No duplicate dependencies in node_modules

ab-002043 · performance-deep-dive.regression-prevention.no-duplicate-dependencies
Severity: low · Status: active

Why it matters

Duplicate dependency versions (two copies of the same library installed at different versions, or the same version installed at two paths) silently inflate node_modules and the production bundle. Projects with complex dependency trees routinely end up with lodash@4.17.19 and lodash@4.17.21 both installed because two dependents declare ranges the package manager cannot satisfy with one copy, and both copies ship in the bundle. ISO/IEC 25010:2011 resource utilisation covers the storage and bandwidth waste; CWE-1104 (Use of Unmaintained Third Party Components) applies when the older copy carries a known vulnerability that the newer copy has patched: the fix is present in the tree, but the vulnerable code still runs for whichever dependent resolves to the old copy.

Severity rationale

Low because duplicate dependencies waste disk space and add bundle weight, and in most cases do not cause correctness failures; the impact is proportional to the size and count of the duplicated packages. Two caveats keep this from being purely cosmetic: packages that rely on a single shared instance (react is the common case, where a second copy breaks hooks and context) do fail when duplicated, and a duplicated old version can keep a patched vulnerability alive, which is a finding in its own right rather than a performance issue.

Remediation

Run npm find-dupes (npm 7+, a dry run of npm dedupe that lists what would be removed) or npm ls <package> --all to identify duplicate versions; note that npm ls --depth=0 lists only direct dependencies and will not show nested copies. Then deduplicate with a single command.

# In project root: hoists packages that can share one copy and rewrites package-lock.json
npm dedupe

# For pnpm (rewrites pnpm-lock.yaml so one version satisfies every range it can):
pnpm dedupe

# For Yarn 2+ (Yarn 1 has no built-in command; npx yarn-deduplicate does the same job):
yarn dedupe

# Verify no duplicates remain: each package should appear once, or as "deduped"
npm ls lodash react --all

If duplicates persist after deduplication (usually because two dependents declare incompatible ranges), pin a single version from package.json: an overrides field for npm 8.3+, resolutions for Yarn, or pnpm.overrides for pnpm. Pin to the newest version, reinstall, and run the test suite, since forcing a version onto a dependent that asked for a different range can break that dependent.

Detection

  • ID: performance-deep-dive.regression-prevention.no-duplicate-dependencies

  • Severity: low

  • What to look for: Enumerate the installed versions of every package from the lock file (the packages map in package-lock.json, pnpm-lock.yaml, or yarn.lock) or with npm ls <package> --all / pnpm why <package>. Any package that appears at more than one version, or at more than one install path, is a duplicate. An unusually large node_modules for the size of the dependency list is a secondary signal worth following up.

  • Pass criteria: No package is installed at more than one version. npm ls --all and pnpm why show each package once (or marked deduped). node_modules size is consistent with the dependency list. Zero duplicate versions of any dependency over 50KB.

  • Fail criteria: Duplicate versions of dependencies installed (e.g., lodash@4.17.19 and lodash@4.17.21 both in node_modules). Accidental dual-installs detected.

  • Skip (N/A) when: Never — dependency deduplication applies to all projects.

  • Cross-reference: For bundle size impact of duplicates, see bundle-size-critical.

  • Detail on fail: "npm ls shows lodash 4.17.19 and 4.17.21 both installed — adds 500KB to node_modules" or "react 18.2.0 installed in two locations due to conflicting version constraints"

  • Remediation: Run npm dedupe (or pnpm dedupe / yarn dedupe) to deduplicate dependencies; if a version conflict remains, pin one version with an overrides (npm), resolutions (Yarn) or pnpm.overrides entry in package.json.

    # Run in project root to find and fix duplicates:
    npm find-dupes   # dry run: lists what dedupe would change
    npm dedupe       # or: pnpm dedupe / yarn dedupe
    
