[BUG] presence of overrides breaks ability to downgrade un-hoisted workspace dependencies

[jenseng]

Is there an existing issue for this?

• I have searched the existing issues

This issue exists in the latest npm version

• I am using the latest npm

Current Behavior

If the root package.json defines any overrides, if you attempt to downgrade an un-hoisted workspace dependency via the CLI (e.g. npm install <specifierWithOlderVersion> --save-exact -w <workspace>), the command may succeed without actually doing anything. In npm <11.2 this affected all such downgrades, as of npm 11.2 it only affects certain ones (see the repro and notes). This only affects downgrades, you can always upgrade to a newer version.

Related to #7018 and exacerbated by #7019

Expected Behavior

Invoking the CLI to install a package should either 1. install the package or 2. display an error message explaining why it could not be installed.

Steps To Reproduce

Given package.json:

{
  "workspaces": [
    "packages/*"
  ],
  "overrides": {
    "doesnt-matter-can-be-anything": "1.2.3"
  }
}

And packages/my-cool-package/package.json:

{}

And packages/another-cool-package/package.json:

{}

Run:

1. npm i [email protected] --save-exact -w my-cool-package (hoisted to node_modules/tiny-invariant)
2. npm i [email protected] --save-exact -w another-cool-package (un-hoisted to packages/another-cool-package/node_modules/tiny-invariant)
3. npm i [email protected] --save-exact -w another-cool-package
4. Note that the un-hoisted 0.0.3 is still installed, and the package*.json files are unchanged since step 2

Other notes

Given the repro above:

• If you set --prefer-dedup in step 3, then it does dedup correctly.
• If you downgrade to a different version in step 3 (e.g. 0.0.1), then it does update correctly
• However if you remove my-cool-package entirely, then you can't downgrade tiny-invariant to any version in another-cool-package

Environment

• npm: 11.2.0
• Node.js: 20.18.3
• OS Name: Mac OS Sequoia
• System Model Name: Macbook Pro
• npm config:

registry = "https://registry.npmjs.org/"

[alpharder]

Same here, I'm using workspaces with install-strategy=shallow at .npmrc and any records at overrides are effectively ignored for dependencies of dependencies.

[jenseng]

This is still an issue in npm 11.2, though since #7019 is now fixed it's will be harder to find yourself in this unhoisted state. I'll see if I can update the repro accordingly

[owlstronaut]

This is still an issue in npm 11.2, though since #7019 is now fixed it's will be harder to find yourself in this unhoisted state. I'll see if I can update the repro accordingly

Great! Let me know when you have an updated repro, I'm working through these override issues

[jenseng]

Ok updated the repro for 11.2, and added an "Other Notes" section to cover some additional nuances