firebase packages cause many duplicate tslib copies

[AviVahl]

[REQUIRED] Describe your environment

• Operating System version: Fedora 32
• Browser version: Firefox 75
• Firebase SDK version: 7.14.2
• Firebase Product: 12 of them (auth, database, storage, etc)

[REQUIRED] Describe the problem

@firebase/app (and 11 others) specifies tslib without a caret in its package.json.

When a patch version gets released (like just now), other requests get upgraded, and firebase packages each has a duplicate older version.

Steps to reproduce:

mkdir bug
cd bug
npm init -y
npm i firebase typescript tslib

look in node_modules/@firebase/*/node_modules/tslib <--- duplicates! many of them!

Relevant Code:

https://github.com/firebase/firebase-js-sdk/blob/master/packages/app/package.json#L36
(and all other package.json files specifying dependencies).

Suggested solution

Avoid pinning versions. It blocks downstream users from receiving bug fixes and security updates until you release a new version containing said updates. It is also a reason for many duplicates and generally known to be de-duping killer.

The risk of downstream users breaking from a 3rd party update is much lower when projects use lock files. And these pinned versions only work for the first level, so 4th party dependencies can still potentially break, rendering the pinning approach useless. imho, it causes more harm than good, and should be used with caution (I usually use it as a temporary workaround, only when breaks occur and when upstream isn't responsive).

Thank you. Your work is much appreciated.

[google-oss-bot]

I couldn't figure out how to label this issue, so I've labeled it for a human to triage. Hang tight.

[AviVahl]

Thanks!