.agents/skills/pnpm/references/features-overrides.md
Overrides let you force specific versions of packages, including transitive dependencies. Useful for fixing security vulnerabilities or compatibility issues.
Define overrides in pnpm-workspace.yaml (recommended) or package.json:

```yaml
packages:
  - 'packages/*'

overrides:
  # Override all versions of a package
  lodash: ^4.17.21

  # Override specific version range
  'foo@^1.0.0': ^1.2.3

  # Override nested dependency
  'express>cookie': ^0.6.0

  # Override to different package
  'underscore': 'npm:lodash@^4.17.21'
```

```json
{
  "pnpm": {
    "overrides": {
      "lodash": "^4.17.21",
      "foo@^1.0.0": "^1.2.3",
      "bar@^2.0.0>qux": "^1.0.0"
    }
  }
}
```

```yaml
overrides:
  lodash: ^4.17.21
```

Forces all lodash installations to use ^4.17.21.

```yaml
overrides:
  'foo@^1.0.0': ^1.2.3
```

Only override foo when the requested version matches ^1.0.0.

```yaml
overrides:
  'express>cookie': ^0.6.0
  '[email protected]>bar@^2.0.0>qux': ^1.0.0
```

Override cookie only when it's a dependency of express.

```yaml
overrides:
  # Replace underscore with lodash
  "underscore": "npm:lodash@^4.17.21"

  # Use local file
  "some-pkg": "file:./local-pkg"

  # Use git
  "some-pkg": "github:user/repo#commit"
```

```yaml
overrides:
  'unwanted-pkg': '-'
```

The `-` removes the package entirely.
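
Because an override can silently change where a package comes from, it helps to review the `overrides` map before merging it. The following is an added example, not part of the original reference and not pnpm's own code: it parses the selector and value forms shown above and notes entries that swap, remove, or re-source a package. The function names and the 40-hex "pinned commit" rule are assumptions made for illustration.

```javascript
// Added example (not pnpm's own code): classify `overrides` entries for review.
// Split "name@range"; the name may be scoped ("@types/react@^18.2.0").
function splitSpec(spec) {
  const at = spec.indexOf('@', 1); // skip a leading scope "@"
  if (at === -1) return { name: spec, range: null };
  return { name: spec.slice(0, at), range: spec.slice(at + 1) };
}
// Parse a selector key such as "bar@^2.0.0>qux" into parent chain and target.
function parseSelector(key) {
  const parts = key.split('>').map((p) => splitSpec(p.trim()));
  return { parents: parts.slice(0, -1), target: parts[parts.length - 1] };
}
// Classify an override value using the forms shown on this page.
function classifyValue(value) {
  if (value === '-') return { kind: 'remove' };
  if (value.startsWith('npm:')) return { kind: 'alias', ...splitSpec(value.slice(4)) };
  if (value.startsWith('file:')) return { kind: 'file', path: value.slice(5) };
  if (value.startsWith('github:')) {
    const [repo, ref = ''] = value.slice(7).split('#');
    // Assumption: "pinned" means a full 40-hex commit hash after "#".
    return { kind: 'git', repo, ref, pinned: /^[0-9a-f]{40}$/.test(ref) };
  }
  return { kind: 'range', range: value };
}

// Return one finding per entry, with notes a reviewer should look at.
function auditOverrides(overrides) {
  return Object.entries(overrides).map(([key, value]) => {
    const selector = parseSelector(key);
    const source = classifyValue(value);
    const notes = [];
    if (source.kind === 'alias' && source.name !== selector.target.name)
      notes.push(`replaces ${selector.target.name} with ${source.name}`);
    if (source.kind === 'file') notes.push('resolves from a local path, not the registry');
    if (source.kind === 'git' && !source.pinned) notes.push('git ref is not a full commit hash');
    if (source.kind === 'remove') notes.push('package is removed from the dependency graph');
    if (source.kind === 'range' && !selector.parents.length && !selector.target.range)
      notes.push('global: applies wherever the package is requested');
    return { key, selector, source, notes };
  });
}

// Constructed sample input built from the selectors shown on this page.
const sample = {
  lodash: '^4.17.21', 'foo@^1.0.0': '^1.2.3', 'express>cookie': '^0.6.0',
  request: 'npm:@cypress/request@^3.0.0', 'some-pkg': 'github:user/repo#commit',
  'unwanted-pkg': '-', '@types/react': '^18.2.0',
};
for (const f of auditOverrides(sample)) console.log(f.key, f.source.kind, f.notes);
```
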
Force patched version of vulnerable package:

```yaml
overrides:
  # Fix CVE in transitive dependency
  'minimist': '^1.2.6'
  'json5': '^2.2.3'
```

Force single version when multiple are installed:

```yaml
overrides:
  'react': '^18.2.0'
  'react-dom': '^18.2.0'
```

```yaml
overrides:
  '@types/react': '^18.2.0'
```

```yaml
overrides:
  'request': 'npm:@cypress/request@^3.0.0'
```

For more complex scenarios, use .pnpmfile.cjs:

```js
// .pnpmfile.cjs
function readPackage(pkg, context) {
  // Override dependency version
  if (pkg.dependencies?.lodash) {
    pkg.dependencies.lodash = '^4.17.21'
  }

  // Add missing peer dependency
  if (pkg.name === 'some-package') {
    pkg.peerDependencies = {
      ...pkg.peerDependencies,
      react: '*'
    }
  }

  return pkg
}

module.exports = {
  hooks: {
    readPackage
  }
}
```

| Feature | Overrides | Catalogs |
|---|---|---|
| Affects | All dependencies (including transitive) | Direct dependencies only |
| Usage | Automatic | Explicit catalog: reference |
| Purpose | Force versions, fix issues | Version management |
| Granularity | Can target specific parents | Package-wide only |

Check which version is resolved:

```bash
# See resolved versions
pnpm why lodash

# List all versions
pnpm list lodash --depth=Infinity
```