Open
Labels: Bug (thing that needs fixing), Priority 2 (secondary priority issue), ws:arborist (Related to the arborist workspace)
Description
What / Why
When trying to deduplicate versions of a module in a linked dependency, running npm install
will not work as expected.
When
Given a package whose version of a dep conflicts with the version of that same dep in a linked dependency, e.g.:
root
├── abbrev@^1.1.1
└─┬ file:a
  └── abbrev@=1.0.3
Updating a/package.json
to list a dependency on abbrev@^1.0.0
will not result in a deduplicated install tree.
How
Before manually deduping dep
commit b2e106eedb40119c12e33a893e417f3763a7edcc
Author: Ruy Adorno <ruyadorno@hotmail.com>
Date: Thu Mar 11 15:23:02 2021 -0500
Added duplicate versions
diff --git a/a/package.json b/a/package.json
new file mode 100644
index 0000000..3de068e
--- /dev/null
+++ b/a/package.json
@@ -0,0 +1,7 @@
+{
+ "name": "a",
+ "version": "1.0.0",
+ "dependencies": {
+ "abbrev": "=1.0.3"
+ }
+}
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..abd3fd5
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,59 @@
+{
+ "name": "dedupe-after-lock",
+ "version": "1.0.0",
+ "lockfileVersion": 2,
+ "requires": true,
+ "packages": {
+ "": {
+ "version": "1.0.0",
+ "license": "MIT",
+ "dependencies": {
+ "a": "file:a",
+ "abbrev": "^1.1.1"
+ }
+ },
+ "a": {
+ "version": "1.0.0",
+ "dependencies": {
+ "abbrev": "=1.0.3"
+ }
+ },
+ "a/node_modules/abbrev": {
+ "version": "1.0.3",
+ "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.0.3.tgz",
+ "integrity": "sha1-qgScln+ZkiKqQuFENPDFYu9GgkE=",
+ "engines": {
+ "node": "*"
+ }
+ },
+ "node_modules/a": {
+ "resolved": "a",
+ "link": true
+ },
+ "node_modules/abbrev": {
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
+ "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
+ }
+ },
+ "dependencies": {
+ "a": {
+ "version": "file:a",
+ "requires": {
+ "abbrev": "=1.0.3"
+ },
+ "dependencies": {
+ "abbrev": {
+ "version": "1.0.3",
+ "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.0.3.tgz",
+ "integrity": "sha1-qgScln+ZkiKqQuFENPDFYu9GgkE="
+ }
+ }
+ },
+ "abbrev": {
+ "version": "1.1.1",
+ "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
+ "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
+ }
+ }
+}
diff --git a/package.json b/package.json
index 8af937d..4ccb1bf 100644
--- a/package.json
+++ b/package.json
@@ -1,12 +1,16 @@
{
"name": "dedupe-after-lock",
"version": "1.0.0",
"description": "",
"main": "index.js",
"scripts": {
"test": "echo \"Error: no test specified\" && exit 1"
},
"keywords": [],
"author": "Ruy Adorno <ruyadorno@hotmail.com> (https://ruyadorno.com/)",
- "license": "MIT"
+ "license": "MIT",
+ "dependencies": {
+ "a": "file:a",
+ "abbrev": "^1.1.1"
+ }
}
After manually trying to dedupe and running npm install
commit 723ef71520be1ae358ad68b6379405c776fb140b
Author: Ruy Adorno <ruyadorno@hotmail.com>
Date: Thu Mar 11 15:24:41 2021 -0500
Deduplicate range definitions
diff --git a/a/package.json b/a/package.json
index 3de068e..6cb97f1 100644
--- a/a/package.json
+++ b/a/package.json
@@ -2,6 +2,6 @@
"name": "a",
"version": "1.0.0",
"dependencies": {
- "abbrev": "=1.0.3"
+ "abbrev": "^1.0.0"
}
}
diff --git a/package-lock.json b/package-lock.json
index abd3fd5..b099fe9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,7 +15,7 @@
"a": {
"version": "1.0.0",
"dependencies": {
- "abbrev": "=1.0.3"
+ "abbrev": "^1.0.0"
}
},
"a/node_modules/abbrev": {
@@ -40,7 +40,7 @@
"a": {
"version": "file:a",
"requires": {
- "abbrev": "=1.0.3"
+ "abbrev": "^1.0.0"
},
"dependencies": {
"abbrev": {
Expected Behavior
I expect running npm install
OR npm dedupe
after manually tweaking dep version ranges in my package.json
files to produce a deduplicated install tree.