
[BUG] Overrides don't override versions of npm dependencies #9062

@humphreyn

Description

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Duplicate of closed Bug #4322

Override replaces some but not all instances of the overridden dependency. In this example, I have a dependency on a package which has a dependency on npm, which contains a vulnerable version of tar; see details below:

tar  <=7.5.9
Severity: high
tar has Hardlink Path Traversal via Drive-Relative Linkpath - https://github.com/advisories/GHSA-qffp-2rhf-9h96

I tried to fix this via an override, but npm audit still complains and "npm list tar" shows that the version of tar has not been overridden; see current behaviour below:

`-- semantic-release@25.0.3
  `-- @semantic-release/npm@13.1.5
    `-- npm@11.11.0
      +-- libnpmdiff@8.1.3
      | `-- tar@7.5.9 deduped
      +-- node-gyp@12.2.0
      | `-- tar@7.5.9 deduped
      +-- pacote@21.4.0
      | `-- tar@7.5.9 deduped
      `-- tar@7.5.9

Expected Behavior

npm list tar

`-- semantic-release@25.0.3
  `-- @semantic-release/npm@13.1.5
    `-- npm@11.11.0
      +-- libnpmdiff@8.1.3
      | `-- tar@7.5.10 deduped
      +-- node-gyp@12.2.0
      | `-- tar@7.5.10 deduped
      +-- pacote@21.4.0
      | `-- tar@7.5.10 deduped
      `-- tar@7.5.10

Steps To Reproduce

  1. In this environment:
    Node.js: 22.20.0
    npm: 11.11.0
    OS Name: Microsoft Windows 11 Enterprise
    OS Version: 10.0.27100 Build 26100

  2. With this package.json config...

{
	"type": "module",
	"description": "Overrides test",
	"os": ["win32", "linux", "darwin"],
	"private": false,
	"engineStrict": true,
	"engines": {
		"node": ">=22.20.0"
	},
	"dependencies": {
		"semantic-release": "^25.0.3"
	},
	"overrides": {
		"tar": "7.5.10"
	}
}
  3. Run
npm install
  4. Run
npm list tar
  5. Expected:
`-- semantic-release@25.0.3
  `-- @semantic-release/npm@13.1.5
    `-- npm@11.11.0
      +-- libnpmdiff@8.1.3
      | `-- tar@7.5.10 deduped
      +-- node-gyp@12.2.0
      | `-- tar@7.5.10 deduped
      +-- pacote@21.4.0
      | `-- tar@7.5.10 deduped
      `-- tar@7.5.10
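A check for exactly this situation, added here as an example (it is not part of the report and not npm's own code): it walks the JSON tree printed by `npm ls --all --json` (assumed shape: nested `dependencies` objects carrying a `version` field) and lists every resolved instance of an overridden package whose version still differs from the `overrides` entry, so that an override that silently failed to apply is caught rather than trusted. The package.json and tree below are constructed to mirror the ones in the report.

```javascript
// Added example (not from the issue or from npm): verify that an `overrides`
// entry in package.json actually took effect by walking the JSON tree printed by
// `npm ls --all --json` (assumed shape: nested `dependencies` objects carrying a
// `version` field) and listing every resolved instance that still disagrees.
// Only exact-version overrides are compared; range overrides are skipped here.

function findPackageVersions(tree, name, path = [], out = []) {
  for (const [dep, info] of Object.entries(tree.dependencies || {})) {
    const here = [...path, `${dep}@${info.version || '?'}`];
    if (dep === name && info.version) {
      out.push({ path: here.join(' > '), version: info.version });
    }
    findPackageVersions(info, name, here, out); // recurse into nested deps
  }
  return out;
}

function checkOverrides(packageJson, lsJson) {
  const problems = [];
  for (const [name, wanted] of Object.entries(packageJson.overrides || {})) {
    // Nested override objects and semver ranges are out of scope for this check.
    if (typeof wanted !== 'string' || !/^\d+\.\d+\.\d+$/.test(wanted)) continue;
    for (const inst of findPackageVersions(lsJson, name)) {
      if (inst.version !== wanted) problems.push({ name, wanted, ...inst });
    }
  }
  return problems;
}

// Constructed inputs mirroring the report: the override pins tar to 7.5.10, but
// every tar under npm@11.11.0 still resolves to 7.5.9.
const packageJson = { dependencies: { 'semantic-release': '^25.0.3' }, overrides: { tar: '7.5.10' } };
const lsOutput = {
  name: 'overrides-test',
  dependencies: { 'semantic-release': { version: '25.0.3', dependencies: {
    '@semantic-release/npm': { version: '13.1.5', dependencies: {
      npm: { version: '11.11.0', dependencies: {
        libnpmdiff: { version: '8.1.3', dependencies: { tar: { version: '7.5.9' } } },
        'node-gyp': { version: '12.2.0', dependencies: { tar: { version: '7.5.9' } } },
        pacote: { version: '21.4.0', dependencies: { tar: { version: '7.5.9' } } },
        tar: { version: '7.5.9' },
      } },
    } },
  } } },
};

const problems = checkOverrides(packageJson, lsOutput); // 4 instances still at 7.5.9
for (const p of problems) console.log(`${p.name}: wanted ${p.wanted}, found ${p.version} at ${p.path}`);
```

On a real project, feed it the parsed output of `npm ls --all --json` and your package.json; an empty result means every resolved copy matches the pinned override.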

Environment

  • npm: 11.11.0
  • Node.js: 22.20.0
  • OS Name: Microsoft Windows 11 Enterprise v10.0.27100 Build 26100
  • System Model Name: Dell Latitude 5420
  • npm config:
C:\repo\Github-Enterprise\QA\ba-kyc-qa-mockserver>npm config ls  
; "user" config from C:\Users\humphreyn\.npmrc

; @lnrs-kyc:registry = "https://useast.jfrog.lexisnexisrisk.com/artifactory/api/npm/bakyc-payments-qa-npm-local/" ; overridden by project
//useast.jfrog.lexisnexisrisk.com/artifactory/api/npm/bakyc-payments-qa-npm-local/:_authToken = (protected)
audit = false
cache = "C:\\Users\\humphreyn\\AppData\\Roaming\\npm-cache"
; loglevel = "verbose" ; overridden by env
msvs_version = ""
; registry = "https://registry.npmjs.org" ; overridden by project
save = true
strict-ssl = false

; "project" config from C:\repo\Github-Enterprise\QA\ba-kyc-qa-mockserver\.npmrc

@lnrs-kyc:registry = "https://useast.jfrog.lexisnexisrisk.com/artifactory/api/npm/bakyc-payments-qa-npm-local/"
//useast.jfrog.lexisnexisrisk.com/artifactory/api/npm/bakyc-payments-qa-npm-local/:_auth = (protected)
always-auth = true
registry = "https://registry.npmjs.org/"

; "env" config from environment

loglevel = "error"

; node bin location = C:\Program Files\nodejs\node.exe
; node version = v22.20.0
; npm local prefix = C:\repo\Github-Enterprise\QA\ba-kyc-qa-mockserver
; npm version = 11.11.0
; cwd = C:\repo\Github-Enterprise\QA\ba-kyc-qa-mockserver
; HOME = C:\Users\humphreyn
; Run `npm config ls -l` to show all defaults.

Labels: Bug (thing that needs fixing), Needs Triage (needs review for next steps)