Closed
Labels
Bug (thing that needs fixing), Needs Triage (needs review for next steps)
Description
Is there an existing issue for this?
- I have searched the existing issues
This issue exists in the latest npm version
- I am using the latest npm
Current Behavior
Npm overrides are not respected in subsequent installs.
Output log on installs:
First install. It adds the root node_module.
```
PS C:\Users\IvanVaccari\Desktop\test-ws> npm i
npm warn deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm warn deprecated connect@2.30.2: connect 2.x series is deprecated
added 135 packages, and audited 137 packages in 4s
23 vulnerabilities (2 moderate, 18 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
```
Immediately re-run install. This changes the dependencies by adding node_module in the workspace module.
Was not expecting this.
```
PS C:\Users\IvanVaccari\Desktop\test-ws> npm i
added 65 packages, and audited 67 packages in 3s
12 packages are looking for funding
run `npm fund` for details
found 0 vulnerabilities
PS C:\Users\IvanVaccari\Desktop\test-ws> npm i
npm warn deprecated mkdirp@0.5.1: Legacy versions of mkdirp are no longer supported. Please update to mkdirp 1.x. (Note that the API surface has changed to use Promises in 1.x.)
npm warn deprecated connect@2.30.2: connect 2.x series is deprecated
added 117 packages, removed 47 packages, and audited 137 packages in 7s
23 vulnerabilities (2 moderate, 18 high, 3 critical)
To address issues that do not require attention, run:
npm audit fix
To address all issues (including breaking changes), run:
npm audit fix --force
Run `npm audit` for details.
```
Expected Behavior
Running npm install again on a freshly installed workspace should not change the dependency tree.
Steps To Reproduce
The target package is Express.
The workspace module onepackage requires express ^3.0.0
The root package.json declares "overrides" for express with version ^4.0.0
- Clone the test repo at https://github.com/ivanvaccari/npm-workspace-issue-demo
- Run `npm install` at root directory
- Check the root node_module directory. It includes express ^4.0.0. No node_modules directory is present in onepackage
- Run `npm install` again at root directory
- A node_modules directory is created in onepackage. It includes express ^3.0.0.
- This configuration does not respect the definition of overrides because now onepackage uses the outdated version of express
Environment
- npm: 10.8.2
- Node.js: 18.20.4
- OS Name: Win 10
- npm config: default?
```
; "user" config from C:\Users\IvanVaccari\.npmrc
//registry.npmjs.org/:_authToken = (protected)
; node bin location = C:\Program Files\nodejs\node.exe
; node version = v18.20.4
; npm local prefix = C:\Users\IvanVaccari\Desktop\test-ws
; npm version = 10.8.2
; cwd = C:\Users\IvanVaccari\Desktop\test-ws
; HOME = C:\Users\IvanVaccari
; Run `npm config ls -l` to show all defaults.
```
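Added example, not part of the original report and not npm's own code: a Node.js check that walks a workspace tree and flags any installed copy of an overridden package that falls outside the root `overrides` range, which is how the nested express ^3.0.0 copy described above could be caught in CI. The function names, the sample versions (4.19.2, 3.21.2) and the simplified caret-only range matching are assumptions made for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");
const readJson = (file) => JSON.parse(fs.readFileSync(file, "utf8"));
// Simplified caret match (assumption: ranges look like ^X.Y.Z with X >= 1).
function satisfiesCaret(version, range) {
  const r = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range);
  const v = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!r || !v) throw new Error(`unsupported: ${version} vs ${range}`);
  const [vM, vm, vp, rM, rm, rp] = [...v.slice(1), ...r.slice(1)].map(Number);
  return vM === rM && (vm > rm || (vm === rm && vp >= rp));
}

// Find every installed copy of `name`, including nested node_modules folders.
function findCopies(dir, name, out = []) {
  for (const e of fs.readdirSync(dir, { withFileTypes: true })) {
    if (!e.isDirectory()) continue; // symlinks (workspace links) are not followed
    const pkgDir = path.join(dir, e.name, name);
    if (e.name === "node_modules" && fs.existsSync(path.join(pkgDir, "package.json"))) {
      out.push({ dir: pkgDir, version: readJson(path.join(pkgDir, "package.json")).version });
    }
    findCopies(path.join(dir, e.name), name, out);
  }
  return out;
}

// Report installed copies that fall outside a flat string override in the root manifest.
function findOverrideViolations(rootDir) {
  const overrides = readJson(path.join(rootDir, "package.json")).overrides || {};
  return Object.entries(overrides)
    .filter(([, range]) => typeof range === "string") // nested override objects are out of scope
    .flatMap(([name, range]) => findCopies(rootDir, name)
      .filter((copy) => !satisfiesCaret(copy.version, range))
      .map((copy) => ({ name, range, ...copy })));
}

// Constructed sample: the tree the report describes after the second install.
function buildSampleTree() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "override-check-"));
  const put = (rel, obj) => {
    fs.mkdirSync(path.dirname(path.join(root, rel)), { recursive: true });
    fs.writeFileSync(path.join(root, rel), JSON.stringify(obj));
  };
  put("package.json", { overrides: { express: "^4.0.0" } });
  put("node_modules/express/package.json", { version: "4.19.2" });
  put("onepackage/node_modules/express/package.json", { version: "3.21.2" });
  return root;
}
```

Calling `findOverrideViolations(buildSampleTree())` returns a single entry pointing at `onepackage/node_modules/express`; a real project would pass its own root directory and use the `semver` package for full range support.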