fix: corrects peer dependency flag propagation #8579
Merged
owlstronaut merged 1 commit into latest from Sep 19, 2025
Contributor
@owlstronaut I've confirmed that this fixes my simple repro here ...
Contributor
The fix also works in our internal repos whose installs failed under
Member
Thank you so much for reviewing this @jenseng it really helps when folks with domain knowledge do this.
wraithgar
reviewed
Sep 18, 2025
wraithgar
reviewed
Sep 19, 2025
| "integrity": "sha512-UlLAnTPrFdNGoFtbSXwcGFQBtQZJCNjaN6hQNP3UPvuNXT1i82N26KL3dZeIpNalWywr9IuQuncaAfUaS1g6sQ==", | ||
| "dev": true, | ||
| "license": "MIT", | ||
| "peer": true, |
Member
Just wanted to double check some of these and the very first one is good. This is being correctly flagged as a peer, from `npm explain @babel/core@7.28.0`:
```
peer @babel/core@"^7.0.0" from @babel/helper-module-transforms@7.27.3
```
wraithgar
approved these changes
Sep 19, 2025
wraithgar
pushed a commit
that referenced
this pull request
Oct 13, 2025
- reverts pruning added in #8431, which incorrectly prunes deps flagged as `peer` and `optional` - these flags don't mean that this node is an optional peer!
- reverts much of #8579, which I think mistakenly changed peer dep calculation logic
- rewrites calcDepFlags
- adds logic to avoid unsetting `extraneous` when following optional peer edges (how #8431 should have been fixed)
- updates my prev fix to avoid looking for missing optional peer deps (`if ((!edge.to && edge.type !== 'peerOptional') || !edge.valid) {`)
- refactors dep flag unsetting and resetting into Node methods
- removes `shake out Link target timing issue` test, which was testing code [removed](2db6c08#diff-6778dbd4bbfddaeb827a8d2aa7248d4c9b329229f69e407d5fd487abe16dd942L333) a while back
- avoids omitting flaky `selflink` fixture when writing snapshots

Fixes #8535
fbezagu
added a commit
to betagouv/anssi-demain-specialiste-cyber
that referenced
this pull request
Nov 17, 2025
...GitHub now uses the new version of node (24.11.1) and npm (11.6.2), which introduces a fix in dependency resolution. (npm/cli#8579) This fix introduced a bug in our dependency installation (with @parcel/watcher not found).
cmenon12
added a commit
to Capgemini/gov-prototype-by-prompt
that referenced
this pull request
Nov 27, 2025
This release corrects the peer dependency flag propagation. See https://docs.npmjs.com/cli/v11/using-npm/changelog#1161-2025-09-23 and npm/cli#8579
domoscargin
added a commit
to alphagov/govuk-design-system
that referenced
this pull request
Dec 8, 2025
We've recently updated to Node 24, using at least npm v11.6.0. In npm v11.6.1, there was some work to improve the tagging of dependencies with `"peer": true`. npm/cli#8579 This PR updates our package-lock.json file to reflect these changes by running: 1. `nvm use` 2. `npm install`
lfdebrux
added a commit
to alphagov/forms-runner
that referenced
this pull request
Dec 11, 2025
There was a bug in npm v11.6.0 and prior that would mark dependencies as peer dependencies incorrectly (see npm/cli#8579). This was fixed in v11.6.1 (see the [npm changelog]), but it seems that at some point our package lockfile was updated with incorrectly marked peer dependencies, and now when we run `npm install` on our machines with the latest version of npm it updates the package lockfile to remove the marks, leading to noise in git. This commit updates the package lockfile with the (hopefully) correct peer dependency marks. I don't think we need to worry about Dependabot changing things back, as looking at the logs of a [recent Dependabot run] it looks like that is now using npm v11.6.2. [npm changelog]: https://github.com/npm/cli/blob/latest/CHANGELOG.md#1161-2025-09-23 [recent Dependabot run]: https://github.com/alphagov/forms-runner/actions/runs/20049289324/job/57501554830
lfdebrux
added a commit
to alphagov/forms-admin
that referenced
this pull request
Dec 11, 2025
There was a bug in npm v11.6.0 and prior that would mark dependencies as peer dependencies incorrectly (see npm/cli#8579). This was fixed in v11.6.1 (see the [npm changelog]), but it seems that at some point our package lockfile was updated with incorrectly marked peer dependencies, and now when we run `npm install` on our machines with the latest version of npm it updates the package lockfile to remove the marks, leading to noise in git. This commit updates the package lockfile with the (hopefully) correct peer dependency marks. I don't think we need to worry about Dependabot changing things back, as looking at the logs of a [recent Dependabot run] it looks like that is now using npm v11.6.2. [npm changelog]: https://github.com/npm/cli/blob/latest/CHANGELOG.md#1161-2025-09-23 [recent Dependabot run]: https://github.com/alphagov/forms-runner/actions/runs/20049289324/job/57501554830
lfdebrux
added a commit
to alphagov/forms-product-page
that referenced
this pull request
Dec 11, 2025
There was a bug in npm v11.6.0 and prior that would mark dependencies as peer dependencies incorrectly (see npm/cli#8579). This was fixed in v11.6.1 (see the [npm changelog]), but it seems that at some point our package lockfile was updated with incorrectly marked peer dependencies, and now when we run `npm install` on our machines with the latest version of npm it updates the package lockfile to remove the marks, leading to noise in git. This commit updates the package lockfile with the (hopefully) correct peer dependency marks. I don't think we need to worry about Dependabot changing things back, as looking at the logs of a [recent Dependabot run] it looks like that is now using npm v11.6.2. [npm changelog]: https://github.com/npm/cli/blob/latest/CHANGELOG.md#1161-2025-09-23 [recent Dependabot run]: https://github.com/alphagov/forms-runner/actions/runs/20049289324/job/57501554830
Summary

Fixes peer dependency flag propagation in npm's dependency resolution system by correcting how `"peer": true` flags are calculated and applied.

Problem

Peer dependency flags were inconsistently and incorrectly calculated, leading to incorrect or missing `"peer": true` flags in the ideal tree, which could cause dependency resolution issues.

#8431 revealed a number of bugs, the worst of which appears to be that many packages in an ideal tree were marked peer when they shouldn't have been. If they were also optional, they were being removed by this pruning. This is my attempt to make a forward-fix instead of reverting the aforementioned correct but also (through no fault of its own) disruptive PR #8431.

This doesn't solve the problem of legitimate peerOptionals being uninstallable even with `npm i <peer-optional-package>`. It both makes sense for that to be pruned, but also for people that do it to have it either install or warn them. Right now it silently moves along. We could allow it to not be pruned that 1 time by using `explicitRequests`, but would subsequently be pruned on further installs.

Related:
#8464
#8431
#8489
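
Several downstream commits referenced above regenerate `package-lock.json` because the `"peer": true` marks changed after this fix. The following added example (not npm's code and not part of this PR) separates lockfile entries whose only change is a flag from entries whose version, integrity or other fields changed, so a reviewer can tell flag churn from a real dependency change. It assumes the lockfile v3 `packages` map and the flag keys `dev`, `optional`, `devOptional` and `peer`; the function names and both sample lockfiles are constructed.

```javascript
// Added example, not npm's code; names and sample data are constructed.
const FLAGS = ['dev', 'optional', 'devOptional', 'peer'];

// Key-order-independent serialization, so reordered fields do not count as changes.
const canonical = (value) => JSON.stringify(value, (_key, v) =>
  v && typeof v === 'object' && !Array.isArray(v)
    ? Object.fromEntries(Object.keys(v).sort().map((k) => [k, v[k]]))
    : v);

// Split a lockfile entry into the flags it sets and every other field.
function splitEntry(entry) {
  const flags = FLAGS.filter((f) => entry[f] === true);
  const rest = Object.fromEntries(Object.entries(entry).filter(([k]) => !FLAGS.includes(k)));
  return { flags, rest };
}

// Compare the `packages` maps of two parsed package-lock.json objects.
function classifyLockfileDiff(oldLock, newLock) {
  const oldPkgs = oldLock.packages || {}, newPkgs = newLock.packages || {};
  const report = { flagOnly: [], substantive: [] };
  for (const path of [...new Set([...Object.keys(oldPkgs), ...Object.keys(newPkgs)])].sort()) {
    const [before, after] = [oldPkgs[path], newPkgs[path]];
    if (!before || !after) {
      report.substantive.push({ path, change: before ? 'removed' : 'added' });
      continue;
    }
    const [a, b] = [splitEntry(before), splitEntry(after)];
    if (canonical(a.rest) !== canonical(b.rest)) {
      report.substantive.push({ path, change: 'modified' });
      continue;
    }
    const changed = FLAGS.filter((f) => a.flags.includes(f) !== b.flags.includes(f));
    if (changed.length) report.flagOnly.push({ path, changed });
  }
  return report;
}

// Constructed lockfiles: `a` loses only its peer flag, `b` changes integrity.
const pkg = (version, integrity, flags = {}) => ({ version, integrity, ...flags });
const OLD_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/a': pkg('1.0.0', 'sha512-CONSTRUCTED-A', { dev: true, peer: true }),
  'node_modules/b': pkg('2.0.0', 'sha512-CONSTRUCTED-B'),
  'node_modules/c': pkg('3.0.0', 'sha512-CONSTRUCTED-C', { optional: true }) } };
const NEW_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/a': pkg('1.0.0', 'sha512-CONSTRUCTED-A', { dev: true }),
  'node_modules/b': pkg('2.0.0', 'sha512-CONSTRUCTED-B2'),
  'node_modules/d': pkg('4.0.0', 'sha512-CONSTRUCTED-D') } };
console.log(JSON.stringify(classifyLockfileDiff(OLD_LOCK, NEW_LOCK), null, 2));
```

Entries reported under `substantive` are the ones to review by hand; an entry whose fields and flags both changed is counted there, not under `flagOnly`.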