`npm dedupe` after `npm install --global-style` dedupes incorrectly

What I Wanted to Do

I have a package whose dependencies were previously installed with --global-style. Among these dependencies, some reference different version of a specific dependency. I want to dedupe my package and expect everything to resolve correctly.

What Happened Instead

Some sub-dependencies are deduped and eventually resolved incorrectly. An example minimal repo will be provided.

Reproduction Steps

  1. Clone https://github.com/IanSavchenko/npm-dedupe-issue - it has a minimal package.json with two git dependencies.
{
  "dependencies": {
    "aws-util-firecloud": "git://github.com/tobiipro/aws-util-firecloud.git#semver:~1.5.5",
    "lodash-firecloud": "git://github.com/tobiipro/lodash-firecloud.git#semver:~0.2.0"
  }
}
  1. Run
npm install

(it will use global style, as set in .npmrc)

npm list --depth=0

should show something like

dedupe_test@1.0.0 /Users/isao/code/test/dedupe_test
├── aws-util-firecloud@1.5.6 (git://github.com/tobiipro/aws-util-firecloud.git#64585a405f3ec2217e3d3ef13c0395e8f236e05c)
└── lodash-firecloud@0.2.15 (git://github.com/tobiipro/lodash-firecloud.git#a62de48dfa114035e700474d6cd82290c667b1f4)
  1. Run npm dedupe - dependency tree gets flattened

  2. Check node_modules/lodash_firecloud/package.json - it has version 0.2.15, as per root package.json (~0.2.0) - CORRECT

  3. Check node_modules/minlog/package.json - it has a dependency on lodash-firecloud to be ~0.3.0, but instead does not have node_modules dir included, so will use the one from root node_modules - WRONG.

Note: minlog is a dependency of aws-util-firecloud

  1. Check node_modules/aws-util-firecloud/package.json - it has a dependency on lodash-firecloud to be ~0.3.1. Then it gets correctly resolved from node_modules/aws-util-firecloud/node_modules/lodash-firecloud and has version 0.3.15 - CORRECT

Details

One thing that can be noted: running npm install without global style ends up installing packages correctly.

Platform Info

$ npm --versions
{
  dedupe_test: '1.0.0',
  npm: '6.9.0',
  ares: '1.15.0',
  brotli: '1.0.7',
  cldr: '35.1',
  http_parser: '2.8.0',
  icu: '64.2',
  llhttp: '1.1.1',
  modules: '72',
  napi: '4',
  nghttp2: '1.38.0',
  node: '12.1.0',
  openssl: '1.1.1b',
  tz: '2019a',
  unicode: '12.1',
  uv: '1.28.0',
  v8: '7.4.288.21-node.16',
  zlib: '1.2.11'
}
$ node -p process.platform
darwin