
Npm: add support for overrides


Problem

The npm CLI supports the shrinkwrap command, which locks dependencies while taking overrides into account: https://docs.npmjs.com/cli/v9/configuring-npm/package-json#overrides

Users can use overrides to redefine the version of a nested dependency. This helps fix security vulnerabilities and work around poorly maintained dependencies of a package.

In order to properly support overrides, we need to set the attribute _hasShrinkwrap to true in the package's version metadata.

Solution

When the command npm shrinkwrap is executed, it creates the file npm-shrinkwrap.json within the package. This file is sent in the package tarball together with the other files.

We could check for the existence of npm-shrinkwrap.json asynchronously (in a background job) when a new package is uploaded, and save the result in the npm metadata package_json field.

Afterwards, when we generate the package's metadata, we can read this value.
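As an added illustration of the check described above (example code, not GitLab's implementation), the following Ruby derives the _hasShrinkwrap flag from the uploaded tarball bytes; the helper names, the build_tarball fixture and the sample package contents are constructed for this example.

```ruby
require 'rubygems/package'
require 'stringio'
require 'zlib'

# Hypothetical helper (added example, not GitLab's code). npm tarballs place
# every published file under a top-level "package/" directory, so only that
# exact path counts; a shrinkwrap buried under node_modules/ must not flip the
# flag for the package being uploaded.
SHRINKWRAP_PATH = 'package/npm-shrinkwrap.json'.freeze

def tarball_has_shrinkwrap?(tgz_bytes)
  # gunzip into memory first so TarReader gets a seekable stream
  tar_io = StringIO.new(Zlib.gunzip(tgz_bytes))
  Gem::Package::TarReader.new(tar_io) do |tar|
    tar.each do |entry|
      return true if entry.file? && entry.full_name == SHRINKWRAP_PATH
    end
  end
  false
end

# Version-metadata fragment the registry would serve; the flag is derived
# from the tarball contents rather than trusted from client-supplied metadata.
def version_metadata(name, version, tgz_bytes)
  {
    'name' => name,
    'version' => version,
    '_hasShrinkwrap' => tarball_has_shrinkwrap?(tgz_bytes)
  }
end

# Constructed sample tarball for offline use: path => content
def build_tarball(files)
  tar_io = StringIO.new(''.b)
  Gem::Package::TarWriter.new(tar_io) do |tar|
    files.each do |path, content|
      tar.add_file_simple(path, 0o644, content.bytesize) { |f| f.write(content) }
    end
  end
  Zlib.gzip(tar_io.string)
end

if __FILE__ == $PROGRAM_NAME
  with = build_tarball(
    'package/package.json' => '{"name":"demo","version":"1.0.0","overrides":{"left-pad":"1.3.0"}}',
    'package/npm-shrinkwrap.json' => '{"name":"demo","lockfileVersion":3}'
  )
  p version_metadata('demo', '1.0.0', with) # => {..., "_hasShrinkwrap"=>true}
end
```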
