[BUG] npm dedupe is broken when used in conjunction with workspaces for all versions >=7.20.3 #4168

Closed
2 tasks done
hzuo opened this issue Dec 13, 2021 · 3 comments
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

hzuo commented Dec 13, 2021

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Inside an npm workspace, with packages package-a and package-z, if package-a depends on package-z, running npm dedupe will fail with the following error:

❯ npm dedupe
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/package-z - Not found
npm ERR! 404
npm ERR! 404  'package-z@*' is not in this registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm dedupe attempts to look up the sibling package in the remote npm registry rather than within the workspace itself.

Expected Behavior

npm should first look among the packages in the workspace before looking for a package in the remote registry.

Steps To Reproduce

Here's the repro for the bug:
https://github.com/hzuo/test-dedupe-workspaces

Simply run npm install and then npm dedupe to repro.

Environment

  • npm: 8.3.0
  • Node: 16.13.1
  • OS: macOS Big Sur 11.6
  • platform: Macbook Pro
  • npm config:
; node bin location = /Users/hzuo/.nvm/versions/node/v16.13.1/bin/node
; cwd = /Users/hzuo/git/tmp/test-dedupe-workspaces
; HOME = /Users/hzuo
@hzuo hzuo added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Dec 13, 2021

hzuo commented Dec 14, 2021

Interestingly the issue seems to bisect back to 7.20.2 => 7.20.3:

❯ npm --version
7.20.2

test-dedupe-workspaces on 🌱 main is 📦 v0.1.0 via 🤖 v16.13.1
❯ npm dedupe

up to date, audited 5 packages in 541ms

found 0 vulnerabilities

test-dedupe-workspaces on 🌱 main is 📦 v0.1.0 via 🤖 v16.13.1
❯ npm install -g npm@7.20.3

changed 18 packages, and audited 260 packages in 1s

11 packages are looking for funding
  run `npm fund` for details

8 vulnerabilities (7 moderate, 1 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Run `npm audit` for details.

test-dedupe-workspaces on 🌱 main is 📦 v0.1.0 via 🤖 v16.13.1
❯ npm dedupe
npm ERR! code E404
npm ERR! 404 Not Found - GET https://registry.npmjs.org/package-z - Not found
npm ERR! 404
npm ERR! 404  'package-z@*' is not in the npm registry.
npm ERR! 404 You should bug the author to publish it (or use the name yourself!)
npm ERR! 404
npm ERR! 404 Note that you can also install from a
npm ERR! 404 tarball, folder, http url, or git url.

npm ERR! A complete log of this run can be found in:
npm ERR!     /Users/hzuo/.npm/_logs/2021-12-13T23_58_40_642Z-debug.log

This issue seems likely related to #3637, but in this case the issue is with dedupe rather than install.

@hzuo hzuo changed the title [BUG] npm 8.x dedupe is broken when used in conjunction with workspaces [BUG] npm dedupe is broken when used in conjunction with workspaces for all versions >=7.20.3 Dec 14, 2021

hzuo commented Dec 14, 2021

If you rename package-z to package-b in the repro... npm dedupe will actually succeed!

I think this is because:

This is a pretty clear indication that dedupe is attempting to resolve against the remote registry first before looking at the local packages in the workspace.

hzuo commented Jan 22, 2022

Confirmed that #4230 fixes this issue, released in v8.3.2

@hzuo hzuo closed this as completed Jan 22, 2022
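
Added example, not part of the issue thread and not npm's code: a check that can run after `npm dedupe` to confirm that every workspace package in `package-lock.json` is still resolved as a link to its workspace folder rather than from a registry, which is the behaviour the issue expects. It assumes the lockfileVersion 2/3 `packages` map; the function names, the `packages/` folder layout and the registry URL in the sample are constructed.

```javascript
'use strict';
// Added example (not npm's code). Assumes the lockfileVersion 2/3 "packages" map,
// where a workspace sibling appears as node_modules/<name> with "link": true.

// Package name for a location such as "node_modules/a/node_modules/@scope/b".
function nameFromLocation(location) {
  const marker = 'node_modules/';
  const idx = location.lastIndexOf(marker);
  return idx === -1 ? null : location.slice(idx + marker.length);
}

// Reports workspace names installed as a non-link entry (unlinked)
// and workspace names that have no link entry at all (missing).
function checkWorkspaceLinks(workspaceNames, lock) {
  const names = new Set(workspaceNames);
  const linked = new Set();
  const unlinked = [];
  for (const [location, entry] of Object.entries(lock.packages || {})) {
    const name = nameFromLocation(location);
    if (name === null || !names.has(name)) continue; // not a workspace sibling
    if (entry.link === true) linked.add(name);
    else unlinked.push({ name, location, resolved: entry.resolved || null });
  }
  const missing = [...names].filter((n) => !linked.has(n));
  return { unlinked, missing, ok: unlinked.length === 0 && missing.length === 0 };
}

// Constructed sample lockfiles using the package names from the issue.
const LOCK_LINKED = { lockfileVersion: 2, packages: {
  '': { name: 'test-dedupe-workspaces', workspaces: ['packages/*'] },
  'node_modules/package-a': { resolved: 'packages/package-a', link: true },
  'node_modules/package-z': { resolved: 'packages/package-z', link: true },
  'packages/package-a': { version: '0.1.0', dependencies: { 'package-z': '*' } },
  'packages/package-z': { version: '0.1.0' },
} };
// Same tree, but package-z is satisfied by a registry tarball (constructed URL).
const LOCK_REGISTRY = { lockfileVersion: 2, packages: {
  ...LOCK_LINKED.packages,
  'node_modules/package-z': { version: '1.0.0',
    resolved: 'https://registry.example.test/package-z/-/package-z-1.0.0.tgz' },
} };

const siblings = ['package-a', 'package-z'];
console.log(checkWorkspaceLinks(siblings, LOCK_LINKED));
console.log(checkWorkspaceLinks(siblings, LOCK_REGISTRY));
```

In CI, pass the names from the workspace `package.json` files and the parsed `package-lock.json`, and fail the job when `ok` is false.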