[BUG] package-lock.json should reevaluate consistently when overrides change #8986

@dwjohnston

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Context
This issue here vitest-dev/vitest#9487

relates to an issue where dependencies don't play nicely together and the overrides property can be used to solve it.

I reproduce the issue here:

https://github.com/dwjohnston/vitest-4-storybook-issue

I'm not looking to solve that issue here - but debugging and reproducing that issue is more fiddly than it needs to be, because of the issue that I'm encountering here.

When a user adds some overrides and runs npm i, the package-json is reevaluated and the overrides are respected.

When the user now removes the overrides, we now get a dependency tree that is in a different state to what it previously was.

This could lead to some confusion. The scenario I can imagine is that overrides are added to solve some issue. Later a developer comes along, sees the overrides, wonders what they're doing, removes them, everything is fine, because the fix is baked into the package-lock. But it's conceivable that at some point someone is going to rm the package-lock, or, I'm not exactly sure how this is going to play with dependency updates, and that override information is lost.

Expected Behavior

Adding and then removing overrides should take you back to the same dependency tree.

Steps To Reproduce

Reproduction of the npm issue

https://github.com/dwjohnston/vitest-4-storybook-issue/tree/branch-for-npm-issue

Commit 1 - Initial state

dwjohnston/vitest-4-storybook-issue@43af5a4

We start here - I enforce npm@11.10.0 and I run npm i to regenerate the package-lock.

If we run npm test here, the tests fail - they are encountering the vitest issue.

Running npm list @vitest/expect shows

├─┬ storybook@10.1.11
│ └── @vitest/expect@3.2.4
└─┬ vitest@4.0.17
  └── @vitest/expect@4.0.17

Commit 2 - Add overrides

dwjohnston/vitest-4-storybook-issue@77437c6

I now add overrides

Commit 3 - regenerate package lock

dwjohnston/vitest-4-storybook-issue@6378c57

And run npm i to regenerate the package-lock

When we run npm test here, the tests pass - we have fixed the vitest issue.

Running npm list @vitest/expect shows:

├─┬ storybook@10.1.11
│ └── @vitest/expect@4.0.17 overridden
└─┬ vitest@4.0.17
  └── @vitest/expect@4.0.17 deduped

Commit 4 - Remove overrides

We now remove the overrides

dwjohnston/vitest-4-storybook-issue@264d7ca

Commit 5 - Regenerate package lock (should be in original state)

dwjohnston/vitest-4-storybook-issue@26e82ac

And run npm i to regenerate the package-lock

At this point I would expect that we are back to where we were in the first step - but we are not. Running npm i causes the test to still pass.

Running npm list @vitest/expect shows

├─┬ storybook@10.1.11
│ └── @vitest/expect@3.2.4
└─┬ vitest@4.0.17
  └── @vitest/expect@4.0.17

If I run

git diff 43af5a44ad8d03c2c248aabc81a4bb281f58af31 26e82ac0048005389778a68b541b1d675d607f6b -- ./package-lock.json

We get the following diff

package-lock.diff.txt

Environment

  • npm: 11.10.0
  • Node.js: 22.22.0
  • OS Name: MacOS Tahoe 26.2
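The npm list @vitest/expect trees shown in the steps above can be recomputed from package-lock.json alone, which lets a CI job check offline whether adding and then removing overrides really round-trips to the same resolution. This is an added example in Python, not code from the issue or from the repro repository; the two lockfiles and the dependency ranges inside them are constructed to mirror the tree shapes printed above.

```python
"""Nearest-ancestor node_modules resolution from a lockfileVersion 3 package-lock.json.

Added example, not code from the issue or the repro repo. The two lockfiles
below are constructed to mirror the tree shapes `npm list @vitest/expect`
printed before and after the overrides; the dependency ranges are assumptions.
"""
from typing import Dict, Optional, Tuple

# Constructed: commit-1 shape, storybook keeps its own nested @vitest/expect@3.2.4.
LOCK_BEFORE = {"lockfileVersion": 3, "packages": {
    "": {"devDependencies": {"storybook": "^10.1.11", "vitest": "^4.0.17"}},
    "node_modules/storybook": {"version": "10.1.11", "dependencies": {"@vitest/expect": "^3.2.4"}},
    "node_modules/storybook/node_modules/@vitest/expect": {"version": "3.2.4"},
    "node_modules/vitest": {"version": "4.0.17", "dependencies": {"@vitest/expect": "4.0.17"}},
    "node_modules/@vitest/expect": {"version": "4.0.17"},
}}
# Constructed: commit-3 shape, the override collapsed everything onto the hoisted 4.0.17.
LOCK_AFTER = {"lockfileVersion": 3, "packages": {
    k: v for k, v in LOCK_BEFORE["packages"].items()
    if k != "node_modules/storybook/node_modules/@vitest/expect"}}

def resolve(lock: dict, from_path: str, name: str) -> Optional[str]:
    """Version of `name` that the package at `from_path` loads (Node's lookup order)."""
    packages, base = lock["packages"], from_path
    while True:
        candidate = f"{base}/node_modules/{name}" if base else f"node_modules/{name}"
        if candidate in packages:
            return packages[candidate]["version"]
        if not base:
            return None  # not installed anywhere on the path up to the root
        cut = base.rfind("/node_modules/")  # climb to the enclosing package's directory
        base = base[:cut] if cut != -1 else ""

def dependents(lock: dict, name: str) -> Dict[str, Optional[str]]:
    """Map each package declaring `name` to the version it actually resolves to."""
    keys = ("dependencies", "devDependencies", "peerDependencies")
    return {path: resolve(lock, path, name)
            for path, meta in lock["packages"].items()
            if any(name in meta.get(k, {}) for k in keys)}

def drift(before: dict, after: dict, name: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Dependents whose resolved version of `name` differs between two lockfiles."""
    a, b = dependents(before, name), dependents(after, name)
    return {p: (a.get(p), b.get(p)) for p in sorted(set(a) | set(b)) if a.get(p) != b.get(p)}

if __name__ == "__main__":
    for path, (old, new) in drift(LOCK_BEFORE, LOCK_AFTER, "@vitest/expect").items():
        print(f"{path}: {old} -> {new}")
```

Running drift against the lockfile from commit 1 and the one from commit 5 (after loading them with json.load) gives a concrete list of packages whose resolution did not return to the original state, which is what the expected behaviour above asks for.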
