I’m working on a node project that involves an SDK and then a parent project consuming the SDK. In Java, maven or gradle will pick transitive dependency with the highest version number but how does that work in npm?
From the screenshot below, the SDK imports debug package with version 4.3.4 which is what I want to see in the parent project. However, npm picked the version 2.6.9 instead. I have tried defining the library version from dependencies or overrides section from SDK, none of them works.
I know that I can add an override from parent project to force the newer version but am I doing something wrong that causes this or overriding dependency from parent project is the only way to resolve this? Is there something I can do in the SDK to enforce this library version from the consuming parent projects?
Based on the package-lock.json file, I looked into the actual debug package json file under the node_modules folder and confirmed that it is at version 2.6.9
2 Answers
That is indeed one of the big differences between npm and Maven/gradle, regarding management of dependencies:
node_modules folder, containing its own dependencies and specific version. It can still share dependencies though: Node walks up the folder tree until it finds a node_modules containing the dependency; this way it factorizes compatible versions.
overrides field enables forcing a different version of such transitive dependencies
This is what you see in your case:
[email protected] requires the exact [email protected] version
sailpoint-oss/[email protected] specifies an override of debug@^4.3.4
npm ls debug and package-lock.json show the initial transitive version of 2.6.9, you can see that it says "deduped": it was actually not installed, and another version higher up the tree is used instead: 4.3.4 in your case.
Therefore if you inspect your actual folder structure, there should be no [email protected], only 4.3.4
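An added example, not part of the original answer: a Node.js script that reads the "packages" map of a package-lock.json (lockfileVersion 2 or 3) and reports, for every package declaring a given dependency, which installed copy the folder walk-up described above resolves to. The sample lockfile is constructed, and the names parent-app, example-sdk and legacy-lib are hypothetical; it also covers the case where a nested copy is installed rather than deduped.

```javascript
// Added example: resolve which copy of a dependency each package loads,
// using the "packages" map of a package-lock.json (lockfileVersion 2 or 3).

// Constructed sample lockfile; all names except "debug" are hypothetical.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "parent-app", dependencies: { "example-sdk": "1.0.0", "legacy-lib": "1.0.0" } },
    "node_modules/example-sdk": { version: "1.0.0", dependencies: { debug: "^4.3.4" } },
    "node_modules/legacy-lib": { version: "1.0.0", dependencies: { debug: "2.6.9" } },
    "node_modules/debug": { version: "4.3.4" },
    "node_modules/legacy-lib/node_modules/debug": { version: "2.6.9" },
  },
};

// Walk up from the requiring package's folder, as Node does, until a
// node_modules folder containing depName is found.
function resolveInstalled(packages, fromPath, depName) {
  let dir = fromPath;
  for (;;) {
    const candidate = (dir ? dir + "/" : "") + "node_modules/" + depName;
    if (packages[candidate]) return { path: candidate, version: packages[candidate].version };
    if (dir === "") return null; // reached the project root without a match
    const cut = dir.lastIndexOf("node_modules/");
    dir = cut <= 0 ? "" : dir.slice(0, cut - 1); // drop the last "/node_modules/<name>"
  }
}

// List every package that declares depName, the range it asked for,
// and the version and location of the copy it actually gets.
function auditDependency(lock, depName) {
  const rows = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const declared = { ...meta.dependencies, ...meta.optionalDependencies };
    if (!(depName in declared)) continue;
    const hit = resolveInstalled(lock.packages, path, depName);
    rows.push({ consumer: path || "(root)", range: declared[depName],
                resolved: hit ? hit.version : null, from: hit ? hit.path : null });
  }
  return rows;
}

console.table(auditDependency(sampleLock, "debug"));
```

To audit a real project, pass the parsed contents of its package-lock.json in place of sampleLock.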
Downgrade the node (npm) version to the required stable version and use npm update in terminal of Visual Studio Code.