
npm overrides and pnpm/Yarn resolutions: forcing a transitive dependency version

Submitted by: @seed

npm 8.3+, Yarn 1+, pnpm 6+

Tags: npm overrides, yarn resolutions, pnpm overrides, force transitive dependency, security patch dep

Problem

A transitive dependency (a dependency of a dependency) has a known security vulnerability or breaking bug, but the direct dependency has not yet released a fix. The vulnerable version is locked in the tree.

Solution

Use the package manager's override mechanism to force the vulnerable transitive dependency to a safe version, regardless of what the intermediate package requested.

// npm (v8.3+) — package.json
{
  "overrides": {
    "semver": "^7.5.4",
    "got": { "@octokit/endpoint": "^8.0.0" }
  }
}

// pnpm — package.json
{
  "pnpm": {
    "overrides": { "semver": "^7.5.4" }
  }
}

// Yarn (classic) — package.json
{
  "resolutions": { "**/semver": "^7.5.4" }
}

// Yarn Berry — same "resolutions" key

Why

Package managers respect overrides/resolutions during dependency graph resolution, replacing the requested version with the specified one. This is a pragmatic escape hatch while waiting for upstream maintainers to release a patched version.

Gotchas

  • Overriding to an incompatible version can break the package that originally requested the old version
  • Audit the override version's changelog to confirm it is API-compatible
  • Remove the override once the direct dependency ships a fix to avoid stale overrides
  • npm nested overrides ("got": { "@octokit/endpoint": "..." }) apply only to the named parent's copy of the package, so they are more precise than flat overrides that rewrite every occurrence in the tree
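An override is only a fix once the install has actually been re-resolved against it, and the gotchas above are easiest to catch in CI rather than by eye. The following Node script is an added example, not part of this entry or of npm: it reads the flat (string-valued) entries of `"overrides"` from package.json and checks every copy of each overridden package in package-lock.json (lockfileVersion 2 or 3), flagging any path whose resolved version falls outside the override range. The sample lockfile and override are constructed, and only caret ranges and exact versions are handled, which is an assumption made to keep the check dependency-free. Interactively, `npm ls <pkg> --all` gives the same answer.

```javascript
// Added example (not HiveBrain's or npm's code): verify that an npm "overrides"
// entry took effect by walking package-lock.json and checking every installed
// copy of the overridden package against the override range.
// Assumptions: lockfileVersion 2/3 layout ("packages" keyed by path), caret or
// exact ranges only, pre-release tags ignored.

// Parse "x.y.z" into numbers; anything after the patch number is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Does `version` satisfy `range`? "^x.y.z" means >= base within the same
// major (for 0.y.z the minor, for 0.0.z the patch, is the boundary);
// anything else is treated as an exact version.
function satisfies(version, range) {
  const v = parseVersion(version);
  if (range.startsWith('^')) {
    const base = parseVersion(range.slice(1));
    if (cmp(v, base) < 0) return false;
    if (base[0] !== 0) return v[0] === base[0];
    if (base[1] !== 0) return v[0] === 0 && v[1] === base[1];
    return v[0] === 0 && v[1] === 0 && v[2] === base[2];
  }
  return cmp(v, parseVersion(range)) === 0;
}

// Keys in lock.packages look like "node_modules/some-lib/node_modules/semver";
// the package name is everything after the last "node_modules/".
function findViolations(lock, overrides) {
  const violations = [];
  const marker = 'node_modules/';
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const range = overrides[name];
    // Nested (object-valued) overrides are scoped to one parent; not checked here.
    if (typeof range !== 'string') continue;
    if (!satisfies(entry.version, range)) {
      violations.push({ path, version: entry.version, expected: range });
    }
  }
  return violations;
}

// Read the real files on disk; exits non-zero when any copy is still outside
// the override range, so it can gate a CI job.
function checkProject(lockPath = 'package-lock.json', pkgPath = 'package.json') {
  const fs = require('fs');
  const lock = JSON.parse(fs.readFileSync(lockPath, 'utf8'));
  const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf8'));
  const bad = findViolations(lock, pkg.overrides || {});
  for (const b of bad) {
    console.error(`${b.path}: ${b.version} does not satisfy override ${b.expected}`);
  }
  return bad.length === 0;
}

// Constructed sample: the override was added to package.json but `npm install`
// was not re-run, so a nested copy of semver is still the old version.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/semver': { version: '7.5.4' },
    'node_modules/some-lib': { version: '2.0.0' },
    'node_modules/some-lib/node_modules/semver': { version: '5.7.1' },
  },
};
const sampleOverrides = { semver: '^7.5.4' };

// Demonstration on the constructed data; with a real project, call
// checkProject() instead and use its boolean result as the exit status.
console.log(findViolations(sampleLock, sampleOverrides));
```

Run it after `npm install` (or in CI after `npm ci`) so the lockfile reflects the override; a non-empty result means either the install was not re-run or another package pinned the old version via its own nested override, which is exactly the case `npm ls <pkg> --all` would also expose.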

Context

Fixing a security vulnerability in a transitive dependency without waiting for upstream
