`peerDependencies` validation should compatiable with `pnpm.overrides`

[Timeless0911]

Verify latest release

• I verified that the issue exists in the latest pnpm release

pnpm version

10.0.0

Which area(s) of pnpm are affected? (leave empty if unsure)

Dependencies resolver

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

Any repo with peerDependencies specification and pnpm.overrides with link: or file: protocol to override peerDependencies.

Describe the Bug

Hi, it is really a breaking change to directly prohibit peer dependencies from using link: and file: protocols which introduced in #8942.

There exists a scene that when we need to debug packages from two different repos, we usually write pnpm.overrides or running pnpm link to do symlinks.

"pnpm": {
  "overrides": {
    "@foo/bar": "link:../baz",
  }
}

This feature of validation in peerDependencies prevents us to using pnpm.overrides like above.

May I ask how can I skip error of ERR_PNPM_INVALID_PEER_DEPENDENCY_SPECIFICATION  after bumping pnpm@10.0.0 with changes of this PR?

Expected Behavior

It would be better to provide a configuration in .npmrc like verify-deps-before-run to make it configurable to disable this validation behaviour.

Which Node.js version are you using?

22.10.0

Which operating systems have you used?

• macOS
• Windows
• Linux

If your OS is a Linux based, which one it is? (Include the version if relevant)

No response

[haoqunjiang]

It's affecting Vue Ecosystem CI too.
https://github.com/vuejs/ecosystem-ci/actions/runs/12822966555/job/35756738458
Reproducible with corepack enable && pnpm test vue-macros.
We would alter the ecosystem packages with something like:

  "pnpm": {
    "overrides": {
      "vue@^3": "https://pkg.pr.new/vue@main"
    }
  }

in the package.json, and this overrides field is causing errors in repositories with pnpm 10.

[KSXGitHub]

It would be better to provide a configuration in .npmrc like verify-deps-before-run to make it configurable to disable this validation behaviour.

Before this workaround is introduced, you may use .pnpmfile.cjs for now.

I do wonder though: Should overrides overrides peerDependencies? Or maybe we should introduce additional overrides fields (such as prodOverrides, optionalOverrides, peerOverrides) or special syntax to filter types of dependencies?

[Timeless0911]

I think it is common to declare dependencies as both peerDependencies and devDependencies in npm package development. And if dependencies are not specified in devDependencies, since there exists auto-install-peers feature by default, peerDependencies should also be overrided though?

[KSXGitHub]

I think it is common to declare dependencies as both peerDependencies and devDependencies in npm package development.

devDependencies are not installed (unless they are direct dependencies of workspace packages, of course) so they are irrelevant. However, packages can still declare dependencies that satisfy peerDependencies of one of their dependencies. So not overriding peerDependencies would still break regardless.