[BUG] Overrides prevent npm update
and npm audit fix
from replacing eligible dependencies
#7987
Open
2 tasks done
Labels
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Given a dependency tree like:
npm update
andnpm audit fix
won't update dependencyd
if this is an override directive related toc
; Arborist's resolution will beKEEP
. This is true even if the update ofd
would fall withinc
's semver range ford
.I've found one combination of overrides that exhibits this, but I don't know the exact requirements. I'm not confident that you have to have 4+ levels of dependencies.
Arborist's
canReplaceWith
returnsfalse
due this check:cli/workspaces/arborist/lib/node.js
Lines 1009 to 1012 in f7da341
Expected Behavior
npm update
andnpm audit fix
update dependencyd
's version if the new version is compatible withc
's semver range ford
.Steps To Reproduce
For this repro, we'll attempt to update
nanoid
to3.3.8
or higher.nanoid
is a dependency ofpostcss
.Setup
Start from https://github.com/hashtagchris/npm-test-packages/tree/hashtagchris-overrides-breaks-npm-update/workspaces/updateable-dependency, or do the following:
dependencies
andoverrides
:npm i
to produce apackage-lock.json
and populatenode_modules
.npm ls nanoid
and verify3.3.8
or higher was chosen for the fresh install.nanoid@3.3.7
. Using yq:yq -i '(.packages["node_modules/nanoid"]) += {"version":"3.3.7", "resolved":"https://registry.npmjs.org/nanoid/-/nanoid-3.3.7.tgz", "integrity": "sha512-eSRppjcPIatRIMC1U6UngP8XFcz8MQWGQdt1MTBQ7NaAmvXDfvNxbvWV3x2y6CdEUciCSsDHDQZbhYaB8QEo2g=="}' package-lock.json
npm i
to updatenode_modules
npm ls nanoid
to verify3.3.7
is now in useRepro
npm update nanoid
ornpm update nanoid -ddd 2>&1 | grep 'placeDep ROOT'
npm ls nanoid
to check if the version changedExpected:
nanoid
is updated to3.3.8
(again)Actual:
nanoid
isn't updatedEnvironment
The text was updated successfully, but these errors were encountered: