[BUG] npm 8.x allows incorrect peer dependencies with no warning nor error #5760

Open
2 tasks done
jluxenberg opened this issue Oct 26, 2022 · 2 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments

@jluxenberg

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Consider the following dependency structure:
[Screenshot of the dependency structure: CleanShot 2022-10-26 at 16 11 32]

Current behavior:

  • Running npm install in "app" works without error.

Expected Behavior

I expect an error because "react: ^17.0.2" is incompatible with app's "react@18.0.0" dependency.

Steps To Reproduce

In this project:
npm-peer-deps-issue.tgz

With two packages app and dep1 and this directory structure:

npm-peer-deps-issue/app
npm-peer-deps-issue/app/package-lock.json
npm-peer-deps-issue/app/package.json
npm-peer-deps-issue/dep1
npm-peer-deps-issue/dep1/package-lock.json
npm-peer-deps-issue/dep1/package.json

app has this package.json:

{
  "name": "npm-peer-deps-issue",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "dependencies": {
    "dep1": "file:../dep1",
    "react": "^18.0.0"
  },
  "author": "",
  "license": "ISC"
}

dep1 has this package.json:

{
  "name": "dep1",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "peerDependencies": {
    "react": "^17.0.2"
  },
  "author": "",
  "license": "ISC"
}

Run npm install from app; notice that with npm@9.x we get an error (as expected) and with npm@8.x we do not get an error:

app $ npx npm@8.x --version
8.19.2
app $ npx npm@8.x install

up to date, audited 6 packages in 188ms

found 0 vulnerabilities
app $ npx npm@9.x --version
9.0.1
app $ npx npm@9.x install
npm ERR! code ERESOLVE
npm ERR! ERESOLVE unable to resolve dependency tree
npm ERR!
npm ERR! While resolving: npm-peer-deps-issue@1.0.0
npm ERR! Found: react@18.2.0
npm ERR! node_modules/react
npm ERR!   react@"^18.0.0" from the root project
npm ERR!
npm ERR! Could not resolve dependency:
npm ERR! peer react@"^17.0.2" from dep1@1.0.0
npm ERR! node_modules/dep1
npm ERR!   dep1@"file:../dep1" from the root project
npm ERR!
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR!
npm ERR!
npm ERR! For a full report see:
npm ERR! /Users/jared/.npm/_logs/2022-10-26T23_18_16_168Z-eresolve-report.txt

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/jared/.npm/_logs/2022-10-26T23_18_16_168Z-debug-0.log

Environment

  • npm: broken in 8.19.2; seems to work in 9.0.1
  • Node.js: v16.14.0
  • OS Name: macOS Monterey (12.6)
  • System Model Name: M1 MacBook
  • npm config:
$ npx npm@8.x config ls
; "env" config from environment

cache = "/Users/jared/.npm"
global-prefix = "/Users/jared/.nvm/versions/node/v16.14.0"
init-module = "/Users/jared/.npm-init.js"
local-prefix = "/Users/jared/workspace/spikes/npm-peer-deps-issue/app"
node-gyp = "/Users/jared/.nvm/versions/node/v16.14.0/lib/node_modules/npm/node_modules/node-gyp/bin/node-gyp.js"
prefix = "/Users/jared/.nvm/versions/node/v16.14.0"
user-agent = "npm/8.19.2 node/v16.14.0 darwin arm64 workspaces/false"
userconfig = "/Users/jared/.npmrc"

; node bin location = /Users/jared/.nvm/versions/node/v16.14.0/bin/node
; node version = v16.14.0
; npm local prefix = /Users/jared/workspace/spikes/npm-peer-deps-issue/app
; npm version = 8.19.2
; cwd = /Users/jared/workspace/spikes/npm-peer-deps-issue/app
; HOME = /Users/jared
; Run `npm config ls -l` to show all defaults.
@jluxenberg jluxenberg added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Oct 26, 2022
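
Added example (not part of the issue and not npm's code): a minimal check that a CI step could run independently of the npm version to flag the peer conflict reported above. It handles only caret and exact ranges and reports anything else as unverified; the function names are hypothetical, the manifest is dep1's from the issue, and the installed version is the react@18.2.0 shown in the npm@9 output.

```javascript
// Added example: minimal caret/exact peer-range check, not npm's resolver.
// Function names are hypothetical; sample data is taken from the issue above.
const parse = (v) => v.split('.').map(Number);

// Compare two [major, minor, patch] triples: negative, zero or positive.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Supports only "^x.y.z" and exact "x.y.z". Anything else returns null so the
// caller reports it as unverified instead of silently treating it as compatible.
function satisfies(version, range) {
  const m = /^(\^?)(\d+)\.(\d+)\.(\d+)$/.exec(range);
  if (!m || !/^\d+\.\d+\.\d+$/.test(version)) return null;
  const low = [Number(m[2]), Number(m[3]), Number(m[4])];
  const v = parse(version);
  if (m[1] === '') return cmp(v, low) === 0;
  // Caret: the upper bound increments the left-most non-zero component.
  const i = low[0] > 0 ? 0 : low[1] > 0 ? 1 : 2;
  const high = low.map((n, k) => (k < i ? n : k === i ? n + 1 : 0));
  return cmp(v, low) >= 0 && cmp(v, high) < 0;
}

// One finding per peer requirement that is unmet, missing or unverifiable.
function findPeerConflicts(manifests, installed) {
  const findings = [];
  for (const pkg of manifests) {
    for (const [peer, range] of Object.entries(pkg.peerDependencies || {})) {
      const have = installed[peer] || null;
      const ok = have ? satisfies(have, range) : false;
      if (ok === true) continue;
      const status = ok === null ? 'unverified' : have ? 'conflict' : 'missing';
      findings.push({ from: pkg.name, peer, range, installed: have, status });
    }
  }
  return findings;
}

// dep1's manifest from the issue; react 18.2.0 is what npm@9 reported as found.
const dep1 = { name: 'dep1', version: '1.0.0', peerDependencies: { react: '^17.0.2' } };
const installed = { react: '18.2.0', dep1: '1.0.0' };
console.log(JSON.stringify(findPeerConflicts([dep1], installed)));
```

A CI job would fail the build whenever the returned list is non-empty, which catches the mismatch even when the installer in use exits successfully.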
@jluxenberg
Author

Might be related to #5051, but this is a separate issue because it's not related to upgrading a lockfile.

@yunnysunny

dep1 has a peer dependency on react of ^17.0.2, which tells app to install a react version >= 17.0.0 and < 18.0.0, but app installs a react version greater than 18.0.0, so the incompatibility error occurred.
