Skip to content
Latchkey

npm "overrides" Not Applied - Fix Ignored package.json Overrides in CI

An overrides block forces a transitive dependency to a specific version, but it only takes effect once the lockfile is regenerated by an npm version that supports it. A stale lock or old npm silently ignores it.

What this error means

You added an overrides entry to pin a transitive dependency, yet CI still installs the old version - an audit or ERESOLVE still references the version you tried to override.

package.json / npm output
// package.json
"overrides": { "semver": "7.5.4" }

# but CI still resolves the old one:
$ npm ls semver
app@1.0.0
└─┬ some-dep@2.0.0
  └── semver@6.3.0   # override not applied

Common causes

Lockfile not regenerated after adding overrides

overrides change the resolved tree, so the lockfile must be regenerated. npm ci installs strictly from a stale lock that predates the override and ignores it.

An npm version too old to honor overrides

overrides require npm 8.3+. An older npm in the CI image silently ignores the field.

How to fix it

Regenerate the lockfile with a supporting npm

Run a fresh install so the override is baked into the lockfile, then commit it.

Terminal
npm --version          # ensure >= 8.3
rm -f package-lock.json
npm install
npm ls semver          # confirm the override took
git add package-lock.json

Verify the overrides syntax

  1. Confirm the package name and nesting in overrides match the actual dependency.
  2. Use the nested form ("parent": { "child": "x" }) when scoping to one parent.
  3. Run npm ls <pkg> after install to confirm the resolved version.

How to prevent it

  • Regenerate and commit the lockfile whenever overrides change.
  • Keep npm >= 8.3 in CI so overrides are honored.
  • Assert the resolved version with npm ls in CI.

Related guides

Tired of flaky CI? Latchkey auto-heals failed jobs and retries them for you. Start free →