v1: dependencies are pinned to exact versions, causing conflicts

[dobesv]

Initial checklist

• I read the support docs
• I read the contributing guide
• I agree to follow the code of conduct
• I searched issues and couldn’t find anything (or linked relevant results below)

Affected packages and versions

@mdx-js/mdx@npm:1.6.22

Link to runnable example

No response

Steps to reproduce

Visit https://github.com/mdx-js/mdx/blob/v1/packages/mdx/package.json

Notice how the dependencies of various packages are specified as exact versions instead of ranges:

"dependencies": {
"@babel/core": "7.12.9",
"@babel/plugin-syntax-jsx": "7.12.1",
"@babel/plugin-syntax-object-rest-spread": "7.8.3",
"@mdx-js/util": "1.6.22",
"babel-plugin-apply-mdx-type-prop": "1.6.22",
"babel-plugin-extract-import-names": "1.6.22",
"camelcase-css": "2.0.1",
"detab": "2.0.4",
"hast-util-raw": "6.0.1",
"lodash.uniq": "4.5.0",
"mdast-util-to-hast": "10.0.1",
"remark-footnotes": "2.0.0",
"remark-mdx": "1.6.22",
"remark-parse": "8.0.3",
"remark-squeeze-paragraphs": "4.0.0",
"style-to-object": "0.3.0",
"unified": "9.2.0",
"unist-builder": "2.0.3",
"unist-util-visit": "2.0.3"
}

This is a problem because having multiple versions of the same package installed can cause some issues. So this may be forcing users to that specific version of the package to avoid the issue. But then if there were two libraries doing this same thing, you might not be able to use them together.

I believe for babel in particular they are assuming all the core babel packages are kept in sync.

Expected behavior

Libraries should publish with version ranges.

Pinning to exact versions is only recommended for projects that are not published as libraries.

Actual behavior

Exact dependency versions are installed, potentially conflicting with dependencies from other packages and creating redudant copies.

Runtime

Node v16

Package manager

yarn v2

OS

Linux

Build and bundle tools

webpack

[ChristianMurphy]

@dobesv Thanks for reaching out.
I'd highly recommend trying out version 2, which does use version ranges, and has quite a few other improvements.

I'm not sure if this will be addressed in version 1 for a couple reasons:

1. I'm unsure if there are plans to add features or make potentially breaking changes to version 1, now that version 2 is a release candidate and will soon be generally available.
2. It's unclear that there is actually an issue, you don't provide a specific example of where this is happening. Which leads me to think that versions are currently pinned to synced versions.

also see this previous discussion for version 1 #865

[dobesv]

I'm not actually an mdx user, but I'm using storybook which has a dependency on mdx. And as a result of these dependencies, I have an extra copy of everything babel in my dependencies.

[ChristianMurphy]

Is there an actual error being thrown due to duplicates?
If so could you share what it is?

If not, I believe #865 (comment) still holds true.
On version 1 unpinning dependencies can cause runtime breakage.

I'm using storybook which has a dependency on mdx

Storybook 7 plans to include mdx 2 storybookjs/storybook#13491

[dobesv]

Not an error, no. Just wasting space with extra copies. But it sounds like this issue might be moot soon.