[BUG] overrides in packages not honoured at the top level #5914

Open
2 tasks done
Tracked by #920
Stono opened this issue Dec 1, 2022 · 1 comment
Labels
Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release

Comments


Stono commented Dec 1, 2022

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Hello,
I've been doing quite a bit of searching, and I think what I have here is a bug... although happy to be told otherwise.

What I'm observing is that if a package we depend on specifies an overrides section, then it is ignored when we install that package.

So take the following hierarchy as an example (which is our exact use case):

our-application:
  -> our-internal-package
    -> some-public-package
      -> some-public-package-dependency

In our-internal-package we have:

  "dependencies": {
    "some-public-package": "version"
  },
  "overrides": {
    "some-public-package@version": {
      "some-public-package-dependency": "2.0.0"
    }
  }

When working on our-internal-package, doing an npm ls --tree correctly shows the override at 2.0.0.

However, when we install our-internal-package into our-application, the override appears to be ignored, and the latest version of some-public-package-dependency is installed (2.1.0). some-public-package references that with: ^2.0.0.

Expected Behavior

Nested overrides to be honoured in the installation tree.

Steps To Reproduce

See current behaviour. Happy to build a small app to demonstrate this if the info above is not sufficient, and the behaviour is confirmed to be a bug.

Environment

Versions:

  • Node: v18.12.1
  • NPM: 8.19.3

s100 commented Mar 8, 2023

We're seeing this issue too (Node 18.14.0, npm 9.3.1). Here is a concrete example.

npm install swagger-client@<version>

If you inspect swagger-client's package.json you will see:

{
  "overrides": {
    "@swagger-api/apidom-reference": {
      "@swagger-api/apidom-ns-asyncapi-2": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-api-design-systems-json": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-api-design-systems-yaml": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-asyncapi-json-2": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-asyncapi-yaml-2": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-json": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-openapi-json-3-0": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-openapi-json-3-1": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-openapi-yaml-3-0": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-openapi-yaml-3-1": "npm:-@0.0.1",
      "@swagger-api/apidom-parser-adapter-yaml-1-2": "npm:-@0.0.1"
    }
  }
}

swagger-client has a production dependency on @swagger-api/apidom-reference, which in turn has optional production dependencies on these various other @swagger-api/* packages. The overrides shown here are intended to make it so that swagger-client effectively "opts out" of these optional dependencies - they are replaced with version 0.0.1 of the tiny no-op package, -. When we inspect e.g. ./node_modules/@swagger-api/apidom-ns-asyncapi-2, what we should see is the (trivial) source code for -.

In practice, we find that these overrides fail. In ./node_modules/@swagger-api/apidom-ns-asyncapi-2 we see the full code of that package, and similarly for all the others.
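
Added example, not code from npm or from either commenter: npm's package.json documentation states that overrides are only considered in the root package.json, so a consuming project has to restate any override a dependency relies on (for instance one that pins a patched transitive version). This Node.js script lists overrides declared by installed packages that the root does not restate; the function names and the sample tree's versions are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');
const readJson = (file) => JSON.parse(fs.readFileSync(file, 'utf8'));

// Added example with hypothetical helper names. Walk a node_modules folder (scopes and
// nested installs included) and collect packages whose own package.json has "overrides".
function findDeclaredOverrides(nodeModulesDir, found = []) {
  if (!fs.existsSync(nodeModulesDir)) return found;
  for (const entry of fs.readdirSync(nodeModulesDir, { withFileTypes: true })) {
    // Symlinked workspaces are not Dirent directories, so they are skipped.
    if (!entry.isDirectory() || entry.name.startsWith('.')) continue;
    const dir = path.join(nodeModulesDir, entry.name);
    if (entry.name.startsWith('@')) { findDeclaredOverrides(dir, found); continue; }
    const manifest = path.join(dir, 'package.json');
    if (fs.existsSync(manifest)) {
      const pkg = readJson(manifest);
      if (pkg.overrides && Object.keys(pkg.overrides).length > 0) {
        found.push({ name: pkg.name, overrides: pkg.overrides });
      }
    }
    findDeclaredOverrides(path.join(dir, 'node_modules'), found);
  }
  return found;
}

// Heuristic: override keys a dependency declares that the root does not restate verbatim.
function overridesMissingFromRoot(rootDir) {
  const rootOverrides = readJson(path.join(rootDir, 'package.json')).overrides || {};
  return findDeclaredOverrides(path.join(rootDir, 'node_modules')).flatMap((dep) =>
    Object.keys(dep.overrides)
      .filter((key) => !(key in rootOverrides))
      .map((key) => ({ declaredBy: dep.name, key, wanted: dep.overrides[key] })));
}

// Constructed sample mirroring the hierarchy in the report (versions are made up).
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'overrides-audit-'));
  const write = (rel, json) => {
    const file = path.join(root, rel, 'package.json');
    fs.mkdirSync(path.dirname(file), { recursive: true });
    fs.writeFileSync(file, JSON.stringify(json));
  };
  write('.', { name: 'our-application', dependencies: { 'our-internal-package': '1.0.0' } });
  write('node_modules/our-internal-package', { name: 'our-internal-package',
    overrides: { 'some-public-package@1.0.0': { 'some-public-package-dependency': '2.0.0' } } });
  return root;
}

console.log(JSON.stringify(overridesMissingFromRoot(buildSampleTree()), null, 2));
```

The key comparison is exact, so a root override written with a different selector for the same package still shows up as missing and needs a manual look.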
