[BUG] npm possibly installs wrong dependencies #7300

Open
2 tasks done
doberkofler opened this issue Mar 20, 2024 · 2 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x

Comments

@doberkofler
Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Based on the discussion with the maintainer of the typescript-eslint project in the SR typescript-eslint/typescript-eslint#8732, npm 10.5.0 wrongly resolves a dependency.

If you check the version listed in ./node_modules/@typescript-eslint/utils/package.json it should be v7
If it's v5 then double check ./node_modules/typescript-eslint - it should contain its own ./node_modules/@typescript-eslint/utils which is v7.
If you don't have a v7 version of the utils package - then that's the cause - npm is doing the wrong thing.

Expected Behavior

No response

Steps To Reproduce

Install:

{
	"name": "test",
	"type": "commonjs",
	"devDependencies": {
		"@eslint/js": "8.57.0",
		"cross-env": "7.0.3",
		"eslint": "8.57.0",
		"eslint-plugin-jest": "27.9.0",
		"typescript": "5.4.2",
		"typescript-eslint": "7.3.1"
	}
}

Environment

  • npm: 10.5.0
  • Node.js: 20.11.0
  • OS Name: macOS
  • System Model Name: Macbook Pro
  • npm config:
//registry.npmjs.org/:_authToken = (protected)
audit = false
fund = false
@doberkofler doberkofler added Bug thing that needs fixing Needs Triage needs review for next steps Release 10.x labels Mar 20, 2024
@milaninfy
milaninfy commented Mar 20, 2024

@doberkofler I tried to replicate the issue and ran npm ls @typescript-eslint/utils which appears to be correct and looks like it's not a problem with npm.

└─┬ eslint-plugin-jest@27.9.0
  ├─┬ @typescript-eslint/eslint-plugin@7.3.1
  │ ├─┬ @typescript-eslint/type-utils@7.3.1
  │ │ └── @typescript-eslint/utils@7.3.1
  │ └── @typescript-eslint/utils@7.3.1
  └── @typescript-eslint/utils@5.62.0

@bradzacher
bradzacher commented Mar 20, 2024

What you've got is the following:

  • typescript-eslint@7.3.1 has a dependency on @typescript-eslint/eslint-plugin@7.3.1
  • eslint-plugin-jest@27.9.0 has a peer dependency on @typescript-eslint/eslint-plugin@^7.0.0
  • eslint-plugin-jest@27.9.0 has a dependency on @typescript-eslint/utils@^5.10.0
  • @typescript-eslint/eslint-plugin@7.3.1 has a dependency on @typescript-eslint/utils@7.3.1
  • @typescript-eslint/eslint-plugin@7.3.1 has a dependency on @typescript-eslint/type-utils@7.3.1
  • @typescript-eslint/type-utils@7.3.1 has a dependency on @typescript-eslint/utils@7.3.1

So we can see that @typescript-eslint/utils@7.3.1 is depended on twice and @typescript-eslint/utils@^5.10.0 is depended on once.

So I would expect an install that looks like this:

  • node_modules
    • @typescript-eslint/eslint-plugin@7.3.1
    • @typescript-eslint/utils@7.3.1
    • typescript-eslint@7.3.1
    • eslint-plugin-jest@27.9.0
      • @typescript-eslint/utils@5.62.0

I.e. npm installs the most commonly depended-on version at the root to have the smallest install.

But instead you get this install:

  • node_modules
    • @typescript-eslint/eslint-plugin@7.3.1
      • @typescript-eslint/utils@7.3.1
    • @typescript-eslint/type-utils@7.3.1
      • @typescript-eslint/utils@7.3.1
    • @typescript-eslint/utils@5.62.0
    • typescript-eslint@7.3.1
    • eslint-plugin-jest@27.9.0

I.e. npm has installed the least commonly depended-on version at the root and has the largest install.

This seems like incorrect behaviour - npm is preferring the install with most duplication by default.

For comparison:

  • yarn@1.19.1 installs the second, deduplicated install
  • yarn@3.7.0 (with nodeLinker: node-modules) installs the second, deduplicated install
  • pnpm@8.15.5
    • with node-linker=hoisted - installs the second, deduplicated install
    • with node-linker=isolated - installs the first, duplicated install
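
Added example, not part of the thread and not npm's or typescript-eslint's code: a small model of Node's `node_modules` lookup that shows which copy of `@typescript-eslint/utils` each dependent listed above would load under the two layouts discussed, plus the failure case from the report where no v7 copy exists. The helper names (`nm`, `resolveFrom`, `satisfies`, `audit`) and the layout objects are hypothetical and constructed; the range check is a simplification that handles only exact versions and `^` ranges with major version 1 or higher.

```javascript
// Constructed model: each layout maps an on-disk path of a utils copy to its version.
const UTILS = '@typescript-eslint/utils';
const nm = (...pkgs) => pkgs.map((p) => 'node_modules/' + p).join('/');

// Packages that depend on UTILS, with the ranges listed in the thread.
const dependents = {
  [nm('eslint-plugin-jest')]: '^5.10.0',
  [nm('@typescript-eslint/eslint-plugin')]: '7.3.1',
  [nm('@typescript-eslint/type-utils')]: '7.3.1',
};

// v5 at the root, v7 nested under each package that needs it (three copies).
const nestedV7 = {
  [nm(UTILS)]: '5.62.0',
  [nm('@typescript-eslint/eslint-plugin', UTILS)]: '7.3.1',
  [nm('@typescript-eslint/type-utils', UTILS)]: '7.3.1',
};
// v7 at the root, v5 nested under eslint-plugin-jest (two copies).
const hoistedV7 = { [nm(UTILS)]: '7.3.1', [nm('eslint-plugin-jest', UTILS)]: '5.62.0' };
// Failure case from the report: no v7 copy anywhere.
const missingV7 = { [nm(UTILS)]: '5.62.0' };

// Node's lookup: try <dir>/node_modules/<name>, then each parent directory in turn.
function resolveFrom(layout, fromPath, name) {
  const parts = fromPath.split('/');
  for (let i = parts.length; i >= 0; i--) {
    if (parts[i - 1] === 'node_modules') continue; // never node_modules/node_modules
    const candidate = [...parts.slice(0, i), 'node_modules', name].join('/');
    if (candidate in layout) return { path: candidate, version: layout[candidate] };
  }
  return null;
}

// Simplified range check (assumption): exact versions and ^ ranges with major >= 1 only.
function satisfies(version, range) {
  if (!range.startsWith('^')) return version === range;
  const [M, m, p] = range.slice(1).split('.').map(Number);
  const [vM, vm, vp] = version.split('.').map(Number);
  return vM === M && (vm > m || (vm === m && vp >= p));
}

// For every dependent, report which copy it would load and whether that copy is in range.
function audit(layout) {
  const results = Object.entries(dependents).map(([dep, range]) => {
    const hit = resolveFrom(layout, dep, UTILS);
    return { dep, range, resolved: hit && hit.version, ok: !!hit && satisfies(hit.version, range) };
  });
  return { copies: Object.keys(layout).length, ok: results.every((r) => r.ok), results };
}
```

Both `nestedV7` and `hoistedV7` give every dependent an in-range copy and differ only in the number of copies on disk; `missingV7` makes the two v7 dependents load 5.62.0. On a real install, `npm ls @typescript-eslint/utils` reports the same information.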
