[BUG] Transitive dependency version in Shrinkwrap is not honored in global installs

[RaphaelDDL]

Is there an existing issue for this?

• [X] I have searched the existing issues
• There is a relevant existing issue which is similar but with few differences: https://github.com/npm/cli/issues/5349

This issue exists in the latest npm version

• [X] I am using the latest npm

Current Behavior

Issue is reproducible in v18.18.0 (npm 9.8.1) and latest v20.10.0 (npm v10.2.3)

Consider the following project package.json:

    {
    "name": "cli-example",
    "version": "1.0.0",
    "description": "",
    "scripts": {
        "prepack": "npm -v && npm shrinkwrap"
    },
    "overrides": {
        "istanbul-lib-instrument": "5.1.0"
    },
    "dependencies": {
        "babel-plugin-istanbul": "6.1.1"
    }
    }

installing and creating a npm-shrinkwrap.json will contains the correct version installed according to the overrides (aka 5.1.0):

    "node_modules/istanbul-lib-instrument": {
      "version": "5.1.0",
      "resolved": "https://registry.npmjs.org/istanbul-lib-instrument/-/istanbul-lib-instrument-5.1.0.tgz",
      "integrity": "sha512-czwUz525rkOFDJxfKK6mYfIs9zBKILyrZQxjz3ABhjQXhbhFsSbo1HW/BFcsDnfJYJWA6thRR5/TUY2qs5W99Q==",
      "dependencies": {
        "@babel/core": "^7.12.3",
        "@babel/parser": "^7.14.7",
        "@istanbuljs/schema": "^0.1.2",
        "istanbul-lib-coverage": "^3.2.0",
        "semver": "^6.3.0"
      },
      "engines": {
        "node": ">=8"
      }
    },

Now, when this package is published using npm publish (for the example, I'm using local registry w/ verdaccio), it lists correctly during publish:

    npm notice 📦  [email protected]
    npm notice === Tarball Contents ===
    npm notice 34.7kB npm-shrinkwrap.json
    npm notice 373B   package.json

If you npm i [email protected] in a project, it installs and you can verify in the package-lock.json that node_modules/istanbul-lib-instrument version is correct as 5.1.0 per configured in overrides.

The issue happens when installing said package globally, that is, npm i -g [email protected]. In this case, checking the global npm folder for cli-example, under node_modules/istanbul-lib-instrument, the installed version is 5.2.1, ignoring the shrinkwrap defined version and installing the latest version available (5.2.1, as of this issue report).

According to this comment, https://github.com/npm/cli/issues/4889#issuecomment-1142578884 if a dependency has shrinkwrap itself, overrides won't work, but this is not the case, I double checked the packages, they don't have shrinkwrap, so that specific scenario does not apply to here.

There's a related bug reported in Aug 2022 https://github.com/npm/cli/issues/5349 but in that one, it was demonstrated with a direct dependency rather than a transitive (though it does mention happening on transitive). My issue is similar, but in a way that this happens on global install, even if we lock the version on package (without ^).

This issue happened recently where a transitive dependency updated version and broke jest tests, therefore our CI pipelines were dead for the rest of the day due global installation updating it to latest, even though our package shrinkwrap had a lower version on it.

Expected Behavior

It is expected that a version number locked in package and shrinkwrap should be installed, instead of whichever number is latest, both in a direct installation (working as expected) and in global installations (this issue)

Steps To Reproduce

• Create a directory, touch package.json and paste following content

    {
    "name": "cli-example",
    "version": "1.0.0",
    "description": "",
    "scripts": {
        "prepack": "npm -v && npm shrinkwrap"
    },
    "overrides": {
        "istanbul-lib-instrument": "5.1.0"
    },
    "dependencies": {
        "babel-plugin-istanbul": "6.1.1"
    }
    }

• npm i
• verify in node_modules/istanbul-lib-instrument/package.json that installed version is 5.1.0
• npm shrinkwrap
• npm publish to the registry of choice (you can use verdaccio for local registry, remember to configure .npmrc)
• npm i -g [email protected]
• Go to npm installation folder, browse cli-example folder, verify in node_modules/istanbul-lib-instrument/package.json that installed version is NOT 5.1.0 (at the time of this issue, 5.2.1)

Environment

• npm: both 9.8.1 and 10.2.3
• Node.js: both 18.18.0 and 20.10.0
• OS Name: Mac OSX 12.3.1 Monterey
• System Model Name: Macbook Pro
• npm config:

; "user" config from /Users/raphael.oliveira/.npmrc

//localhost:4873/:_authToken = (protected)
registry = "http://localhost:4873/"

; node bin location = /Users/raphael.oliveira/.nvm/versions/node/v20.10.0/bin/node
; node version = v20.10.0
; npm local prefix = /Users/raphael.oliveira/Workspace/myCLI
; npm version = 10.2.3
; cwd = /Users/raphael.oliveira/Workspace/myCLI
; HOME = /Users/raphael.oliveira

[andrewdibiasio6]

This issue has been breaking my CI builds. Is there any workarounds for this? This happens for me without overrides. Shouldn't my dependencies in my shrinkwarp be honored?

[smcphail]

Also experiencing this. Adding overrides made no difference either. Current workaround is to add the transitive dependency as a direct dependency with the required version.

[chunwing-lam]

Also experiencing this. Adding overrides made no difference either. Current workaround is to add the transitive dependency as a direct dependency with the required version.

We also just faced the same issue. It broke our CI build suddenly because the transitive dependency has breaking changes in minor release.