[BUG] Multiple related packages install fail due to wrong peerDependencies resolution

[sarunint]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

Reopening #3171 (cc @cyrilletuzi)

(The content below is modified from #3171)

When having multiple packages relying on each others having the exact same version, trying to update them all via npm install fails when there is another package which loosely rely on them via "peerDependencies": "^x.x.x", due to npm7 erroneous resolution.

Real world example: Angular core packages are supposed to be installed with the exact same version, so for example @angular/common@12.1.1 has "peerDependencies": { "@angular/core": "12.1.1" } (note the exact version).

Until now everything is fine. You can update all versions to 12.2.1 in package.json, run npm install and it works.

But now add another package which relies on one of the core packages, for example @angular-devkit/build-angular@11.2.9 has a "peerDependencies": { "@angular/compiler-cli": "^11.0.0 || ^12.0.0-next" }.

Now if you update all versions to 11.2.10 in package.json and run npm install, it fails.

(The striketrough text issue has been solved in npm@7.20.3, as stated in #3171 (comment).)

This time, there are two more dependencies that become related in this, namely:

• @angular/animations@12.1.1. Similar to @angular/common@12.1.1, this package has "peerDependencies": { "@angular/core": "12.1.1" }
• ngx-clipboard@14.0.1, which is a clipboard library for Angular. This one has the following:

"peerDependencies": {
    "@angular/common": ">=10.0.0",
    "@angular/core": ">=10.0.0"
}

If you modify all 12.1.1 versions to 12.2.2 and run npm install, I get the following error:

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR!
npm ERR! While resolving: npm-test@0.0.0
npm ERR! Found: @angular/animations@12.1.1
npm ERR! node_modules/@angular/animations
npm ERR!   @angular/animations@"12.2.2" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! @angular/animations@"12.2.2" from the root project
npm ERR!
npm ERR! Conflicting peer dependency: @angular/core@12.2.2
npm ERR! node_modules/@angular/core
npm ERR!   peer @angular/core@"12.2.2" from @angular/animations@12.2.2
npm ERR!   node_modules/@angular/animations
npm ERR!     @angular/animations@"12.2.2" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /home/sarunint/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/sarunint/.npm/_logs/2021-08-19T20_20_01_099Z-debug.log

I've created test packages to try to debug this issue, and published them to my GitLab registry.

I also discovered that the order of the package names does matter, surprisingly! As you can see with my test packages, I've dedicated package-4 to ngx-clipboard in the above example, and package-{1,2,3} to 3 @angular/* packages, with all 6 permutations (order-{a,b,c,d,e,f}). It turns out that only permutation d and f does reproduce the issue.

Expected Behavior

npm install should work, as versions are correct and peerDependencies are respected.

Steps To Reproduce

1. mkdir npmissue
2. cd npmissue
3. echo "@sarunint:registry=https://gitlab.com/api/v4/projects/28910102/packages/npm/" > .npmrc
4. npm init -y
5. npm install -E @sarunint/order-f-package-1@1.0.0 @sarunint/order-f-package-2@1.0.0 @sarunint/order-f-package-3@1.0.0 @sarunint/order-f-package-4@1.0.0
6. Replace 1.0.0 with 1.0.1 for only first 3 packages.
7. npm install: should fail with following error:

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR!
npm ERR! While resolving: npmissue@1.0.0
npm ERR! Found: @sarunint/order-f-package-1@1.0.0
npm ERR! node_modules/@sarunint/order-f-package-1
npm ERR!   @sarunint/order-f-package-1@"1.0.1" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! @sarunint/order-f-package-1@"1.0.1" from the root project
npm ERR!
npm ERR! Conflicting peer dependency: @sarunint/order-f-package-3@1.0.1
npm ERR! node_modules/@sarunint/order-f-package-3
npm ERR!   peer @sarunint/order-f-package-3@"1.0.1" from @sarunint/order-f-package-1@1.0.1
npm ERR!   node_modules/@sarunint/order-f-package-1
npm ERR!     @sarunint/order-f-package-1@"1.0.1" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR! See /home/sarunint/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/sarunint/.npm/_logs/2021-08-19T19_47_04_754Z-debug.log

(You can try replace order-f with other variants. Only order-d and order-f will reproduce the issue.)

Environment

• OS: Arch
• Node: 14.17.5
• npm: 7.21.0

[KristenLeach]

I've updated npm to 7.23.0 and I am still seeing this error. Are there any updates?

[brandones]

The error is still present on 7.24.2. @sarunint 's reproduction is very easy to understand once you look at the code in the repository: https://gitlab.com/sarunint/npm-dependency-bug . Here's a diagram:

[OrangeDog]

I don't know if this is the same issue, but I appear to have a peer version of "*" being expanded into "0.0.0" and then failing?

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR!
npm ERR! While resolving: @angular-eslint/eslint-plugin@2.1.1
npm ERR! Found: eslint-plugin-jsdoc@36.1.0
npm ERR! node_modules/eslint-plugin-jsdoc
npm ERR!   dev eslint-plugin-jsdoc@"^36.1.0" from the root project
npm ERR!   peer eslint-plugin-jsdoc@"*" from @angular-eslint/eslint-plugin@2.1.1
npm ERR!   node_modules/@angular-eslint/eslint-plugin
npm ERR!     dev @angular-eslint/eslint-plugin@"^2.1.1" from the root project
npm ERR!     @angular-eslint/eslint-plugin@"2.1.1" from @angular-eslint/schematics@2.1.1
npm ERR!     node_modules/@angular-eslint/schematics
npm ERR!       dev @angular-eslint/schematics@"^2.1.1" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer eslint-plugin-jsdoc@"*" from @angular-eslint/eslint-plugin@2.1.1
npm ERR! node_modules/@angular-eslint/eslint-plugin
npm ERR!   dev @angular-eslint/eslint-plugin@"^2.1.1" from the root project
npm ERR!   @angular-eslint/eslint-plugin@"2.1.1" from @angular-eslint/schematics@2.1.1
npm ERR!   node_modules/@angular-eslint/schematics
npm ERR!     dev @angular-eslint/schematics@"^2.1.1" from the root project
npm ERR!
npm ERR! Conflicting peer dependency: eslint-plugin-jsdoc@0.0.0
npm ERR! node_modules/eslint-plugin-jsdoc
npm ERR!   peer eslint-plugin-jsdoc@"*" from @angular-eslint/eslint-plugin@2.1.1
npm ERR!   node_modules/@angular-eslint/eslint-plugin
npm ERR!     dev @angular-eslint/eslint-plugin@"^2.1.1" from the root project
npm ERR!     @angular-eslint/eslint-plugin@"2.1.1" from @angular-eslint/schematics@2.1.1
npm ERR!     node_modules/@angular-eslint/schematics
npm ERR!       dev @angular-eslint/schematics@"^2.1.1" from the root project

[lukekarrys]

Thanks for the thorough repro and explanation! This is definitely a bug, since it's a case npm should be able to resolve.

Another interesting thing I found when debugging this is that if I run the problematic install command with --force I get an identical package-lock.json as I get if I install them all at the same time. I'm going to dig into making this a test case in arborist so we can get this fixed.

echo "@sarunint:registry=https://gitlab.com/api/v4/projects/28910102/packages/npm/" > .npmrc

# reset everything
rm -rf node_modules/ package-lock.json package.json
npm init -y

# install the end result we want directly, this works
npm install -E @sarunint/order-f-package-1@1.0.1 @sarunint/order-f-package-2@1.0.1 @sarunint/order-f-package-3@1.0.1 @sarunint/order-f-package-4@1.0.0 --loglevel silly
cp package-lock.json this-was-successful.json

# reset everything again
rm -rf node_modules/ package-lock.json package.json
npm init -y

# install all 1.0.0
npm install -E @sarunint/order-f-package-1@1.0.0 @sarunint/order-f-package-2@1.0.0 @sarunint/order-f-package-3@1.0.0 @sarunint/order-f-package-4@1.0.0 --loglevel silly
# then install packages 1,2,3@1.0.1, but with force
npm install -E @sarunint/order-f-package-1@1.0.1 @sarunint/order-f-package-2@1.0.1 @sarunint/order-f-package-3@1.0.1 --force --loglevel silly
cp package-lock.json force.json

cmp this-was-successful.json force.json
# shows 0 since files are identical
echo $?

[OrangeDog]

And another, when attempting npm dedupe:

npm ERR! Conflicting peer dependency: typescript@4.4.3
npm ERR! node_modules/typescript
npm ERR!   peer typescript@"*" from @angular-eslint/builder@4.3.0
npm ERR!   node_modules/@angular-eslint/builder
npm ERR!     dev @angular-eslint/builder@"^4.3.0" from the root project

[jpage-godaddy]

Similar for me. There's a package def with a * version for jkl in peerDependencies, and despite the fact that a newer version of jkl is installed, the peerDependencies for the very earliest publish of jkl are being demanded. This is in npm@8.1.3.

» npm audit fix

npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR! 
npm ERR! While resolving: my-app@0.1.0
npm ERR! Found: react-intl@4.7.6
npm ERR! node_modules/react-intl
npm ERR!   peer react-intl@"^4.5.3" from abc@2102.0.4
npm ERR!   node_modules/abc
npm ERR!     peer abc@">=2002.0.0" from def@4.18.4
npm ERR!     node_modules/def
npm ERR!       def@"^4.18.0" from the root project
npm ERR!       1 more (ghi)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer react-intl@"^2.8.0" from jkl@2000.7.21
npm ERR! node_modules/jkl
npm ERR!   peer jkl@"*" from def@4.18.4
npm ERR!   node_modules/def
npm ERR!     def@"^4.18.0" from the root project
npm ERR!     1 more (ghi)

» npm ls jkl

my-app@0.1.0 /home/foo
└─┬ def@4.18.4
  └── jkl@2102.0.4

[TrevorKarjanis]

There are additional upstream reports with a similar failure in issues 21204 and 22365. This issue seems to be the closest I can find if they are indeed issues with npm. This time it errors reconciling @angular/compiler-cli@13.1.0 with @angular/compiler-cli@"^13.0.0 || ^13.1.0-next".

[e1himself]

I believe the issue I've reported here might be related too: #4104