
pnpm audit clears out references to direct dependencies (via $) and replaces with a version #10325

@adamdehaven

Description


Verify latest release

  • I verified that the issue exists in the latest pnpm release

pnpm version

10.25.0

Which area(s) of pnpm are affected? (leave empty if unsure)

No response

Link to the code that reproduces this issue or a replay of the bug

No response

Reproduction steps

  1. Configure a pnpm.overrides entry in your root package.json defined as a reference to a direct dependency's spec by prefixing the name of the dependency with a $

    {
      "dependencies": {
        "foo": "^1.0.0"
      },
      "pnpm": {
        "overrides": {
          "foo": "$foo"
        }
      }
    }
  2. Run pnpm audit --fix

  3. Notice that the override reference (meaning $foo) is now replaced with an actual version, even if this dependency was not subject to an auditable fix.

Describe the Bug

pnpm overrides defined as a reference to a local dependency or devDependency with $ are replaced with versions rather than leaving the reference in place when running pnpm audit --fix.

Expected Behavior

The pnpm audit command should only change the overrides entry if the package is specifically impacted by an audit.

In the example above, I would expect the foo dependency override to remain unchanged.

Which Node.js version are you using?

24.11.1

Which operating systems have you used?

  • macOS
  • Windows
  • Linux

If your OS is Linux based, which one is it? (Include the version if relevant)

No response
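As an added example (not pnpm's own code, nor the reporter's), a small Node.js check that compares a package.json before and after `pnpm audit --fix` and reports any `pnpm.overrides` entry that was a `$name` reference to a direct dependency and came back as a concrete version, so the rewrite described above is surfaced in review instead of being committed unnoticed. The two package.json objects and the version `1.0.3` are constructed sample data; overrides declared in `pnpm-workspace.yaml` are not covered.

```javascript
// Added example: detect "$reference" overrides that `pnpm audit --fix`
// replaced with a version. Only the package.json "pnpm.overrides" form
// shown in the issue is handled.

// Overrides from a parsed package.json object (empty object if none).
function collectOverrides(pkg) {
  return (pkg.pnpm && pkg.pnpm.overrides) || {};
}

// Where the referenced direct dependency is declared, or null if it is
// not a direct dependency at all (a dangling "$ref").
function declaredIn(pkg, ref) {
  if (pkg.dependencies && ref in pkg.dependencies) return 'dependencies';
  if (pkg.devDependencies && ref in pkg.devDependencies) return 'devDependencies';
  return null;
}

// Returns [{ name, before, after, declaredIn }] for every override that
// was a "$reference" in `before` and is no longer that exact reference in
// `after`. Overrides that were already plain versions are ignored: those
// may legitimately change when a package is subject to an audit fix.
function findRewrittenReferences(before, after) {
  const prev = collectOverrides(before);
  const next = collectOverrides(after);
  const rewritten = [];
  for (const [name, spec] of Object.entries(prev)) {
    if (typeof spec !== 'string' || !spec.startsWith('$')) continue;
    if (next[name] === spec) continue; // reference preserved, nothing to report
    rewritten.push({
      name,
      before: spec,
      after: next[name] === undefined ? null : next[name],
      declaredIn: declaredIn(before, spec.slice(1)),
    });
  }
  return rewritten;
}

// Constructed sample: the issue's package.json, and the same file after
// the rewrite the issue reports (version value is made up).
const SAMPLE_BEFORE = {
  dependencies: { foo: '^1.0.0' },
  devDependencies: { bar: '^2.0.0' },
  pnpm: { overrides: { foo: '$foo', bar: '$bar', baz: '3.0.0' } },
};
const SAMPLE_AFTER = {
  dependencies: { foo: '^1.0.0' },
  devDependencies: { bar: '^2.0.0' },
  pnpm: { overrides: { foo: '1.0.3', bar: '$bar', baz: '3.0.1' } },
};
```

Run the function against `git show HEAD:package.json` and the working copy in a pre-commit hook and fail when the result is non-empty.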
