-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[DOCS] Please document "The overrides key will only be considered when it is in the root package.json file for a project" #4517
Comments
this is a great idea, if you'd like you're welcome to submit a pull request adding this to the docs.
i like this idea a lot as well. i'm currently working on cleaning up some of the issues with overrides, and i'll keep this on my radar. |
#589) # Pull Request ## 🤨 Rationale Fixes #581. We had disabled `npm audit` in our pipelines because of the vulnerability, but beachball published a fix this weekend: microsoft/beachball#666. ## 👩💻 Implementation 1. Install latest version of beachball 2. Re-enable `npm audit` commands in `main.yml`. This revealed new vulnerabilities in several `devDependencies`: `ejs`, `event-source`, and `json-schema`. 3. Run `npm update` for each of the above dependencies and also `jsprim`, which was needed to get the fixed `json-schema` (`jsprim` pins its deps to exact versions) I looked into [npm overrides](https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides) which are intended for this purpose but they're not ready for prime time ([poorly documented workspace support](npm/cli#4517) and bizarrely [not usable with an existing package-lock.json](npm/cli#4232) with our current npm version. ## 🧪 Testing Relying on pipeline. ## ✅ Checklist - [x] I have updated the project documentation to reflect my changes or determined no changes are needed.
Finally a thread that explains my pains. The ERR! on npm install is not nearly enough to consider why this does not work. Edit: Maybe we need a follow-up on some linters as they consider the "overrides" keyword a valid one in this context, but i would be glad if they were aware of the workspace and would notify it when found in my package.json. |
Layercake 8.0.0 doesn't support Svelte 4.2.0. Overrides for sub-dependency versions must be in top-level package.json file: npm/cli#4517
Layercake 8.0.0 doesn't support Svelte 4.2.0. Overrides for sub-dependency versions must be in top-level package.json file: npm/cli#4517
…7367) <!-- What / Why --> <!-- Describe the request in detail. What it does and why it's being changed. --> Add documentation explaining that the `package.json` `"overrides"` field only takes effect at the root `package.json` of a project. Most of this text is copied from [the RFC](https://github.com/npm/rfcs/blob/main/accepted/0036-overrides.md#only-root-package-may-contain-overrides) which originally described this feature. ## References Fixes #4517.
Is there an existing issue for this?
This is a CLI Docs Enhancement, not another kind of Docs Enhancement.
Description of Problem
The public documentation for the
overrides
package.json key doesn't mention any limitations regarding workspaces or monorepos.However, it seems
overrides
don't work in workspacepackage.json
files (from my testing they only work from the rootpackage.json
), and this appears to be by design - the RFC says:Most package.json keys work in both root and workspace files, so this is a specific limitation of
overrides
that should be documented in theoverrides
docs.I certainly expected overrides to work in workspaces as well as the project root based on having read the documentation, and I only discovered the RFC note after browsing recent overrides-related issues and finding #4205
Potential Solution
npm install
if a workspace's package.json has anoverrides
key, rather than the feature just failing silently? Like:Docs URL
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
The text was updated successfully, but these errors were encountered: