deno.lock impacts which version is used, despite explicit version import

[Amatewasu]

We noticed (in this issue: honojs/middleware#803) that when a dependency is listed several times with different versions in the deno.lock file, different versions are somehow used in different part of the code (see the error message of this comment: honojs/middleware#803 (comment)). Even if an only explicit version is used in the code.

Reproduction example:

import { z } from 'npm:[email protected]'

import { zValidator } from 'npm:@hono/[email protected]'
import { Hono } from 'npm:[email protected]'

const app = new Hono().put(
  '/posts',
  zValidator('json', z.object({ id: z.number() })),
  (c) => {
    const json = c.req.valid('json')
    return c.json({ status: 'ok' })
  },
)

If we remove the deno.lock file, the type of the json variable is well inferred. If we have a deno.lock file with different versions, the type will be wrongly inferred to never because different versions will be used (see in this comment hono is used in both versions 4.6.8 and 4.6.10).

I have noticed that if we only have one dependency in the deno.lock file, it works well:

  "specifiers": {
    "npm:@hono/[email protected]": "[email protected][email protected]",
    "npm:[email protected]": "3.23.8",
    "npm:[email protected]": "4.6.10"
  },

but if we have several times the dependency, it does not work:

  "specifiers": {
    "npm:@hono/[email protected]": "[email protected][email protected]",
    "npm:[email protected]": "3.23.8",
    "npm:[email protected]": "4.6.8",
    "npm:[email protected]": "4.6.10"
  },

$ deno --version
deno 2.0.6 (stable, release, x86_64-unknown-linux-gnu)
v8 12.9.202.13-rusty
typescript 5.6.2