npm package-lock.json round-trip corrupts graph when package.json has any non-empty overrides

[sairus2k]

Summary

When package.json contains a non-empty overrides block, aube install rewrites package-lock.json in a way that:

• strips optional: true markers (and matching os / cpu constraints) from platform-specific packages,
• prunes those platform-specific package entries entirely from the packages section,
• collapses peerDependencies into concrete dependencies with pinned versions.

The content of overrides does not matter — even an override on a package with no peer chains (e.g. lodash) triggers it. An empty overrides: {} does not trigger it.

Environment

• aube 1.15.0 macos-arm64 (2026-05-17)
• node v24.14.1, npm 11.11.0

Minimal reproduction

package.json:

{
  "name": "aube-overrides-repro",
  "version": "1.0.0",
  "private": true,
  "dependencies": {
    "typescript": "^5.0.0",
    "vite": "^8.0.13",
    "react": "18.3.1",
    "@casl/react": "5.0.1",
    "@casl/ability": "6.8.1"
  },
  "overrides": {
    "lodash": "^4.0.0"
  }
}

npm install --package-lock-only --ignore-scripts --no-audit --no-fund
cp package-lock.json package-lock.npm.json
aube install --ignore-scripts
diff -q package-lock.npm.json package-lock.json

Actual

Files package-lock.npm.json and package-lock.json differ

metric	npm-fresh	aube-rewritten	Δ
lines	967	408	−58%
node_modules/... entries	57	27	−30 packages
optional: true markers	46	13	−33
react: "18.x" pin injections into peer-only entries	0	2	+2

The pruned packages are all @esbuild/* platform binaries, including the one matching the host (@esbuild/darwin-arm64). @casl/react gains injected concrete dependencies:

 "node_modules/@casl/react": {
   "version": "5.0.1",
   ...
+  "dependencies": {
+    "@casl/ability": "6.8.1",
+    "react": "18.3.1"
+  },
   "peerDependencies": {
     "@casl/ability": "^4.0.0 || ^5.1.0 || ^6.0.0",
     "react": "^17.0.0 || ^18.0.0 || ^19.0.0"
   }
 }

Expected

aube install on a package-lock.json written by npm should round-trip the file faithfully. The overrides block should not change the shape of packages[], optional/os/cpu metadata, or peer/dep classification of unrelated packages.

Ablation

overrides value	result
absent	byte-identical to npm
{} (empty object)	byte-identical to npm
{ "typescript": "$typescript" }	DIFFERS (960 → 401)
{ "typescript": "^5.0.0" }	DIFFERS (960 → 401)
{ "lodash": "^4.0.0" }	DIFFERS (967 → 408)

The trigger is the presence of any entry in overrides — neither the npm $<direct-dep> parent-reference syntax nor a specific override target is required.

This issue was investigated with Claude Code.

[jdx]

Thanks for the detailed repro. I opened https://github.com/endevco/aube/pull/753 for this.

Root cause: package-lock.json does not carry the lockfile-level override snapshot that aube/pnpm/bun locks use for drift detection. Because of that, any non-empty package.json overrides block made an npm lock look stale, even when the override was unrelated to the packages in the lockfile. aube then re-resolved and rewrote package-lock.json, which was npm-readable but could be lossy relative to npm’s original graph shape.

The PR makes drift checks format-aware: npm/yarn skip those lockfile-level metadata comparisons, while aube-lock.yaml, pnpm-lock.yaml, and bun.lock stay strict. I also verified bun does serialize top-level overrides, and Yarn 1/4 resolutions are applied into package entries rather than stored as a top-level snapshot.

Validation included the repro from this discussion: after aube install --ignore-scripts, the npm-generated package-lock.json stayed byte-identical. I also forced a package-lock rewrite and confirmed npm accepted the result with npm install --package-lock-only and npm ls --package-lock-only --all.

This comment was generated by Codex.