
[BUG] npm install in workspace root installs optional peer dependencies of workspace package dependencies

Open bradbarrow opened this issue 4 years ago • 3 comments

Current Behaviour:

See Steps to Reproduce for details.

When running npm install in the root of a project with workspaces configured, duplicate versions of react are installed because npm installs the version that one of my packages depends on directly AND a version of react that is an optional peer dependency of one of my package's dependencies, resulting in:

  • [email protected] is installed in /root/node_modules/react
  • [email protected] is installed in /root/apps/next-js-app/node_modules/react

Running the app with npm run dev results in React errors from duplicate versions of react.

Expected Behavior:

react@17 satisfies my next app's own dependency AND the peer dependency of @apollo/client and thus only:

[email protected] is installed in /root/node_modules/react

Steps To Reproduce:

I've provided the following reproduction example: https://github.com/bradbarrow/npm-peer-deps-workspaces

Run npm install in the root of that repository and note the duplicate versions of react with npm list react.

OR follow the full reproduction steps below:

  1. Create a workspace root in /root with a workspace config "workspaces": ["apps/*"]
  2. Create a NextJS app in the apps/next-js-app directory
  3. Add react@17 to the package.json of the NextJS app
  4. Add react-dom@17 to the package.json of the NextJS app
  5. Add @apollo/[email protected] to the package.json of the NextJS app
  6. Note that @apollo/[email protected] has an optional peerDependency of "react": "^16.8.0 || ^17.0.0"
  7. Run npm install in the root of the project

Environment:

  • OS: MacOSX 10.13.6
  • Node: 14.15.4
  • npm: 7.5.2

bradbarrow avatar Feb 05 '21 05:02 bradbarrow

@bradbarrow can you try to reproduce on the latest version of npm? (i.e. npm i -g npm)

darcyclarke avatar Feb 26 '21 19:02 darcyclarke

I believe I'm seeing this same behavior with npm v8.9.0.

@bradbarrow Did you end up finding a workaround for this?

jamesbvaughan avatar May 06 '22 00:05 jamesbvaughan

Update: The below might be the expected result for a peer dependency stated with an exact version (e.g. 1.1.0 instead of ^1.1.0).

Original message

I’m pretty sure I’m seeing this behavior with v10.5.2.

I have [email protected] appear in my lock file as a direct dependency of workspace-1. A corresponding lock file entry for node_modules/[email protected] exists. package-a appears a few more times as a peer dependency on a generally different (older) version in some of my workspaces’ dependencies (e.g. in workspace-2). For this version, additional lock file entries for packages/workspace-2/node_modules/[email protected] are created.

As a consequence, in those workspaces, the module resolution finds the older version of package-a ([email protected]).

In this case, the peer dependency isn’t missing; it’s already installed because a workspace package directly depends on it. Why is npm installing two versions of this package?

Seeing that npm dedupe package-a doesn’t remove the duplicated entry, it looks like npm thinks the entry is required to satisfy workspace-2’s peer dependency.

kleinfreund avatar Apr 15 '24 11:04 kleinfreund
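
The duplicate installs reported in this thread can be found directly in the lock file. The following is an added example, not code from any commenter or from npm: it scans the `packages` map of a package-lock.json (lockfileVersion 2 or 3) for names installed at more than one version and lists which entries declare that name as a peer dependency. The sample lock file is constructed; `lib-x` and all version numbers in it are made up for illustration.

```javascript
// Added example: report packages a lock file installs at more than one version,
// together with the entries that declare them as a (possibly optional) peer.

// The package name is whatever follows the last "node_modules/" in a lock file key.
function nameFromKey(key) {
  const marker = 'node_modules/';
  const i = key.lastIndexOf(marker);
  return i === -1 ? null : key.slice(i + marker.length);
}

function findDuplicateInstalls(lock) {
  const installs = new Map(); // name -> [{ path, version }]
  const peers = new Map();    // name -> [{ by, range, optional }]
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const meta = entry.peerDependenciesMeta || {};
    for (const [peer, range] of Object.entries(entry.peerDependencies || {})) {
      if (!peers.has(peer)) peers.set(peer, []);
      const optional = Boolean(meta[peer] && meta[peer].optional);
      peers.get(peer).push({ by: key, range, optional });
    }
    const name = nameFromKey(key);
    if (!name || entry.link) continue; // skip root, workspace folders, symlinks
    if (!installs.has(name)) installs.set(name, []);
    installs.get(name).push({ path: key, version: entry.version });
  }
  const report = [];
  for (const [name, copies] of installs) {
    const versions = new Set(copies.map((c) => c.version));
    if (versions.size > 1) {
      report.push({ name, copies, peerDeclaredBy: peers.get(name) || [] });
    }
  }
  return report.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample: package names follow the last comment, versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'root', workspaces: ['packages/*'] },
    'packages/workspace-1': { name: 'workspace-1', dependencies: { 'package-a': '^2.0.0' } },
    'packages/workspace-2': { name: 'workspace-2', dependencies: { 'lib-x': '^1.0.0' } },
    'node_modules/workspace-1': { resolved: 'packages/workspace-1', link: true },
    'node_modules/workspace-2': { resolved: 'packages/workspace-2', link: true },
    'node_modules/package-a': { version: '2.0.0' },
    'packages/workspace-2/node_modules/lib-x': { version: '1.0.0', peerDependencies: { 'package-a': '1.1.0' } },
    'packages/workspace-2/node_modules/package-a': { version: '1.1.0', peer: true },
  },
};

console.log(JSON.stringify(findDuplicateInstalls(sampleLock), null, 2));
```

To check a real project, pass the parsed lock file instead of `sampleLock`, for example `findDuplicateInstalls(JSON.parse(fs.readFileSync('package-lock.json', 'utf8')))`. Each reported name is a package that has to be audited and patched at every listed version.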