
fix!: refuse to pack when overrides apply to bundled packages #9271

Merged
owlstronaut merged 1 commit into latest from fix-bundled-overrides-publish
Apr 28, 2026

Conversation

@owlstronaut (Contributor) commented Apr 22, 2026

Follow up to #9235.

When a package defines overrides that apply to one or more of its bundledDependencies (or bundleDependencies), the resulting bundled tree is invalid from the perspective of any consumer: consumers do not apply the publishing package's overrides when validating the bundled tree, so npm ls will always show invalid edges for the affected bundled packages.

This PR refuses to pack (and therefore publish) such packages with a clear EBUNDLEOVERRIDE error that lists the offending bundled package names. Defining both overrides and bundledDependencies is still allowed — the error only fires when an override actually targets a package inside the bundled subtree. Cases that are now correctly accepted include:

  • overrides that target dev dependencies (which are not bundled),
  • overrides that target packages outside the bundled subtree, and
  • packages that bundle some deps but override only unrelated ones.

The check uses Arborist's own inBundle / inDepBundle / overridden semantics on the actual on-disk tree (the same tree pacote uses to build the tarball), so it stays consistent with what npm-packlist actually publishes.

The check lives in libnpmpack, so it covers npm pack, npm publish, and any direct consumers of the library.

Closes npm/statusboard#1102.

BREAKING CHANGE: npm pack and npm publish now error when a package's overrides apply to one or more of its bundled packages (bundledDependencies / bundleDependencies). Defining both fields is still allowed as long as no override actually targets a bundled package. To resolve the error, remove the affected entries from either overrides or the bundle.
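To make the condition the PR description refuses concrete, here is an added example that is not libnpmpack's code and not from this PR. It approximates the check with a simplified, name-based rule over a constructed in-memory dependency graph (assumption: `graph` maps a package name to the names of its production dependencies, standing in for the on-disk tree that Arborist walks), computes the bundled subtree as the declared bundle entries plus their transitive dependencies, and reports any package in that subtree whose name appears as an overrides key. The real check uses Arborist's `inBundle` / `inDepBundle` / `overridden` semantics, which also take the override's version spec into account; this version ignores specs and treats any name match as a conflict, so it is stricter than the real one.

```javascript
// Added example, not libnpmpack's code: a simplified, name-based check for
// overrides that target packages inside a package's bundled subtree.
// The real check in libnpmpack uses Arborist's inBundle/inDepBundle/overridden
// semantics on the on-disk tree; here a constructed in-memory graph stands in.

// Extract the package name from an overrides key such as "foo", "foo@^1.0.0"
// or "@scope/foo@2.x" (the leading "@" of a scoped name is not a separator).
function overrideKeyName (key) {
  const at = key.indexOf('@', key.startsWith('@') ? 1 : 0)
  return at === -1 ? key : key.slice(0, at)
}

// Recursively collect every package name an overrides object can target,
// including nested keys like { "foo": { "bar": "1.0.0" } }.
function overrideTargets (overrides, out = new Set()) {
  for (const [key, value] of Object.entries(overrides || {})) {
    if (key === '.') continue // "." re-specs the parent itself, not a child
    out.add(overrideKeyName(key))
    if (value && typeof value === 'object') overrideTargets(value, out)
  }
  return out
}

// Compute the bundled subtree: the declared bundle entries (or every prod
// dependency when bundleDependencies is `true`) plus everything they depend
// on transitively, which is what ends up inside the tarball.
function bundledSubtree (pkg, graph) {
  let roots = pkg.bundleDependencies ?? pkg.bundledDependencies ?? []
  if (roots === true) roots = Object.keys(pkg.dependencies || {})
  const seen = new Set()
  const stack = [...roots]
  while (stack.length) {
    const name = stack.pop()
    if (seen.has(name)) continue
    seen.add(name)
    for (const dep of graph[name] || []) stack.push(dep)
  }
  return seen
}

// Sorted names of bundled packages that an override targets.
// An empty array means packing would be allowed.
function bundledOverrideConflicts (pkg, graph) {
  const bundled = bundledSubtree(pkg, graph)
  const targets = overrideTargets(pkg.overrides)
  return [...bundled].filter(name => targets.has(name)).sort()
}

// Mirror the EBUNDLEOVERRIDE refusal: throw with the offending names attached.
function assertPackable (pkg, graph) {
  const conflicts = bundledOverrideConflicts(pkg, graph)
  if (conflicts.length) {
    const err = new Error(`overrides apply to bundled packages: ${conflicts.join(', ')}`)
    err.code = 'EBUNDLEOVERRIDE'
    err.bundled = conflicts
    throw err
  }
  return true
}

// Constructed sample: "a" is bundled and depends on "x"; "b" is a prod dep
// that is not bundled; "c" is a dev dep and so is never bundled.
const samplePkg = {
  name: 'sample',
  dependencies: { a: '1.0.0', b: '1.0.0' },
  devDependencies: { c: '1.0.0' },
  bundleDependencies: ['a'],
  overrides: { x: '1.0.0', c: '2.0.0', y: '3.0.0' },
}
const sampleGraph = { a: ['x'], b: ['y'], c: ['z'], x: [], y: [], z: [] }

// Only "x" sits inside the bundled subtree, so only it is reported.
console.log(bundledOverrideConflicts(samplePkg, sampleGraph)) // [ 'x' ]
```

Overrides on `c` (a dev dependency) and `y` (reachable only through the unbundled `b`) are accepted, matching the three cases the description lists as now allowed; the override on `x` is rejected because `x` is shipped inside the bundle under `a`.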

@owlstronaut owlstronaut requested a review from a team as a code owner April 22, 2026 19:37
@wraithgar (Member) commented:
What if we have overridden dev dependencies?
What if we only bundle some of our dependencies and none of them are overridden?

@owlstronaut (Contributor, Author) commented:

> What if we have overridden dev dependencies? What if we only bundle some of our dependencies and none of them are overridden?

Those are good points. I'll need to make this a little more flexible.

@owlstronaut owlstronaut force-pushed the fix-bundled-overrides-publish branch from 8cf2689 to 700f297 April 23, 2026 15:21
@owlstronaut owlstronaut changed the title from "fix!: refuse to pack with bundled dependencies AND overrides" to "fix!: refuse to pack when overrides apply to bundled packages" Apr 23, 2026
@owlstronaut owlstronaut force-pushed the fix-bundled-overrides-publish branch from 700f297 to f6981d5 April 23, 2026 15:31
@owlstronaut owlstronaut force-pushed the fix-bundled-overrides-publish branch from f6981d5 to 649aaad April 28, 2026 17:48
@owlstronaut owlstronaut force-pushed the fix-bundled-overrides-publish branch from 649aaad to 4568721 April 28, 2026 17:56
@owlstronaut owlstronaut merged commit b1965d6 into latest Apr 28, 2026
16 checks passed
@owlstronaut owlstronaut deleted the fix-bundled-overrides-publish branch April 28, 2026 17:59
Successfully merging this pull request may close these issues: Refuse to publish package with bundled dependencies AND overrides