Incompatible node-fetch version (peer dependency of addons-scanner-utils) #2576

Open
marekvospel opened this issue Dec 20, 2022 · 5 comments

@marekvospel

When installing web-ext with pnpm, I get the following warning:

 WARN  Issues with peer dependencies found
.
└─┬ web-ext 7.4.0
  └─┬ addons-linter 5.23.0
    └─┬ addons-scanner-utils 8.1.0
      └── ✕ unmet peer node-fetch@2.6.7: found 3.3.0 in web-ext

After removing the lockfile and installing again, this becomes an error:

ERR_PNPM_PEER_DEP_ISSUES  Unmet peer dependencies

What is the point of making node-fetch a peer dependency if only one version is allowed?
https://github.com/mozilla/addons-scanner-utils/blob/d87cb1b2377d1b1711697c0cf1de4d028af400c6/package.json#L23

Version information (for bug reports)

  • Firefox version: unnecessary
  • Your OS and version: Arch Linux 6.0.12-arch1-1
node --version && pnpm --version && web-ext --version
v18.6.0
7.9.0
7.4.0

@Rob--W
Member

Rob--W commented Jan 5, 2023

This error is not raised by npm nor yarn. Why would pnpm complain loudly about this when the other two package managers don't? I wonder whether this is an issue with pnpm instead of this library.

@marekvospel
Author

> This error is not raised by npm nor yarn. Why would pnpm complain loudly about this when the other two package managers don't? I wonder whether this is an issue with pnpm instead of this library.

This isn't an issue with pnpm; rather, I believe it is caused by how packages are hoisted. I do not know the internals of pnpm, however, so it might be caused by something else.

As I mentioned before though, what is the point of making node-fetch a peer dependency if only one version is allowed? Why isn't node-fetch a direct dependency, or why isn't a semver range used?

@willdurand
Member

> As I mentioned before though, what is the point of making node-fetch a peer dependency if only one version is allowed? Why isn't node-fetch a direct dependency, or why isn't a semver range used?

Because it is an optional peer dependency (and marked as such), part of the scanner-utils lib is irrelevant for addons-linter but used by other (internal) projects. These projects require the correct node-fetch version. And semver only works if package authors carefully follow the spec, which isn't always the case, hence why we restrict to a single version.
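
The warning in the first post and the explanation above, modelled as an added example (not code from pnpm, web-ext or anyone in this thread). It assumes the optional flag only excuses an absent peer, which matches the warning shown; the helper names, the manifest fragment and the 2.6.9 version are constructed for illustration.

```javascript
// Added illustration: a simplified model of a peer-dependency check, not pnpm's code.
// Supports only exact versions ("2.6.7") and caret ranges ("^2.6.7") with major >= 1.
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const [maj, min, pat] = version.split('.').map(Number);
  const [rMaj, rMin, rPat] = range.slice(1).split('.').map(Number);
  if (maj !== rMaj) return false;      // a caret range never crosses a major version
  if (min !== rMin) return min > rMin;
  return pat >= rPat;
}

// Assumption: "optional" only excuses a peer that is absent; a peer that is
// present at a non-matching version is still reported as unmet.
function checkPeers(manifest, resolved) {
  const meta = manifest.peerDependenciesMeta || {};
  return Object.entries(manifest.peerDependencies || {}).map(([name, range]) => {
    const found = resolved[name];
    const optional = Boolean(meta[name] && meta[name].optional);
    let status;
    if (found === undefined) status = optional ? 'absent-optional' : 'missing';
    else status = satisfies(found, range) ? 'ok' : 'unmet';
    return { name, range, found, optional, status };
  });
}

// Constructed manifest fragment modelled on what the thread states.
function scannerUtils(range) {
  return {
    name: 'addons-scanner-utils',
    peerDependencies: { 'node-fetch': range },
    peerDependenciesMeta: { 'node-fetch': { optional: true } },
  };
}

// Status of the node-fetch peer for a given declared range and installed version.
function statusFor(range, installed) {
  const resolved = installed ? { 'node-fetch': installed } : {};
  return checkPeers(scannerUtils(range), resolved)[0].status;
}

console.log('exact pin, 3.3.0 present:', statusFor('2.6.7', '3.3.0'));
console.log('exact pin, peer absent:  ', statusFor('2.6.7', null));
console.log('exact pin, 2.6.7 present:', statusFor('2.6.7', '2.6.7'));
console.log('caret, 2.6.9 present:    ', statusFor('^2.6.7', '2.6.9'));
console.log('caret, 3.3.0 present:    ', statusFor('^2.6.7', '3.3.0'));
```

In this model a caret range would still reject 3.3.0, because it is a different major version from 2.6.7.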

@marekvospel
Author

> > As I mentioned before though, what is the point of making node-fetch a peer dependency if only one version is allowed? Why isn't node-fetch a direct dependency, or why isn't a semver range used?
>
> Because it is an optional peer dependency (and marked as such), part of the scanner-utils lib is irrelevant for addons-linter but used by other (internal) projects. These projects require the correct node-fetch version. And semver only works if package authors carefully follow the spec, which isn't always the case, hence why we restrict to a single version.

I see, I didn't notice it was an optional dependency.

@rootCircle

I can confirm this occurs still too, but only with pnpm. I tried npm, yarn and bun, all three seem to work fine!
I want to ask if there are any updates on this. I think this might be related to mozilla/addons-scanner-utils#271. But I still also don't think there is any upstream activity to update deps there either.

Also, if you have any workarounds, then please share!
