The published npm package (@10up/block-components@1.22.2) includes "workspaces": ["example/"] in its package.json. Although the example/ directory itself is correctly excluded from the tarball by the "files" allowlist, the workspaces field persists in the published package.json.
This causes npm to treat @10up/block-components as a workspace-aware package during dependency resolution in consuming projects, which breaks npm's overrides feature for any transitive dependency of this package.
Expected: When a consuming project sets "overrides": { "uuid": "^14.0.0" }, only uuid@14.0.0 should be installed — the override should apply to all transitive dependencies.
Actual: A nested uuid@9.0.1 is installed under node_modules/@10up/block-components/node_modules/uuid, ignoring the override. npm dedupe and install-strategy=dedupe also cannot collapse the nested copy.
Steps to Reproduce
- Create a new project and add @10up/block-components as a dependency with a uuid override:
mkdir /tmp/test-bc && cd /tmp/test-bc
npm init -y
npm pkg set 'dependencies.@10up/block-components'='^1.22.2'
npm pkg set 'overrides.uuid'='^14.0.0'
- Install dependencies:
- Check the uuid dependency tree:
- Observe the nested uuid@9.0.1 that ignores the override:
├─┬ @10up/block-components@1.22.2
│ └── uuid@9.0.1 <-- should be 14.0.0
- Confirm the workspaces field is present in the published package:
npm view @10up/block-components@1.22.2 workspaces
# [ 'example/' ]
Suggested fix
Remove the "workspaces" field from package.json, since example/ is a development-only workspace already excluded from the published tarball by "files": ["dist", "README.md"]:
"repository": {
"type": "git",
"url": "git+https://github.com/10up/block-components.git"
},
- "workspaces": [
- "example/"
- ],
"keywords": [
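Review bot: Deleting "workspaces" from the source package.json removes the example/ workspace for local development as well as from the published manifest. If contributors rely on it to install example/, consider stripping the field only at publish time instead. Either way, rerun the npm view ... workspaces check from the reproduction steps against the new release to confirm the published manifest no longer carries the field.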
Environment information
- npm 11.10.0
- Node 20.20.0
- @10up/block-components 1.22.2
- macOS Tahoe
WordPress information
N/A — this is an npm packaging issue, not WordPress-specific.
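A consuming project can detect this class of problem by auditing its lockfile for installed copies that fall outside an override. The following is an added example, not part of the original issue or the project's code. It assumes a package-lock.json with a "packages" map and flat caret overrides with a major version of 1 or higher. The function names and sample data are constructed for illustration.

```javascript
// Added example: list lockfile entries that escape a flat "overrides" pin.
// Assumptions: lockfile "packages" map keyed by install path; overrides of the
// form { "name": "^X.Y.Z" } with X >= 1. Nested override objects are skipped.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1).map(Number) : null;
}

// Minimal caret check (pre-release tags ignored); a production audit would use
// a full semver implementation instead.
function satisfiesCaret(version, range) {
  const want = parseVersion(range.slice(1));
  const got = parseVersion(version);
  if (!want || !got || want[0] === 0) return null; // unsupported input
  if (got[0] !== want[0]) return false;
  if (got[1] !== want[1]) return got[1] > want[1];
  return got[2] >= want[2];
}

// "node_modules/a/node_modules/@s/b" -> "@s/b"; the root entry "" -> null.
function packageNameFromPath(lockPath) {
  const idx = lockPath.lastIndexOf('node_modules/');
  return idx === -1 ? null : lockPath.slice(idx + 'node_modules/'.length);
}

function findOverrideEscapes(manifest, lock) {
  const findings = [];
  for (const [name, range] of Object.entries(manifest.overrides || {})) {
    if (typeof range !== 'string' || !range.startsWith('^')) continue;
    for (const [path, entry] of Object.entries(lock.packages || {})) {
      if (packageNameFromPath(path) !== name) continue;
      if (satisfiesCaret(entry.version, range) === false) {
        findings.push({ name, path, installed: entry.version, override: range });
      }
    }
  }
  return findings;
}

// Constructed sample mirroring the tree reported in this issue.
const sampleManifest = { overrides: { uuid: '^14.0.0' } };
const sampleLock = { packages: {
  '': { name: 'test-bc' },
  'node_modules/@10up/block-components': { version: '1.22.2' },
  'node_modules/@10up/block-components/node_modules/uuid': { version: '9.0.1' },
  'node_modules/uuid': { version: '14.0.0' },
} };
console.log(findOverrideEscapes(sampleManifest, sampleLock));
```

Run in CI after install, a non-empty result flags a dependency that is still on a version the override was meant to replace.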