Loading source
Pulling the file list, source metadata, and syntax-aware rendering for this listing.
Source from repo
pnpm 10.x reference skill covering workspaces, catalogs, patches, peer deps, overrides, and CI/CD caching strategies.
Files
Skill
Size
Entrypoint
Format
Open file
Syntax-highlighted preview of this file as included in the skill package.
references/features-overrides.md
1---2name: pnpm-overrides3description: Force specific versions of dependencies including transitive dependencies4---5# pnpm Overrides7Overrides let you force specific versions of packages, including transitive dependencies. Useful for fixing security vulnerabilities or compatibility issues.9## Basic Syntax11Define overrides in `pnpm-workspace.yaml` (recommended) or `package.json`:13### In pnpm-workspace.yaml (Recommended)15```yaml17packages:18- 'packages/*'19overrides:21# Override all versions of a package22lodash: ^4.17.2123# Override specific version range25"foo@^1.0.0": ^1.2.326# Override nested dependency28"express>cookie": ^0.6.029# Override to different package31"underscore": "npm:lodash@^4.17.21"32```33### In package.json35```json37{38"pnpm": {39"overrides": {40"lodash": "^4.17.21",41"foo@^1.0.0": "^1.2.3",42"bar@^2.0.0>qux": "^1.0.0"43}44}45}46```47## Override Patterns49### Override all instances51```yaml52overrides:53lodash: ^4.17.2154```55Forces all lodash installations to use ^4.17.21.56### Override specific parent version58```yaml59overrides:60"foo@^1.0.0": ^1.2.361```62Only override foo when the requested version matches ^1.0.0.63### Override nested dependency65```yaml66overrides:67"express>cookie": ^0.6.068"[email protected]>bar@^2.0.0>qux": ^1.0.069```70Override cookie only when it's a dependency of express.71### Replace with different package73```yaml74overrides:75# Replace underscore with lodash76"underscore": "npm:lodash@^4.17.21"77# Use local file79"some-pkg": "file:./local-pkg"80# Use git82"some-pkg": "github:user/repo#commit"83```84### Remove a dependency86```yaml87overrides:88"unwanted-pkg": "-"89```90The `-` removes the package entirely.91## Common Use Cases93### Security Fix95Force patched version of vulnerable package:97```yaml99overrides:100# Fix CVE in transitive dependency101"minimist": "^1.2.6"102"json5": "^2.2.3"103```104### Deduplicate Dependencies106Force single version when multiple are installed:108```yaml110overrides:111"react": "^18.2.0"112"react-dom": "^18.2.0"113```114### Fix Peer Dependency Issues116```yaml118overrides:119"@types/react": "^18.2.0"120```121### Replace Deprecated Package123```yaml125overrides:126"request": "npm:@cypress/request@^3.0.0"127```128## Hooks Alternative130For more complex scenarios, use `.pnpmfile.cjs`:132```js134// .pnpmfile.cjs135function readPackage(pkg, context) {136// Override dependency version137if (pkg.dependencies?.lodash) {138pkg.dependencies.lodash = '^4.17.21'139}140// Add missing peer dependency142if (pkg.name === 'some-package') {143pkg.peerDependencies = {144...pkg.peerDependencies,145react: '*'146}147}148return pkg150}151module.exports = {153hooks: {154readPackage155}156}157```158## Overrides vs Catalogs160| Feature | Overrides | Catalogs |162|---------|-----------|----------|163| Affects | All dependencies (including transitive) | Direct dependencies only |164| Usage | Automatic | Explicit `catalog:` reference |165| Purpose | Force versions, fix issues | Version management |166| Granularity | Can target specific parents | Package-wide only |167## Debugging169Check which version is resolved:171```bash173# See resolved versions174pnpm why lodash175# List all versions177pnpm list lodash --depth=Infinity178```179<!--181Source references:182- https://pnpm.io/package_json#pnpmoverrides183- https://pnpm.io/pnpmfile184-->185