
[BUG] subsequent installs breaks override dependencies in workspaces

Open ivanvaccari opened this issue 7 months ago • 2 comments

Is there an existing issue for this?

  • [x] I have searched the existing issues

This issue exists in the latest npm version

  • [X] I am using the latest npm

Current Behavior

Npm overrides are not respected in subsequent installs.

Output log on installs. First install: it adds the root node_modules.

PS C:\Users\IvanVaccari\Desktop\test-ws> npm i
npm warn deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm warn deprecated [email protected]: connect 2.x series is deprecated

added 135 packages, and audited 137 packages in 4s

23 vulnerabilities (2 moderate, 18 high, 3 critical)

To address issues that do not require attention, run:
 npm audit fix

To address all issues (including breaking changes), run:
 npm audit fix --force

Run `npm audit` for details.

Immediately re-run install. This changes the dependencies by adding a node_modules directory in the workspace module. I was not expecting this.

PS C:\Users\IvanVaccari\Desktop\test-ws> npm i

added 65 packages, and audited 67 packages in 3s

12 packages are looking for funding
 run `npm fund` for details

found 0 vulnerabilities
PS C:\Users\IvanVaccari\Desktop\test-ws> npm i
npm warn deprecated [email protected]: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm warn deprecated [email protected]: connect 2.x series is deprecated

added 117 packages, removed 47 packages, and audited 137 packages in 7s

23 vulnerabilities (2 moderate, 18 high, 3 critical)

To address issues that do not require attention, run:
 npm audit fix

To address all issues (including breaking changes), run:
 npm audit fix --force

Run `npm audit` for details.

Expected Behavior

Running npm install again on a freshly installed workspace should not change the dependency tree.

Steps To Reproduce

The target package is Express. The workspace module onepackage requires express ^3.0.0. The root package.json declares an override for express with version ^4.0.0.

  1. Clone the test repo at https://github.com/ivanvaccari/npm-workspace-issue-demo
  2. Run npm install in the root directory
  3. Check the root node_modules directory. It includes express ^4.0.0. No node_modules directory is present in onepackage
  4. Run npm install again in the root directory
  5. A node_modules directory is created in onepackage. It includes express ^3.0.0.
  6. This configuration does not respect the definition of overrides because now onepackage uses the outdated version of express

Environment

  • npm: 10.8.2
  • Node.js: 18.20.4
  • OS Name: Windows 10
  • npm config: default?
; "user" config from C:\Users\IvanVaccari\.npmrc

//registry.npmjs.org/:_authToken = (protected)

; node bin location = C:\Program Files\nodejs\node.exe   
; node version = v18.20.4
; npm local prefix = C:\Users\IvanVaccari\Desktop\test-ws
; npm version = 10.8.2
; cwd = C:\Users\IvanVaccari\Desktop\test-ws
; HOME = C:\Users\IvanVaccari
; Run `npm config ls -l` to show all defaults.

ivanvaccari, Jul 18 '24 08:07