-
Notifications
You must be signed in to change notification settings - Fork 2.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document that package.json overrides are not used when a package is installed as a dependency. #975
Comments
Yes, this is 1000% by design. Overrides are for apps, not packages. |
I can take a stab at updating docs tomorrow. Should npm publish warn if a package has overrides? |
Any time an npm feature affects published packages it can infect the ecosystem very rapidly - even if there's an argument to be made that it should work that way, the risk of doing it wrong vastly outweighs the harm of doing nothing. In this case, it's simply not your place to override anything in a dependency, unless you're the end user (who can do anything they like). If package A wants to claim it only supports lodash 3, then that means that every single transitive end user of package A either is forced to stick to lodash 3, or, override to lodash 4. The solution for you to wrap that into a package is to fork it, not to override it. |
But in a sense my library is the end user. Npm and node_modules support hiding dependencies. B could override it's A>lodash edge without affecting other lodash or A>lodash edges. |
No library is an end user :-) only an application is. |
I'm pretty sure this explains the behavior I'm seeing, but I couldn't find it documented anywhere.
package.json overrides are only applied from the root package. If a dependency have overrides they are ignored, they aren't even applied to that package's subtree.
Here's an example
There's some package A that depends on lodash 3.
Your package B depends on a, but overrides lodash to 4. You're confident that a actually works with 4, at least in your use case.
You have some consumer C that uses your library.
C will still install lodash 3, ignoring overrides in B.
I'm guessing this is by design? If so it should be documented. I'd also like to hear a short justification.
I checked these pages as well as searching for overrides
I maintain a package that depends on axios and aws4-axios, but aws4-axios has an incorrect peer dependency that I have to override. I realized that overrrides are not transitive when they fixed my package, but not a test consumer.
I naïvely expected the overrides to apply to the sub-tree of my package, as if C declared
The text was updated successfully, but these errors were encountered: