The issue appears to be in this code:

var minimizeDependencyTree = function (tree) {
  var minimizeModule = function (module) {
    var version;
    if (module.resolved &&
        !module.resolved.match(/^https:\/\/registry.npmjs.org\//)) {
      version = module.resolved;

From @glasser -

"Note that the URLs they have are http. Something about npm (maybe in the server, maybe in the modules) is serving http URLs in this resolved thing and we aren't filtering properly. We could change that code to have https? and release it to deal with this. (I don't know if this actually will cause any problems if we don't, other than shrinkwrap files that seemingly-randomly switch back and forth between otherwise equivalent data)"