Support for pnpm.overrides

[fantun3s]

What would you like Renovate to be able to do?

I would like Renovate to be able to deal with pnpm.overrides the same way it does for overrides.

Currently, when renovate updates a dependency, it will also change the version of that dependency on the overrides section, but will ignore the pnpm.overrides section.

I've set up a repository to reproduce the current behaviour:
Repo: https://github.com/fantun3s/SIMPLE-PNPM-RENOVATE
PR: https://github.com/fantun3s/SIMPLE-PNPM-RENOVATE/pull/4

If you have any ideas on how this should be implemented, please tell us here.

I believe the same logic that is already in place to handle the overrides property can be reused for pnpm.overrides.

Is this a feature you are interested in implementing yourself?

Maybe

[Hi-Fi]

Is automatic update of overrides really something that's wanted? As those are (usually at least) used to select working version for some transient dependency, so offering update to those automatically feels some thing that would easily break things.

Relates to projen/projen#2126

I know that npm has those, but it just backfired today as we have a lot of "garbage" PRs due to updated trying to touch resolutions (and breaking the build as Projen puts those back causing git's mutability check to fail)

[rarkins]

I think we should make sure we have adequate metadata (e.g. depType=overrides) so that users can decide whether to update them or not. In cases where you're holding back a dependency version with overrides, you naturally wouldn't want it updated. But there can be cases where people are using a newer version and may want that updated.

[Turbo87]

while I agree that something like depType=overrides might be useful I don't think it should block the implementation of pnpm.overrides support. if yarn resolutions and npm overrides are already supported then this is about feature parity, and somewhat orthogonal to the discussion of whether certain overrides should be updated or not. :)

[RahulGautamSingh]

Do we need to extract dependencies from the pnpm.overrides section, or should we only update dependencies when a matching dependency is being updated, similar to how we handle yarn resolutions? In other words, if a dependency is exclusively listed in pnpm.overrides and is not present in npm.overrides or the main dependencies object, we don't update it.

[viceice]

always update the override, they don't need to be in normal dependencies.

they are independent and mostly transitive deps.

[karlhorky]

As more users are switching to pnpm in the ecosystem, this issue will gain more attention over time, and potentially community contributors.

Is there a recommended path for community contributions here? Should the Renovate implementation of npm Overrides and Yarn Resolutions be copied to support pnpm Overrides too?

[rarkins]

Yes, it should be mostly a copy paste of the same concept from npm/yarn

[renovate-release]

🎉 This issue has been resolved in version 37.281.0 🎉

The release is available on:

• GitHub release
• npm package (@latest dist-tag)
• 37.281.0

Your semantic-release bot 📦🚀