
package peerDependencies are written into the lock file as if they were dependencies.

Open ZakaryCode opened this issue 1 year ago • 1 comments

Verify latest release

  • [X] I verified that the issue exists in the latest pnpm release

pnpm version

version 7, 8, 9

Which area(s) of pnpm are affected? (leave empty if unsure)

Lockfile, Package manager compatibility

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

Rely on a dependency in the project that includes peerDependencies configuration.

Project
|-- dependencies
|-- A: 1.0.0
|    |-- peerDependencies
|    |-- B: 1.0.0-beta.75
|-- B: 1.0.0-beta.75

Sorry, the verification project includes internal dependencies, so providing a link would not work properly either.

Describe the Bug

Because B relies on being set as A's dependency in the lock file, rather than depending on it from the project directory, if we link B's dependency in the project, A's dependencies will still use the installed dependencies rather than the linked B dependency.

Expected Behavior

When there is a clearly declared B dependency in the project dependencies, A's peerDependencies should not be locked into dependencies.

Which Node.js version are you using?

18.19.1

Which operating systems have you used?

  • [X] macOS
  • [ ] Windows
  • [ ] Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response

ZakaryCode avatar May 20 '24 03:05 ZakaryCode

This problem can be circumvented with afterAllResolved, but it is still a bug in pnpm and should be fixed!

// .pnpmfile.cjs
module.exports = {
  hooks: {
    // Runs once resolution is complete, before the lockfile is written
    afterAllResolved: async (lockfile) => {
      Object.values(lockfile.packages || {}).forEach(pkg => {
        Object.keys(pkg.peerDependencies || {}).forEach(name => {
          if (pkg.dependencies && pkg.dependencies[name]) {
            // Drop pnpm's peer-resolution suffix, e.g. "1.0.0(react@18.2.0)" -> "1.0.0"
            const version = pkg.dependencies[name].replace(/\(.+\)/g, '')
            // Only remove the entry when it duplicates the peer spec exactly
            if (version === pkg.peerDependencies[name]) {
              delete pkg.dependencies[name]
            }
          }
        })
      })
      return lockfile
    }
  }
}

ZakaryCode avatar May 21 '24 06:05 ZakaryCode
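The hook above, factored into a pure function over a lockfile-shaped object so its effect can be checked offline (an added example, not code from the thread or from pnpm; the lockfile fragment is constructed and the function names are my own). It keeps the posted exact-match rule, so a range peer such as ^1.7 against a locked 1.6.8 is reported rather than removed.

```javascript
// Strip pnpm's peer-resolution suffix so the locked version can be compared
// with the peer spec, e.g. "1.0.0-beta.75(react@18.2.0)" -> "1.0.0-beta.75".
function stripPeerSuffix(version) {
  return version.replace(/\(.+\)$/, '');
}

// Return a copy of the lockfile in which no package lists, under dependencies,
// a name it also declares as a peer dependency with exactly the same version.
// Ranges such as "^1.7" are not matched (same rule as the posted hook); those
// entries are left in place and listed under `kept` for review.
function pruneLockedPeers(lockfile) {
  const out = { ...lockfile, packages: {} };
  const removed = [];
  const kept = [];
  for (const [id, pkg] of Object.entries(lockfile.packages || {})) {
    const deps = { ...(pkg.dependencies || {}) };
    for (const [name, spec] of Object.entries(pkg.peerDependencies || {})) {
      if (!(name in deps)) continue;
      const version = stripPeerSuffix(deps[name]);
      if (version === spec) {
        delete deps[name];
        removed.push(`${id} -> ${name}@${version}`);
      } else {
        kept.push(`${id} -> ${name}@${version} (peer wants ${spec})`);
      }
    }
    out.packages[id] = { ...pkg, dependencies: deps };
  }
  return { lockfile: out, removed, kept };
}

// Constructed lockfile fragment: the A/B layout from the issue plus the
// axios range case from the later comment.
const sampleLockfile = {
  packages: {
    'A@1.0.0': {
      peerDependencies: { B: '1.0.0-beta.75' },
      dependencies: { B: '1.0.0-beta.75(react@18.2.0)', C: '2.0.0' },
    },
    'my-private-package@3.0.0': {
      peerDependencies: { axios: '^1.7' },
      dependencies: { axios: '1.6.8' },
    },
  },
};

// Stand-alone run prints the pruned lockfile and the two report lists
console.log(pruneLockedPeers(sampleLockfile));
```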

I have this problem as well on 9.15.3. A peer dependency of a package would be axios ^1.7 for instance, and I only depend on the package, not axios. I already had axios 1.6 installed from a previous version of the same package, and upgrading to a new version would give me:

 WARN  Issues with peer dependencies found
.
└─┬ my-private-package
  ├── ✕ unmet peer axios@^1.7: found 1.6.8
  └── ✕ unmet peer uuid@^11: found 9.0.1

If I remove the lockfile and reinstall everything, it correctly resolves to version 1.7 of axios (and puts that in the lockfile).

nickdnk avatar Jan 16 '25 23:01 nickdnk