npm Community Forum (Archive)

git dependencies with #semver: don't seem to resolve and dedup correctly

What I Wanted to Do

If you use ssh+git://url#semver: in two different projects, they won’t dedup unless the versions specified in the #semver: are exactly the same.

What Happened Instead

Two identical copies of a module are installed. Even ‘npm dedup’ does not remove the copy.

Reproduction Steps

Take a look at this example I set up:
There are three small projects (p1, p2, p3).
p1 is on version 1.0.2 and has a git tag “v1.0.2” pointing to that version.

p2 depends on p1 using the following:
“p1”: “git+^1.0.0

p3 depends on p1 and p2 using the following:
“p1”: “git+^1.0.1”,
“p2”: “git+^1.0.0

If you clone p3 ( and call “npm install”, you will see that p1@1.0.2 is repeated twice. That means both “p1.git#semver:^1.0.1” and “p1.git#semver:^1.0.0” correctly resolve to the “v1.0.2” tag of p1, but p1 is duplicated in the tree. Even calling “npm dedup” does not remove it.

However, if p3’s package.json references p1 in exactly the same way as p2, using the following, p1 is deduped properly:
“p1”: “git+^1.0.0”,

Seems like semantic versioning is not properly applied to these dependencies.


Platform Info

$ npm --versions
{ p3: '1.0.0',
  npm: '6.4.1',
  ares: '1.15.0',
  cldr: '34.0',
  http_parser: '2.8.0',
  icu: '63.1',
  modules: '67',
  napi: '3',
  nghttp2: '1.34.0',
  node: '11.3.0',
  openssl: '1.1.0j',
  tz: '2018e',
  unicode: '11.0',
  uv: '1.23.2',
  v8: '',
  zlib: '1.2.11' }

$ node -p process.platform

I made a PR:
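
One way to spot the duplication described in this report from a lockfile, added here as an example (not part of the original post and not npm's own code): it walks an npm 6 style package-lock.json (lockfileVersion 1) and lists any package installed at the same resolved version in more than one place. The lockfile object, the host name and the commit placeholder are constructed, and the function names are hypothetical.

```javascript
// Added example: find packages that a v1 package-lock.json installs more than
// once at the same resolved version (the symptom described in the post).
// The lockfile below is constructed; host, paths and commit id are placeholders.
const lock = {
  name: 'p3',
  lockfileVersion: 1,
  dependencies: {
    p1: {
      version: 'git+ssh://git@example.invalid/p1.git#COMMIT_PLACEHOLDER',
      from: 'git+ssh://git@example.invalid/p1.git#semver:^1.0.1',
    },
    p2: {
      version: 'git+ssh://git@example.invalid/p2.git#COMMIT_PLACEHOLDER',
      from: 'git+ssh://git@example.invalid/p2.git#semver:^1.0.0',
      requires: { p1: 'git+ssh://git@example.invalid/p1.git#semver:^1.0.0' },
      dependencies: {
        p1: {
          version: 'git+ssh://git@example.invalid/p1.git#COMMIT_PLACEHOLDER',
          from: 'git+ssh://git@example.invalid/p1.git#semver:^1.0.0',
        },
      },
    },
  },
};

// Walk the nested "dependencies" maps and record every install location,
// keyed by package name plus resolved version (for git deps: URL#commit).
function collectInstalls(node, path = [], seen = new Map()) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    const key = `${name}@${dep.version}`;
    if (!seen.has(key)) seen.set(key, []);
    seen.get(key).push({ path: here.join(' > '), from: dep.from || null });
    collectInstalls(dep, here, seen);
  }
  return seen;
}

// Report identical name@version pairs that occupy more than one location.
function findDuplicates(lockfile) {
  return [...collectInstalls(lockfile)]
    .filter(([, installs]) => installs.length > 1)
    .map(([key, installs]) => ({ key, installs }));
}

for (const { key, installs } of findDuplicates(lock)) {
  console.log(`duplicate ${key}`);
  for (const i of installs) console.log(`  at ${i.path} (from ${i.from})`);
}
```

Differing `from` specs on entries that share one resolved version are the signature of this report: two semver ranges picked the same commit, yet each kept its own copy.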