Having installed @codemirror/lang-markdown into a project a while ago, and upgraded it a few times since then, I notice that the installed version of @lezer/markdown is still at v1.0.1 rather than the latest v1.0.2.
This makes sense, because @codemirror/lang-markdown only specifies "@lezer/markdown": "^1.0.0" as a dependency, but I wonder what the recommended method should be for keeping these kinds of sub-dependencies updated.
Should we install them independently into the project (i.e. treat @lezer/markdown as a peer dependency), or should @codemirror/lang-markdown have a more specific dependency on the latest version of @lezer/markdown?
npm is, unfortunately, rather dumb about transitive dependencies. When upgrading, killing the package lock and recreating it from scratch is usually the safest, but I guess on very large projects with some dependencies that they want to keep locked, that might be difficult as well.
This particular example was indirectly fixed by needing to import an extension from @lezer/markdown, which made it a direct dependency anyway.
For future reference, I found that npm update @lezer/markdown made the appropriate update to package-lock.json, so that would have been an acceptable solution.
I keep struggling with this as well. Updating one CodeMirror package often results in having to update all of them to avoid the dreaded “multiple CodeMirror state versions” error. This problem gets more pronounced since we have a monorepo with multiple packages using CodeMirror along with some third-party extensions that seem to use their own dependencies.
One annoying but effective approach is to add resolutions to the main package.json with all the actual package versions you want. It seems to work, but it is a pain to keep updated.