The str dependency inside of quick should be skipped, since ^1.0.0 is satisfied by 1.0.0. A regression in the code is not using the semantic version from the quick box.json correctly. This is just an example; it could affect any package.