[BUG] Can't dedupe deps in workspaces/links with lockfiles #4285

Open
ruyadorno opened this issue Mar 11, 2021 · 3 comments
Labels
Bug thing that needs fixing Priority 2 secondary priority issue ws:arborist Related to the arborist workspace

Comments

@ruyadorno
Contributor

What / Why

When trying to deduplicate versions of a module in a linked dependency, running npm install will not work as expected.

When

Given a package with a dep@ conflicting with a dep@ in a linked dependency, e.g.:

root
├──  abbrev@^1.1.1
└─┬  file:a
  └── abbrev@=1.0.3

Updating a/package.json to list a dependency on abbrev@^1.0.0 will not result in a deduplicated install tree.

How

Before manually deduping dep

commit b2e106eedb40119c12e33a893e417f3763a7edcc
Author: Ruy Adorno <ruyadorno@hotmail.com>
Date:   Thu Mar 11 15:23:02 2021 -0500

    Added duplicate versions

diff --git a/a/package.json b/a/package.json
new file mode 100644
index 0000000..3de068e
--- /dev/null
+++ b/a/package.json
@@ -0,0 +1,7 @@
+{
+  "name": "a",
+  "version": "1.0.0",
+  "dependencies": {
+    "abbrev": "=1.0.3"
+  }
+}
diff --git a/package-lock.json b/package-lock.json
new file mode 100644
index 0000000..abd3fd5
--- /dev/null
+++ b/package-lock.json
@@ -0,0 +1,59 @@
+{
+  "name": "dedupe-after-lock",
+  "version": "1.0.0",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {
+    "": {
+      "version": "1.0.0",
+      "license": "MIT",
+      "dependencies": {
+        "a": "file:a",
+        "abbrev": "^1.1.1"
+      }
+    },
+    "a": {
+      "version": "1.0.0",
+      "dependencies": {
+        "abbrev": "=1.0.3"
+      }
+    },
+    "a/node_modules/abbrev": {
+      "version": "1.0.3",
+      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.0.3.tgz",
+      "integrity": "sha1-qgScln+ZkiKqQuFENPDFYu9GgkE=",
+      "engines": {
+        "node": "*"
+      }
+    },
+    "node_modules/a": {
+      "resolved": "a",
+      "link": true
+    },
+    "node_modules/abbrev": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
+      "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
+    }
+  },
+  "dependencies": {
+    "a": {
+      "version": "file:a",
+      "requires": {
+        "abbrev": "=1.0.3"
+      },
+      "dependencies": {
+        "abbrev": {
+          "version": "1.0.3",
+          "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.0.3.tgz",
+          "integrity": "sha1-qgScln+ZkiKqQuFENPDFYu9GgkE="
+        }
+      }
+    },
+    "abbrev": {
+      "version": "1.1.1",
+      "resolved": "https://registry.npmjs.org/abbrev/-/abbrev-1.1.1.tgz",
+      "integrity": "sha512-nne9/IiQ/hzIhY6pdDnbBtz7DjPTKrY00P/zvPSm5pOFkl6xuGrGnXn/VtTNNfNtAfZ9/1RtehkszU9qcTii0Q=="
+    }
+  }
+}
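Review bot: the two abbrev 1.0.3 entries in this new lockfile (`a/node_modules/abbrev` under `packages` and the nested `abbrev` under `dependencies.a`) are the only ones whose `integrity` is a `sha1-` value, while both 1.1.1 entries carry `sha512-`. As long as the nested copy stays locked, the tree keeps a tarball that is checked only against SHA-1, so these entries should be dropped once `a` no longer requires `=1.0.3` rather than carried forward.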
diff --git a/package.json b/package.json
index 8af937d..4ccb1bf 100644
--- a/package.json
+++ b/package.json
@@ -1,12 +1,16 @@
 {
   "name": "dedupe-after-lock",
   "version": "1.0.0",
   "description": "",
   "main": "index.js",
   "scripts": {
     "test": "echo \"Error: no test specified\" && exit 1"
   },
   "keywords": [],
   "author": "Ruy Adorno <ruyadorno@hotmail.com> (https://ruyadorno.com/)",
-  "license": "MIT"
+  "license": "MIT",
+  "dependencies": {
+    "a": "file:a",
+    "abbrev": "^1.1.1"
+  }
 }

After manually trying to dedupe and running npm install

commit 723ef71520be1ae358ad68b6379405c776fb140b
Author: Ruy Adorno <ruyadorno@hotmail.com>
Date:   Thu Mar 11 15:24:41 2021 -0500

    Deduplicate range definitions

diff --git a/a/package.json b/a/package.json
index 3de068e..6cb97f1 100644
--- a/a/package.json
+++ b/a/package.json
@@ -2,6 +2,6 @@
   "name": "a",
   "version": "1.0.0",
   "dependencies": {
-    "abbrev": "=1.0.3"
+    "abbrev": "^1.0.0"
   }
 }
diff --git a/package-lock.json b/package-lock.json
index abd3fd5..b099fe9 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15,7 +15,7 @@
     "a": {
       "version": "1.0.0",
       "dependencies": {
-        "abbrev": "=1.0.3"
+        "abbrev": "^1.0.0"
       }
     },
     "a/node_modules/abbrev": {
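Review bot: only the range under `a` changes in the `packages` section, and the trailing context line `"a/node_modules/abbrev": {` shows the nested 1.0.3 entry is still locked. The 1.1.1 copy at `node_modules/abbrev` already satisfies `^1.0.0`, so a deduplicated lockfile would delete that entry in this hunk.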
@@ -40,7 +40,7 @@
     "a": {
       "version": "file:a",
       "requires": {
-        "abbrev": "=1.0.3"
+        "abbrev": "^1.0.0"
       },
       "dependencies": {
         "abbrev": {
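Review bot: the `dependencies` section has the same gap, since `requires.abbrev` under `a` becomes `^1.0.0` while the `"dependencies": {` / `"abbrev": {` block right after it is unchanged context. Both sections should lose the nested abbrev together; a regression test for this report could assert that neither contains an abbrev entry under `a` after the install.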

Expected Behavior

I expect running npm install OR npm dedupe after manually tweaking dep version ranges in my package.json files to produce a deduplicated install tree.

@fritzy fritzy transferred this issue from npm/arborist Jan 20, 2022
@fritzy fritzy added Needs Triage needs review for next steps ws:arborist Related to the arborist workspace labels Jan 20, 2022
@fritzy fritzy changed the title [BUG] Can't dedupe deps in workspaces/links with lockfiles [BUG](arborist) Can't dedupe deps in workspaces/links with lockfiles Jan 20, 2022
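One way to detect the leftover duplicate described in the report, as an added example that is not part of the issue or of npm's own code: it scans a lockfile's `packages` map for nested copies whose owner's range is already satisfied by the hoisted copy. The helper names `satisfies` and `findDedupable` are hypothetical, and the sample object is constructed from the lockfile shown in the issue, with integrity fields omitted.

```javascript
// Constructed sample: the issue's `packages` map after a/package.json was
// changed to ^1.0.0 and npm install left the nested copy in place.
const lock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { a: "file:a", abbrev: "^1.1.1" } },
    "a": { version: "1.0.0", dependencies: { abbrev: "^1.0.0" } },
    "a/node_modules/abbrev": { version: "1.0.3" },
    "node_modules/a": { resolved: "a", link: true },
    "node_modules/abbrev": { version: "1.1.1" },
  },
};

// Minimal matcher for the two range forms in the issue (=x.y.z, and ^x.y.z
// with x >= 1). An assumption of this example; real tooling should use the
// semver package instead.
function satisfies(version, range) {
  const v = version.split(".").map(Number);
  const r = range.replace(/^[=^]/, "").split(".").map(Number);
  if (!range.startsWith("^")) return v.join(".") === r.join(".");
  if (v[0] !== r[0]) return false;
  return v[1] > r[1] || (v[1] === r[1] && v[2] >= r[2]);
}

// Report each nested copy <owner>/node_modules/<name> whose owner's declared
// range is also satisfied by the copy hoisted at node_modules/<name>.
// Assumes the owner directory sits under the project root, as `a` does here,
// so the hoisted copy is reachable by Node's module resolution.
function findDedupable(lockfile) {
  const pkgs = lockfile.packages;
  const marker = "/node_modules/";
  const out = [];
  for (const [path, entry] of Object.entries(pkgs)) {
    const i = path.lastIndexOf(marker);
    if (i === -1) continue; // root, link targets and hoisted entries
    const owner = path.slice(0, i);
    const name = path.slice(i + marker.length);
    const range = (pkgs[owner]?.dependencies || {})[name];
    const hoisted = pkgs["node_modules/" + name];
    if (!range || !hoisted || hoisted.link) continue;
    if (satisfies(hoisted.version, range)) {
      out.push({ path, locked: entry.version, range, hoisted: hoisted.version });
    }
  }
  return out;
}

console.log(findDedupable(lock));
```

Run against the lockfile from the first commit, where `a` still requires `=1.0.3`, the function returns an empty list because the nested copy is genuinely needed.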
@glen-84

glen-84 commented Feb 13, 2022

Is this the same reason why I have:

api@ D:\Programming\Projects\x\v4\api
├─┬ @x/type-graphql-extensions@1.0.0 -> .\..\type-graphql-extensions
│ ├─┬ graphql-parse-resolve-info@4.12.0
│ │ └── graphql@15.8.0
├── graphql@15.8.0

(simplified)

After running dedupe?

This is a big issue, since graphql fails to run when more than one version exists:

Ensure that there is only one instance of "graphql" in the node_modules directory.

Is there any workaround?

@ruyadorno ruyadorno added Priority 2 secondary priority issue and removed Needs Triage needs review for next steps labels Mar 1, 2022
@ruyadorno ruyadorno changed the title [BUG](arborist) Can't dedupe deps in workspaces/links with lockfiles [BUG] Can't dedupe deps in workspaces/links with lockfiles Mar 1, 2022
@ruyadorno ruyadorno added the Bug thing that needs fixing label Mar 1, 2022
@glen-84

glen-84 commented Apr 3, 2022

@ruyadorno Is there a workaround for this issue? I'm quite blocked by not being able to dedupe graphql.

@glen-84

glen-84 commented Apr 17, 2022

I wonder if this will be fixed by #4745.
