Allow certain packages to be excluded from fixers and the check

[gluxon]

Hey @ocavue, I'm hoping to roll this tool out to my team. Thanks for making it!

One problem we hit pretty quickly was a significant typing change in a minor version of @types/lodash. After pnpm-deduplicate removed earlier versions of @types/lodash from our monorepo, I spent a few hours attempting to update the existing code for these changes. Finishing this out would be a multi-day effort.

I'd like to require pnpm-deduplicate check to pass on CI before builds are merged into the main branch. This would prevent developers from introducing further duplicates in pnpm-lock.yaml while we handle the existing duplicates.

Would adding an ignore config for certain dependencies be reasonable?

[gluxon]

Using json5 to allow comments in the new config file. I'd like to write the reason some packages are excluded from the fixer/check.

[gluxon]

Let me know if we should just use runtypes or ajv. Avoided that since it can be a large dependency, but maybe it's worthwhile to have.

[gluxon]

There's a bit of duplicate code between listDuplicates and fixDuplicates. Is that something we'd want to factor out?

[ocavue]

If you just write this fixed version number of @types/lodash in your package.json (i.e. without the ^ prefix), does pnpm-deduplicate produce the correct result?

[gluxon]

That would probably work locally. What if it's desirable to publish with the ^ version specifier though? We could use publishConfig, but I think that config would get out of sync easily as developers forget to update it.

There's also the case of dependencies that only appear in the dependency graph through non-direct transitive dependencies. In that case it'd be difficult (or hacky at the last) to rewrite those version specifiers since they're not declared in package.json files checked into the repo.

[ocavue]

If you see type declarations as part of an API, then it is the fault of @types/lodash for releasing a minor version with breaking changes. If you know that a package does not follow semantic versioning, it's not a good idea to use the ^ specifier, even for a public package. For example, if your public package relies on @types/lodash@^4.0.0, then someone who installs your package will get the latest version of @types/lodash, which could lead to type errors because the type declarations in your package don't match the ones in the most recent @types/lodash.

If the packages only appear in the dependency graph through non-direct transitive dependencies, then pnpm.overrides should be able to fix the issue.

(I do know that It's generally more difficult to maintain backward compatibility for TS declarations than JS implementations. Therefore, it's common for a minor version update to include type declaration breaking changes, especially for @types/* packages, since the declaration and the implementation are maintained by different people.)

I view pnpm-deduplicate as a temporary solution to the lack of a built-in pnpm dedupe command, and I don't want to exceed the scope of pnpm dedupe. Since yarn dedupe and npm dedupe don't have a --ignored option, it's unlikely that pnpm dedupe will have this option, so I think pnpm-deduplicate should not have it either. But I am grateful for you using this project and submitting a pull request.

[gluxon]

You made a good point that yarn dedupe and npm dedupe do not have an --ignored option, and it's unlikely the eventual pnpm dedupe command would either. I see how this PR conflicts with the goal of the repo given those factors.

Thanks for explaining politely and thoroughly. Appreciate the work you've done to create this CLI as-is. 🙂