Sinon 9.0.0 installs duplicate dependencies

[asapach]

Describe the bug
sinon@9.0.0 depends on @sinonjs/formatio@5.0.0 directly, but also on @sinonjs/formatio@4.0.1 transitively via nise. Similar for @sinonjs/samsam@5.0.1 and @sinonjs/samsam@4.2.2

To Reproduce
Steps to reproduce the behavior:

1. npm i -D sinon
2. npm ls
3. See output and notice that not all packages have been deduped.

`-- sinon@9.0.0
  +-- @sinonjs/commons@1.7.1
  | `-- type-detect@4.0.8
  +-- @sinonjs/fake-timers@6.0.0
  | `-- @sinonjs/commons@1.7.1 deduped
  +-- @sinonjs/formatio@5.0.0    <--here
  | +-- @sinonjs/commons@1.7.1 deduped
  | `-- @sinonjs/samsam@4.2.2    <--here
  |   +-- @sinonjs/commons@1.7.1 deduped
  |   +-- lodash.get@4.4.2 deduped
  |   `-- type-detect@4.0.8 deduped
  +-- @sinonjs/samsam@5.0.1    <--here
  | +-- @sinonjs/commons@1.7.1 deduped
  | +-- lodash.get@4.4.2
  | `-- type-detect@4.0.8 deduped
  +-- diff@4.0.2
  +-- nise@4.0.1
  | +-- @sinonjs/commons@1.7.1 deduped
  | +-- @sinonjs/fake-timers@6.0.0 deduped
  | +-- @sinonjs/formatio@4.0.1    <--here
  | | +-- @sinonjs/commons@1.7.1 deduped
  | | `-- @sinonjs/samsam@4.2.2    <--here
  | |   +-- @sinonjs/commons@1.7.1 deduped
  | |   +-- lodash.get@4.4.2 deduped
  | |   `-- type-detect@4.0.8 deduped
  | +-- @sinonjs/text-encoding@0.7.1
  | +-- just-extend@4.0.2
  | `-- path-to-regexp@1.8.0
  |   `-- isarray@0.0.1
  `-- supports-color@7.1.0
    `-- has-flag@4.0.0

Expected behavior
There should be no duplicate dependencies.

• Library version: 9.0.0

[fatso83]

Does this cause issues for you? Although we do try to keep these versions in sync, there is strictly speaking no need to. One downside is that browser builds might be a tad bit larger, but it's not a library that is included for production builds anyway, so ... 🤷‍♂

[asapach]

It does not present any immediate issues, other than the inconvenience of wasted resources, but in the future it could produce inconsistent results since those package versions will eventually deviate.

[mroderick]

In the PRs listed above, I've updated the libraries that Sinon depends on, so they can be deduped properly.

When installing Sinon, I now see this:

$ npm ls
scratch@1.0.0 /Users/morgan/code/scratch
└─┬ sinon@9.0.0
  ├─┬ @sinonjs/commons@1.7.1
  │ └── type-detect@4.0.8
  ├─┬ @sinonjs/fake-timers@6.0.0
  │ └── @sinonjs/commons@1.7.1 deduped
  ├─┬ @sinonjs/formatio@5.0.1
  │ ├── @sinonjs/commons@1.7.1 deduped
  │ └── @sinonjs/samsam@5.0.2 deduped
  ├─┬ @sinonjs/samsam@5.0.2
  │ ├── @sinonjs/commons@1.7.1 deduped
  │ ├── @sinonjs/formatio@5.0.1 deduped
  │ ├── lodash.get@4.4.2
  │ └── type-detect@4.0.8 deduped
  ├── diff@4.0.2
  ├─┬ nise@4.0.2
  │ ├── @sinonjs/commons@1.7.1 deduped
  │ ├── @sinonjs/fake-timers@6.0.0 deduped
  │ ├── @sinonjs/formatio@5.0.1 deduped
  │ ├── @sinonjs/text-encoding@0.7.1
  │ ├── just-extend@4.0.2
  │ └─┬ path-to-regexp@1.8.0
  │   └── isarray@0.0.1
  └─┬ supports-color@7.1.0
    └── has-flag@4.0.0

[asapach]

@mroderick, thanks for addressing this. I've left a comment in the nise repo

[fatso83]

it could produce inconsistent results

I am not convinced of this. Each package depends on a separate version, and runs tests against that version, so no surprises should happen. And it has never occurred AFAIK this far in the history of Sinon. So yeah, wasted resourced (2kb) is the only thing that could present a minor nuisance AFAIK.

[mantoni]

There is a potential issue with matchers. The isMatcher detection is based on the matcher prototype and that's a different instance for different versions. So if there is a case where isMatcher is called on one version of samsam with a matcher created by another version, the check would fail.