fix(arborist): apply overrides across a file: link (backport release/v11) #9673
Merged
owlstronaut merged 1 commit on Jun 26, 2026
…npm#9671) (backport release/v11)

A root `overrides` entry targeting a transitive dependency was silently dropped when the path to that dependency crossed a `file:`/workspace link, so the dependency resolved to its un-overridden version and the lockfile pinned the wrong version. It reproduced under both the `hoisted` and `linked` install strategies, while the same override applied correctly when the dependency was reached without crossing a link.

Override rules propagate through dependency edges, but a Link and its target are not edge-connected, so they are bridged by forwarding the Link's `OverrideSet` to its target. That forwarding ran while the target's subtree was still unbuilt, so its guard found no matching rule and never forwarded, leaving the target and its descendant edges without the rule.

`buildIdealTree` now forwards a link's overrides to its target before the target's subtree is resolved, so descendant edges inherit the rule as they are added, matching how a registry node always inherits its ancestor's `OverrideSet`. `loadActual` now repropagates overrides through links once all edges are resolved, so a transitive override reached through a `file:` link is reported as `overridden` rather than `invalid` by `npm ls`.

Fixes npm#9659

(cherry picked from commit 968e42f)
owlstronaut approved these changes Jun 26, 2026
Backport of #9671 to `release/v11`.

A root `overrides` entry targeting a transitive dependency was silently dropped when the path to that dependency crossed a `file:`/workspace link, so the dependency resolved to its un-overridden version and the lockfile pinned the wrong version. It reproduced under both the `hoisted` and `linked` install strategies, while the same override applied correctly when the dependency was reached without crossing a link.

`buildIdealTree` now forwards a link's overrides to its target before the target's subtree is resolved, so descendant edges inherit the rule as they are added, matching how a registry node always inherits its ancestor's `OverrideSet`. `loadActual` now repropagates overrides through links once all edges are resolved, so a transitive override reached through a `file:` link is reported as `overridden` rather than `invalid` by `npm ls`.

Backport notes: clean cherry-pick except for the `#repropagateOverrides` comment, which conflicted only because `release/v11` does not have the adjacent `#applyPackageExtensions` method; resolved by keeping the v11 structure and applying the comment update.

References

Fixes #9659
Backport of #9671
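
One way to audit an existing lockfile for the symptom described above (a dependency pinned at its un-overridden version) is sketched below as an added example; it is not part of this pull request or of npm's code. It assumes the `packages` map of a lockfileVersion 2/3 `package-lock.json` and checks only flat, exact-version overrides; the function name, package names and sample data are constructed for illustration.

```javascript
// Added example (not npm or Arborist code): flag lockfile entries whose pinned
// version ignores an exact-version root override. Assumes the lockfileVersion
// 2/3 "packages" map; ranges, nested override rules and aliases are skipped.
const EXACT = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?$/;

function findUnappliedOverrides(pkg, lock) {
  const wanted = new Map(
    Object.entries(pkg.overrides || {})
      .filter(([, spec]) => typeof spec === 'string' && EXACT.test(spec))
  );
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const i = path.lastIndexOf('node_modules/');
    if (i === -1 || entry.link) continue; // root, link targets on disk, link stubs
    const name = path.slice(i + 'node_modules/'.length);
    const want = wanted.get(name);
    if (want && entry.version !== want) {
      findings.push({ path, name, expected: want, actual: entry.version });
    }
  }
  return findings;
}

// Constructed sample: the root overrides "leaf" to 1.0.1. "leaf" is reached
// once through "direct" and once across the file: link to ./local (via "mid").
const samplePkg = {
  name: 'root',
  dependencies: { local: 'file:./local', direct: '1.0.0' },
  overrides: { leaf: '1.0.1', other: '^2.0.0' },
};
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'root' },
    'local': { name: 'local', version: '1.0.0', dependencies: { mid: '1.0.0' } },
    'node_modules/local': { resolved: 'local', link: true },
    'node_modules/direct': { version: '1.0.0', dependencies: { leaf: '^1.0.0' } },
    'node_modules/leaf': { version: '1.0.1' },
    'node_modules/mid': { version: '1.0.0', dependencies: { leaf: '^1.0.0' } },
    'node_modules/mid/node_modules/leaf': { version: '1.0.0' },
  },
};
console.log(findUnappliedOverrides(samplePkg, sampleLock));
```

An empty result does not prove every override was honored, since range and nested overrides are not evaluated here; `npm ls` remains the authoritative report.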