two overrides from the same package only consider the previous one · Issue #9540 · pnpm/pnpm · GitHub
two overrides from the same package only consider the previous one #9540
Open
2 of 4 tasks
dougg0k opened this issue May 14, 2025 · 1 comment
dougg0k commented May 14, 2025

Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

10.10.0

Reproduction steps

Do a pnpm audit --fix twice for the same package in different versions with vulnerabilities found.

Describe the Bug

I applied two pnpm audit --fix that had two different issues at some point.

First, it added an entry, then later when I applied it again, it added another, but it didn't do anything when I typed pnpm install; only after removing the previous one did it.

"overrides": {
..
    "vite@>=6.2.0 <6.2.6": ">=6.2.6",
    "vite@>=6.3.0 <=6.3.3": ">=6.3.4"
},

Expected Behavior

To remove the older version and replace with new one or at least consider the latest.

Which Node.js version are you using?

Latest LTS

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux-based, which one is it? (Include the version if relevant)

Arch
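
To make the expected behaviour concrete, here is an added example (my own illustration, not pnpm's code) of a selector-aware override lookup. Each `overrides` key of the form `name@range` is split into a package name and a version range, and every entry for the package is checked against the resolved version instead of stopping at the first entry whose name matches. Assumptions: the range grammar is only the comparator subset that appears in the issue (`>=`, `>`, `<=`, `<`, `=`, space-separated meaning AND), which is a small hand-rolled stand-in for the full npm semver ranges pnpm actually accepts; the function names and the sample versions are constructed for this example.

```javascript
// Added example, not pnpm's implementation: resolve which override applies
// to a resolved dependency when several "name@range" selectors target the
// same package. Handles only the comparator subset used in the issue
// (>=, >, <=, <, = joined by spaces, meaning AND); real pnpm uses the full
// npm semver range grammar.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` satisfies every comparator in `range`.
function satisfies(version, range) {
  const comparators = range.trim().split(/\s+/);
  return comparators.every((c) => {
    const m = /^(>=|<=|>|<|=)?(.+)$/.exec(c);
    const op = m[1] || '=';
    const cmp = compareVersions(version, m[2]);
    switch (op) {
      case '>=': return cmp >= 0;
      case '>':  return cmp > 0;
      case '<=': return cmp <= 0;
      case '<':  return cmp < 0;
      default:   return cmp === 0;
    }
  });
}

// Split an overrides key into { name, range }. The '@' that starts a scoped
// name ("@scope/pkg") is skipped; a key with no "@<range>" applies to every
// version of the package.
function parseSelector(key) {
  const at = key.indexOf('@', key.startsWith('@') ? 1 : 0);
  if (at === -1) return { name: key, range: null };
  return { name: key.slice(0, at), range: key.slice(at + 1) };
}

// Walk every override entry for the package rather than stopping at the
// first one whose name matches, so both "vite@>=6.2.0 <6.2.6" and
// "vite@>=6.3.0 <=6.3.3" get a chance to apply. Returns the override
// target, or null when no selector matches. Two selectors matching the same
// version is treated as a configuration error here (a design choice for
// this example, not pnpm's documented behaviour).
function resolveOverride(overrides, name, version) {
  const matches = [];
  for (const [key, target] of Object.entries(overrides)) {
    const sel = parseSelector(key);
    if (sel.name !== name) continue;
    if (sel.range === null || satisfies(version, sel.range)) {
      matches.push({ key, target });
    }
  }
  if (matches.length > 1) {
    const keys = matches.map((m) => m.key).join(', ');
    throw new Error(`ambiguous overrides for ${name}@${version}: ${keys}`);
  }
  return matches.length ? matches[0].target : null;
}

// The overrides block quoted in the issue, verbatim.
const overridesFromIssue = {
  "vite@>=6.2.0 <6.2.6": ">=6.2.6",
  "vite@>=6.3.0 <=6.3.3": ">=6.3.4",
};

// Constructed lockfile versions that exercise each selector and a gap.
console.log(resolveOverride(overridesFromIssue, "vite", "6.2.3")); // ">=6.2.6"
console.log(resolveOverride(overridesFromIssue, "vite", "6.3.1")); // ">=6.3.4"
console.log(resolveOverride(overridesFromIssue, "vite", "6.3.4")); // null
```

With both entries present, a resolved vite 6.2.3 is steered by the first selector and a resolved 6.3.1 by the second; a version outside both ranges gets no override. That is the "consider both" outcome the report expects, as opposed to only the entry that happens to come first.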

dougg0k (Author) commented May 14, 2025

I just applied the audit in another project for the first time and it generated two versions of the same package at once. Does this mean that one of the versions won't be properly fixed? Though I don't see any messages complaining about vulnerabilities of the package, whereas in the other project it did.

So, maybe the issue is it being added out of order, if a previous one were already there?

Because in this one it generated the latest version before the older.

"overrides": {
    "semver@<5.7.2": ">=5.7.2",
    "tar-fs@>=3.0.0 <3.0.7": ">=3.0.8",
    "tar-fs@>=2.0.0 <2.1.2": ">=2.1.2",
    "image-size@>=1.1.0 <1.2.1": ">=1.2.1"
}
