What you expected to see, versus what you actually saw
I don't expect dependabot to add duplicate sub-dependencies unless the top-level dependencies ask for conflicting versions. Usually this might not matter, but vitest has a declare module 'vite' that tries to override a vite type that's used in astro, and the multiple versions seem to cause TypeScript not to apply the override, resulting in the error in https://github.com/vlach-cookbook/cookbook/actions/runs/9133264272/job/25116355292?pr=105.
Native package manager behavior
pnpm update astro vitest results in the same duplicate dependencies:
$ ls -l node_modules/{astro,vitest}/../vite
lrwxrwxrwx 1 node node 55 May 17 20:36 node_modules/astro/../vite -> ../../vite@5.2.11_@types+node@20.12.7/node_modules/vite
lrwxrwxrwx 1 node node 55 May 17 21:05 node_modules/vitest/../vite -> ../../vite@5.2.10_@types+node@20.12.7/node_modules/vite
pnpm dedupe deduplicates them to just 5.2.11. pnpm update with no package limitation doesn't create duplicates.
Is there an existing issue for this?
Package ecosystem
npm
Package manager version
pnpm 9.0.6
Language version
node 20.12.0
Manifest location and content before the Dependabot update
https://github.com/vlach-cookbook/cookbook/blob/8ed987d83882b8299714555763237d0c3de3ec0a/webserver/pnpm-lock.yaml
1 version of vite, 5.2.10
dependabot.yml content
https://github.com/vlach-cookbook/cookbook/blob/8ed987d83882b8299714555763237d0c3de3ec0a/.github/dependabot.yml
Updated dependency
https://github.com/vlach-cookbook/cookbook/pull/105/files (created by dependabot) contains a pnpm-lock.yaml with 2 versions of vite:
5.2.10 at https://github.com/vlach-cookbook/cookbook/blob/e1deb61889ef282f7eb699d78e9e0112ef7d9725/webserver/pnpm-lock.yaml#L3256
5.2.11: https://github.com/vlach-cookbook/cookbook/blob/e1deb61889ef282f7eb699d78e9e0112ef7d9725/webserver/pnpm-lock.yaml#L3284
Images of the diff or a link to the PR, issue, or logs
No response
Smallest manifest that reproduces the issue
No response
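A check for the condition reported above, as an added example that is not part of the original issue or of Dependabot or pnpm: it lists every package that a pnpm-lock.yaml resolves at more than one version, so a CI step can flag an update PR that introduces duplicates. The function name, the line-based parsing of the lockfile v9 `packages:` section, and the sample lockfile are assumptions made for the example; only the two vite versions come from the issue.

```javascript
// Added example: list packages that a pnpm lockfile resolves at more than one version.
// Assumes the lockfile v9 layout: a top-level "packages:" section whose
// two-space-indented keys look like  name@version:  or  '@scope/name@version':
function findDuplicateVersions(lockText) {
  const versions = new Map(); // package name -> Set of resolved versions
  let inPackages = false;
  for (const line of lockText.split(/\r?\n/)) {
    // A non-indented key starts a new top-level section.
    if (/^\S/.test(line)) {
      inPackages = line.trimEnd() === 'packages:';
      continue;
    }
    if (!inPackages) continue;
    // Entry keys sit at exactly two spaces of indent; deeper lines are fields.
    const m = /^ {2}(?! )'?(.+?)'?:\s*$/.exec(line);
    if (!m) continue;
    const at = m[1].lastIndexOf('@'); // the last '@' splits name from version
    if (at <= 0) continue;            // index 0 is only a scope marker
    const name = m[1].slice(0, at);
    const version = m[1].slice(at + 1);
    if (!versions.has(name)) versions.set(name, new Set());
    versions.get(name).add(version);
  }
  const duplicates = {};
  for (const [name, set] of versions) {
    if (set.size > 1) duplicates[name] = [...set].sort();
  }
  return duplicates;
}

// Constructed sample lockfile (integrity values are placeholders).
const SAMPLE_LOCK = `lockfileVersion: '9.0'

packages:

  '@types/node@20.12.7':
    resolution: {integrity: sha512-CONSTRUCTED}

  vite@5.2.10:
    resolution: {integrity: sha512-CONSTRUCTED}

  vite@5.2.11:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  vite@5.2.10(@types/node@20.12.7): {}
`;
console.log(findDuplicateVersions(SAMPLE_LOCK));
```

To run it against a real lockfile, pass the file's contents as a string and fail the job when the returned object has any keys.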