it would be way easier if dependencies were a flat list and not a graph, aka peer in npm parlance. I believe that’s what go does. A library only need to say that it depends 1.x.x or 1.2.x and it’s up to the application to provide it. Conflict is handled manually.

The onus is on libraries developers to cleanup their act. Start vendoring code instead of depending on hundreds tiny libraries.