
Support npm overrides #4122

Open
pombredanne opened this issue Jan 25, 2025 · 3 comments · May be fixed by #4130

Comments

@pombredanne
Member

These are similar to Go replace.
See https://docs.npmjs.com/cli/v11/configuring-npm/package-json#overrides

overrides

If you need to make specific changes to dependencies of your dependencies, for example replacing the version of a dependency with a known security issue, replacing an existing dependency with a fork, or making sure that the same version of a package is used everywhere, then you may add an override.

Overrides provide a way to replace a package in your dependency tree with another version, or another package entirely. These changes can be scoped as specific or as vague as desired.

Overrides are only considered in the root package.json file for a project. Overrides in installed dependencies (including workspaces) are not considered in dependency tree resolution. Published packages may dictate their resolutions by pinning dependencies or using an npm-shrinkwrap.json file.

We should design how to handle these, as they do not apply to a detected package, but to other packages in the dependency tree and only in specific conditions.

@divizbansal

I’d like to work on adding support for npm overrides. Does anyone have guidance or a preferred approach before I begin?

@divizbansal

divizbansal commented Feb 4, 2025

In the issue, you mentioned:

"We should design how to handle these [overrides], as they do not apply to a detected package, but to other packages in the dependency tree and only in specific conditions."

I have a few questions regarding this:

1. Should we only capture the raw overrides data, or should we also apply it to the final dependency graph so that sub-dependency versions are replaced?
2. Would it be better to represent an override as a DependentPackage with a special scope (e.g., scope="overrides"), or should we store it in package.extra_data['overrides'] as raw JSON?
3. Is there an example test file or any existing approach for Go’s replace feature that I could model for npm overrides?

@divizbansal divizbansal linked a pull request Feb 4, 2025 that will close this issue
@divizbansal

divizbansal commented Feb 4, 2025

Update: I’ve added support for npm overrides in package.json within ScanCode Toolkit. Specifically, the NpmPackageJsonHandler now detects an "overrides" field (if present) and stores it in the package’s extra_data. I also added a dedicated test (test_parse_npm_package_json_with_overrides) to confirm this behavior and updated the .expected file for the alias test to ensure all tests pass.
At this stage, we’re not applying overrides to the dependency graph—only capturing them for reference. If you’d like me to integrate overrides further into the dependency resolution logic, please let me know, and I can work on that next!

divizbansal added a commit to divizbansal/scancode-toolkit that referenced this issue Feb 4, 2025
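The opening post notes that overrides do not describe the detected package itself but other packages in the tree, and only under specific conditions; the later questions ask whether to keep the raw JSON or apply it to the dependency graph. The following is an added example, not ScanCode Toolkit code and not from this PR: it flattens the `overrides` object of a root package.json into explicit rules (ancestor path, target, version range, spec) and then looks up the override that applies to a package at a given position in the tree. The rule shapes follow the npm docs linked above: a plain `"name": "spec"` applies everywhere, a nested object scopes its entries to transitive dependencies of the named package, a `"."` key overrides the scoping package itself, `"name@range"` limits the scope by version, and `"$name"` resolves to the spec the root declares for `name`. The sample package.json is constructed, and `exact_match` is a placeholder for a real semver range matcher.

```python
"""Flatten npm "overrides" into explicit rules and look them up per tree position.

Added example for this issue thread; not ScanCode Toolkit code. Rule shapes
follow the npm package.json docs linked in the issue.
"""
import json

# Constructed sample root package.json (not taken from any real project).
SAMPLE_PACKAGE_JSON = """
{
  "name": "example-app",
  "version": "1.0.0",
  "dependencies": {"foo": "^1.0.0", "bar": "^2.0.0"},
  "overrides": {
    "foo": "$foo",
    "bar": {
      ".": "2.1.0",
      "foo": "1.0.0",
      "baz@<3": {"qux": "0.9.0"}
    }
  }
}
"""

ROOT_SPEC_FIELDS = ("dependencies", "devDependencies", "optionalDependencies", "peerDependencies")


def split_key(key):
    """Split "name" or "name@range" (also "@scope/name@range") into (name, range_or_None)."""
    at = key.rfind("@")
    if at <= 0:  # no "@", or only the leading "@" of a scoped package name
        return key, None
    return key[:at], key[at + 1:]


def flatten_overrides(package_json):
    """Return rules as (path, target, target_range, spec) tuples.

    path is a tuple of (name, range_or_None) ancestors the override is scoped
    to, outermost first; an empty path means the override applies everywhere.
    """
    root_specs = {}
    for field in ROOT_SPEC_FIELDS:
        root_specs.update(package_json.get(field) or {})

    def resolve(spec, target):
        # "$name" is only valid when the root itself declares a spec for name.
        if isinstance(spec, str) and spec.startswith("$"):
            ref = spec[1:]
            if ref not in root_specs:
                raise ValueError(f"override for {target!r} references ${ref} but the root declares no {ref!r}")
            return root_specs[ref]
        return spec

    rules = []

    def walk(node, path):
        for key, value in node.items():
            if key == ".":
                # Overrides the package that opened this block: the last path element.
                name, rng = path[-1]
                rules.append((path[:-1], name, rng, resolve(value, name)))
                continue
            name, rng = split_key(key)
            if isinstance(value, dict):
                walk(value, path + ((name, rng),))
            else:
                rules.append((path, name, rng, resolve(value, name)))

    walk(package_json.get("overrides") or {}, ())
    return rules


def exact_match(version, rng):
    """Placeholder range check (exact string equality); a real resolver needs semver ranges."""
    return version == rng


def path_matches(path, ancestors, satisfies):
    """True when every path element appears, in order, among the ancestors (any depth)."""
    i = 0
    for aname, aver in ancestors:
        if i < len(path) and path[i][0] == aname and (path[i][1] is None or satisfies(aver, path[i][1])):
            i += 1
    return i == len(path)


def override_for(rules, ancestors, name, version=None, satisfies=exact_match):
    """Pick the override spec for `name` at a tree position, or None if no rule applies.

    ancestors lists (name, version) pairs from the root's direct dependency
    down to the immediate parent. The most specific (longest path) rule wins.
    """
    best = None
    for path, target, rng, spec in rules:
        if target != name:
            continue
        if rng is not None and (version is None or not satisfies(version, rng)):
            continue
        if not path_matches(path, ancestors, satisfies):
            continue
        if best is None or len(path) > len(best[0]):
            best = (path, spec)
    return None if best is None else best[1]


def sample_rules():
    """Flatten the constructed sample above."""
    return flatten_overrides(json.loads(SAMPLE_PACKAGE_JSON))


if __name__ == "__main__":
    for rule in sample_rules():
        print(rule)
```

Storing the flattened rules (rather than, or alongside, the raw JSON) in `extra_data` keeps the "only in specific conditions" part of the semantics explicit, and `override_for` is the piece a later dependency-graph pass would call while walking each package's ancestors. Note that `"$name"` references are rejected when the root declares no such dependency, which is the same condition npm itself enforces.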