Description
I'm pretty sure this explains the behavior I'm seeing, but I couldn't find it documented anywhere.
package.json overrides are only applied from the root package. If a dependency has overrides they are ignored; they aren't even applied to that package's subtree.
Here's an example:
There's some package A that depends on lodash 3.
{
"name": "a", "version": "1.0.0",
"dependencies": { "lodash": "^3.10.1" }
}
Your package B depends on a, but overrides lodash to 4. You're confident that a actually works with 4, at least in your use case.
{
"name": "b", "version": "1.0.0",
"dependencies": { "a": "file:~/test/a/a-1.0.0.tgz" },
"overrides": { "a": { "lodash": "^4" } }
}
You have some consumer C that uses your library.
{
"name": "c", "version": "1.0.0",
"dependencies": { "b": "file:~/test/b/b-1.0.0.tgz" }
}
C will still install lodash 3, ignoring overrides in B.
$ npm explain lodash
lodash@3.10.1
node_modules/lodash
lodash@"^3.10.1" from a@1.0.0
node_modules/a
a@"file:~/axios-test/a/a-1.0.0.tgz" from b@1.0.0
node_modules/b
b@"file:~/axios-test/b/b-1.0.0.tgz" from the root project
I'm guessing this is by design? If so it should be documented. I'd also like to hear a short justification.
I checked these pages as well as searching for overrides:
- https://docs.npmjs.com/cli/v10/commands/npm-install
- https://docs.npmjs.com/cli/v10/configuring-npm/package-json#overrides
I maintain a package that depends on axios and aws4-axios, but aws4-axios has an incorrect peer dependency that I have to override. I realized that overrides are not transitive when they fixed my package, but not a test consumer.
I naïvely expected the overrides to apply to the sub-tree of my package, as if C declared
"overrides": {
"b": { ...b.overrides },
}
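
The shape described at the end of the post, as an added example that is not part of the original issue or npm's own code: a Node.js script that walks a consumer's node_modules, finds dependencies that declare their own overrides, and nests each set under that dependency's name so it can be reviewed before being copied into the root package.json. The function names and the fixture are constructed for illustration.

```javascript
const fs = require("fs");
const os = require("os");
const path = require("path");

// Yield every package directory under node_modules (scoped and nested too).
function* packageDirs(nodeModules) {
  if (!fs.existsSync(nodeModules)) return;
  for (const entry of fs.readdirSync(nodeModules, { withFileTypes: true })) {
    if (!entry.isDirectory() || entry.name.startsWith(".")) continue;
    const dir = path.join(nodeModules, entry.name);
    if (entry.name.startsWith("@")) { yield* packageDirs(dir); continue; }
    yield dir;
    yield* packageDirs(path.join(dir, "node_modules"));
  }
}

// Collect overrides declared by installed dependencies, keyed by package name:
// the root-level "overrides" object that scopes each set to that subtree.
function liftedOverrides(projectRoot) {
  const lifted = {};
  for (const dir of packageDirs(path.join(projectRoot, "node_modules"))) {
    let manifest;
    try {
      manifest = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
    } catch { continue; } // no manifest here, or not valid JSON
    const declared = manifest.overrides;
    if (manifest.name && declared && typeof declared === "object" && Object.keys(declared).length) {
      lifted[manifest.name] = { ...declared };
    }
  }
  return lifted;
}

// Constructed fixture: the post's a, b and lodash as installed for consumer c.
function buildFixture() {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "overrides-"));
  const manifests = [
    { name: "a", version: "1.0.0", dependencies: { lodash: "^3.10.1" } },
    { name: "b", version: "1.0.0", overrides: { a: { lodash: "^4" } } },
    { name: "lodash", version: "3.10.1" },
  ];
  for (const manifest of manifests) {
    const dir = path.join(root, "node_modules", manifest.name);
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, "package.json"), JSON.stringify(manifest));
  }
  return root;
}
console.log(JSON.stringify({ overrides: liftedOverrides(buildFixture()) }, null, 2));
```

Against a real project, call `liftedOverrides` with the consumer's root directory instead of the fixture.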