Dependencies duplicates management

@greweb edited this page Nov 17, 2023 · 2 revisions

Our projects rely heavily on many NPM libraries for the apps and the UI, the coin integrations, the various hardware wallet transports, and more. This reliance often leads to duplicated dependencies in our system. Over time, these duplicates accumulate as an unintended consequence of using pnpm-lock.yaml. While pnpm-lock.yaml is instrumental in locking and securing our dependencies, it does come with trade-offs. In certain situations, manual intervention is necessary. Below are some tips to address these issues.

Occasionally, the pnpm-lock.yaml file may diverge, causing the application to malfunction with subtle bugs, grow in size, or lose performance. This often occurs after attempts to add or update dependencies, or after resolving conflicts.

We have put in place non-regression automation that always compares your PR against the target branch (e.g., develop) to check for newly introduced duplicates.
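The kind of comparison described above can be sketched as follows. This is an added example, not the project's own automation; the function names are hypothetical, and it assumes lockfile package keys of the form /name@version: with an optional peer suffix in parentheses.

```javascript
// Added example: flag packages that gain an extra resolved version between two lockfiles.
// Assumption: keys under "packages:" look like "/name@1.2.3:" or "/name@1.2.3(peer@x):".
const KEY = /^  '?\/?(@?[^@\s']+)@([^(:'\s]+)(?:\(.*\))?'?:$/;
// Map each package name to the set of versions the lockfile resolves it to.
function resolvedVersions(lockText) {
  const versions = new Map();
  let section = "";
  for (const raw of lockText.split(/\r?\n/)) {
    const line = raw.trimEnd();
    const top = /^([A-Za-z]+):/.exec(line);
    if (top) { section = top[1]; continue; }   // track the top-level YAML section
    if (section !== "packages") continue;       // ignore importers, settings, ...
    const m = KEY.exec(line);
    if (!m) continue;
    if (!versions.has(m[1])) versions.set(m[1], new Set());
    versions.get(m[1]).add(m[2]);
  }
  return versions;
}

// Packages with more than one version in the PR lockfile AND more versions than in the base.
function introducedDuplicates(baseText, prText) {
  const base = resolvedVersions(baseText);
  const found = [];
  for (const [name, set] of resolvedVersions(prText)) {
    const before = base.has(name) ? base.get(name).size : 0;
    if (set.size > 1 && set.size > before) found.push({ name, versions: [...set].sort() });
  }
  return found.sort((a, b) => a.name.localeCompare(b.name));
}

// Constructed sample lockfiles (not taken from the repository).
const BASE_LOCK = `lockfileVersion: '6.0'

packages:

  /@noble/hashes@1.3.2:
    dev: false

  /bn.js@5.2.1:
    dev: false

  /semver@6.3.1:
    dev: false

  /semver@7.5.4:
    dev: false
`;
const PR_LOCK = BASE_LOCK + "\n  /bn.js@4.12.0:\n    dev: false\n";
console.log(introducedDuplicates(BASE_LOCK, PR_LOCK));
```
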

There is usually a way to deduplicate libraries; here are some tips for doing so.

(1) Safely Recovering a Broken pnpm-lock.yaml

To safely regenerate the pnpm-lock.yaml, follow these steps:

1. Retrieve the pnpm-lock.yaml from the develop branch:

git checkout origin/develop pnpm-lock.yaml

2. Run the pnpm install command:

pnpm i

(2) Manually Deduplicating a Library for Safe Updating

When a dependency, denoted as <dep>, is used by multiple packages with specified dependency patterns (e.g., 1.2.*), and these packages have locked versions at slightly different points (e.g., 1.2.3 and 1.2.4), you can instruct pnpm to unify them under a single version, such as 1.2.4. Execute the following command for the desktop project, or use pnpm -r to apply it across all libraries:

pnpm -r up <dep>