classic, yarn berry) should produce consistent results:

  • dependencies — included
  • peerDependencies — included
  • optionalDependencies — included
  • bundledDependencies — included (subset of dependencies)
  • devDependencies — excluded

Using npm as the baseline (4 direct deps scanned: express, axios, minimist, lodash), all other providers should match.

Actual behavior

Given a package.json:

{
  "dependencies": { "express": "4.17.1", "axios": "0.19.0" },
  "peerDependencies": { "minimist": "1.2.0" },
  "optionalDependencies": { "lodash": "4.17.19" },
  "bundledDependencies": ["express"],
  "devDependencies": { "jest": "26.0.0", "webpack": "4.46.0", "eslint": "7.0.0", "mocha": "8.0.0" }
}

Provider        Direct deps scanned                                      Missing                             Incorrectly included
npm (baseline)  4: express, axios, minimist, lodash                      (none)                              (none)
pnpm            3: express, axios, minimist                              lodash (optional)                   (none)
yarn classic    2: express, axios                                        lodash (optional), minimist (peer)  (none)
yarn berry      7: express, axios, lodash, jest, webpack, eslint, mocha  minimist (peer)                     jest, webpack, eslint, mocha (dev)

How can this issue be reproduced?

No response
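The expected behaviour above is easy to pin down in code. The following is an added example, not code from this project or from any of the four package managers: it derives the direct dependency set a scanner should report from a package.json (runtime groups in, devDependencies out), checks the npm rule that bundled names must also be declared in dependencies, and diffs each provider's reported list against the expected set to reproduce the missing/incorrectly-included columns of the table. The package.json and the per-provider lists are copied from the issue; the function names and the "(group)" labels are this example's own.

```javascript
// Added example (not the project's own code): compute the direct dependency
// set a scanner should report from a package.json, following the expected
// behaviour stated in this issue, then diff each provider's output against it.

// Groups whose entries are direct runtime dependencies and must be scanned.
const RUNTIME_GROUPS = ['dependencies', 'peerDependencies', 'optionalDependencies'];
// Dev-only group: never part of the scanned set.
const DEV_GROUP = 'devDependencies';

const has = (obj, key) => Object.prototype.hasOwnProperty.call(obj || {}, key);

// npm accepts both spellings; the value is an array of names, not a version map.
function bundledNames(pkg) {
  return pkg.bundledDependencies || pkg.bundleDependencies || [];
}

// Sorted, de-duplicated list of direct dependency names to scan.
// A name declared in both a runtime group and devDependencies stays included.
function expectedDirectDeps(pkg) {
  const names = new Set();
  for (const group of RUNTIME_GROUPS) {
    for (const name of Object.keys(pkg[group] || {})) names.add(name);
  }
  // Bundled entries should already be in "dependencies" (see bundledNotDeclared);
  // adding them keeps the set complete for a manifest that lists them only here.
  for (const name of bundledNames(pkg)) names.add(name);
  return [...names].sort();
}

// Manifest sanity check: a bundled name missing from "dependencies" is a bug in
// the package.json itself, not something a provider can resolve consistently.
function bundledNotDeclared(pkg) {
  return bundledNames(pkg).filter((name) => !has(pkg.dependencies, name)).sort();
}

// "name (group, group)" so a diff shows which group a provider mishandled.
function label(pkg, name) {
  const groups = [...RUNTIME_GROUPS, DEV_GROUP].filter((g) => has(pkg[g], name));
  if (bundledNames(pkg).includes(name)) groups.push('bundled');
  return `${name} (${groups.join(', ') || 'undeclared'})`;
}

// Diff one provider's reported direct deps against the expected set.
function diffProvider(pkg, reported) {
  const expected = new Set(expectedDirectDeps(pkg));
  const seen = new Set(reported);
  const missing = [...expected].filter((n) => !seen.has(n)).sort();
  const extra = [...seen].filter((n) => !expected.has(n)).sort();
  return {
    missing: missing.map((n) => label(pkg, n)),
    incorrectlyIncluded: extra.map((n) => label(pkg, n)),
  };
}

// Run the diff for every provider; returns { provider: { missing, incorrectlyIncluded } }.
function compareProviders(pkg, results) {
  const out = {};
  for (const [provider, reported] of Object.entries(results)) {
    out[provider] = diffProvider(pkg, reported);
  }
  return out;
}

// The package.json from the issue.
const PKG = {
  dependencies: { express: '4.17.1', axios: '0.19.0' },
  peerDependencies: { minimist: '1.2.0' },
  optionalDependencies: { lodash: '4.17.19' },
  bundledDependencies: ['express'],
  devDependencies: { jest: '26.0.0', webpack: '4.46.0', eslint: '7.0.0', mocha: '8.0.0' },
};

// Direct dependency lists per provider, as reported in the issue's table.
const PROVIDER_RESULTS = {
  npm: ['express', 'axios', 'minimist', 'lodash'],
  pnpm: ['express', 'axios', 'minimist'],
  'yarn classic': ['express', 'axios'],
  'yarn berry': ['express', 'axios', 'lodash', 'jest', 'webpack', 'eslint', 'mocha'],
};

console.log('expected:', expectedDirectDeps(PKG).join(', '));
console.log('bundled but undeclared:', bundledNotDeclared(PKG));
for (const [provider, diff] of Object.entries(compareProviders(PKG, PROVIDER_RESULTS))) {
  console.log(provider, JSON.stringify(diff));
}
```

Two caveats worth keeping in mind when comparing providers this way. First, an entry under peerDependenciesMeta with "optional": true is still declared in peerDependencies, so this example treats it as a scanned direct dependency; a provider that drops it is diverging from the npm baseline in the same way the table shows for minimist. Second, bundledDependencies is a list of names rather than a version map, so any code that iterates "dependency groups" expecting objects will silently skip or misparse it; the example reads it separately and flags names that are bundled but not declared.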
