
[BUG] overrides doesn't replace all instances of dependency #4322

Closed
2 tasks done
melink14 opened this issue Jan 25, 2022 · 4 comments
Labels: Bug (thing that needs fixing), Priority 1 (high priority issue), Release 8.x (work is associated with a specific npm 8 release)

Comments

@melink14 (Author)

Is there an existing issue for this?

  • I have searched the existing issues

This issue exists in the latest npm version

  • I am using the latest npm

Current Behavior

Override replaces some but not all instances of the overridden dependency. In this example, I have a dependency on a package which has a dependency on npm which contains a vulnerable version of ansi-regex. I tried to fix this via an override but npm audit still complains and searching through package-lock.json shows various version numbers before my overridden value.

Expected Behavior

According to docs, overrides should ensure all installed instances of a dependency conform to the given value so I expect my override version 5.0.1 only to exist.

Steps To Reproduce

  1. Clone https://github.com/melink14/rikaikun
  2. Modify package.json with:

    "overrides": {
      "ansi-regex": "5.0.1"
    },

  3. Delete package-lock.json and run npm install
  4. Run npm audit and see that vulnerable older versions of ansi-regex still exist.

Environment

  • npm: 8.3.2
  • Node.js: 16
  • OS Name: WSL Pengwin
  • System Model Name:
  • npm config:
; node bin location = /home/espeed/n/bin/node
; cwd = /home/espeed/projects/rikaikun
; HOME = /home/espeed
; Run `npm config ls -l` to show all defaults.
@melink14 melink14 added Bug thing that needs fixing Needs Triage needs review for next steps Release 8.x work is associated with a specific npm 8 release labels Jan 25, 2022
@dbjorge

dbjorge commented Feb 9, 2022

Probably a duplicate of #4232

@melink14 (Author)

I didn't think it was a dupe of #4232 since that one was specifically about needing to delete package-lock.json to get any updates to happen. This issue was even if you do that, the updates are incomplete.

They could probably be merged if the other issue was updated to be more broad.

@fritzy fritzy added Priority 1 high priority issue and removed Needs Triage needs review for next steps labels Feb 17, 2022
@nlf nlf self-assigned this Mar 1, 2022
@melink14 (Author)

melink14 commented Apr 3, 2022

In 8.6, after deleting package-lock.json and node_modules it seems like everything got removed correctly.

Not sure if it's supposed to be able to update a legacy tree to a new tree but hopefully it will be fine going forward now.

@nlf (Contributor)

nlf commented Apr 4, 2022

Closing as this should be fixed as of npm@8.6.0.

If anyone continues to encounter this problem, feel free to open a new issue.
