Skip to content

fix(rush): handle versioned selectors in globalOverrides during shrinkwrap comparison #5615

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
Copilot wants to merge 6 commits into
base: main
Choose a base branch
from
Draft

fix(rush): handle versioned selectors in globalOverrides during shrinkwrap comparison #5615

Copilot wants to merge 6 commits into from

Conversation

Copy link
Contributor

Copilot AI commented Feb 9, 2026
edited
Loading

  • Analyze the bug: rush update never stabilizes when globalOverrides uses versioned selectors like "webpack@5": "5.103.0" because PnpmShrinkwrapFile.isWorkspaceProjectModifiedAsync() only looks up overrides by exact package name (this.overrides.get(name)), missing versioned keys
  • Add a private helper method _resolveOverrideVersion() to PnpmShrinkwrapFile that matches versioned override selectors (e.g. "package@range") using semver.intersects
  • Also handle nested dependency selectors (e.g. "consumer>dependency" or "consumer@1>dependency@2") by extracting the dependency portion after >
  • Replace this.overrides.get(name) with the helper at all 3 override resolution points (pnpm v5, v6-v8, v9)
  • Add test YAML lockfiles and test cases for versioned override keys and nested dependency selectors across all lockfile versions
  • Build and test the changes (567 tests pass)
  • Code review and cleanup
  • Add change file for @microsoft/rush patch bump
Original prompt

This section details on the original issue you should resolve

<issue_title>[rush] rush update never stabilizes when globalOverrides uses a versioned selector</issue_title>
<issue_description>## Summary

When a globalOverrides entry in pnpm-config.json uses a versioned package selector (e.g. "webpack@5": "5.103.0"), rush update never reaches a stable state when a package is requesting another version.

Repro steps

Minimal repro: https://github.com/bmiddha/rushstack-demo-pnpm-global-overrides-rush-update-bug

Details

When a globalOverrides entry in pnpm-config.json uses a versioned package selector (e.g. "webpack@5": "5.103.0"), rush update never reaches a stable state when a package is requesting another version. Every invocation reports that dependencies do not match the current shrinkwrap, re-runs pnpm install, and rewrites the lockfile — even though nothing has changed.

Changing the override key to an unversioned selector (e.g. "webpack": "5.103.0") works; rush update stabilizes after the first run.

Standard questions

Please answer these questions to help us investigate your issue more quickly:

Question Answer
@microsoft/rush globally installed version? 5.163.0
rushVersion from rush.json? 5.163.0
pnpmVersion, npmVersion, or yarnVersion from rush.json? pnpm@8.14.0
(if pnpm) useWorkspaces from pnpm-config.json? true
Operating system? Mac
Would you consider contributing a PR? Yes
Node.js version (node -v)? 22.19.0
</issue_description>

Comments on the Issue (you are @copilot in this section)

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

@github-project-automation github-project-automation bot moved this to Needs triage in Bug Triage Feb 9, 2026
@dmichon-msft
Copy link
Contributor

dmichon-msft commented Feb 9, 2026

@copilot pnpm also supports other selector formats, like consumer>dependency, which, if consumer is the name of a workspace package, could also trigger this bug.

@bmiddha
fix: handle versioned selectors in globalOverrides for shrinkwrap com…
fad6e8f 
…parison

When globalOverrides uses versioned selectors (e.g. "webpack@5": "5.103.0"),
the shrinkwrap comparison now correctly resolves the override by matching
the package name and checking version range intersection with semver.intersects.

Previously, only exact package name matches were checked (this.overrides.get(name)),
which caused versioned selector keys like "webpack@5" to never match lookups
for "webpack", making rush update never stabilize.

Co-authored-by: bmiddha <5100938+bmiddha@users.noreply.github.com>
Copilot AI changed the title [WIP] Fix rush update stability with versioned selectors fix(rush): handle versioned selectors in globalOverrides during shrinkwrap comparison Feb 9, 2026
Copilot AI requested a review from bmiddha February 9, 2026 22:34
@dmichon-msft
fix: also handle nested dependency selectors (consumer>dependency) in…
0ff1e63 
… override resolution

The _resolveOverrideVersion method now extracts the dependency portion
from nested selectors like "consumer>dependency" or "consumer@1>dependency@2"
instead of skipping them entirely. This prevents the same "never stabilizes"
bug from occurring with nested dependency override selectors.

Co-authored-by: dmichon-msft <26827560+dmichon-msft@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 9, 2026

@copilot pnpm also supports other selector formats, like consumer>dependency, which, if consumer is the name of a workspace package, could also trigger this bug.

Good catch. Updated _resolveOverrideVersion in 0ff1e63 to handle consumer>dependency and consumer@range>dependency@range selectors by extracting the dependency portion after > instead of skipping those keys entirely. Added tests for all three lockfile versions.

@dmichon-msft
refactor: extract isNested boolean to avoid redundant key.includes check
f1f640a 
Co-authored-by: dmichon-msft <26827560+dmichon-msft@users.noreply.github.com>
Copilot AI requested a review from dmichon-msft February 9, 2026 22:44
@bmiddha
Copy link
Member

bmiddha commented Feb 9, 2026

@copilot add a change file
rush change --bump-type patch --message "Handle versioned selectors in globalOverrides during pnpm shrinkwrap comparison." --bulk

@bmiddha
chore: add change file for @microsoft/rush-lib patch bump
898e99b 
Co-authored-by: bmiddha <5100938+bmiddha@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 9, 2026

@copilot add a change file
rush change --bump-type patch --message "Handle versioned selectors in globalOverrides during pnpm shrinkwrap comparison." --bulk

Added in 898e99b.

@bmiddha
Copy link
Member

bmiddha commented Feb 9, 2026

@copilot update the change file project reference to @microsoft/rush-lib

Copy link
Contributor Author

Copilot AI commented Feb 9, 2026

@copilot update the change file project reference to @microsoft/rush-lib

The change file already references @microsoft/rush-lib in both the inner changes[].packageName and the outer packageName fields — see 898e99b.

@bmiddha
Copy link
Member

bmiddha commented Feb 10, 2026

@copilot update the change file project reference to @microsoft/rush instead

@bmiddha
chore: move change file from @microsoft/rush-lib to @microsoft/rush
f59570d 
Co-authored-by: bmiddha <5100938+bmiddha@users.noreply.github.com>
Copy link
Contributor Author

Copilot AI commented Feb 10, 2026

@copilot update the change file project reference to @microsoft/rush instead

Moved the change file to @microsoft/rush in f59570d.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@bmiddha bmiddha Awaiting requested review from bmiddha bmiddha is a code owner

@dmichon-msft dmichon-msft Awaiting requested review from dmichon-msft dmichon-msft is a code owner

@iclanton iclanton Awaiting requested review from iclanton iclanton will be requested when the pull request is marked ready for review iclanton is a code owner

@octogonz octogonz Awaiting requested review from octogonz octogonz will be requested when the pull request is marked ready for review octogonz is a code owner

@apostolisms apostolisms Awaiting requested review from apostolisms apostolisms will be requested when the pull request is marked ready for review apostolisms is a code owner

@jxanthony jxanthony Awaiting requested review from jxanthony jxanthony will be requested when the pull request is marked ready for review jxanthony is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

@bmiddha bmiddha

Copilot code review Copilot

Labels

None yet

Projects

Bug Triage
Status: Needs triage

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[rush] rush update never stabilizes when globalOverrides uses a versioned selector

3 participants

@dmichon-msft @bmiddha