Opening a new issue since #4232 is getting crowded with other possibly unrelated bug reports. But this one I have confirmed.
From: #4232 (comment)
Note that the INITIAL install will abide by the override rules set, and the subsequent installs (e.g., run npm install twice) will ignore overrides.
I can confirm this is the behavior in the latest npm@8.19.2. This can be reproduced easily with the following package.json:
```json
{
  "name": "test",
  "version": "1.0.0",
  "engines": {
    "npm": ">=8.3.0"
  },
  "dependencies": {
    "json-server": "^0.17.0"
  },
  "overrides": {
    "json-server": {
      "package-json": "7.0.0"
    }
  }
}
```
- `npm install` in the folder containing only the above `package.json` --> 0 vulnerabilities
- Subsequent `npm install` right after the previous (so `node_modules` and `package-lock.json` exist) --> 5 vulnerabilities
- `npm update` --> 0 vulnerabilities
- `rm -rf node_modules/ && npm install` --> 5 vulnerabilities
- `rm package-lock.json && npm install` --> 5 vulnerabilities
- `rm -rf node_modules/ && rm package-lock.json && npm install` --> 0 vulnerabilities
From the above it can be concluded that the `overrides` property is only honored when running `npm install` for the first time (i.e. without `package-lock.json` and `node_modules` present) and when running `npm update`.
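A practical way to catch this silently ignored override in CI is to compare the pins declared under `overrides` against every version of that package actually recorded in `package-lock.json`. The script below is an added example written for this issue, not code from npm or from the issue author. It assumes a lockfile with the `packages` map keyed by `node_modules/...` paths (lockfileVersion 2 or 3), handles only exact version pins (not ranges or `$dep` references), and uses a constructed lockfile sample that models the state after the second `npm install`, where `package-json` was resolved to an older version than the override demands.

```python
import json
import sys
from typing import Dict, List, Optional

# Constructed sample lockfile (not from the issue): the root declares the override,
# but a nested package-json was installed at a version other than the pinned 7.0.0.
SAMPLE_LOCK = {
    "name": "test",
    "lockfileVersion": 3,
    "packages": {
        "": {
            "dependencies": {"json-server": "^0.17.0"},
            "overrides": {"json-server": {"package-json": "7.0.0"}},
        },
        "node_modules/json-server": {"version": "0.17.0"},
        # constructed "wrong" version to illustrate a violation
        "node_modules/json-server/node_modules/package-json": {"version": "6.5.0"},
    },
}


def overridden_packages(overrides: dict, acc: Optional[Dict[str, str]] = None) -> Dict[str, str]:
    """Flatten npm's nested overrides into {package_name: pinned_version}.

    Nested objects scope an override to a parent dependency; "." inside an object
    pins the parent itself. This check ignores the scoping and treats every leaf
    pin as global, which is conservative for detection purposes.
    """
    acc = {} if acc is None else acc
    for name, spec in overrides.items():
        if isinstance(spec, dict):
            if "." in spec:
                acc[name] = spec["."]
            overridden_packages({k: v for k, v in spec.items() if k != "."}, acc)
        else:
            acc[name] = spec
    return acc


def installed_versions(lock: dict, name: str) -> List[str]:
    """Every version of `name` recorded in the lock's packages map, at any nesting depth."""
    versions = []
    for path, entry in lock.get("packages", {}).items():
        # The package name is whatever follows the last "node_modules/" segment;
        # this also works for scoped names like "@scope/pkg".
        if path.split("node_modules/")[-1] == name and "version" in entry:
            versions.append(entry["version"])
    return versions


def find_override_violations(lock: dict) -> Dict[str, List[str]]:
    """Return {package: [offending versions]} for every override pin not honored."""
    root = lock.get("packages", {}).get("", {})
    pins = overridden_packages(root.get("overrides", {}))
    violations: Dict[str, List[str]] = {}
    for name, pinned in pins.items():
        bad = [v for v in installed_versions(lock, name) if v != pinned]
        if bad:
            violations[name] = bad
    return violations


def main() -> int:
    # Usage: python check_overrides.py [path/to/package-lock.json]
    # With no argument the constructed sample is checked instead.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            lock = json.load(fh)
    else:
        lock = SAMPLE_LOCK
    violations = find_override_violations(lock)
    for name, versions in violations.items():
        print(f"override for {name} not honored: found {', '.join(versions)}")
    return 1 if violations else 0


if __name__ == "__main__":
    sys.exit(main())
```

Running it against a real lockfile after each of the `npm install` variants above would exit non-zero exactly in the cases the issue reports as "5 vulnerabilities", which makes the regression visible before `npm audit` runs.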