
[BUG] npm dedupe breaks dependencies with individual installs #1548

Closed
JacobLey opened this issue Jul 21, 2020 · 1 comment
Labels: Bug (thing that needs fixing), Release 6.x (work is associated with a specific npm 6 release)

Comments

@JacobLey

What / Why

npm dedupe is used to bring common modules down the dependency tree. It should not do it so much that it breaks any dependency though.

When installing packages one-by-one (e.g. npm install <package-name> rather than npm i) that share common sub-dependencies but require different versions, running npm dedupe afterwards breaks some dependencies.

The easiest way to show is by example. I have created a basic example package https://github.com/JacobLey/cli/tree/dedupeExample that is able to recreate errors.

The notable dependency tree looks like:

 dedup-example
├─┬ express-openapi-validator@3.16.7
│ └── path-to-regexp@6.1.0
└─┬ tar-dep@1.0.0
  └─┬ express@4.17.1
    └── path-to-regexp@0.1.7

(These packages have many other dependencies, but we are focusing on path-to-regexp here. It is my belief this is an issue with npm rather than any of these packages; it is just a combination that successfully recreates the issue.)

When

In the example repo, after running:

npm i
npm i tar-dep
npm dedupe

multiple dependency issues happen.

Skipping the explicit npm i tar-dep step prevents errors. Similarly, prior to npm dedupe, there are no detectable dependency issues.

Where

Example repo: https://github.com/JacobLey/cli/tree/dedupeExample
Go to dedupe-example directory

node --version -> v12.16.3
npm --version -> 6.14.5

How

Somehow breaking the install into several steps causes dedupe to screw up the dependency tree.

Current Behavior

See Why/When.
Running dedupe after explicit installs can break the dependency tree if there are sub-dependencies that must be different versions.

Steps to Reproduce

# from working cli directory
git remote add jacob-dedupe git@github.com:JacobLey/cli.git
git pull jacob-dedupe dedupeExample
git co dedupeExample
cd ./dedupe-example
./dedupe.sh

After the script has finished, inspect before-dedupe.txt and after-dedupe.txt for errors.

Expected Behavior

Assuming that all dependencies are already installed without error (before-dedupe.txt has no UNMET_DEPENDENCY errors), then npm dedupe should remove any "extraneous" packages, as well as pull packages down that do not cause a conflict.

References

https://docs.npmjs.com/cli/dedupe
https://docs.npmjs.com/cli/install
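
An added check, not code from the issue or from npm, that walks a node_modules-style tree in Node's lookup order (a package's own node_modules, then each ancestor's) and reports every dependency whose resolved version does not satisfy the declared range, i.e. the UNMET class of error the before/after files are inspected for. Package names and versions are taken from the issue's tree; the declared ranges and the post-dedupe layout are assumptions constructed to show the reported failure.

```javascript
const parse = (v) => v.split('.').map(Number);
// Minimal semver subset: exact "X.Y.Z" and caret "^X.Y.Z" (with the 0.x rule).
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const [maj, min, pat] = parse(version);
  const [rMaj, rMin, rPat] = parse(range.slice(1));
  if (maj !== rMaj || (rMaj === 0 && min !== rMin)) return false;
  return min > rMin || (min === rMin && pat >= rPat);
}

// Walk the tree. `chain` holds every ancestor directory's node_modules map, nearest
// first, which is the order Node searches when a package requires a module.
function findUnmet(pkg, chain = [], path = [pkg.name], out = []) {
  const scope = [pkg.node_modules, ...chain];
  for (const [dep, range] of Object.entries(pkg.dependencies)) {
    const found = scope.map((nm) => nm[dep]).find(Boolean);
    if (!found || !satisfies(found.version, range)) {
      out.push({ at: path.join(' > '), dep, range, found: found ? found.version : null });
    }
  }
  for (const child of Object.values(pkg.node_modules)) {
    findUnmet(child, scope, [...path, child.name], out);
  }
  return out;
}

// Constructed packages: names and versions are from the issue's tree, the
// declared ranges are assumptions (express pins 0.1.7, the validator wants ^6.1.0).
const pkg = (name, version, dependencies = {}, node_modules = {}) =>
  ({ name, version, dependencies, node_modules });
const ptr6 = pkg('path-to-regexp', '6.1.0');
const ptr0 = pkg('path-to-regexp', '0.1.7');
const validator = (nm) => pkg('express-openapi-validator', '3.16.7', { 'path-to-regexp': '^6.1.0' }, nm);
const express = (nm) => pkg('express', '4.17.1', { 'path-to-regexp': '0.1.7' }, nm);
const tarDep = (nm) => pkg('tar-dep', '1.0.0', { express: '^4.17.1' }, nm);
const rootDeps = { 'express-openapi-validator': '^3.16.7', 'tar-dep': '^1.0.0' };
// Tree as the issue's `npm ls` shows it before dedupe: each consumer keeps its own copy.
const beforeDedupe = pkg('dedup-example', '1.0.0', rootDeps, {
  'express-openapi-validator': validator({ 'path-to-regexp': ptr6 }),
  'tar-dep': tarDep({ express: express({ 'path-to-regexp': ptr0 }) }),
});
// Constructed tree of the failure class reported: one copy hoisted to the root,
// the nested copy express needed is gone, so express now resolves 6.1.0.
const afterDedupe = pkg('dedup-example', '1.0.0', rootDeps, {
  'path-to-regexp': ptr6,
  'express-openapi-validator': validator({}),
  'tar-dep': tarDep({ express: express({}) }),
});
console.log(findUnmet(beforeDedupe), findUnmet(afterDedupe)); // [] and one unmet entry
```

Pointing `findUnmet` at a tree read from a real node_modules directory (each package.json's `dependencies` plus its nested node_modules) gives the same before/after comparison the issue's dedupe.sh performs.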

darcyclarke added the Release 6.x and Bug labels on Oct 30, 2020
@darcyclarke (Contributor)

npm v6 is no longer in active development; we will continue to push security releases to v6 at our team's discretion, as per our Support Policy.

If your bug is reproducible on v7, please re-file this issue using our new issue template.

If your issue was a feature request, please consider opening a new RRFC or RFC. If your issue was a question or other idea that was not CLI-specific, consider opening a discussion on our feedback repo.

Closing: This is an automated message.
