No duplicate dependencies in node_modules
Why it matters
Duplicate dependency versions (two or more copies of the same library installed at different versions because transitive dependencies declare incompatible ranges) silently inflate node_modules and the final bundle. Projects with complex dependency trees can end up with lodash@4.17.19 hoisted to the top level and lodash@4.17.21 nested under a transitive dependency, or the reverse, with both copies shipped to production. ISO 25010:2011 resource utilisation covers the storage and bandwidth waste. CWE-1104 (Use of Unmaintained Third-Party Components) applies when the older duplicate carries a vulnerability the newer version has already fixed: bumping the top-level dependency does not remove the nested copy that a transitive dependency still resolves to, so the patched project keeps shipping the vulnerable code.
Severity rationale
Low because duplicate dependencies mainly waste disk space and add bundle weight; the impact is proportional to the size and count of the duplicated packages. The exception is packages that must be loaded as a single instance at runtime (react is the common case), where a second copy can cause runtime failures rather than just bloat, and an older duplicate with a known vulnerability raises the severity to that of the vulnerability.
Remediation
Run npm find-dupes (npm 7+; the dry-run form of npm dedupe) or npm ls <package> --all to list every installed version of a package and the paths that hold it; pnpm why <package> does the same for pnpm. Then deduplicate with a single command.
# In project root: hoist packages so a single copy satisfies every dependent
npm dedupe
# For pnpm (re-resolves the lockfile, dropping older versions when a newer one satisfies all ranges):
pnpm dedupe
# Verify no duplicates remain: each package should appear at exactly one version
npm ls lodash react
If duplicates persist because transitive dependencies pin incompatible ranges, force a single version with an overrides field in package.json (npm 8.3+), a pnpm.overrides field (pnpm) or a resolutions field (Yarn). An override makes the dependent use a version it did not ask for, so re-run the test suite afterwards and check the dependent's changelog for breaking changes between the two versions.
Detection
- ID: no-duplicate-dependencies
- Severity: low
- What to look for: Count the unique dependencies in package.json, then enumerate the installed versions of each by reading the lock file or running npm ls <package> --all (npm) or pnpm why <package> (pnpm). A lock file with two entries for the same package name at different versions, or an unusually large node_modules for the declared dependency list, indicates duplicates.
- Pass criteria: No dependency is installed at more than one version. npm ls or pnpm why shows a single version per package. node_modules size is in proportion to the dependency list. Zero duplicate versions of any dependency over 50KB.
- Fail criteria: Duplicate versions of a dependency are installed (e.g., lodash@4.17.19 and lodash@4.17.21 both in node_modules). Accidental dual installs detected.
- Skip (N/A) when: Never; dependency deduplication applies to all projects.
- Cross-reference: For the bundle size impact of duplicates, see bundle-size-critical.
- Detail on fail: "npm ls shows lodash 4.17.19 and 4.17.21 both installed, adding 500KB to node_modules" or "react 18.2.0 installed in two locations due to conflicting version constraints"
- Remediation: Run npm dedupe or pnpm dedupe to deduplicate dependencies.
# Run in project root to find and fix duplicates:
npm dedupe
# or, for pnpm:
pnpm dedupe
External references
- cwe · CWE-1104 — Use of Unmaintained Third-Party Components
- slsa:1.0 · L2 — SLSA L2 — hosted build service; duplicate/unpinned deps weaken provenance
- iso-25010:2011 · performance-efficiency.resource-utilization — Resource Utilisation (performance efficiency)
Taxons
History
- 2026-04-18·v1.0.0·Initial import from performance-deep-dive·automated