Dependency deduplication seems not to work

[pmb0]

Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

8.7.6

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Link to the code that reproduces this issue or a replay of the bug

https://github.com/pmb0/pnpm-peer-deduplication-not-working/tree/main

Reproduction steps

git clone https://github.com/pmb0/pnpm-peer-deduplication-not-working
pnpm i
pnpm test

Describe the Bug

When using NestJS dependencies in own monorepo libs, @nestjs/core is installed multiple times, which leads to runtime errors in NestJS. pnpm dedupe and dedupe-peer-dependents=true seem to have no effect. This problem occurred in the past but not in pnpm@8.6.0 and after upgrading to any version after 8.6.0 it reappeared.

As far as I know, the problem can only be solved by installing the NestJS dependencies in the root package (resolve-peers-from-workspace-root=true), which is a workaround.

Expected Behavior

NestJS dependencies such as @nestjs/platform-express define their dependencies as follows:

  "devDependencies": {
    "@nestjs/core": "10.2.5"
  },
  "peerDependencies": {
    "@nestjs/core":"^10.0.0"
  }

If my own libs do the same, I expect only one copy of @nestjs/core to exist afterwards.

Which Node.js version are you using?

v18.16.0

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response

[gentoo90]

One more reproduction with PNPM 8.8.0 and nodejs 20.5.1 on Linux:

git clone https://github.com/gentoo90/pnpm-dedupe-bug-repro
pnpm i
pnpm build

It's an empty Angular 16 project with a custom webpack config that uses webpack-manifest-plugin.
It has the same issue with webpack and esbuild that was described in #6153.
As a workaround (in workaround branch) add esbuild to webpack-manifest-plugin peer dependencies via readPackage hook in .pnpmfile.cjs:

function readPackage(pkg, context) {
  if (pkg?.name == 'webpack-manifest-plugin') {
    context.log(`Fixing dependencies of ${pkg.name}`);
    pkg.peerDependencies['esbuild'] = '0.18.17';
  }
  return pkg;
}

module.exports = {
  hooks: {
    readPackage,
  }
};

[pmb0]

I think #7163 is the same issue

[shry]

We do have the same issue in a big NestJS monorepo. A clean install with pnpm@8.6.0 version works fine, newer versions are failing with the deduplication.

[pmb0]

Probably #6605 has reintroduced the problem in pnpm@8.6.1.

[pmb0]

@zkochan is there a chance to get multiple copies of same deps fixed?

[zkochan]

This is not high priority right now. You can install @nestjs/microservices and @nestjs/platform-express in the root of the workspace and you'll get a single version of @nestjs/core.

In any case, dedupe-peer-dependents is just a dirty workaround. It symlinks dependencies used by other workspace projects, which breaks isolation between projects. It better to handle it manually as I suggested.

The easiest way to fix this would be probably to use dependencies from any workspace projects, when resolving peer dependencies (not just dependencies of the real dependent workspace project).