This repository has been archived by the owner on Aug 11, 2022. It is now read-only.

npm does not dupe modules after install causing invalid node_modules tree #5465

Closed
Raynos opened this issue Jun 11, 2014 · 3 comments

Raynos commented Jun 11, 2014

When you npm install a module A, npm install may dedupe any of module A's dependencies if they already exist in the node_modules tree.

Now if you were to install a newer version of the deduped module in the tree, npm does not go and find all the locations where it deduped the module deeper in the tree and install the old version if it's a semver range mismatch.

Example

cd ~/tmp
mkdir foobar
cd foobar
npm init
npm i negotiator@0.2.5 -S
npm i st -S
npm i negotiator@latest -S
npm ls
echo $?  # prints 1 because npm ls failed

Expected output

Any npm install --save should not cause an npm ls to fail after the install (assuming npm ls worked before the install).

Suggested fix

  • We can update npm install {{module}}@version so that it searches the entire dependency tree (based on package.json, not node_modules) for all references to {{module}}. We can then manually check that each referenced range matches the new version and, if it does not, invoke npm install {{module}}@range in that location in the node_modules tree.
  • We can remove the deduping feature from npm install.

cc @isaacs @othiym23

Raynos commented Jun 11, 2014

cc @domenic

Raynos commented Aug 15, 2014

Other suggested fix:

  • Make npm ls point very concretely at the problem. It just says invalid negotiator without saying that "there is a conflict between st and negotiator".

Also, @isaacs, this is an example of dependency hell; we are not supposed to have version conflicts ever.
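
Added example, not part of the original thread and not npm's own code: a check over an in-memory dependency tree that resolves each declared dependency upward the way Node does and names which package requires which range, the kind of report the comments above ask for. The tree shape, `sampleTree`, `satisfies`, `findInvalid`, and every version and range other than negotiator@0.2.5 are assumptions made for illustration.

```javascript
// Constructed sample of the tree left by the three installs in the issue.
// All versions and ranges except negotiator@0.2.5 are assumed for illustration.
function sampleTree(rootNegotiator) {
  const leaf = (name, version, dependencies = {}) =>
    ({ name, version, dependencies, node_modules: {} });
  return {
    name: 'foobar', version: '0.0.0',
    dependencies: { negotiator: rootNegotiator, st: '0.5.0' },
    node_modules: {
      negotiator: leaf('negotiator', rootNegotiator),
      // st's copy of negotiator was deduped away, so it resolves upward.
      st: leaf('st', '0.5.0', { negotiator: '~0.2.5' }),
    },
  };
}

const parse = (v) => v.split('.').map(Number);
// Minimal matcher: exact, ~x.y.z and ^x.y.z only (no prerelease, ||, or x-ranges).
function satisfies(version, range) {
  const op = /^[~^]/.test(range) ? range[0] : '';
  const lo = parse(range.slice(op.length));
  const v = parse(version);
  if (op === '') return v.every((n, i) => n === lo[i]);
  const i = v.findIndex((n, k) => n !== lo[k]);
  if (i !== -1 && v[i] < lo[i]) return false; // below the lower bound
  // ~ pins major.minor; ^ pins up to the leftmost non-zero component.
  const fixed = op === '~' ? 2 : lo[0] > 0 ? 1 : lo[1] > 0 ? 2 : 3;
  return lo.slice(0, fixed).every((n, k) => n === v[k]);
}

// Resolve each declared dependency the way Node does (nearest node_modules
// first, then each ancestor's) and report who requires what and what was found.
function findInvalid(pkg, ancestors = [], path = pkg.name) {
  const chain = [pkg, ...ancestors];
  const problems = [];
  for (const [dep, range] of Object.entries(pkg.dependencies)) {
    const owner = chain.find((p) => dep in p.node_modules);
    const found = owner ? owner.node_modules[dep].version : null;
    if (found === null || !satisfies(found, range)) {
      problems.push({ requiredBy: path, dep, range, found });
    }
  }
  for (const child of Object.values(pkg.node_modules)) {
    problems.push(...findInvalid(child, chain, `${path} > ${child.name}`));
  }
  return problems;
}
console.log(findInvalid(sampleTree('0.4.0')));
```

Running the same check before and after an install in CI catches a tree where a package silently resolves to a version outside the range it declared.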

iarna commented Dec 12, 2014

This is going to be fixed by #6912 and #6913. As such, I'm going to close this ticket and any further discussion should occur in them.

@iarna iarna closed this as completed Dec 12, 2014
@npm npm locked and limited conversation to collaborators Jun 24, 2015