set the overrides but it looks like not work

[lanmch]

pnpm version:

6.17.0

Code to reproduce the issue:

Recently, out project change from yarn to pnpm because of its speed. But when I install the modules, I find it not like what we expected.(Maybe I think the overrides property is like yarn resolution) Here is the package.json code

{
    "dependencies": {
        "@editor-kit/core": "3.37.0-rc.0"
    }
    "pnpm": {
        "overrides": {
                "@editor-kit/core": "3.37.0-rc.0"
        }
    }
}

Here is the node_modules Topology in .pnpm folder after pnpm install

Also in pnpm-lock.yaml file, I find the same version package(@editor-kit/core) with different hash.

Expected behavior:

Just one package will be install when I set the overrides

Actual behavior:

Many package, and these package have same version with different hash. Really expecting a reply!

Additional information:

Old and large project, there is too much dependencies

• node -v prints: 14.16.0
• Windows, macOS, or Linux?: macOS

[IlyaSemenov]

Note that overrides seem to be ignored in workspaces. If you use workspaces, what will help is if you move overrides to the root package.json (possibly create empty one first).

[lingxiao-Zhu]

same problems in pnpm workspace，version 6.15.1

[lanmch]

same problems in pnpm workspace，version 6.15.1

你在packageExtension里面设置一下，把peerdependencies设置成*，就可以避免这个问题了。可以在lark上交流

[sionzee]

~Something is definitely wrong,~ Check // Edit 2

in my case I had this in package.json:

  "pnpm": {
    "overrides": {
      "jsdom": "^19.0.0"
    }
  },

I have modified the file by opening it and writting there semantic-release ...:

  "pnpm": {
    "overrides": {
      "jsdom": "^19.0.0",
      "semantic-release": "^19.0.2"
    }
  },

Then ran pnpm install which said:

pnpm i
Scope: all 5 workspace projects
Lockfile is up-to-date, resolution step is skipped
Already up-to-date

but

pnpm-lock.yaml says:

lockfileVersion: 5.3

overrides:
  jsdom: ^19.0.0

importers:
....

Sounds like it somehow ignored the newly added overriden value?

pnpm -v 6.32.3

// Edit I have tried to remove the overrides property from the package.json and after pnpm install it is still listed in the pnpm-lock.yaml file under overrides tab.

Even when I removed the pnpm-lock.yaml file, the pnpm install recreates it with overrides property inside.

// Edit 2 Nevermind, looks like my package.json was not updating properly, IDE was showing updated values but cat in CLI shown unmodified variant of the file.

[CobyPear]

Hello, I believe I'm also running into this issue. (Or quite possibly I'm misunderstanding how overrides work)

I'm seeing the override set in both package.json and pnpm-lock.yaml after running pnpm audit --fix, and pnpm install, however the version of the dependency in the lockfile still shows the old version (in this case minimist 1.2.5), but the override is asking for >=1.2.6. A few other dependencies have the same problem.

Running pnpm audit shows no vulns tho.

TLDR: it seems overrides are not being applied to pnpm-lock.yaml

[lanmch]

您好，我已收到您的邮件，我会尽快给您回复。

[413n]

Any update/solution found?

[bestickley]

Does deleting all your node_modules and then reinstalling help? I'm also running into this issue.

[lanmch]

您好，我已收到您的邮件，我会尽快给您回复。

[samuelpetroline]

Note that overrides seem to be ignored in workspaces. If you use workspaces, what will help is if you move overrides to the root package.json (possibly create empty one first).

This solution worked for me. Also, make sure to regenerate your lockfile pnpm install --fix-lockfile

[morriswinkler]

pnpm --version
7.8.0

root folder package.json

  "pnpm": {
        "overrides": {
            "terser@>=5.0.0 <5.14.2": ">=5.14.2"
        }
    }

pnpm-lock.yaml after pnpm install

overrides:
  terser@>=5.0.0 <5.14.2: '>=5.14.2'

  /@nrwl/node/14.1.9_rxth3vu7uqsqsbv3sw45o5zan4:
    resolution: {integrity: sha512-p3TxPZxMTCAF1P4JT/THWwqY3q8f/Pfpy0iAK9bjQ/y8sf89yuEQGPIL+ZdFbhB9tSPGB+Z/KArtyOBrcvBUVA==}
    dependencies:
      '@nrwl/devkit': [email protected]
      '@nrwl/jest': 14.1.9_zyjyql4vrws2e3dlcmculsfl64
      '@nrwl/js': 14.1.9_fsqoc4b7rvscsk67gqchq7wfwy
      '@nrwl/linter': 14.1.9_do52n5atlgggvlg34rjob6rbam
      '@nrwl/workspace': 14.1.9_fiqdsaqwobgw6ewevb2b22olhq
      chalk: 4.1.0
      copy-webpack-plugin: [email protected]
      enhanced-resolve: 5.9.3
      fork-ts-checker-webpack-plugin: 6.2.10_emg3wltpsrflttkk66ka66uori
      fs-extra: 10.1.0
      glob: 7.1.4
      license-webpack-plugin: [email protected]
      rxjs: 6.6.7
      rxjs-for-await: [email protected]
      source-map-support: 0.5.19
      terser-webpack-plugin: [email protected]
      tree-kill: 1.2.2
      ts-loader: 9.3.0_fz3vkvdtk4wrv742s4dvevasza
      ts-node: [email protected]
      tsconfig-paths: 3.14.1
      tsconfig-paths-webpack-plugin: 3.5.2
      tslib: 2.3.0
      webpack: 5.72.1
      webpack-merge: 5.8.0
      webpack-node-externals: 3.0.0
    transitivePeerDependencies:
      - '@swc/core'
      - bufferutil
      - canvas
      - esbuild
      - eslint
      - node-notifier
      - nx
      - prettier
      - supports-color
      - typescript
      - uglify-js
      - utf-8-validate
      - vue-template-compiler
      - webpack-cli
    dev: true


  /terser/5.13.1:
    resolution: {integrity: sha512-hn4WKOfwnwbYfe48NgrQjqNOH9jzLqRcIfbYytOXCOv46LBfWr9bDS17MQqOi+BWGD0sJK3Sj5NC/gJjiojaoA==}
    engines: {node: '>=10'}
    dependencies:
      acorn: 8.7.1
      commander: 2.20.3
      source-map: 0.8.0-beta.0
      source-map-support: 0.5.21
    dev: true

still broken for workspaces

[lanmch]

您好，我已收到您的邮件，我会尽快给您回复。

[ssijak]

It would be great having this work for workspaces

[chrisspiegl]

I just used the override feature in a workspace and it appears to be working when you apply the override in the root package.json file.

This is with version pnpm v7.29.3.

[zkochan]

Probably back when this issue was created, overrides did not override direct dependencies. This was changed.

Also, as it was already mentioned, the overrides only work if they are declared in the root of the workspace (in the root of the monorepo).

[dtothefp]

It seems counterintuitive that overrides would not work for workspaces because I was under the impression that workspaces can be used as a feature to coordinate a monorepo containing multiple applications and not just multiple packages. For example I might have the structure:

.pnpmfile.cjs
package.json
pnpm-lock.yaml
pnpm-workspace.yaml
apps
├── app-a
          ├── package.json
├── app-b
          ├── package.json
 packages
├── package-a
          ├── package.json
├── package-b
          ├── package.json

and my pnpm-workspace.yaml looks like this

packages:
  - apps/**
  - packages/**

It seems advantageous in a large monorepo where apps are owned by different teams that dependency overrides could be specified at the app workspace level. For example if app-a and app-b both depended upon lib-a which is consumed as a workspace and not as a published package, if lib-a has react as a dependency, and app-a wants to upgrade to react@18 whereas app-b wants to stay on react@17 it would seem useful to be able to specify app workspace level overrides rather than global overrides at the root package.json level. I'm wondering what you would suggest as best practice here @zkochan if it would be better for lib-a to specify react as a peerDependency or if there is a way to specify package versions for specific workspaces using something like the PNPM hooks?

Seems like one potential solution in yarn for this is no-hoist

[zhanzizhen]

when you set shared-workspace-lockfile=false, you should set overides in workspaces's package.json. Otherwise, set it in root package.json.

[lanmch]

您好，我已收到您的邮件，我会尽快给您回复。

[cassepipe]

@dtothefp I don't understand where you get the information that they don't work in workspaces, @chrisspiegl 's message above yours say they do.

Who is right ?

[lanmch]

您好，我已收到您的邮件，我会尽快给您回复。