npm does not dupe modules after install causing invalid node_modules tree #5465

Raynos opened this Issue Jun 11, 2014 · 3 comments

2 participants


When you npm install a module A, npm install may dedupe any of module A's dependencies if they already exist in the node_modules tree.

Now if you were to install a newer version of the deduped module in the tree npm does not go and find all the locations where it deduped the module deeper in the tree and install the old version if its a semver range mismatch


cd ~/tmp
mkdir foobar
cd foobar
npm init
npm i negotiator@0.2.5 -S
npm i st -S
npm i negotiator@latest -S
npm ls
echo $?; 1

Expected output

any npm install --save should not cause an npm ls to fail after the install. (assuming npm ls worked before the install)

Suggested fix

  • we can update npm install {{module}}@version so that it searches the entire dependency tree (based on package.json, not node_modules) for all references to {{module}}. We can then manually check that each referenced range matches the new version and if it does not invoke npm install {{module}}@range in that location in the node_modules tree
  • we can remove the deduping feature from npm install

cc @isaacs @othiym23


Other suggested fix:

  • make npm ls point very concretely at the problem. it just says invalid negotiator without saying that "there is a conflict between st and negotiator".

Also @isaacs this is an example of dependency hell, we are not supposed to have version conflicts ever.

@iarna iarna added this to the multi-stage install milestone Sep 19, 2014
@iarna iarna added the bug label Sep 19, 2014
npm member

This is going to be fixed by #6912 and #6913. As such, I'm going to close this ticket and any further discussion should occur in them.

@iarna iarna closed this Dec 12, 2014
@iarna iarna locked and limited conversation to collaborators Jun 24, 2015
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.