Lockfile peer dependency flip-flops as different workspace packages are updated

[anomiex]

pnpm version:

9.12.0, 10.0.0-alpha.2, 10.6.3

Code to reproduce the issue:

.npmrc:

dedupe-peer-dependents = false

pnpm-workspace.yaml:

packages:
  - 'a'
  - 'b'

a/package.json:

{
  "dependencies": {
    "terser-webpack-plugin": "5.2.4",
    "webpack": "5.61.0",
    "webpack-cli": "4.9.1"
  }
}

b/package.json:

{
  "dependencies": {
    "terser-webpack-plugin": "5.2.4",
    "webpack": "5.61.0"
  }
}

Steps to reproduce:

1. Run pnpm install.
2. In a, run pnpm update.
3. Save a copy of pnpm-lock.yaml.
4. In b, run pnpm update.
5. Save a copy of pnpm-lock.yaml.

Expected behavior:

Saved copies of pnpm-lock.yaml are identical, as nothing has changed in the updates.

Actual behavior:

Saved copies differ. When update was last run in a, "terser-webpack-plugin@5.2.4(webpack@5.61.0)" shows a dependency on "webpack: 5.61.0(webpack-cli@4.9.1)". When last run in b, it shows "webpack: 5.61.0" instead.

Additional information:

• node -v prints: v20.17.0
• Windows, macOS, or Linux?: Linux

Notes:

terser-webpack-plugin has a peer dependency on webpack but not webpack-cli, which makes sense since it doesn't actually depend on the latter. webpack itself has an optional peer dependency on webpack-cli.

We've seen something similar with react-with-styles-interface-css, which has a peer dependency on react-with-styles but not react or react-dom, while react-with-styles itself does have peer deps on react and react-dom.

In our code in these two cases this doesn't seem to actually break anything, it just clutters our git diffs.

[anomiex]

Tested this with pnpm 7.28.0 (and node v18.13.0) since the release notes said a similar bug was fixed in that version. This bug is still present.

The dedupe-peer-dependents option I see in the 7.29.0-1 prerelease doesn't help either, although that seems to be a bug of its own.

[jasononeil]

I'm seeing a similar issue, with lockfile diffs like this, when the only package changed had no relationship with ts-node or @types/node

-        version: 29.3.1(@types/node@18.11.9)(ts-node@10.9.1)
+        version: 29.3.1(@types/node@18.11.9)

It seems to happen for any change I'm making from the root of the workspace, regardless of which packages should be affected. It sounds like a similar issue to what's going on here.

[zkochan]

This one should be fixed in v9.0.0-alpha.4 via #7606

[anomiex]

At a quick test, I had to set dedupe-peer-dependents = false now but could reproduce in 9.0.0-alpha.1, while I cannot reproduce with 9.0.0-alpha.4. Thanks!

[anomiex]

This issue has reappeared with 9.12.0. I've updated the description of this issue for that version.

@zkochan It appears that the fix in #8584 somehow caused this. If I comment out the .resolve() call added there, this problem goes away. That probably brings back the other bug, of course.

[anomiex]

I think the real problem probably goes back to #8457, where you intentionally broke the strict structuring of peers added in #7606. First that resulted in #8570 (presumably because there are now cycles not reflected in the graph), and when you tried to fix that it brought back this. I wonder if it also brought back #7444.

[zkochan]

Why do you need to set dedupe-peer-dependents to false?

[anomiex]

The bug doesn't reproduce without that. The deduping avoids the problem.

Or if you're asking why we have that set in our repo, one of the things we really like about pnpm is the avoiding of phantom dependencies, and deduping the peer deps could mean for example that forgetting one peer's optional dep would be phantom-fulfilled by the deduplication.