[BUG] npm dedupe breaks dependencies with individual installs #1548

Closed
@JacobLey

Description

What / Why

npm dedupe is used to bring common modules down the dependency tree. It should not do it so much that it breaks any dependency though.

When installing packages one-by-one (e.g. npm install <package-name> rather than npm i) that share common sub-dependencies but require different versions, running npm dedupe afterwards breaks some dependencies.

The easiest way to show is by example. I have created a basic example package https://github.com/JacobLey/cli/tree/dedupeExample that is able to recreate errors.

The notable dependency tree looks like:

 dedup-example
├─┬ express-openapi-validator@3.16.7
│ └── path-to-regexp@6.1.0
└─┬ tar-dep@1.0.0
  └─┬ express@4.17.1
    └── path-to-regexp@0.1.7

(these packages have many other dependencies but we are focusing on path-to-regexp here. It is my belief this is an issue with npm rather than any of these packages; it is just a combination that successfully recreates the issue)

When

In the example repo, after running:

npm i
npm i tar-dep
npm dedupe

multiple dependency issues happen.

Skipping the explicit npm i tar-dep step prevents errors. Similarly prior to npm dedupe there are no detectable dependency issues.

Where

Example repo: https://github.com/JacobLey/cli/tree/dedupeExample
Go to dedupe-example directory

node --version -> v12.16.3
npm --version -> 6.14.5

How

Somehow breaking the install into several steps causes dedupe to screw up the dependency tree.

Current Behavior

See Why/When.
Running dedupe after explicit installs can break the dependency tree, if there are sub-dependencies that must be different versions.

Steps to Reproduce

# from working cli directory
git remote add jacob-dedupe git@github.com:JacobLey/cli.git
git pull jacob-dedupe dedupeExample
git co dedupeExample
cd ./dedupe-example
./dedupe.sh

After the script has finished, inspect before-dedupe.txt and after-dedupe.txt for errors.

Expected Behavior

Assuming that all dependencies are already installed without error (before-dedupe.txt has no UNMET_DEPENDENCY errors), then npm dedupe should remove any "extraneous" packages, as well as pull packages down that do not cause a conflict.

References

https://docs.npmjs.com/cli/dedupe
https://docs.npmjs.com/cli/install
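As an added illustration (not code from the issue, from the example repo, or from npm itself), the script below models the rule that a correct dedupe has to preserve: every package's declared dependency must resolve, by Node's lookup order (the package's own node_modules, then each ancestor's node_modules up to the project root), to a version that satisfies the declared range. It builds three constructed trees following the shape shown in the report, runs the check over each, and reports which package ends up with an unmet dependency after an over-aggressive hoist. The package names and versions come from the report; the declared ranges (^6.1.0, ^4.17.1, exact 0.1.7), the `pkg`/`checkTree` helpers and the simplified range matcher are assumptions made for this example.

```javascript
// Added example: a minimal unmet-dependency checker for the failure mode in
// this issue. The trees and ranges below are constructed for illustration.

function pkg(name, version, deps = {}, children = []) {
  return { name, version, deps, children };
}

function parseVersion(v) {
  return v.split('.').map(Number);
}

function cmpVersion(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Simplified semver matcher: exact versions, "^" and "~" ranges only.
// (A real checker would use the semver package; this keeps the example offline.)
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const base = parseVersion(range.slice(1));
    if (cmpVersion(v, base) < 0) return false;
    // caret: the leftmost non-zero component must not change
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  if (range.startsWith('~')) {
    const base = parseVersion(range.slice(1));
    return cmpVersion(v, base) >= 0 && v[0] === base[0] && v[1] === base[1];
  }
  return cmpVersion(v, parseVersion(range)) === 0;
}

// Node-style resolution: search the requiring package's own node_modules,
// then walk up through every ancestor's node_modules to the project root.
function resolveDep(chain, depName) {
  for (let i = chain.length - 1; i >= 0; i--) {
    const hit = chain[i].children.find((c) => c.name === depName);
    if (hit) return hit;
  }
  return null;
}

// Returns unmet-dependency descriptions; an empty list means the tree is sound.
function checkTree(root) {
  const problems = [];
  const walk = (node, ancestors) => {
    const chain = [...ancestors, node];
    const where = chain.map((n) => n.name).join(' > ');
    for (const [dep, range] of Object.entries(node.deps)) {
      const found = resolveDep(chain, dep);
      if (!found) {
        problems.push(`${where}: missing ${dep}@${range}`);
      } else if (!satisfies(found.version, range)) {
        problems.push(`${where}: ${dep}@${range} resolves to ${found.version}`);
      }
    }
    node.children.forEach((child) => walk(child, chain));
  };
  walk(root, []);
  return problems;
}

// Tree as installed before dedupe (shape from the report; ranges assumed).
const beforeDedupe = pkg('dedup-example', '1.0.0', {}, [
  pkg('express-openapi-validator', '3.16.7', { 'path-to-regexp': '^6.1.0' }, [
    pkg('path-to-regexp', '6.1.0'),
  ]),
  pkg('tar-dep', '1.0.0', { express: '^4.17.1' }, [
    pkg('express', '4.17.1', { 'path-to-regexp': '0.1.7' }, [
      pkg('path-to-regexp', '0.1.7'),
    ]),
  ]),
]);

// An over-aggressive dedupe: 6.1.0 hoisted to the root and the nested 0.1.7
// copy dropped, so express now resolves to the wrong major version.
const afterBadDedupe = pkg('dedup-example', '1.0.0', {}, [
  pkg('path-to-regexp', '6.1.0'),
  pkg('express-openapi-validator', '3.16.7', { 'path-to-regexp': '^6.1.0' }),
  pkg('tar-dep', '1.0.0', { express: '^4.17.1' }, [
    pkg('express', '4.17.1', { 'path-to-regexp': '0.1.7' }),
  ]),
]);

// What dedupe should produce: 6.1.0 hoisted, 0.1.7 kept nested where required.
const afterGoodDedupe = pkg('dedup-example', '1.0.0', {}, [
  pkg('path-to-regexp', '6.1.0'),
  pkg('express-openapi-validator', '3.16.7', { 'path-to-regexp': '^6.1.0' }),
  pkg('tar-dep', '1.0.0', { express: '^4.17.1' }, [
    pkg('express', '4.17.1', { 'path-to-regexp': '0.1.7' }, [
      pkg('path-to-regexp', '0.1.7'),
    ]),
  ]),
]);

console.log('before dedupe:', checkTree(beforeDedupe));
console.log('bad dedupe:', checkTree(afterBadDedupe));
console.log('good dedupe:', checkTree(afterGoodDedupe));
```

Running the script prints an empty list for the pre-dedupe tree and for the correct dedupe, and one finding for the bad dedupe: `dedup-example > tar-dep > express: path-to-regexp@0.1.7 resolves to 6.1.0`, which is exactly the kind of entry you would expect `npm ls` to flag in after-dedupe.txt. The same walk can be pointed at a real node_modules directory by reading each package.json instead of the constructed `pkg` nodes.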

Labels: Bug (thing that needs fixing); Release 6.x (work is associated with a specific npm 6 release)