[BUG] npm dedupe is not running during npm install #1179

Closed
trusktr opened this issue Apr 20, 2020 · 4 comments

trusktr commented Apr 20, 2020

❯ npm -v
6.14.4

What

I ran npm install in a project, then my npm ls output showed:

❯ npm ls solid-js
@lume/create@ /home/trusktr/src/lume+create
├─┬ @lume/[email protected]
│ ├─┬ @lume/[email protected]
│ │ └── [email protected] 
│ └── [email protected] 
└── [email protected] 

Notice it does not say deduped anywhere.

Then I had to manually run npm dedupe for things to be deduped:

❯ npm dedupe
removed 2 packages and audited 1254 packages in 0.798s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

❯ npm ls solid-js
@lume/create@ /home/trusktr/src/lume+create
├─┬ @lume/[email protected]
│ ├─┬ @lume/[email protected]
│ │ └── [email protected]  deduped
│ └── [email protected]  deduped
└── [email protected] 

And now deduped appeared in the npm ls output.

Steps to Reproduce

I am unable to reproduce at the moment, but what I described above is exactly what I observed.

If I encounter it again, I will come back.

Expected Behavior

npm install should dedupe things.


ljharb commented Apr 20, 2020

Deduping isn't always a safe operation; npm install shouldn't dedupe by default. If you want that, run npm ci.


trusktr commented Apr 20, 2020

@ljharb The reason I can't reproduce this at the moment is because npm install (and npm install @lume/package if I start without that package listed in package.json) are actually deduping by default. It seems like it does dedupe by default, just as I always have expected. But I'm not sure why in the above case it didn't (just this one time).

If I start without @lume/element in my package.json, the following output shows that npm does dedupe by default like I normally expect (except the one time I reported above):

❯ npm i
added 136 packages from 120 contributors and audited 1222 packages in 1.482s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities


❯ npm ls solid-js
@lume/create@ /home/trusktr/src/npm+cli
└── (empty)


❯ npm i @lume/element
+ @lume/[email protected]
added 17 packages from 30 contributors and audited 1253 packages in 2.878s

2 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities


❯ npm ls solid-js
@lume/create@ /home/trusktr/src/npm+cli
└─┬ @lume/[email protected]
  ├─┬ @lume/[email protected]
  │ └── [email protected]  deduped
  └── [email protected]

Note the deduped.

That's always the case. Otherwise I'd have run into many issues by now with libs exporting singletons (React, Solid, etc).


trusktr commented Apr 20, 2020

If npm install behaves significantly differently than npm ci in deduping vs not deduping, that'll cause headaches.


trusktr commented Apr 20, 2020

Anywho, npm is back to normal, deduping things as I normally expect, so I'll just close this for now.
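
One way to check for the condition in the first `npm ls` output above (several physical copies of one package in the tree) directly from the lockfile, as an added example that is not part of the thread and not npm's own code. It assumes a `lockfileVersion` 1 `package-lock.json` as npm 6 writes it; the lock objects, the `nested-dep` name and every version number are constructed placeholders.

```javascript
// Added example (not from the issue thread). Input shape: package-lock.json with
// lockfileVersion 1 (npm 6); a copy that was not hoisted nests under its parent.

// Walk the lock tree and record every physical copy of every package.
function collectCopies(lock) {
  const copies = new Map(); // name -> [{ path, version }]
  const walk = (deps, parents) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...parents, name];
      if (!copies.has(name)) copies.set(name, []);
      copies.get(name).push({ path: path.join(' > '), version: meta.version });
      walk(meta.dependencies, path);
    }
  };
  walk(lock.dependencies, []);
  return copies;
}

// Packages installed more than once; sameVersion marks identical copies.
function findDuplicates(lock) {
  const report = [];
  for (const [name, list] of collectCopies(lock)) {
    if (list.length < 2) continue;
    const versions = new Set(list.map((c) => c.version));
    report.push({ name, copies: list, sameVersion: versions.size === 1 });
  }
  return report;
}

// Constructed lock data; "nested-dep" and all versions are placeholders.
const notDeduped = {
  lockfileVersion: 1,
  dependencies: {
    'solid-js': { version: '0.0.1' },
    '@lume/element': {
      version: '0.0.1',
      dependencies: {
        'solid-js': { version: '0.0.1' },
        'nested-dep': { version: '0.0.1', dependencies: { 'solid-js': { version: '0.0.1' } } },
      },
    },
  },
};
const deduped = { lockfileVersion: 1, dependencies: { 'solid-js': { version: '0.0.1' }, '@lume/element': { version: '0.0.1' } } };

for (const d of findDuplicates(notDeduped)) {
  console.log(`${d.name}: ${d.copies.length} copies, same version: ${d.sameVersion}`);
  d.copies.forEach((c) => console.log(`  ${c.path} @ ${c.version}`));
}
```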
