npm "overrides" Not Applied - Fix Ignored package.json Overrides in CI
An overrides block forces a transitive dependency to a specific version, but it only takes effect once the lockfile is regenerated by an npm version that supports it. A stale lock or old npm silently ignores it.
What this error means
You added an overrides entry to pin a transitive dependency, yet CI still installs the old version - an audit or ERESOLVE still references the version you tried to override.
// package.json
"overrides": { "semver": "7.5.4" }
# but CI still resolves the old one:
$ npm ls semver
app@1.0.0
└─┬ some-dep@2.0.0
└── semver@6.3.0 # override not appliedCommon causes
Lockfile not regenerated after adding overrides
overrides change the resolved tree, so the lockfile must be regenerated. npm ci installs strictly from a stale lock that predates the override and ignores it.
An npm version too old to honor overrides
overrides require npm 8.3+. An older npm in the CI image silently ignores the field.
How to fix it
Regenerate the lockfile with a supporting npm
Run a fresh install so the override is baked into the lockfile, then commit it.
npm --version # ensure >= 8.3
rm -f package-lock.json
npm install
npm ls semver # confirm the override took
git add package-lock.jsonVerify the overrides syntax
- Confirm the package name and nesting in
overridesmatch the actual dependency. - Use the nested form (
"parent": { "child": "x" }) when scoping to one parent. - Run
npm ls <pkg>after install to confirm the resolved version.
How to prevent it
- Regenerate and commit the lockfile whenever overrides change.
- Keep npm >= 8.3 in CI so overrides are honored.
- Assert the resolved version with
npm lsin CI.