Skip to content

Package overrides don't apply with new versions of npm #7242

Description

@domoscargin

What

We recently noticed that the overrides in our package.json file weren't being respected in the lock file.

We removed these overrides, as they all relate to sassdoc, which is an internal build tool that we feel isn't a high risk vector.

However, @colinrotherham then pointed out that this is a long-running npm bug that's now affecting newer versions. The regressions have snuck in during routine npm jobs for unrelated work as we're now using npm 11.16.0, largely.

We have several options:

  1. Revert to an older version of npm temporarily, reinstate the overrides, then add a unit test to ensure we don't accidentally add the regressions back when we move back to a recent npm version - this could be annoying, as we're likely to generate these fairly regularly.
  2. Ignore the sassdoc vulnerabilities and leave the overrides out - it's a devDependency and won't affect users
  3. Fork sassdoc - but we don't really want to maintain it
  4. Find an alternative to sassdoc
  5. Hope npm fix the bug

We also briefly talked about moving away from workspaces, as they seem to cause dependency management tools problems (dependabot is regularly stumped by our dependencies).

Who needs to work on this

Developer

Who needs to review this

Developer

Done when

  • We've picked an approach to handling these failed overrides
  • We've implemented it

Metadata

Metadata

Assignees

No one assigned

    Labels

    dependenciesPull requests that update a dependency file🐛 bugSomething isn't working the way it should (including incorrect wording in documentation)

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions