[BUG] Fresh npm install abides by overrides but subsequent installs revert

[melink14]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

1. Doing an npm i with new overrides does not completely override all dependencies. It seems deeper dependencies are more likely to not be updated.
2. Deleting package-locka and node_modules then running npm i does override all deps as expected.
   1. npm ls reports invalid versions in this state and npm ci reports out of sync until an npm i runs again.
   2. npm audit reports clean pass
3. Upon running npm i again, the 'invalid' nodes get updated in package-lock.json but are still listed as invalid by npm i
   1. npm audit reports failure.

Aftert fresh install with overrides:

rikaikun@2.3.2 /home/espeed/projects/rikaikun                                                                                                                                                                                                                     
├─┬ eslint@8.13.0                                                                                                                                                                                                                                                 
│ └── glob-parent@6.0.2                                                                                                                                                                                                                                           
├─┬ snowpack@3.8.8                                                                                                                                                                                                                                                
│ └─┬ chokidar@3.5.3                                                                                                                                                                                                                                              
│   └── glob-parent@6.0.2 deduped                                                                                                                                                                                                                                 
├─┬ stylelint@14.6.1                                                                                                                                                                                                                                              
│ └─┬ fast-glob@3.2.11                                                                                                                                                                                                                                            
│   └── glob-parent@6.0.2 deduped invalid: "^5.1.2" from node_modules/fast-glob                                                                                                                                                                                   
└─┬ ts-lit-plugin@1.2.1                                                                                                                                                                                                                                           
  └─┬ lit-analyzer@1.2.1                                                                                                                                                                                                                                          
    └─┬ fast-glob@2.2.7                                                                                                                                                                                                                                           
      └── glob-parent@6.0.2 deduped invalid: "^5.1.2" from node_modules/fast-glob, "^3.1.0" from node_modules/lit-analyzer/node_modules/fast-glob   

After subsequetn npm i

rikaikun@2.3.2 /home/espeed/projects/rikaikun                                                                                                                                                                                                                     
├─┬ eslint@8.13.0                                                                                                                                                                                                                                                 
│ └── glob-parent@6.0.2                                                                                                                                                                                                                                           
├─┬ snowpack@3.8.8                                                                                                                                                                                                                                                
│ └─┬ chokidar@3.5.3                                                                                                                                                                                                                                              
│   └── glob-parent@6.0.2 deduped                                                                                                                                                                                                                                 
├─┬ stylelint@14.6.1                                                                                                                                                                                                                                              
│ └─┬ fast-glob@3.2.11                                                                                                                                                                                                                                            
│   └── glob-parent@5.1.2 invalid: ">5.1.2" from node_modules/fast-glob                                                                                                                                                                                           
└─┬ ts-lit-plugin@1.2.1                                                                                                                                                                                                                                           
  └─┬ lit-analyzer@1.2.1                                                                                                                                                                                                                                          
    └─┬ fast-glob@2.2.7                                                                                                                                                                                                                                           
      └── glob-parent@3.1.0 invalid: ">5.1.2" from node_modules/lit-analyzer/node_modules/fast-glob

Expected Behavior

After adding overrides and running npm i, all packages should be overriden even if it's not fresh install.

Steps To Reproduce

1. Checkout https://github.com/melink14/rikaikun
2. Add override so final block looks like:

  "overrides": {
    "esbuild": "0.14.0",
    "glob-parent": ">5.1.2"
  },

3. Follow steps above to note problems.

Environment

• npm: 8.6.0
• Node.js: v16.13.0
• OS Name: Pengwin running on Windows 10
• System Model Name: Custom PC

[melink14]

See #4232 (comment) for separate report of this issue on old bug.

[melink14]

I'm hoping this is also fixed by #4709 but the other bugs referenced by that don't really talk about this exact behavior so I wanted to open it specifically.

I do note that the out of sync error after npm ci is the same so that is at least a good sign.

[melink14]

Can no longer reproduce this in 8.7!

Great work and thanks for including this. Will make handling downstream violations much easier!

[Especially]

Re-opening this as this does not seem to be fixed in 8.12.x