[BUG] npm update not respecting overrides in a workspace

[AlexanderOMara]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

Unlike npm install, npm update is not respecting overrides in a workspace.

Expected Behavior

Expecting npm update to respect overrides the same way npm install does.

Steps To Reproduce

package.json

{
	"workspaces": [
		"alpha"
	],
	"overrides": {
		"react-strict-dom": {
			"react": "^19.1.0",
			"react-dom": "^19.1.0"
		}
	}
}

alpha/package.json

{
	"name": "alpha",
	"version": "0.0.0",
	"peerDependencies": {
		"react": "^19.1.0",
		"react-dom": "^19.1.0",
		"react-native": "^0.79.1",
		"react-strict-dom": "^0.0.34"
	}
}

$ npm install
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported

added 323 packages, and audited 325 packages in 10s

20 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm update
npm error code ERESOLVE
npm error ERESOLVE unable to resolve dependency tree
npm error
npm error While resolving: [email protected]
npm error Found: [email protected]
npm error node_modules/react
npm error   peer react@"^19.1.0" from [email protected]
npm error   alpha
npm error     [email protected]
npm error     node_modules/alpha
npm error       workspace alpha from the root project
npm error   peer react@"^19.1.0" from [email protected]
npm error   node_modules/react-dom
npm error     peer react-dom@"^19.1.0" from [email protected]
npm error     alpha
npm error       [email protected]
npm error       node_modules/alpha
npm error         workspace alpha from the root project
npm error   1 more (react-native)
npm error
npm error Could not resolve dependency:
npm error peer react@"^18.2.0" from [email protected]
npm error node_modules/react-strict-dom
npm error   peer react-strict-dom@"^0.0.34" from [email protected]
npm error   alpha
npm error     [email protected]
npm error     node_modules/alpha
npm error       workspace alpha from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /Users/user/.npm/_logs/2025-04-25T22_13_08_681Z-eresolve-report.txt
npm error A complete log of this run can be found in: /Users/user/.npm/_logs/2025-04-25T22_13_08_681Z-debug-0.log

2025-04-25T22_13_08_681Z-debug-0.log
2025-04-25T22_13_08_681Z-eresolve-report.txt

Compared to when not using a workspace, overrides works fine:

{
	"name": "alpha",
	"version": "0.0.0",
	"peerDependencies": {
		"react": "^19.1.0",
		"react-dom": "^19.1.0",
		"react-native": "^0.79.1",
		"react-strict-dom": "^0.0.34"
	},
	"overrides": {
		"react-strict-dom": {
			"react": "^19.1.0",
			"react-dom": "^19.1.0"
		}
	}
}

$ npm install
npm warn deprecated [email protected]: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm warn deprecated [email protected]: Rimraf versions prior to v4 are no longer supported
npm warn deprecated [email protected]: Glob versions prior to v9 are no longer supported

added 322 packages, and audited 323 packages in 3s

20 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

$ npm update

up to date, audited 323 packages in 1s

20 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

Environment

• npm: 11.3.0
• Node.js: v23.11.0
• OS Name: macOS
• System Model Name: MBP M1
• npm config:

; "user" config from /Users/user/.npmrc

update-notifier = false

; node bin location = /Users/user/Library/Application Support/fnm/node-versions/v23.11.0/installation/bin/node
; node version = v23.11.0
; npm local prefix = /Users/user
; npm version = 11.3.0
; cwd = /Users/user
; HOME = /Users/user
; Run `npm config ls -l` to show all defaults.

[AlexanderOMara]

Not sure if related, but looks like #applyRootOverridesToWorkspaces never gets called when doing an update of all packages (when this[_updateAll] is true).

cli/workspaces/arborist/lib/arborist/build-ideal-tree.js

Lines 286 to 298 in a96d8f6

	} else if (!this[_usePackageLock] || this[_updateAll]) {
	return Shrinkwrap.reset({
	path: this.path,
	lockfileVersion: this.options.lockfileVersion,
	resolveOptions: this.options,
	}).then(meta => Object.assign(root, { meta }))
	} else {
	return this.loadVirtual({ root })
	.then(tree => {
	this.#applyRootOverridesToWorkspaces(tree)
	return tree
	})
	}

Adding an argument for a package to update does call that method, but a "could not resolve" error still happens.

Another possible hint, on the Node class the updateOverridesEdgeInAdded method is called with undefined for child packages like @react-native/virtualized-lists but in non-monorepo it would be OverrideSet.

I suspect the property isn't getting propagated down into the workspace packages, but it is too complex to debug.

[nabe1653]

I was happy to see the override fix: #5850

But for this reason I can't benefit from it yet....

In my case, reproduced on windows11 (on Windows native and Ubuntu with WSL2 both). Both have npm 11.3.0 and node v22.15.0.