[BUG] overrides doesn't replace all instances of dependency #4322
Labels: Bug (thing that needs fixing), Priority 1 (high priority issue), Release 8.x (work is associated with a specific npm 8 release)
Is there an existing issue for this?
This issue exists in the latest npm version
Current Behavior
Override replaces some but not all instances of overridden dependency. In this example, I have a dependency on a package which has a dependency on npm which contains a vulnerable version of ansi-regex. I tried to fix this via an override but npm audit still complains and searching through package-lock.json shows various version numbers before my overridden value.
Expected Behavior
According to docs, overrides should ensure all installed instances of a dependency conform to the given value so I expect my override version 5.0.1 only to exist.
Steps To Reproduce
npm install
npm audit and see that vulnerable older versions of ansi-regex still exist.
Environment
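The check the report describes, searching package-lock.json for versions of a package other than the override value, written as a script. This is an added example, not part of the original issue or of npm's code; the sample lockfile, its paths and the old version numbers are constructed, and it assumes the lockfileVersion 2/3 "packages" layout and an exact-version override.

```javascript
// Added example: list every lockfile entry for one package whose version
// differs from the value given in "overrides".

// Constructed sample in the package-lock.json "packages" layout
// (lockfileVersion 2/3). Paths and old versions are made up for illustration.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { name: "demo", version: "1.0.0" },
    "node_modules/ansi-regex": { version: "5.0.1" },
    "node_modules/some-dep/node_modules/npm/node_modules/ansi-regex": {
      version: "2.1.1", inBundle: true,
    },
    "node_modules/some-dep/node_modules/npm/node_modules/strip-ansi/node_modules/ansi-regex": {
      version: "3.0.0", inBundle: true,
    },
    "node_modules/ansi-regex-helper": { version: "1.0.0" }, // different package
    "node_modules/@scope/ansi-regex": { version: "1.0.0" }, // different (scoped) package
  },
};

// The package name is everything after the last "node_modules/" in the key,
// which keeps scoped names ("@scope/name") intact.
function packageNameFromPath(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Return every entry for `name` whose version is not `expectedVersion`.
// `inBundle` is the lockfile flag for packages shipped inside a parent's tarball.
function findOverrideMisses(lock, name, expectedVersion) {
  const misses = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (entry.link) continue; // symlinked workspace entries carry no version
    if ((entry.name || packageNameFromPath(path)) !== name) continue;
    if (entry.version !== expectedVersion) {
      misses.push({ path, version: entry.version, inBundle: entry.inBundle === true });
    }
  }
  return misses;
}

for (const m of findOverrideMisses(sampleLock, "ansi-regex", "5.0.1")) {
  console.log(`${m.version}\t${m.inBundle ? "bundled" : "installed"}\t${m.path}`);
}
```

To check a real project, pass the parsed contents of its package-lock.json in place of `sampleLock`.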