[BUG] Incorrect dependency version in mono repo

[Klaasvaak]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

I originally posted this issue in Astro because I thought it was an Astro issue, but I think this is an npm issue.

Describe the Bug
In my mono repo using npm I have 2 apps:
apps/demo
apps/documentation

The documentation app uses astro with react, I followed the steps from the Astro documentation. This should use react version 19.
The demo app uses create react app with react version 17.

When I run the documentation app I get the error

Missing "./server.js" specifier in "react-dom" package

When I run npm ls react-dom in the root of my mono repo I get the following result showing astrojs/react is using react-dom version 17 instead of 19.

root
├─┬ demo@14.1.1 -> ./apps/demo
│ ├── react-dom@17.0.2
│ └─┬ react-router-dom@6.29.0
│   └── react-dom@17.0.2 deduped
└─┬ documentation@0.0.1 -> ./apps/documentation
  ├─┬ @astrojs/react@4.2.0
  │ └── react-dom@17.0.2 deduped
  └── react-dom@19.0.0

I added an overrides to my root package.json:

"overrides": {
    "@astrojs/react": {
      "react": "^19.0.0",
      "react-dom": "^19.0.0",
      "@types/react": "^19.0.10",
      "@types/react-dom": "^19.0.4"
    }
  }

Now when running npm ls react I get:

root
├─┬ demo@14.1.1 -> ./apps/demo
│ ├── react-dom@17.0.2 overridden
│ └─┬ react-router-dom@6.29.0
│   └── react-dom@17.0.2 deduped
└─┬ documentation@0.0.1 -> ./apps/documentation
  ├─┬ @astrojs/react@4.2.0 overridden
  │ └── react-dom@17.0.2 deduped invalid: "^19.0.0" from node_modules/@astrojs/react
  └── react-dom@19.0.0

None of this seem to solve the error. Any ideas?

Link to Minimal Reproducible Example
https://stackblitz.com/edit/github-bqrrwddb?file=package.json

Note about the stackblitz demo. I wasn't able to fully reproduce this, I'm not getting the error but I do get unexpected react-dom version when running npm ls react-dom in the root:

my-monorepo@ /home/projects/github-bqrrwddb
+-- demo@0.1.0 -> ./apps/demo
| `-- react-dom@17.0.2
`-- documentation@0.0.1 -> ./apps/documentation
  +-- @astrojs/react@4.2.0
  | `-- react-dom@18.3.1
  `-- react-dom@19.0.0

Expected Behavior

Use the correct react version.

Steps To Reproduce

1. https://stackblitz.com/edit/github-bqrrwddb?file=package.json
2. npm ls react-dom
3. See react-dom version is not as expected

Environment

• npm: 10.9.2
• Node.js: v22.14.0
• OS Name: MacOS
• System Model Name: Macbook Pro 2024

[revelt]

1. In lerna.json, you can use wildcards, "packages": ["apps/*"],
2. Same with package.json "workspaces": ["apps/*"]
3. Idea: rule out lerna, what happens if you remove it? Also, I checked your lerna.json, looks like mine mostly, so besides point no.1, all good. I hope you're installing from root level, with npm i.
4. Check, root package.json should typically have "private": true,, — not that it matters but still
5. Probably unrelated but see [BUG] workspace packages using different major versions of the same package causes issues #2783 (comment) the legacy-bundling=true
6. Don't trust package.json overrides, there are issues [BUG] Overrides are not applied correctly with workspaces #4834
7. I see you're using caret ranges in package.json, — this probably won't help, but try pinning exact versions (good practice anyway), delete carets.

Theoretically, all this npm installation is done on npm. In theory, you could switch to different package manager, let's say v1 yarn — wipe lockfile and node_modules and try that. The resolving algorithm might be different. More as a temp measure, but if it works it works...

Theoretically, if I was cornered in this position, I would script the desired setup, put correct things in correct places using fs, path et al. If you think, you can create symlinks using ln -s; hell, you can even create new folders, npm init -y and quickly install react, then take its folder from node_modules and place somewhere. I know it's brittle, but I did worse to support my eslint plugins which are not pure-esm, to exist in type:module monorepo (involved programmatically renaming, editing package.json last second before publishing etc). Just food for thought.

Sorry I can't fix npm cli. I came for my own problem with npm, saw yours, and thought I'll chip in my 2p quick. Best luck!

[reggi]

I was able to download the example code and both repos work:

➜  demo npm -v
11.1.0
➜  demo node -v
v22.9.0

The packages look to be installed properly, in their workflows.

Not sure the issue you're running into 🤔

[Klaasvaak]

@reggi Thanks for looking into this.

I'm also able to run the example. That is not the issue. The issue is that they don't use the correct versions as mentioned in their package.json

What do you get when you run npm ls react-dom ?

I get this:

├─┬ demo@14.1.1 -> ./apps/demo
│ ├── react-dom@17.0.2
│ └─┬ react-router-dom@6.29.0
│   └── react-dom@17.0.2 deduped
└─┬ documentation@0.0.1 -> ./apps/documentation
  ├─┬ @astrojs/react@4.2.0
  │ └── react-dom@17.0.2 deduped
  └── react-dom@19.0.0

But I expect @astrojs/react@4.2.0 -> react-dom to be version 19.0.0

[reggi]

i'm gonna close this one for now, feel free to repoen

[reggi]

@Klaasvaak sorry I closed without noticing your comment, I get this:

my-monorepo@ /Users/reggi/Downloads/github-bqrrwddb
├─┬ demo@0.1.0 -> ./apps/demo
│ └── react-dom@17.0.2
└─┬ documentation@0.0.1 -> ./apps/documentation
  ├─┬ @astrojs/react@4.2.0
  │ └── react-dom@18.3.1
  └── react-dom@19.0.0

and I know mine isn't dedouped because it's not hoisted

[reggi]

@Klaasvaak perhaps its your version of npm?

[reggi]

you can also delete all node_modules folders in your project and reinstall?

[Klaasvaak]

@reggi I don't know why you closed this issue. Your cli output clearly shows something is wrong as well:

  ├─┬ @astrojs/react@4.2.0
  │ └── react-dom@18.3.1

This should be react-dom@19.0.0

[Klaasvaak]

@reggi fyi, I don't have permission to reopen this issue.

[reggi]

@Klaasvaak https://github.com/withastro/astro/blob/%40astrojs/react%404.2.0/packages/integrations/react/package.json#L63

[reggi]

i got your issue now, you should have included overrides in the stackblitz example

[reggi]

workspaces are special and npm installs aren't idempotent, context matters and shapes how package-lock will look

that being said you may have originally npm installed your packages individually and built up the lock one way, and now you're stuck.

react-dom is a dev dep of astro's plugin it shouldn't have control over your version.

this all being said if you:

➜  github-bqrrwddb rm -rf ./apps/demo/node_modules
➜  github-bqrrwddb rm -rf ./apps/documentation/node_modules 
➜  github-bqrrwddb rm ./package-lock.json 
➜  github-bqrrwddb npm i

I believe you get what you want without overrides:

my-monorepo@ /Users/reggi/Downloads/github-bqrrwddb
├─┬ demo@0.1.0 -> ./apps/demo
│ └── react-dom@17.0.2
└─┬ documentation@0.0.1 -> ./apps/documentation
  └── react-dom@19.0.0

[Klaasvaak]

@reggi Thank you for looking further into this.

react-dom is a devDependency of astro, but it's also a peerDependency. I choose to use the latest (v19) react-dom instead of v18. Shouldn't astro therefor also use react-dom v19 in my example because that's what it says it supports in their peerDependencies and that's what I put as a version in the package.json?

[Klaasvaak]

There are no overrides in the stackblitz example, should there be?

When I remove all node_modules and the lockfile and run npm i again in the stackblitz example I get:

❯ npm ls react-dom
my-monorepo@ /home/projects/github-bqrrwddb
+-- demo@0.1.0 -> ./apps/demo
| `-- react-dom@17.0.2
`-- documentation@0.0.1 -> ./apps/documentation
  +-- @astrojs/react@4.2.0
  | `-- react-dom@18.3.1
  `-- react-dom@19.0.0

Still using v18. Is this the devDependency? But shouldn't it be the peerDependency? Which version will astro use now?