Merc

Reputation: 17057

npm: how are dependencies managed?

I installed express, mongodb, and mongoose. This is the result of my npm ls:

/home/merc/Bookings
├─┬ [email protected] 
│ └─┬ [email protected] 
│   └── [email protected] 
├─┬ [email protected] 
│ ├── [email protected] 
│ ├─┬ [email protected] 
│ │ ├── [email protected] 
│ │ ├── [email protected] 
│ │ ├── [email protected] 
│ │ └── [email protected] 
│ ├── [email protected] 
│ ├── [email protected] 
│ ├── [email protected] 
│ ├── [email protected] 
│ ├── [email protected] 
│ ├── [email protected] 
│ ├── [email protected] 
│ └─┬ [email protected] 
│   └── [email protected] 
├─┬ [email protected] 
│ ├── [email protected] 
│ └── [email protected] 
├─┬ [email protected] 
│ └── [email protected] 
└─┬ [email protected] 
  ├── [email protected] 
  ├─┬ [email protected] 
  │ └── [email protected] 
  └── [email protected] 

You can clearly see that for some reason Jade is in the root directory (I assume this happened when I ran "express"). But then again, "mongodb" is available in different versions (0.9.9 and 1.1.2), and so is bson (0.1.1 and a worrying 0.0.4).

Hence my questions: how are dependencies managed with npm? Does every package simply install whatever it likes, whichever version it picks?

I guess the question is: is this kind of duplication "normal", and "by design" so to speak?

Merc.

Upvotes: 1

Views: 241

Answers (1)

Michelle Tilley

Reputation: 159095

The short answer is, yes, this is by design. When you require a module from the node_modules directory, it uses the top-level directory--e.g., whichever one you specify in your package.json.

Other packages have their own package.json files, and are free to use whatever versions they want, and when they require them down in their own code, they will use their own node_modules folder.

Ideally, the modules you use have tests, etc. that ensure that versions (or even specify a range of versions, such as 0.9.x) of dependencies they specify work well, and seeing older versions of sub-dependencies in there doesn't necessarily mean danger, although new versions of these modules could of course potentially fix bugs and so forth. It may be worth finding a module you're concerned about on GitHub, downloading the repository, updating the package.json and dependencies yourself and running the tests to see if a new version works. If so, perhaps the author would be willing to accept a pull request with your update.

Upvotes: 2
