Skip to content

fix(arborist): apply overrides across a file:/workspace link boundary#9671

Merged
owlstronaut merged 2 commits into
npm:latestfrom
manzoorwanijk:fix/override-across-file-link
Jun 26, 2026
Merged

fix(arborist): apply overrides across a file:/workspace link boundary#9671
owlstronaut merged 2 commits into
npm:latestfrom
manzoorwanijk:fix/override-across-file-link

Conversation

@manzoorwanijk

Copy link
Copy Markdown
Contributor

A root overrides entry targeting a transitive dependency was silently dropped when the path to that dependency crossed a file:/workspace link, so the dependency resolved to its un-overridden version and the lockfile pinned the wrong version. It reproduced under both the hoisted and linked install strategies, while the same override applied correctly when the dependency was reached without crossing a link.

Override rules propagate through dependency edges, but a Link and its target are not edge-connected, so they are bridged by forwarding the Link's OverrideSet to its target. That forwarding ran while the target's subtree was still unbuilt, so its guard found no matching rule and never forwarded, leaving the target and its descendant edges without the rule.

buildIdealTree now forwards a link's overrides to its target before the target's subtree is resolved, so descendant edges inherit the rule as they are added, matching how a registry node always inherits its ancestor's OverrideSet. loadActual now repropagates overrides through links once all edges are resolved, so a transitive override reached through a file: link is reported as overridden rather than invalid by npm ls.

References

Fixes #9659

…IdealTree

A root override for a transitive dep was dropped when the path to that dep crossed a file:/workspace link boundary, so the dep resolved to its un-overridden version. The link target's overrides were never forwarded before its subtree resolved. Forward them in #resolveLinks so descendant edges inherit the rule.
…Actual

A file: link target's subtree resolves late, so repropagating overrides before edges were resolved missed the transitive match and npm ls reported the overridden edge as invalid. Run repropagation once all edges are resolved.
@manzoorwanijk manzoorwanijk marked this pull request as ready for review June 26, 2026 05:58
@manzoorwanijk manzoorwanijk requested review from a team as code owners June 26, 2026 05:58
@owlstronaut owlstronaut merged commit 968e42f into npm:latest Jun 26, 2026
24 checks passed
@manzoorwanijk manzoorwanijk deleted the fix/override-across-file-link branch June 26, 2026 13:30
@github-actions

Copy link
Copy Markdown
Contributor

⚠️ Backport to release/v11 failed.

This usually means the cherry-pick had conflicts. Please create a manual backport:

git fetch origin release/v11
git checkout -b backport/v11/9671 origin/release/v11
git cherry-pick -x 968e42fbd62eb3a6f446466359c9431f41d76b2b
# resolve any conflicts, then:
git push origin backport/v11/9671
Error details
Command failed: git cherry-pick -x 968e42fbd62eb3a6f446466359c9431f41d76b2b
error: could not apply 968e42fbd... fix(arborist): apply overrides across a file:/workspace link boundary (#9671)
hint: After resolving the conflicts, mark them with
hint: "git add/rm <pathspec>", then run
hint: "git cherry-pick --continue".
hint: You can instead skip this commit with "git cherry-pick --skip".
hint: To abort and get back to the state before "git cherry-pick",
hint: run "git cherry-pick --abort".
hint: Disable this message with "git config set advice.mergeConflict false"

@manzoorwanijk

Copy link
Copy Markdown
Contributor Author

Creating a manual backport...

@manzoorwanijk

Copy link
Copy Markdown
Contributor Author

Here you go #9673

owlstronaut pushed a commit that referenced this pull request Jun 26, 2026
…v11) (#9673)

Backport of #9671 to `release/v11`.

A root `overrides` entry targeting a transitive dependency was silently
dropped when the path to that dependency crossed a `file:`/workspace
link, so the dependency resolved to its un-overridden version and the
lockfile pinned the wrong version. It reproduced under both the
`hoisted` and `linked` install strategies, while the same override
applied correctly when the dependency was reached without crossing a
link.

`buildIdealTree` now forwards a link's overrides to its target before
the target's subtree is resolved, so descendant edges inherit the rule
as they are added, matching how a registry node always inherits its
ancestor's `OverrideSet`. `loadActual` now repropagates overrides
through links once all edges are resolved, so a transitive override
reached through a `file:` link is reported as `overridden` rather than
`invalid` by `npm ls`.

Backport notes: clean cherry-pick except for the `#repropagateOverrides`
comment, which conflicted only because `release/v11` does not have the
adjacent `#applyPackageExtensions` method; resolved by keeping the v11
structure and applying the comment update.

## References

Fixes #9659
Backport of #9671
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[BUG] overrides for a transitive dependency are dropped when it is reached through a file:/workspace link

2 participants