fix!: refuse to pack with bundled dependencies AND overrides

owlstronaut · owlstronaut · commit 8cf26898e4f3 · 2026-04-22T12:32:35.000-07:00
BREAKING CHANGE: npm pack and npm publish now error when a package defines both bundledDependencies (or bundleDependencies) and overrides. Remove one of the fields from package.json to publish.
diff --git a/workspaces/libnpmpack/lib/index.js b/workspaces/libnpmpack/lib/index.js
@@ -14,6 +14,20 @@ async function pack (spec = 'file:.', opts = {}) {
 
   const manifest = await pacote.manifest(spec, { ...opts, Arborist, _isRoot: true })
 
+  if (spec.type === 'directory') {
+    const bundled = manifest.bundledDependencies || manifest.bundleDependencies
+    const hasBundled = Array.isArray(bundled) ? bundled.length > 0 : Boolean(bundled)
+    const hasOverrides = manifest.overrides
+      && typeof manifest.overrides === 'object'
+      && Object.keys(manifest.overrides).length > 0
+    if (hasBundled && hasOverrides) {
+      throw Object.assign(
+        new Error('Cannot pack or publish a package that has both bundled dependencies and overrides. Remove either the "bundledDependencies"/"bundleDependencies" or "overrides" field from package.json before publishing.'),
+        { code: 'EBUNDLEOVERRIDE' }
+      )
+    }
+  }
+
   const stdio = opts.foregroundScripts ? 'inherit' : 'pipe'
 
   if (spec.type === 'directory' && !opts.ignoreScripts) {
diff --git a/workspaces/libnpmpack/test/index.js b/workspaces/libnpmpack/test/index.js
@@ -212,3 +212,81 @@ t.test('doesn\'t run scripts when ignoreScripts === true', async t => {
     spawk.clean()
   })
 })
+
+t.test('refuses to pack with both bundledDependencies and overrides', async t => {
+  const testDir = t.testdir({
+    'package.json': JSON.stringify({
+      name: 'my-cool-pkg',
+      version: '1.0.0',
+      bundledDependencies: ['semver'],
+      dependencies: { semver: '7.5.0' },
+      overrides: { 'lru-cache': '6.0.0' },
+    }, null, 2),
+  })
+
+  const cwd = process.cwd()
+  process.chdir(testDir)
+  t.teardown(() => process.chdir(cwd))
+
+  await t.rejects(
+    pack('file:.'),
+    { code: 'EBUNDLEOVERRIDE' },
+    'throws with EBUNDLEOVERRIDE code'
+  )
+})
+
+t.test('refuses to pack with bundleDependencies (alt spelling) and overrides', async t => {
+  const testDir = t.testdir({
+    'package.json': JSON.stringify({
+      name: 'my-cool-pkg',
+      version: '1.0.0',
+      bundleDependencies: ['semver'],
+      dependencies: { semver: '7.5.0' },
+      overrides: { 'lru-cache': '6.0.0' },
+    }, null, 2),
+  })
+
+  const cwd = process.cwd()
+  process.chdir(testDir)
+  t.teardown(() => process.chdir(cwd))
+
+  await t.rejects(
+    pack('file:.'),
+    { code: 'EBUNDLEOVERRIDE' },
+    'throws with EBUNDLEOVERRIDE code'
+  )
+})
+
+t.test('packs with only bundledDependencies (no overrides)', async t => {
+  const testDir = t.testdir({
+    'package.json': JSON.stringify({
+      name: 'my-cool-pkg',
+      version: '1.0.0',
+      bundledDependencies: [],
+    }, null, 2),
+  })
+
+  const cwd = process.cwd()
+  process.chdir(testDir)
+  t.teardown(() => process.chdir(cwd))
+
+  const tarball = await pack('file:.')
+  t.ok(tarball)
+})
+
+t.test('packs with only overrides (no bundled)', async t => {
+  const testDir = t.testdir({
+    'package.json': JSON.stringify({
+      name: 'my-cool-pkg',
+      version: '1.0.0',
+      overrides: { 'lru-cache': '6.0.0' },
+    }, null, 2),
+  })
+
+  const cwd = process.cwd()
+  process.chdir(testDir)
+  t.teardown(() => process.chdir(cwd))
+
+  const tarball = await pack('file:.')
+  t.ok(tarball)
+})
