[Feature] Support `yarn dedupe --strategy fewer`

[ocavue]

• I'd be willing to implement this feature (contributing guide)
• This feature is important to have in this repository; a contrib plugin wouldn't do

Describe the user story

I have a project which uses next and next-offline as dependencies. The package.json of these two packages are as below:

// next/package.json
{ "dependencies": { "webpack": "4.44.1" } }

// next-offline/package.json
{ "peerDependencies": { "webpack": "^4.19.1" } } 

next-offline has webpack in its peerDependencies, so I have to also add webpack into my project's package.json to avoid the warning from Yarn. Since I don't actually use webpack directly and I don't care which version of webpack I'm using, I simply write "webpack": "^4" in package.json

// my-project/package.json
{ 
  "dependencies": {
    "next": "^10.0.4",
    "next-offline": "^5.0.3",
    "webpack": "^4"
  }
}

The latest webpack@^4 version today is 4.44.2, which cause Yarn to install two version of webpack in my-project:

# my-project/yarn.lock
"webpack@npm:4.44.1":
  version: 4.44.1
  
"webpack@npm:^4":
  version: 4.44.2

Install two versions of the same package (not specifically webpack) could cause some issues.

Describe the solution you'd like

Implement yarn dedupe --strategy fewer. This command should update the yarn.lock above to:

# my-project/yarn.lock
"webpack@npm:^4, webpack@npm:4.44.1":
  version: 4.44.1

I'm using renovate to manage my dependencies, which can run npm dedupe or yarn dedupe after every update (docs). This means that I don't have to run yarn dedupe myself so this is an acceptable solution for me.

Describe the drawbacks of your solution

Please let me quota the document from yarn-deduplicate --strategy fewer:

Note that this may cause some packages to be downgraded. Be sure to check the changelogs between all versions and understand the consequences of that downgrade. If unsure, don't use this strategy.

Describe alternatives you've considered

There is a RFC to fix this kind of issue at #1001 (which has an almost identical example). However, it seems that this PRC hasn't been implemented.

why not make it a plugin

Because we already have yarn dedupe --strategy highest.

[aaronadamsCA]

I would use this feature.

We use Renovate to pin every package to an exact version so we can test every upgrade. Sometimes a transitive dependency will cause a newer version to be added to the lock file as well. These duplicate dependencies are a common cause of broken tests/builds.

I expect yarn dedupe --strategy fewer would hold back the newer transitive dependency versions until we upgraded ours.

We are currently using resolutions as a workaround; for example we define resolutions: { "webpack": "5.72.1" }, and Renovate keeps this in lockstep with our individual packages' Webpack versions, ensuring we only ever get one version of Webpack. Of course this isn't much fun to maintain, and can't be used in every case.

[christophehurpeau]

Hi, if anyone is interested I forked yarn-deduplicate and made it work with yarn berry. (npm here: https://www.npmjs.com/package/yarn-berry-deduplicate)

Usage:

yarn dlx yarn-berry-deduplicate

Default strategy is fewerHighest (similar to running fewer then highest strategies with yarn-deduplicate) as highest did not make sense because it works out of the box with yarn berry.
The best would be an implementation in yarn, but deduping can solve issues so this temporary solution could help !

[JounQin]

@christophehurpeau Can you open the issues option for the repo?

I'm meeting:

Error: Function yaml.safeLoad is removed in js-yaml 4. Use yaml.load instead, which is now safe by default.
    at /Users/JounQin/Workspaces/GitHub/eslint-config-standard/node_modules/js-yaml/index.js:10:11
    at parseViaJsYaml (/Users/JounQin/Workspaces/GitHub/eslint-config-standard/node_modules/@yarnpkg/parsers/lib/syml.js:116:42)
    at Object.parseSyml (/Users/JounQin/Workspaces/GitHub/eslint-config-standard/node_modules/@yarnpkg/parsers/lib/syml.js:131:12)
    at parseYarnLock (/Users/JounQin/Workspaces/GitHub/eslint-config-standard/node_modules/yarn-berry-deduplicate/dist/yarnlock.js:6:45)
    at fixDuplicates (/Users/JounQin/Workspaces/GitHub/eslint-config-standard/node_modules/yarn-berry-deduplicate/dist/index.js:37:54)
    at Object.<anonymous> (/Users/JounQin/Workspaces/GitHub/eslint-config-standard/node_modules/yarn-berry-deduplicate/dist/cli.js:54:60)
    at Module._compile (node:internal/modules/cjs/loader:1734:14)
    at Object..js (node:internal/modules/cjs/loader:1899:10)
    at Module.load (node:internal/modules/cjs/loader:1469:32)
    at Function._load (node:internal/modules/cjs/loader:1286:12)

[christophehurpeau]

@JounQin I opened the issues thank you ! Please open an issue ideally with your node version and if you can add more details on how you ran the package (did you use yarn dlx ?) I'll take a look, thank you!

[JounQin]

@christophehurpeau I don't remember the reproduction place now, but I raised #6768 for it.