fix: handle versioned selectors in globalOverrides for shrinkwrap comparison

When globalOverrides uses versioned selectors (e.g. "webpack@5": "5.103.0"),
the shrinkwrap comparison now correctly resolves the override by matching
the package name and checking version range intersection with semver.intersects.

Previously, only exact package name matches were checked (this.overrides.get(name)),
which caused versioned selector keys like "webpack@5" to never match lookups
for "webpack", making rush update never stabilize.

Co-authored-by: bmiddha <5100938+bmiddha@users.noreply.github.com>

Author: Copilot

libraries/rush-lib/src/logic/pnpm/PnpmShrinkwrapFile.ts

@@ -1110,7 +1110,9 @@ export class PnpmShrinkwrapFile extends BaseShrinkwrapFile {
         if (!foundDependency) {
           return true;
         }
-        const resolvedVersion: string = this.overrides.get(importerPackageName) ?? foundDependency.version;
+        const resolvedVersion: string =
+          this._resolveOverrideVersion(importerPackageName, foundDependency.version) ??
+          foundDependency.version;
         if (resolvedVersion !== importerVersionSpecifier) {
           return true;
         }
@@ -1167,7 +1169,7 @@ export class PnpmShrinkwrapFile extends BaseShrinkwrapFile {
           if (this.shrinkwrapFileMajorVersion >= ShrinkwrapFileMajorVersion.V9) {
             // TODO: Emit an error message when someone tries to override a version of something in one of their
             // local repo packages.
-            let resolvedVersion: string = this.overrides.get(name) ?? version;
+            let resolvedVersion: string = this._resolveOverrideVersion(name, version) ?? version;
             // convert path in posix style, otherwise pnpm install will fail in subspace case
             resolvedVersion = Path.convertToSlashes(resolvedVersion);
             const specifier: string = importer.specifiers[name];
@@ -1183,7 +1185,7 @@ export class PnpmShrinkwrapFile extends BaseShrinkwrapFile {
             } else {
               // TODO: Emit an error message when someone tries to override a version of something in one of their
               // local repo packages.
-              let resolvedVersion: string = this.overrides.get(name) ?? version;
+              let resolvedVersion: string = this._resolveOverrideVersion(name, version) ?? version;
               // convert path in posix style, otherwise pnpm install will fail in subspace case
               resolvedVersion = Path.convertToSlashes(resolvedVersion);
               if (
@@ -1218,6 +1220,48 @@ export class PnpmShrinkwrapFile extends BaseShrinkwrapFile {
     return false;
   }
 
+  /**
+   * Look up the override value for a given package name and version.
+   * Handles versioned selectors like "webpack@5" in addition to simple "webpack" keys.
+   */
+  private _resolveOverrideVersion(name: string, version: string): string | undefined {
+    // First, try exact match by package name
+    const exactMatch: string | undefined = this.overrides.get(name);
+    if (exactMatch !== undefined) {
+      return exactMatch;
+    }
+
+    // Then try versioned selectors (e.g., "webpack@5" or "@scope/pkg@^2.0.0")
+    for (const [key, value] of this.overrides) {
+      // Skip nested dependency selectors (contain '>')
+      if (key.includes('>')) {
+        continue;
+      }
+
+      // Parse the package name and version range from the override key.
+      // Handle scoped packages (@scope/pkg@range) by finding the '@' after the scope prefix.
+      const atIndex: number = key.startsWith('@') ? key.indexOf('@', 1) : key.indexOf('@');
+      if (atIndex === -1) {
+        continue; // No version selector, already handled by exact match above
+      }
+
+      const packageName: string = key.substring(0, atIndex);
+      const rangeStr: string = key.substring(atIndex + 1);
+
+      if (packageName === name) {
+        try {
+          if (semver.intersects(version, rangeStr)) {
+            return value;
+          }
+        } catch {
+          // If semver parsing fails (e.g. for non-semver versions), skip this override
+        }
+      }
+    }
+
+    return undefined;
+  }
+
   private _getIntegrityForPackage(specifier: string, optional: boolean): Map<string, string> {
     const integrities: Map<string, Map<string, string>> = this._integrities;
 

libraries/rush-lib/src/logic/pnpm/test/PnpmShrinkwrapFile.test.ts

@@ -362,6 +362,21 @@ snapshots:
           )
         ).resolves.toBe(false);
       });
+
+      it('can detect versioned overrides', async () => {
+        const project = getMockRushProject();
+        const pnpmShrinkwrapFile = getPnpmShrinkwrapFileFromFile(
+          `${__dirname}/yamlFiles/pnpm-lock-v5/versioned-overrides-not-modified.yaml`,
+          project.rushConfiguration.defaultSubspace
+        );
+        await expect(
+          pnpmShrinkwrapFile.isWorkspaceProjectModifiedAsync(
+            project,
+            project.rushConfiguration.defaultSubspace,
+            undefined
+          )
+        ).resolves.toBe(false);
+      });
     });
 
     describe('pnpm lockfile major version 6', () => {
@@ -410,6 +425,21 @@ snapshots:
         ).resolves.toBe(false);
       });
 
+      it('can detect versioned overrides', async () => {
+        const project = getMockRushProject();
+        const pnpmShrinkwrapFile = getPnpmShrinkwrapFileFromFile(
+          `${__dirname}/yamlFiles/pnpm-lock-v6/versioned-overrides-not-modified.yaml`,
+          project.rushConfiguration.defaultSubspace
+        );
+        await expect(
+          pnpmShrinkwrapFile.isWorkspaceProjectModifiedAsync(
+            project,
+            project.rushConfiguration.defaultSubspace,
+            undefined
+          )
+        ).resolves.toBe(false);
+      });
+
       it('can handle the inconsistent version of a package declared in dependencies and devDependencies', async () => {
         const project = getMockRushProject2();
         const pnpmShrinkwrapFile = getPnpmShrinkwrapFileFromFile(
@@ -472,6 +502,21 @@ snapshots:
         ).resolves.toBe(false);
       });
 
+      it('can detect versioned overrides', async () => {
+        const project = getMockRushProject();
+        const pnpmShrinkwrapFile = getPnpmShrinkwrapFileFromFile(
+          `${__dirname}/yamlFiles/pnpm-lock-v9/versioned-overrides-not-modified.yaml`,
+          project.rushConfiguration.defaultSubspace
+        );
+        await expect(
+          pnpmShrinkwrapFile.isWorkspaceProjectModifiedAsync(
+            project,
+            project.rushConfiguration.defaultSubspace,
+            undefined
+          )
+        ).resolves.toBe(false);
+      });
+
       it('can handle the inconsistent version of a package declared in dependencies and devDependencies', async () => {
         const project = getMockRushProject2();
         const pnpmShrinkwrapFile = getPnpmShrinkwrapFileFromFile(

libraries/rush-lib/src/logic/pnpm/test/yamlFiles/pnpm-lock-v5/versioned-overrides-not-modified.yaml

@@ -0,0 +1,32 @@
+lockfileVersion: 5.3
+
+overrides:
+  typescript@~5: 5.0.4
+
+importers:
+  .:
+    specifiers: {}
+
+  ../../apps/foo:
+    specifiers:
+      tslib: ~2.3.1
+      typescript: 5.0.4
+    dependencies:
+      tslib: 2.3.1
+    devDependencies:
+      typescript: 5.0.4
+
+packages:
+  /typescript/5.0.4:
+    resolution:
+      {
+        integrity: sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==
+      }
+    engines: { node: '>=12.20' }
+    hasBin: true
+
+  /tslib/2.3.1:
+    resolution:
+      {
+        integrity: sha512-77EbyPPpMz+FRFRuAFlWMtmgUWGe9UOG2Z25NqCwiIjRhOf5iKGuzSe5P2w1laq+FkRy4p+PCuVkJSGkzTEKVw==
+      }

libraries/rush-lib/src/logic/pnpm/test/yamlFiles/pnpm-lock-v6/versioned-overrides-not-modified.yaml

@@ -0,0 +1,32 @@
+lockfileVersion: '6.0'
+
+overrides:
+  typescript@~5: 5.0.4
+
+importers:
+  .: {}
+
+  ../../apps/foo:
+    dependencies:
+      tslib:
+        specifier: ~2.3.1
+        version: 2.3.1
+    devDependencies:
+      typescript:
+        specifier: 5.0.4
+        version: 5.0.4
+
+packages:
+  /typescript/5.0.4:
+    resolution:
+      {
+        integrity: sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==
+      }
+    engines: { node: '>=12.20' }
+    hasBin: true
+
+  /tslib/2.3.1:
+    resolution:
+      {
+        integrity: sha512-77EbyPPpMz+FRFRuAFlWMtmgUWGe9UOG2Z25NqCwiIjRhOf5iKGuzSe5P2w1laq+FkRy4p+PCuVkJSGkzTEKVw==
+      }

libraries/rush-lib/src/logic/pnpm/test/yamlFiles/pnpm-lock-v9/versioned-overrides-not-modified.yaml

@@ -0,0 +1,41 @@
+lockfileVersion: '9.0'
+
+settings:
+  autoInstallPeers: true
+  excludeLinksFromLockfile: false
+
+overrides:
+  typescript@~5: 5.0.4
+
+importers:
+  .: {}
+
+  ../../apps/foo:
+    dependencies:
+      tslib:
+        specifier: ~2.3.1
+        version: 2.3.1
+    devDependencies:
+      typescript:
+        specifier: 5.0.4
+        version: 5.0.4
+
+packages:
+  tslib@2.3.1:
+    resolution:
+      {
+        integrity: sha512-77EbyPPpMz+FRFRuAFlWMtmgUWGe9UOG2Z25NqCwiIjRhOf5iKGuzSe5P2w1laq+FkRy4p+PCuVkJSGkzTEKVw==
+      }
+
+  typescript@5.0.4:
+    resolution:
+      {
+        integrity: sha512-cW9T5W9xY37cc+jfEnaUvX91foxtHkza3Nw3wkoF4sSlKn0MONdkdEndig/qPBWXNkmplh3NzayQzCiHM4/hqw==
+      }
+    engines: { node: '>=12.20' }
+    hasBin: true
+
+snapshots:
+  tslib@2.3.1: {}
+
+  typescript@5.0.4: {}