dependabot / dependabot-core

🤖 Dependabot's core logic for creating update PRs.
https://docs.github.com/en/code-security/dependabot
MIT License

Dependabot creates duplicate sub-dependencies in pnpm project, which break typescript checking #9763

Open jyasskin opened 2 weeks ago

jyasskin commented 2 weeks ago

Is there an existing issue for this?

Package ecosystem

npm

Package manager version

pnpm 9.0.6

Language version

node 20.12.0

Manifest location and content before the Dependabot update

https://github.com/vlach-cookbook/cookbook/blob/8ed987d83882b8299714555763237d0c3de3ec0a/webserver/pnpm-lock.yaml

1 version of vite, 5.2.10

dependabot.yml content

https://github.com/vlach-cookbook/cookbook/blob/8ed987d83882b8299714555763237d0c3de3ec0a/.github/dependabot.yml

Updated dependency

https://github.com/vlach-cookbook/cookbook/pull/105/files (created by dependabot) contains a pnpm-lock.yaml with 2 versions of vite:

5.2.10 at https://github.com/vlach-cookbook/cookbook/blob/e1deb61889ef282f7eb699d78e9e0112ef7d9725/webserver/pnpm-lock.yaml#L3256

5.2.11: https://github.com/vlach-cookbook/cookbook/blob/e1deb61889ef282f7eb699d78e9e0112ef7d9725/webserver/pnpm-lock.yaml#L3284

What you expected to see, versus what you actually saw

I don't expect dependabot to add duplicate sub-dependencies unless the top-level dependencies ask for conflicting versions. Usually this might not matter, but vitest has a declare module 'vite' that tries to override a vite type that's used in astro, and the multiple versions seem to cause TypeScript not to apply the override, resulting in the error in https://github.com/vlach-cookbook/cookbook/actions/runs/9133264272/job/25116355292?pr=105.

Native package manager behavior

pnpm update astro vitest results in the same duplicate dependencies:

$ ls -l node_modules/{astro,vitest}/../vite
lrwxrwxrwx 1 node node 55 May 17 20:36 node_modules/astro/../vite -> ../../vite@5.2.11_@types+node@20.12.7/node_modules/vite
lrwxrwxrwx 1 node node 55 May 17 21:05 node_modules/vitest/../vite -> ../../vite@5.2.10_@types+node@20.12.7/node_modules/vite

pnpm dedupe deduplicates them to just 5.2.11. pnpm update with no package limitation doesn't create duplicates.

Images of the diff or a link to the PR, issue, or logs

No response

Smallest manifest that reproduces the issue

No response
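As an added check for the situation described in this report (example code written for this page, not the reporter's, Dependabot's or pnpm's own), the script below scans a pnpm-lock.yaml and reports every package that is present at more than one version. It does a minimal line-based scan of the top-level `packages:` section instead of a full YAML parse, so it needs no third-party library, and it accepts both the `/name@version(peer)` keys of lockfile v6 and the `name@version` keys of v9. The lockfile snippet embedded in it is constructed to mirror the vite 5.2.10 / 5.2.11 duplication above and is not the real lockfile from the linked PR.

```python
"""Report packages that appear at more than one version in a pnpm-lock.yaml.

Added example, not Dependabot's or pnpm's own code. It only scans the
top-level ``packages:`` section line by line, which is enough to spot
duplicated sub-dependencies like the vite 5.2.10 / 5.2.11 pair.
"""
import re
import sys
from collections import defaultdict

# A package key line sits at indent 2 directly under ``packages:``, e.g.
#   "  vite@5.2.10:"                          (lockfile v9)
#   "  /vite@5.2.10(@types/node@20.12.7):"    (lockfile v6)
# Attribute lines (resolution:, engines:, ...) are indented deeper and skipped.
_KEY_RE = re.compile(r"^  (?P<key>\S.*?):\s*$")


def _split_name_version(key: str):
    """Turn a lockfile package key into (name, version), or None if it has no version."""
    key = key.strip("'\"")          # v9 quotes scoped keys: '@types/node@20.12.7'
    key = key.lstrip("/")           # v6 keys start with a slash
    key = key.split("(", 1)[0]      # drop the peer-dependency suffix
    if "@" not in key[1:]:          # scoped names start with '@', so look past it
        return None
    name, version = key.rsplit("@", 1)
    return name, version


def find_duplicate_versions(lock_text: str) -> dict:
    """Return {package_name: sorted list of versions} for packages with >1 version."""
    versions = defaultdict(set)
    in_packages = False
    for line in lock_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        if not line.startswith(" "):
            # A new top-level key: stay active only while inside ``packages:``.
            in_packages = line.rstrip() == "packages:"
            continue
        if not in_packages:
            continue
        match = _KEY_RE.match(line)
        if not match:
            continue
        parsed = _split_name_version(match.group("key"))
        if parsed:
            name, version = parsed
            versions[name].add(version)
    return {name: sorted(v) for name, v in versions.items() if len(v) > 1}


# Constructed sample lockfile (not the real one from the linked PR) with
# two vite versions, as the report describes.
SAMPLE_LOCK = """\
lockfileVersion: '9.0'

importers:
  .:
    dependencies:
      astro:
        specifier: ^4.8.0
        version: 4.8.3(@types/node@20.12.7)

packages:

  '@types/node@20.12.7':
    resolution: {integrity: sha512-CONSTRUCTED}

  astro@4.8.3:
    resolution: {integrity: sha512-CONSTRUCTED}

  vite@5.2.10:
    resolution: {integrity: sha512-CONSTRUCTED}
    engines: {node: ^18.0.0 || >=20.0.0}

  vite@5.2.11:
    resolution: {integrity: sha512-CONSTRUCTED}

  vitest@1.6.0:
    resolution: {integrity: sha512-CONSTRUCTED}

snapshots:

  vite@5.2.10(@types/node@20.12.7):
    dependencies:
      esbuild: 0.20.2
"""


if __name__ == "__main__":
    # Usage: python check_dupes.py [path/to/pnpm-lock.yaml]
    # Without a path, the constructed sample above is scanned.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOCK
    duplicates = find_duplicate_versions(text)
    for name, found in sorted(duplicates.items()):
        print(f"{name}: {', '.join(found)}")
    sys.exit(1 if duplicates else 0)
```

Run against a real lockfile, the script exits non-zero when any package is duplicated, so it can gate a Dependabot PR in CI and flag the regression before the TypeScript failure described above shows up. For the fix itself, the reporter's observation that `pnpm dedupe` collapses the two versions to one is the natural follow-up step.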

jyasskin commented 9 hours ago

Another example in https://github.com/vlach-cookbook/cookbook/pull/117/commits/1f2aef8ef80bf682e3e14c5a008751f0ac861234, this time after I put both packages that depend on the duplicated dependency into the same group.