Skip to content

fix: corrects peer dependency flag propagation #8579

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
owlstronaut merged 1 commit into from
Sep 19, 2025
Merged

fix: corrects peer dependency flag propagation #8579

owlstronaut merged 1 commit into from
Sep 19, 2025

Conversation

@owlstronaut
Copy link
Contributor

@owlstronaut owlstronaut commented Sep 17, 2025
edited
Loading

Summary

Fixes peer dependency flag propagation in npm's dependency resolution system by correcting how "peer": true flags are calculated and applied.

Problem

Peer dependency flags were inconsistently and incorrectly calculated, leading to incorrect or missing "peer": true flags in the ideal tree, which could cause dependency resolution issues.

#8431 revealed a number of bugs, the worst of which appears to be that many packages in an ideal tree were marked peer when they shouldn't have been. If they were also optional, they were being removed by this pruning. This is my attempt to make a forward-fix instead of revert the aforementioned correct but also (through no fault of its own) disruptive PR #8431 .

This doesn't solve the problem of legitimate peerOptionals being uninstallable even with npm i <peer-optional-package>. It both makes sense for that to be pruned, but also for people that do it to have it either install or warn them. Right now it silently moves along. We could allow it to not be pruned that 1 time by using explicitRequests, but would subsequently be pruned on further installs.

Related:
#8464
#8431
#8489

@owlstronaut owlstronaut force-pushed the owlstronaut/fix-peer-flag-calc branch 4 times, most recently from 90d9c5e to bcd771f Compare September 17, 2025 21:13
@owlstronaut owlstronaut marked this pull request as ready for review September 17, 2025 21:48
@owlstronaut owlstronaut requested a review from a team as a code owner September 17, 2025 21:48
@owlstronaut
Copy link
Contributor Author

owlstronaut commented Sep 17, 2025

@G-Rath @jenseng Would love your take on this if you find time. I'm attempting to fix-foreward rather than revert, but this stuff is pretty meaty.

@jenseng
Copy link
Contributor

jenseng commented Sep 17, 2025

@owlstronaut I've confirmed that this fixes my simple repro here ... npm install succeeds, and the lockfile no longer marks those deps as "peer": true 🥳

@jenseng
Copy link
Contributor

jenseng commented Sep 17, 2025
edited
Loading

The fix also works in our internal repos whose installs failed under npm@11.5.x 🚀

@wraithgar
Copy link
Member

wraithgar commented Sep 18, 2025

Thank you so much for reviewing this @jenseng it really helps when folks with domain knowledge do this.

@wraithgar wraithgar self-assigned this Sep 18, 2025
wraithgar
wraithgar reviewed Sep 18, 2025
View reviewed changes
wraithgar
wraithgar reviewed Sep 18, 2025
View reviewed changes
wraithgar
wraithgar reviewed Sep 18, 2025
View reviewed changes
wraithgar
wraithgar reviewed Sep 18, 2025
View reviewed changes
@owlstronaut owlstronaut force-pushed the owlstronaut/fix-peer-flag-calc branch from 6623b75 to cb986c5 Compare September 18, 2025 22:10
wraithgar
wraithgar reviewed Sep 19, 2025
View reviewed changes
package-lock.json
"integrity": "sha512-UlLAnTPrFdNGoFtbSXwcGFQBtQZJCNjaN6hQNP3UPvuNXT1i82N26KL3dZeIpNalWywr9IuQuncaAfUaS1g6sQ==",
"dev": true,
"license": "MIT",
"peer": true,
Copy link
Member

@wraithgar wraithgar Sep 19, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just wanted to double check some of these and the very first one is good. This is being correctly flagged as a peer, from npm explain @babel/core@7.28.0:

peer @babel/core@"^7.0.0" from @babel/helper-module-transforms@7.27.3

This was referenced Sep 19, 2025
Merged
Merged
@owlstronaut owlstronaut merged commit d389614 into latest Sep 19, 2025
33 checks passed
@owlstronaut owlstronaut deleted the owlstronaut/fix-peer-flag-calc branch September 19, 2025 16:10
@github-actions github-actions bot mentioned this pull request Sep 19, 2025
Merged
@npm-cli-bot npm-cli-bot mentioned this pull request Sep 25, 2025
Merged
@AviVahl AviVahl mentioned this pull request Sep 27, 2025
Closed
2 tasks
@dynamictulip dynamictulip mentioned this pull request Sep 28, 2025
Open
2 tasks
@torokati44 torokati44 mentioned this pull request Sep 30, 2025
Merged
@broksonic21 broksonic21 mentioned this pull request Sep 30, 2025
Closed
1 task
@marcustyphoon marcustyphoon mentioned this pull request Oct 1, 2025
Merged
1 task
@otaviojacobi otaviojacobi mentioned this pull request Oct 1, 2025
Open
2 tasks
@liamcmitchell liamcmitchell mentioned this pull request Oct 5, 2025
Merged
@TrevorBurnham TrevorBurnham mentioned this pull request Oct 5, 2025
Closed
@oleksandr-danylchenko oleksandr-danylchenko mentioned this pull request Oct 6, 2025
Merged
wraithgar pushed a commit that referenced this pull request Oct 13, 2025
@liamcmitchell
fix: dep flag calculation (#8645)
b1aee62 
- reverts pruning added in #8431, which
incorrectly prunes deps flagged as `peer` and `optional` - these flags
don't mean that this node is an optional peer!
- reverts much of #8579, which I think
mistakenly changed peer dep calculation logic
- rewrites calcDepFlags
- adds logic to avoid unsetting `extraneous` when following optional
peer edges (how #8431, should have been
fixed)
- updates my prev fix to avoid looking for missing optional peer deps
(`if ((!edge.to && edge.type !== 'peerOptional') || !edge.valid) {`)
- refactors dep flag unsetting and resetting into Node methods
- removes `shake out Link target timing issue` test, which was testing
code
[removed](2db6c08#diff-6778dbd4bbfddaeb827a8d2aa7248d4c9b329229f69e407d5fd487abe16dd942L333)
a while back
- avoids omitting flaky`selflink` fixture when writing snapshots

Fixes #8535
@LitoMore LitoMore mentioned this pull request Oct 17, 2025
Merged
@mctylr-gh mctylr-gh mentioned this pull request Oct 17, 2025
Merged
This was referenced Oct 18, 2025
Merged
Merged
@pplancq pplancq mentioned this pull request Oct 30, 2025
Open
@mgermerie mgermerie mentioned this pull request Nov 4, 2025
Merged
@LitoMore LitoMore mentioned this pull request Nov 16, 2025
Merged
fbezagu added a commit to betagouv/anssi-demain-specialiste-cyber that referenced this pull request Nov 17, 2025
@fbezagu
[CI] Corrige les dépendances pour Node 24.11
60ddc39 
...GitHub utilise désormais la nouvelle version de node (24.11.1) et npm (11.6.2) qui introduit une correction dans la résolution des dépendances. (npm/cli#8579) Cette correction a introduit un bug dans notre installation de dépendances (avec @parcel/watcher non trouvé).
@fbezagu fbezagu mentioned this pull request Nov 17, 2025
Merged
fbezagu added a commit to betagouv/anssi-demain-specialiste-cyber that referenced this pull request Nov 17, 2025
@fbezagu
[CI] Corrige les dépendances pour Node 24.11
420e195 
...GitHub utilise désormais la nouvelle version de node (24.11.1) et npm (11.6.2) qui introduit une correction dans la résolution des dépendances. (npm/cli#8579) Cette correction a introduit un bug dans notre installation de dépendances (avec @parcel/watcher non trouvé).
@felixweinberger felixweinberger mentioned this pull request Nov 20, 2025
Merged
cmenon12 added a commit to Capgemini/gov-prototype-by-prompt that referenced this pull request Nov 27, 2025
@cmenon12
Set npm version to v11.6.1
4d96ea7 
This release corrects the peer dependency flag propagation.
See https://docs.npmjs.com/cli/v11/using-npm/changelog#1161-2025-09-23 and npm/cli#8579
cmenon12 added a commit to Capgemini/gov-prototype-by-prompt that referenced this pull request Nov 27, 2025
@dependabot @cmenon12
Set npm version to v11.6.1, bump the minor-updates group across 2 dir…
5005e21 
…ectories with 4 updates (#91)

* Bump the minor-updates group across 2 directories with 4 updates

Bumps the minor-updates group with 4 updates in the / directory: [hmrc-frontend](https://github.com/hmrc/hmrc-frontend), [openai](https://github.com/openai/openai-node), [prettier](https://github.com/prettier/prettier) and [typescript-eslint](https://github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint).
Bumps the minor-updates group with 1 update in the /data/zip-download directory: [hmrc-frontend](https://github.com/hmrc/hmrc-frontend).


Updates `hmrc-frontend` from 6.100.0 to 6.103.0
- [Release notes](https://github.com/hmrc/hmrc-frontend/releases)
- [Changelog](https://github.com/hmrc/hmrc-frontend/blob/main/CHANGELOG.md)
- [Commits](hmrc/hmrc-frontend@v6.100.0...v6.103.0)

Updates `openai` from 6.8.1 to 6.9.1
- [Release notes](https://github.com/openai/openai-node/releases)
- [Changelog](https://github.com/openai/openai-node/blob/master/CHANGELOG.md)
- [Commits](openai/openai-node@v6.8.1...v6.9.1)

Updates `prettier` from 3.6.2 to 3.7.0
- [Release notes](https://github.com/prettier/prettier/releases)
- [Changelog](https://github.com/prettier/prettier/blob/main/CHANGELOG.md)
- [Commits](prettier/prettier@3.6.2...3.7.0)

Updates `typescript-eslint` from 8.46.0 to 8.48.0
- [Release notes](https://github.com/typescript-eslint/typescript-eslint/releases)
- [Changelog](https://github.com/typescript-eslint/typescript-eslint/blob/main/packages/typescript-eslint/CHANGELOG.md)
- [Commits](https://github.com/typescript-eslint/typescript-eslint/commits/v8.48.0/packages/typescript-eslint)

Updates `hmrc-frontend` from 6.100.0 to 6.103.0
- [Release notes](https://github.com/hmrc/hmrc-frontend/releases)
- [Changelog](https://github.com/hmrc/hmrc-frontend/blob/main/CHANGELOG.md)
- [Commits](hmrc/hmrc-frontend@v6.100.0...v6.103.0)

Updates `hmrc-frontend` from 6.100.0 to 6.103.0
- [Release notes](https://github.com/hmrc/hmrc-frontend/releases)
- [Changelog](https://github.com/hmrc/hmrc-frontend/blob/main/CHANGELOG.md)
- [Commits](hmrc/hmrc-frontend@v6.100.0...v6.103.0)

Updates `hmrc-frontend` from 6.100.0 to 6.103.0
- [Release notes](https://github.com/hmrc/hmrc-frontend/releases)
- [Changelog](https://github.com/hmrc/hmrc-frontend/blob/main/CHANGELOG.md)
- [Commits](hmrc/hmrc-frontend@v6.100.0...v6.103.0)

---
updated-dependencies:
- dependency-name: hmrc-frontend
  dependency-version: 6.103.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: openai
  dependency-version: 6.9.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: prettier
  dependency-version: 3.7.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: typescript-eslint
  dependency-version: 8.48.0
  dependency-type: direct:development
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: hmrc-frontend
  dependency-version: 6.103.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: hmrc-frontend
  dependency-version: 6.103.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
- dependency-name: hmrc-frontend
  dependency-version: 6.103.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: minor-updates
...

Signed-off-by: dependabot[bot] <support@github.com>

* Update ESLint config

See https://github.com/typescript-eslint/typescript-eslint/releases/tag/v8.46.4 and typescript-eslint/typescript-eslint#11333

* Set npm version to v11.6.1

This release corrects the peer dependency flag propagation.
See https://docs.npmjs.com/cli/v11/using-npm/changelog#1161-2025-09-23 and npm/cli#8579

* Upgrade npm to v11.6.1 in code-quality.yml

---------

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Christopher Menon <16004217+cmenon12@users.noreply.github.com>
This was referenced Dec 1, 2025
Open
Draft
domoscargin added a commit to alphagov/govuk-design-system that referenced this pull request Dec 8, 2025
@domoscargin
Update package-lock.json
7ed6e4f 
We've recently updated to Node 24, using at least npm v11.6.0.

In npm v11.6.1, there was some work to improve the tagging of dependencies with `"peer": true`.

npm/cli#8579

This PR updates our package-lock.json file to reflect these changes by running:

1. `nvm use`
2. `npm install`
@domoscargin domoscargin mentioned this pull request Dec 8, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wraithgar wraithgar wraithgar approved these changes

Assignees

@wraithgar wraithgar

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@owlstronaut @jenseng @wraithgar