[BUG] Override doesn't update version number in `packages` section of lockfile

[jklingen]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

When using the overrides feature to mitigate a vulnerable transient dependency, the version number of the overridden package is not updated in the packages section of the lockfile.

Example

Excerpt from package.json

  "dependencies": {
    "svg2sprite-cli": "^2.0.1"
  },
  "overrides": {
    "trim-newlines": "^3.0.1"
  }

Excerpt from package-lock.json in packages > node-modules/meow > dependencies

        "trim-newlines": "^1.0.0"

This entry seems to raise a false-positive in a tool we use for checking for vulnerable dependencies.

Expected Behavior

I expect the vulnerable version no longer to appear in the lock file after it was overwritten.

In case this is actually intended behavior, is there any technical documentation on how the overrides feature should affect the contents of the lockfile?

Steps To Reproduce

1. On a local development machine, run npm install for the package.json file below.
2. Inspect the lockfile at packages > node-modules/meow > dependencies > trim-newlines

{
  "name": "npm-overrides-issue",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "svg2sprite-cli": "^2.0.1"
  },
  "overrides": {
    "trim-newlines": "^3.0.1"
  }
}

Environment

• npm: 8.6.0 and 8.5.5
• Node.js: v16.14.0
• OS Name: macOS
• System Model Name: MacBook Pro 2021
• npm config:

; "user" config from /Users/redacted/.npmrc

; redacted: custom registry configuration for internal dependencies, not related

; node bin location = /Users/redacted/.nvm/versions/node/v16.14.0/bin/node
; cwd = /Users/redacted/dev/npm-overrides-issue
; HOME = /Users/redacted
; Run `npm config ls -l` to show all defaults.

[klaframboise]

I had setup a quick example and was going to create an issue, but I'll share here instead in case more examples are helpful. Example repo

All the overridden dependencies have vulnerabilities in the versions used by node-heap-gc-cloudwatch. After install, the audit passes for aws-sdk and merge, but not for ini, minimist or tar.

[nlf]

i was able to reproduced this, and i believe #4709 fixes the last of these bugs.

i would note, however, that the dependencies field of the package that requires the overridden package will never be overwritten. the package itself, however, should reflect the actually installed version. the relevant bit of the lock file from the original issue here:

    "node_modules/meow": {
      "version": "3.7.0",
      "license": "MIT",
      "dependencies": {
        "camelcase-keys": "^2.0.0",
        "decamelize": "^1.1.2",
        "loud-rejection": "^1.0.0",
        "map-obj": "^1.0.1",
        "minimist": "^1.1.3",
        "normalize-package-data": "^2.3.4",
        "object-assign": "^4.0.1",
        "read-pkg-up": "^1.0.1",
        "redent": "^1.0.0",
        "trim-newlines": "^1.0.0"
      },
    },
    "node_modules/trim-newlines": {
      "version": "3.0.1",
      "resolved": "https://registry.npmjs.org/trim-newlines/-/trim-newlines-3.0.1.tgz"
    },

[nlf]

I had setup a quick example and was going to create an issue, but I'll share here instead in case more examples are helpful. Example repo

All the overridden dependencies have vulnerabilities in the versions used by node-heap-gc-cloudwatch. After install, the audit passes for aws-sdk and merge, but not for ini, minimist or tar.

this is a different issue. the ini, minimist, and tar packages in your tree are all being brought in by node-pre-gyp. the problem is gc-stats defines node-pre-gyp as a bundled dependency, which means its dependencies also get included in the bundle. because of this, the vulnerable versions of those dependencies are already present. we don't currently allow overriding of bundled dependencies, but it's something we can certainly discuss if you'd like to open an RRFC issue at https://github.com/npm/rfcs

[jklingen]

Thanks a lot for looking into this

the dependencies field of the package that requires the overridden package will never be overwritten

so that means that my expectation was wrong and everything works as designed - as far as I am concerned we can close this bug then.

[leschdom]

Just to add to the discussion what we noticed is that npm audit still reports vulnerable versions, which are explicitly stated in the overrides section (e.g. trim@0.0.1 while we use overrides with "trim": "0.0.3") - that wasn't the case before. Not sure if it relates to the issue mentioned in the description.

[jklingen]

So, the other issue I had was resolved with 8.7.0 - and my misconception above was corrected by @nlf's feedback.

For my part, this ticket can be closed. However, I haven't seen the npm audit problem mentioned above, so I assume it is not related. @leschdom If the problem persists, you might prefer to create a dedicated issue for better visibility?

[leschdom]

Hi @jklingen - I was also not able to re-produce the issue since I changed to npm 8.7.0 - so at least from my side this issue can also be closed 👍