[BUG] non-previosly seen peer-dependency errors popping up in 8.6.0

[azatoth]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

After upgrading from 8.5.5 to 8.6.0 I'm starting to get peer dependency issues that are not present when running under 8.5.5.

I don't see anything apparent in https://github.com/npm/cli/blob/latest/CHANGELOG.md#v860-2022-03-31 to account for this change. While it's possible these errors were present before, but hidden; the lack of changelog entry to account for this speaks against that.

$ npm i -g npm@8.5.5

changed 14 packages, and audited 201 packages in 1s

10 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ npm i

up to date, audited 1180 packages in 2s

130 packages are looking for funding
  run `npm fund` for details

4 vulnerabilities (2 moderate, 2 high)

To address all issues, run:
  npm audit fix

Run `npm audit` for details.
$ npm i -g npm@8.6.0

changed 30 packages, and audited 201 packages in 1s

10 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities
$ npm i
npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: @shiftcoders/dynamo-easy@7.1.0
npm ERR! Found: tslib@2.3.0
npm ERR! node_modules/tslib
npm ERR!   tslib@"^2.1.0" from the root project
npm ERR!   tslib@"^2.0.0" from @aws-sdk/abort-controller@3.20.0
npm ERR!   node_modules/@aws-sdk/abort-controller
npm ERR!     @aws-sdk/abort-controller@"3.20.0" from @aws-sdk/node-http-handler@3.21.0
npm ERR!     node_modules/@aws-sdk/node-http-handler
npm ERR!       @aws-sdk/node-http-handler@"3.21.0" from @aws-sdk/client-sso@3.21.0
npm ERR!       node_modules/@aws-sdk/client-sso
npm ERR!         @aws-sdk/client-sso@"3.21.0" from @aws-sdk/credential-provider-sso@3.21.0
npm ERR!         node_modules/@aws-sdk/credential-provider-sso
npm ERR!       1 more (@aws-sdk/client-sts)
npm ERR!   46 more (@aws-sdk/client-sso, @aws-sdk/client-sts, ...)
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer tslib@"^1.10.0" from @shiftcoders/dynamo-easy@7.1.0
npm ERR! node_modules/@shiftcoders/dynamo-easy
npm ERR!   dev @shiftcoders/dynamo-easy@"^7.1.0" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: tslib@1.14.1
npm ERR! node_modules/tslib
npm ERR!   peer tslib@"^1.10.0" from @shiftcoders/dynamo-easy@7.1.0
npm ERR!   node_modules/@shiftcoders/dynamo-easy
npm ERR!     dev @shiftcoders/dynamo-easy@"^7.1.0" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /home/azatoth/.npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /home/azatoth/.npm/_logs/2022-04-01T10_02_06_637Z-debug-0.log

Expected Behavior

I expect 8.6.0 to not error out on these peer-dependency issues.

Steps To Reproduce

No response

Environment

• npm: 8.6.0
• Node.js: v14.19.0
• OS Name: Ubuntu 21.10
• System Model Name:
• npm config:

; "user" config from /home/azatoth/.npmrc

//npm.pkg.github.com/:_authToken = (protected) 
//registry.npmjs.org/:_authToken = (protected) 

; "project" config from /home/azatoth/Project/(protected)/.npmrc

@(protected):registry = "https://npm.pkg.github.com/" 

; node bin location = /home/azatoth/.nvm/versions/node/v14.19.0/bin/node
; cwd = /home/azatoth/Project/(protected)
; HOME = /home/azatoth
; Run `npm config ls -l` to show all defaults.

[jeroennoten]

Same problem here. No problems on 8.5.5, errors regarding peer dependencies on 8.6.0.

[piccit]

I'm seeing this problem too but it's when running npm ci (after having installed some specific packages using --legacy-peer-deps)

[aldeed]

To be clear about how big this bug is, everybody with a CI step that does npm i -g npm && npm i (or npm ci), that step is now suddenly erring (assuming they have ever previously ignored peer dep errors, which most projects have). The workaround is to pin to npm@8.5.5 but to prevent opening the floodgates of confusion you may want to fix or revert ASAP.

[johanholmerin]

Git bisect shows it to be caused by bd96ae4. Reproduction at johanholmerin/npm-4664

[neogibson]

Yup we are seeing the same error in our CI with 8.6.0, reverting to 8.5.5 works for now though.

[ruyadorno]

hi @johanholmerin thanks so much for taking the time to bisect and sending a reproduction, super handy and we super appreciate it! ❤️

It looks like what most folks here are seeing here is a legitimate ERESOLVE error (which began throwing as of v7) that got stored to the lockfile via using either npm i --force or npm i --legacy-peer-deps to generate that file. This should have always been an error and the fix included in v8.6.0 is actually just surfacing these problems in the context of npm ci.

I apologize for the extra churn this fix seems to be inflicting in some users, we're taking the extra steps of specifically documenting that in the npm ci help page, ref: #4666

How to fix it:

In your project folder, run:

npm config set legacy-peer-deps=true --location=project

Then npm ci should be able to install your project again without errors.

[wSedlacek]

This should have always been an error and the fix included in v8.6.0 is actually just surfacing these problems in the context of npm ci.

So just to confirm it is not expected behavior to have installs done with --force to continue working on future installs without --force?