Description
Reopening #3083, given that npm/arborist#266 and npm/arborist#272 didn't fix the issue.
Current Behavior:
When having multiple packages relying on each other having the exact same version, trying to update them all via npm install fails when there is another package which loosely relies on them via "peerDependencies": "^x.x.x", due to npm7 erroneous resolution.
Real world example: Angular core packages are supposed to be installed with the exact same version, so for example @angular/common@11.2.9 has "peerDependencies": { "angular/core": "11.2.9" } (note the exact version).
Until now everything is fine. You can update all versions to 11.2.10 in package.json, run npm install and it works.
But now add another package which relies on one of the core packages, for example @angular-devkit/build-angular@11.2.9 has a "peerDependencies": { "@angular/compiler-cli": "^11.0.0 || ^12.0.0-next" }.
Now if you update all versions to 11.2.10 in package.json and run npm install, it fails.
Expected Behavior:
npm install should work, as versions are correct and peerDependencies are respected.
Steps To Reproduce:
Working:
1. mkdir npmissue
2. cd npmissue
3. npm init -y
4. npm install @angular/common@11.2.9 @angular/compiler@11.2.9 @angular/core@11.2.9 @angular/platform-browser@11.2.9 @angular/platform-browser-dynamic@11.2.9 -E
5. npm install @angular/compiler-cli@11.2.9 -D -E
6. Search/replace 11.2.9 > 11.2.10 in package.json
7. npm install: OK
Failing:
1. Previous steps from 1 to 5 (included)
2. npm install @angular-devkit/build-angular@0.1102.9 -D -E
3. Search/replace 11.2.9 > 11.2.10 and 0.1102.9 > 0.1102.10 in package.json
4. npm install: fails with peerDependencies errors
npm log
Found: @angular/common@11.2.9
node_modules/@angular/common
@angular/common@"11.2.10" from the root project
peer @angular/common@"11.2.9" from @angular/platform-browser@11.2.9
node_modules/@angular/platform-browser
@angular/platform-browser@"11.2.10" from the root project
peer @angular/platform-browser@"11.2.9" from @angular/platform-browser-dynamic@11.2.9
node_modules/@angular/platform-browser-dynamic
@angular/platform-browser-dynamic@"11.2.10" from the root project
peer @angular/common@"11.2.9" from @angular/platform-browser-dynamic@11.2.9
node_modules/@angular/platform-browser-dynamic
@angular/platform-browser-dynamic@"11.2.10" from the root project
Could not resolve dependency:
@angular/common@"11.2.10" from the root project
Conflicting peer dependency: @angular/core@11.2.10
node_modules/@angular/core
peer @angular/core@"11.2.10" from @angular/common@11.2.10
node_modules/@angular/common
@angular/common@"11.2.10" from the root project
Fix the upstream dependency conflict, or retry
this command with --force, or --legacy-peer-deps
to accept an incorrect (and potentially broken) dependency resolution.
Environment:
- OS: macOS 11.2.3
- Node: 14.16.1
- npm: 7.11.2
Additional information:
This issue was raised because it causes issues in automatic dependencies update tools like Renovate, which are doing exactly what I described: updating the package.json and then doing an npm install.
See renovatebot/renovate#9561 for the Renovate issue, and cyrilletuzi/angular-async-local-storage#628 for a real world example, with npm logs.
Additional debug info:
Doing rm -rf node_modules && rm package-lock.json, then npm install works without errors or warnings.
Or doing npm install --force, then npm install has no more errors.
Meaning the peerDependencies are indeed respected and it should work in the first place. Seems like the presence of package-lock.json and/or node_modules results in an issue in correct dependencies resolution.
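
An added illustration, not part of the original report and not npm's or Arborist's resolution code: a simplified model of the exact-version peer pins that appear in the log above. In this model, any single package moved to 11.2.10 is rejected by a pin held by a still-installed 11.2.9 package, while the fully bumped set is self-consistent. The package data and the helper names (`bumpAll`, `brokenPins`, `consistent`) are constructed for illustration.

```javascript
// Simplified model of exact-version peer pins; not npm's or Arborist's resolver.
// All package data below is constructed to mirror the log in the report.
const EXACT = /^\d+\.\d+\.\d+$/;

const installed = {
  "@angular/core": { version: "11.2.9", peers: {} },
  "@angular/common": { version: "11.2.9", peers: { "@angular/core": "11.2.9" } },
  "@angular/platform-browser": {
    version: "11.2.9",
    peers: { "@angular/common": "11.2.9" },
  },
  "@angular/platform-browser-dynamic": {
    version: "11.2.9",
    peers: { "@angular/common": "11.2.9", "@angular/platform-browser": "11.2.9" },
  },
};

// Same tree with every version and every exact pin moved from `from` to `to`.
function bumpAll(tree, from, to) {
  const out = {};
  for (const [name, pkg] of Object.entries(tree)) {
    const peers = {};
    for (const [peer, range] of Object.entries(pkg.peers)) {
      peers[peer] = range === from ? to : range;
    }
    out[name] = { version: pkg.version === from ? to : pkg.version, peers };
  }
  return out;
}

// Packages in `tree` whose exact peer pin on `name` rejects `version`.
// Non-exact ranges (e.g. "^11.0.0 || ^12.0.0-next") are skipped: no semver parsing here.
function brokenPins(tree, name, version) {
  return Object.entries(tree)
    .filter(([, pkg]) => EXACT.test(pkg.peers[name] || "") && pkg.peers[name] !== version)
    .map(([dependent]) => dependent);
}

// True when every exact peer pin matches the version present in the tree.
function consistent(tree) {
  return Object.entries(tree).every(
    ([name, pkg]) => brokenPins(tree, name, pkg.version).length === 0
  );
}

const target = bumpAll(installed, "11.2.9", "11.2.10");
console.log(brokenPins(installed, "@angular/common", "11.2.10"));
console.log(consistent(installed), consistent(target));
```
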