installing additional (non)required bower dependencies when installing using npm repo #44

Open
2dareis2do opened this issue Jul 21, 2023 · 1 comment

Comments

@2dareis2do

I have noticed that on occasion additional unused dependencies are installed when using composer.

e.g. when installing npm-asset/imagesloaded

I notice at https://github.com/desandro/imagesloaded/blob/master/bower.json#L6C27-L6C27 we have an ev-emitter dependency required.

When installing with:

composer require 'npm-asset/imagesloaded:^4.1.4'

I see that composer also installs ev-emitter library, although, in this case, this looks to be bundled with imagesloaded anyway

https://github.com/desandro/imagesloaded/blob/92de29b5a9a416bebeb6bb58a1882af8c5f76931/imagesloaded.pkgd.js#L8

Interestingly, when installing bower-asset/masonry vs npm-asset/tmasonry_layout (path override required for npm), it also installed additional dependencies via npm, as opposed to bower, which did not seem to?

see https://asset-packagist.org/package/search?query=masonry&platform=bower%2Cnpm v4.2.2.

My question is: why does composer-installers-extender seem to install additional bower dependencies by default when installing via npm, and is there a way to disable this behaviour, as they do not seem to be actually required in this case?

@2dareis2do

Actually I have just installed masonry again via bower and again all dependencies seem to be installed:

e.g. composer require 'bower-asset/masonry:^4.2.2'
Info from https://repo.packagist.org: #StandWithUkraine
./composer.json has been updated
Running composer update bower-asset/masonry
Gathering patches for root package.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 6 installs, 0 updates, 0 removals

  • Locking bower-asset/desandro-matches-selector (v2.0.2)
  • Locking bower-asset/ev-emitter (v1.1.1)
  • Locking bower-asset/fizzy-ui-utils (v2.0.7)
  • Locking bower-asset/get-size (v2.0.3)
  • Locking bower-asset/masonry (v4.2.2)
  • Locking bower-asset/outlayer (v2.1.1)
    Writing lock file
    Installing dependencies from lock file (including require-dev)
    Package operations: 6 installs, 0 updates, 0 removals
    Gathering patches for root package.
    Gathering patches for dependencies. This might take a minute.
  • Installing bower-asset/desandro-matches-selector (v2.0.2): Extracting archive
  • Installing bower-asset/get-size (v2.0.3): Extracting archive
  • Installing bower-asset/fizzy-ui-utils (v2.0.7): Extracting archive
  • Installing bower-asset/ev-emitter (v1.1.1): Extracting archive
  • Installing bower-asset/outlayer (v2.1.1): Extracting archive
  • Installing bower-asset/masonry (v4.2.2): Extracting archive
    Generating autoload files
    88 packages you are using are looking for funding.
    Use the composer fund command to find out more!
    phpstan/extension-installer: Extensions installed
    No security vulnerability advisories found

Not sure if there is a way to disable this behaviour, as I really only want the actual package and not its dependencies?

I can see in bower.json we have the following declared:

    "dependencies": {
      "get-size": "^2.0.2",
      "outlayer": "^2.1.0"
    },

and in the same for outlayer we also have

    "dependencies": {
      "ev-emitter": "^1.0.0",
      "get-size": "^2.0.2",
      "fizzy-ui-utils": "^2.0.0"
    },

In fizzy-ui-utils we also have

    "dependencies": {
      "desandro-matches-selector": "^2.0.0"
    },

This all seems to correlate with what is installed. How can I disable this behaviour, as none of these dependencies are actually required when installing via composer afaict?
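
An added example (not part of the issue thread or of the project's code): a short script that traces, from a composer.lock, which require chain pulled in each locked package, so transitive asset dependencies can be reviewed. The lock excerpt is constructed from the names, versions and bower.json dependencies quoted above; the `bower-asset/` prefix on the require keys is an assumption about how the lock records them.

```python
import json
from collections import deque

# Root requirement, as in the `composer require` command quoted above.
ROOT_REQUIRE = {"bower-asset/masonry": "^4.2.2"}

# Constructed composer.lock excerpt (not a real lock file). The prefixed
# require keys are an assumption; versions come from the quoted output.
LOCK_JSON = """
{"packages": [
 {"name": "bower-asset/masonry", "version": "v4.2.2",
  "require": {"bower-asset/get-size": "^2.0.2", "bower-asset/outlayer": "^2.1.0"}},
 {"name": "bower-asset/outlayer", "version": "v2.1.1",
  "require": {"bower-asset/ev-emitter": "^1.0.0", "bower-asset/get-size": "^2.0.2",
              "bower-asset/fizzy-ui-utils": "^2.0.0"}},
 {"name": "bower-asset/fizzy-ui-utils", "version": "v2.0.7",
  "require": {"bower-asset/desandro-matches-selector": "^2.0.0"}},
 {"name": "bower-asset/get-size", "version": "v2.0.3"},
 {"name": "bower-asset/ev-emitter", "version": "v1.1.1"},
 {"name": "bower-asset/desandro-matches-selector", "version": "v2.0.2"}
]}
"""

def dependency_paths(root_require, lock):
    """Map each reachable locked package to its shortest require chain from the root."""
    by_name = {p["name"]: p for p in lock.get("packages", []) + lock.get("packages-dev", [])}
    paths, queue = {}, deque()
    for name in root_require:
        if name in by_name:
            paths[name] = [name]
            queue.append(name)
    while queue:  # breadth-first walk over the "require" edges
        current = queue.popleft()
        for dep in by_name[current].get("require", {}):
            if dep in by_name and dep not in paths:  # skips platform reqs such as "php"
                paths[dep] = paths[current] + [dep]
                queue.append(dep)
    return paths

def transitive_packages(root_require, lock):
    """Locked packages that the root composer.json did not ask for directly."""
    paths = dependency_paths(root_require, lock)
    return {name: chain for name, chain in paths.items() if name not in root_require}

if __name__ == "__main__":
    lock = json.loads(LOCK_JSON)
    for name, chain in sorted(transitive_packages(ROOT_REQUIRE, lock).items()):
        print(f"{name}: {' -> '.join(chain)}")
```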
