From 94da69635ec828e1bbc0efd1a6f4e3378ca578b9 Mon Sep 17 00:00:00 2001
From: btea <2356281422@qq.com>
Date: Tue, 28 Apr 2026 07:42:38 +0800
Subject: [PATCH] fix: sort the keys of the overrides object (#11309)

---
 .changeset/sort-audit-fix-overrides.md    | 6 ++++++
 deps/compliance/commands/package.json     | 1 +
 deps/compliance/commands/src/audit/fix.ts | 3 ++-
 deps/compliance/commands/tsconfig.json    | 3 +++
 pnpm-lock.yaml                            | 3 +++
 5 files changed, 15 insertions(+), 1 deletion(-)
 create mode 100644 .changeset/sort-audit-fix-overrides.md

diff --git a/.changeset/sort-audit-fix-overrides.md b/.changeset/sort-audit-fix-overrides.md
new file mode 100644
index 0000000000..d9b7e8e9cc
--- /dev/null
+++ b/.changeset/sort-audit-fix-overrides.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/deps.compliance.commands": patch
+"pnpm": patch
+---
+
+Sort the keys of the overrides object returned by `pnpm audit --fix` so that the log output order matches the order written to `pnpm-workspace.yaml`.
diff --git a/deps/compliance/commands/package.json b/deps/compliance/commands/package.json
index 6a3db515f9..bdfe3897a1 100644
--- a/deps/compliance/commands/package.json
+++ b/deps/compliance/commands/package.json
@@ -53,6 +53,7 @@
     "@pnpm/lockfile.utils": "workspace:*",
     "@pnpm/lockfile.walker": "workspace:*",
     "@pnpm/network.auth-header": "workspace:*",
+    "@pnpm/object.key-sorting": "workspace:*",
     "@pnpm/store.path": "workspace:*",
     "@pnpm/types": "workspace:*",
     "@pnpm/workspace.project-manifest-reader": "workspace:*",
diff --git a/deps/compliance/commands/src/audit/fix.ts b/deps/compliance/commands/src/audit/fix.ts
index 5a78960662..b7d930091f 100644
--- a/deps/compliance/commands/src/audit/fix.ts
+++ b/deps/compliance/commands/src/audit/fix.ts
@@ -1,5 +1,6 @@
 import { writeSettings } from '@pnpm/config.writer'
 import { type AuditAdvisory, type AuditReport, normalizeGhsaId } from '@pnpm/deps.compliance.audit'
+import { sortDirectKeys } from '@pnpm/object.key-sorting'
 import semver from 'semver'
 
 import type { AuditOptions } from './audit.js'
@@ -42,7 +43,7 @@ function createOverrides (advisories: AuditAdvisory[]): Record<string, string> {
     if (!advisory.patched_versions) continue
     entries.push([`${advisory.module_name}@${advisory.vulnerable_versions}`, caretRangeForPatched(advisory.patched_versions)])
   }
-  return Object.fromEntries(entries)
+  return sortDirectKeys(Object.fromEntries(entries))
 }
 
 // Use the minimum patched version with a caret so pnpm stays within the
diff --git a/deps/compliance/commands/tsconfig.json b/deps/compliance/commands/tsconfig.json
index d9fcd55a14..8b40b40435 100644
--- a/deps/compliance/commands/tsconfig.json
+++ b/deps/compliance/commands/tsconfig.json
@@ -64,6 +64,9 @@
     {
       "path": "../../../network/auth-header"
     },
+    {
+      "path": "../../../object/key-sorting"
+    },
     {
       "path": "../../../pkg-manifest/reader"
     },
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 6a8a109fa2..2b6ddaadfe 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -2989,6 +2989,9 @@ importers:
       '@pnpm/network.auth-header':
         specifier: workspace:*
         version: link:../../../network/auth-header
+      '@pnpm/object.key-sorting':
+        specifier: workspace:*
+        version: link:../../../object/key-sorting
       '@pnpm/store.path':
         specifier: workspace:*
         version: link:../../../store/path