[WIP] Fix npm EOVERRIDE conflict when upgrading vaadin.version

[Codex]

Thanks for asking me to work on this. I will get started on it and keep this PR's description up to date as I form a plan and make progress.

---

This section details on the original issue you should resolve

<issue_title>PiT 25.2: npm EOVERRIDE conflict when upgrading vaadin.version in projects with direct Vaadin component dependencies</issue_title>
<issue_description>### Description of the bug

When a project has a direct npm dependency on a Vaadin component (e.g. @vaadin/charts) and vaadin.version is upgraded, the vaadin-maven-plugin updates the dependencies section in package.json to the new version but leaves the overrides section pointing to the old version. This causes an npm EOVERRIDE conflict.

npm error code EOVERRIDE
npm error Override for @vaadin/charts@25.2.0-alpha8 conflicts with direct dependency

The root cause is in TaskUpdatePackages.lockVersionForNpm() (line ~160): platform overrides are skipped for existing dependencies ("Skip platform overrides for existing dependencies"). When the dependency version is bumped, the override created in a previous run still pins the old version, but the skip logic prevents it from being updated.

Expected behavior

When vaadin.version is changed, all overrides for Vaadin platform components should be updated to match the new version, or the stale overrides should be removed.

Minimal reproducible example

git clone git@github.com:vaadin/npm-addon-template.git
cd npm-addon-template
git checkout v25
# Upgrade vaadin.version
perl -pi -e 's|(<vaadin.version>)[^<]+(</vaadin.version>)|${1}25.2.0-alpha3${2}|g' pom.xml
# Add prereleases repo
perl -pi -e 's|(\s*)(</project>)|$1$1<repositories><repository><id>v</id><url>https://maven.vaadin.com/vaadin-prereleases</url></repository></repositories>\n$1$2|' pom.xml
perl -pi -e 's|(\s*)(</project>)|$1$1<pluginRepositories><pluginRepository><id>v</id><url>https://maven.vaadin.com/vaadin-prereleases</url></pluginRepository></pluginRepositories>\n$1$2|' pom.xml
# Run dev mode (fails with EOVERRIDE)
mvn -ntp -B -Dserver.port=8080

Workaround: delete package.json before running, the plugin regenerates it cleanly.

Versions

• Vaadin / Flow version: 25.1.3 upgrading to 25.2.0-alpha3
• npm: 11.x
• Node: 24.x / 25.x

Code reference

TaskUpdatePackages.java line ~160:

if (dependencies.has(dependency) || devDependencies.has(dependency)) {
    // Skip platform overrides for existing dependencies
    continue;
}
```</issue_description>

<agent_instructions>This bug can be related to recently added overrides for workbox dependencies, see https://github.com/vaadin/flow/pull/24008.</agent_instructions>

## Comments on the Issue (you are @codex[agent] in this section)

<comments>
<comment_new><author>@mcollovati</author><body>
In addition to the mentioned cause, it is worth noting that vaadin-chart is added to the package.json because it is a transitive dependency of `vaadin-ai-components-flow`, imported by `vaadin-core`.
When running in dev mode, Vaadin uses the full dependency scanner, to if promotes also charts as an used package.</body></comment_new>
</comments>

[cla-assistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ platosha
❌ Codex
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

[github-actions]

Test Results

 1 392 files   -  3   1 392 suites   - 3   1h 14m 31s ⏱️ -42s
10 044 tests  - 40   9 973 ✅  - 41  70 💤 ±0  1 ❌ +1 
10 519 runs   - 40  10 439 ✅  - 41  79 💤 ±0  1 ❌ +1 

For more details on these failures, see this check.

Results for commit fc6da0c. ± Comparison against base commit b9356e4.

[github-actions]

Test Results

 1 392 files   -  3   1 392 suites   - 3   1h 14m 31s ⏱️ -42s
10 044 tests  - 40   9 973 ✅  - 41  70 💤 ±0  1 ❌ +1 
10 519 runs   - 40  10 439 ✅  - 41  79 💤 ±0  1 ❌ +1 

For more details on these failures, see this check.

Results for commit fc6da0c. ± Comparison against base commit b9356e4.

[platosha]

@codex[agent] there's a failed test reported in Flow Validation check here that needs to be addressed:

Error:  Failures: 
Error:    TaskUpdatePackagesNpmTest.npmIsInUse_packageJsonHasNonNumericVersion_versionNotOverridden:462->verifyVersionLockingWithNpmOverrides:1247 vaadin-element-mixin dependency should not be present ==> expected: <null> but was: <"2.4.2">