-
Notifications
You must be signed in to change notification settings - Fork 3.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[BUG] peerDependencies not preferred over dependencies when both are present #7106
Comments
What I would expect in this case, and what I believe npm has always done, is to install the "dependencies" range, but if it does not agree with the peerDependencies range, Typically whenever I have a peer dep listed, I put the identical range either in deps, or devDeps. With your example, what does npm 6 do? Does it install |
It does the expected behavior, it looks like npm >= 7 regressed/changed things. The only extra module installed in
This isn't safe though. We want to have a pinned version specified as a safe, integration-tested default with the client able to install a greater version if they choose as long as it falls within the allowed semver range specified in |
It's quite safe; that's what a lockfile is for. Nothing should be pinned in package.json, ideally. |
What's allowed in All I'm trying to get across is that there are scenarios where they can't match and if you review the NPM RFC I linked in the OP (I know you were part of the conversation way back when but it's been a while), Isaac agreed that peer dependency entries should take precedence if both are specified. |
That wouldn't be nonsense in deps at all; I do exactly that quite often and it works fine. |
Ok, what about the second paragraph though. |
While I still feel that the dep/devDep range should be used for installation instead of the peerDep range, as I indicated in #7106 (comment), I do agree with you that the closed and accepted RFC you linked suggests that things should work as you indicated. |
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Here is a configuration for the styled-components package.json that I'm testing:
The design goal of this is to provide a dependency version specified by us, but allow it to be overridden by peerDependency in client projects if their installed version is greater than ours. Looking at this RFC that was closed as completed, it seems like this is meant to work in npm. However, both versions are currently installed. Here is an example repo demonstrating the current behavior: https://github.com/quantizor/styled-components-repro
I did an analysis of other package managers like yarn and pnpm, and they both seem to honor
peerDependencies
as an override overdependencies
if both are specified in a library being consumed by a client application.You can see this in action for the supplied reproduction repository by following these instructions after cloning:
node_modules
andpackage-lock.json
yarn install
node_modules/styled-components
that no extranode_modules
folder is addedExpected Behavior
If a package declared in both
dependencies
andpeerDependencies
,peerDependencies
should "win" if a compliant higher version is installed in the client application.Steps To Reproduce
cd
into the directorynpm i
node_modules/styled-components/node_modules
has a duplicated module forpostcss
(there is a higher version also installed atnode_modules/postcss
)Environment
The text was updated successfully, but these errors were encountered: