Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[DOCS] Please document "The overrides key will only be considered when it is in the root package.json file for a project" #4517

Closed
2 tasks done
AlanSl opened this issue Mar 7, 2022 · 2 comments · Fixed by #7367
Closed
2 tasks done

[DOCS] Please document "The overrides key will only be considered when it is in the root package.json file for a project" #4517

AlanSl opened this issue Mar 7, 2022 · 2 comments · Fixed by #7367
Labels
config:overrides Issues dealing with the overrides feature Documentation documentation related issue Priority 2 secondary priority issue

Comments

@AlanSl
Copy link

AlanSl commented Mar 7, 2022
edited
Loading

Is there an existing issue for this?

  • I have searched the existing issues

This is a CLI Docs Enhancement, not another kind of Docs Enhancement.

  • This is a CLI Docs Enhancement.

Description of Problem

The public documentation for the overrides package.json key doesn't mention any limitations regarding workspaces or monorepos.

However, it seems overrides don't work in workspace package.json files (from my testing they only work from the root package.json), and this appears to be by design - the RFC says:

Only Root Package May Contain Overrides

The overrides key will only be considered when it is in the root package.json file for a project. overrides in installed dependencies (including workspaces) will not be considered in dependency tree resolution. Thus, there is no cascading overrides between multiple different package.json files at any given time.

Published packages may dictate their resolutions by pinning dependencies or using an npm-shrinkwrap.json file.

Applying overrides for workspaces and installed dependencies may be considered in a future RFC. However, there are considerable challenges in the implementation, user expectations, and security of such an approach.

Most package.json keys work in both root and workspace files, so this is a specific limitation of overrides that should be documented in the overrides docs.

I certainly expected overrides to work in workspaces as well as the project root based on having read the documentation, and I only discovered the RFC note after browsing recent overrides-related issues and finding #4205

Potential Solution

  1. Add a line in the Overrides documentation saying something like:

In a monorepo with workspaces, overrides may only be defined in the project root package.json. Overrides within workspace package.json files are ignored.

  1. Maybe also log a warning or error on running npm install if a workspace's package.json has an overrides key, rather than the feature just failing silently? Like:

Warning: overrides found in workspace ${workspaceName}. Overrides may only be set in the project root.

Docs URL

https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
@AlanSl AlanSl added Documentation documentation related issue Needs Triage needs review for next steps labels Mar 7, 2022
@AlanSl AlanSl mentioned this issue Mar 7, 2022
Closed
2 tasks
@nlf nlf added Priority 2 secondary priority issue and removed Needs Triage needs review for next steps labels Mar 7, 2022
@nlf
Copy link
Contributor

nlf commented Mar 7, 2022

Add a line in the Overrides documentation saying something like:

this is a great idea, if you'd like you're welcome to submit a pull request adding this to the docs.

Maybe also log a warning or error on running npm install if a workspace's package.json has an overrides key, rather than the feature just failing silently? Like:

i like this idea a lot as well. i'm currently working on cleaning up some of the issues with overrides, and i'll keep this on my radar.

@mjrobinson86 mjrobinson86 mentioned this issue May 12, 2022
Open
@jattasNI jattasNI mentioned this issue Jun 6, 2022
Merged
1 task
jattasNI added a commit to ni/nimble that referenced this issue Jun 6, 2022
@jattasNI
Update some 3rd party dependencies to latest and re-enable 'npm audit' (
216f8bc 
#589)

# Pull Request

## 🤨 Rationale

Fixes #581. We had disabled `npm audit` in our pipelines because of the vulnerability, but beachball published a fix this weekend: microsoft/beachball#666. 

## 👩‍💻 Implementation

1. Install latest version of beachball
2. Re-enable `npm audit` commands in `main.yml`. This revealed new vulnerabilities in several `devDependencies`:  `ejs`, `event-source`, and `json-schema`.
3. Run `npm update` for each of the above dependencies and also `jsprim`, which was needed to get the fixed `json-schema` (`jsprim` pins its deps to exact versions)

I looked into [npm overrides](https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides) which are intended for this purpose but they're not ready for prime time ([poorly documented workspace support](npm/cli#4517) and bizarrely [not usable with an existing package-lock.json](npm/cli#4232) with our current npm version.

## 🧪 Testing

Relying on pipeline.

## ✅ Checklist


- [x] I have updated the project documentation to reflect my changes or determined no changes are needed.
@darcyclarke darcyclarke added the config:overrides Issues dealing with the overrides feature label Jul 11, 2022
@maunzCache
Copy link

maunzCache commented Dec 12, 2022
edited
Loading

Finally a thread that explains my pains. The ERR! on npm install is not nearly enough to consider why this does not work.
A workaround btw is to run it with --force or --legacy-peer-deps which i would not recommend.

Edit: Maybe we need a follow-up on some linters as they consider the "overrides" keyword a valid one in this context, but i would be glad if they were aware of the workspace and would notify it when found in my package.json.

@jonaskello jonaskello mentioned this issue Apr 14, 2023
Open
2 tasks
@sfc-gh-dszmolka sfc-gh-dszmolka mentioned this issue Jul 20, 2023
Closed
jamesscottbrown added a commit to Greater-London-Authority/ldn-viz-tools that referenced this issue Oct 9, 2023
@jamesscottbrown
fix dependency versions
de27db3 
Layercake 8.0.0 doesn't support Svelte 4.2.0.
Overrides for sub-dependency versions must be in top-level package.json file: npm/cli#4517
jamesscottbrown added a commit to Greater-London-Authority/ldn-viz-tools that referenced this issue Oct 9, 2023
@jamesscottbrown
fix dependency versions
aede7cc 
Layercake 8.0.0 doesn't support Svelte 4.2.0.
Overrides for sub-dependency versions must be in top-level package.json file: npm/cli#4517
@s100 s100 mentioned this issue Apr 11, 2024
Merged
wraithgar pushed a commit that referenced this issue Apr 11, 2024
@s100
docs: Document that overrides only work in the root package.json (#…
c16dd4e 
…7367)

<!-- What / Why -->
<!-- Describe the request in detail. What it does and why it's being
changed. -->
Add documentation explaining that the `package.json` `"overrides"` field
only takes effect at the root `package.json` of a project. Most of this
text is copied from [the
RFC](https://github.com/npm/rfcs/blob/main/accepted/0036-overrides.md#only-root-package-may-contain-overrides)
which originally described this feature.

## References
Fixes #4517.
@jwhitlock jwhitlock mentioned this issue Sep 11, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
config:overrides Issues dealing with the overrides feature Documentation documentation related issue Priority 2 secondary priority issue
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

docs: Document that overrides only work in the root package.json
4 participants
@maunzCache @nlf @darcyclarke @AlanSl