@npmcli/arborist 2.4.2 → 2.6.0

package/bin/index.js

@@ -11,6 +11,7 @@ Version: ${require('../package.json').version}
 # COMMANDS
 
 * reify: reify ideal tree to node_modules (install, update, rm, ...)
+* prune: prune the ideal tree and reify (like npm prune)
 * ideal: generate and print the ideal tree
 * actual: read and print the actual tree in node_modules
 * virtual: read and print the virtual tree in the local shrinkwrap file
@@ -50,6 +51,9 @@ switch (cmd) {
   case 'ideal':
     require('./ideal.js')
     break
+  case 'prune':
+    require('./prune.js')
+    break
   case 'reify':
     require('./reify.js')
     break

package/bin/license.js

@@ -22,7 +22,7 @@ a.loadVirtual().then(tree => {
       set.push([tree.inventory.query('license', license).size, license])
 
     for (const [count, license] of set.sort((a, b) =>
-      a[1] && b[1] ? b[0] - a[0] || a[1].localeCompare(b[1])
+      a[1] && b[1] ? b[0] - a[0] || a[1].localeCompare(b[1], 'en')
       : a[1] ? -1
       : b[1] ? 1
       : 0))

package/bin/prune.js

@@ -0,0 +1,46 @@
+const Arborist = require('../')
+
+const options = require('./lib/options.js')
+const print = require('./lib/print-tree.js')
+require('./lib/logging.js')
+require('./lib/timers.js')
+
+const printDiff = diff => {
+  const {depth} = require('treeverse')
+  depth({
+    tree: diff,
+    visit: d => {
+      if (d.location === '')
+        return
+      switch (d.action) {
+        case 'REMOVE':
+          console.error('REMOVE', d.actual.location)
+          break
+        case 'ADD':
+          console.error('ADD', d.ideal.location, d.ideal.resolved)
+          break
+        case 'CHANGE':
+          console.error('CHANGE', d.actual.location, {
+            from: d.actual.resolved,
+            to: d.ideal.resolved,
+          })
+          break
+      }
+    },
+    getChildren: d => d.children,
+  })
+}
+
+const start = process.hrtime()
+process.emit('time', 'install')
+const arb = new Arborist(options)
+arb.prune(options).then(tree => {
+  process.emit('timeEnd', 'install')
+  const end = process.hrtime(start)
+  print(tree)
+  if (options.dryRun)
+    printDiff(arb.diff)
+  console.error(`resolved ${tree.inventory.size} deps in ${end[0] + end[1] / 1e9}s`)
+  if (tree.meta && options.save)
+    tree.meta.save()
+}).catch(er => console.error(require('util').inspect(er, { depth: Infinity })))

package/lib/add-rm-pkg-deps.js

@@ -75,7 +75,7 @@ const addSingle = ({pkg, spec, saveBundle, saveType, log}) => {
     // keep it sorted, keep it unique
     const bd = new Set(pkg.bundleDependencies || [])
     bd.add(spec.name)
-    pkg.bundleDependencies = [...bd].sort((a, b) => a.localeCompare(b))
+    pkg.bundleDependencies = [...bd].sort((a, b) => a.localeCompare(b, 'en'))
   }
 }
 

package/lib/arborist/audit.js

@@ -4,6 +4,7 @@ const AuditReport = require('../audit-report.js')
 
 // shared with reify
 const _global = Symbol.for('global')
+const _workspaces = Symbol.for('workspaces')
 
 module.exports = cls => class Auditor extends cls {
   async audit (options = {}) {
@@ -21,8 +22,10 @@ module.exports = cls => class Auditor extends cls {
 
     process.emit('time', 'audit')
     const tree = await this.loadVirtual()
-    this.auditReport = await AuditReport.load(tree, this.options)
-    const ret = options.fix ? this.reify() : this.auditReport
+    if (this[_workspaces] && this[_workspaces].length)
+      options.filterSet = this.workspaceDependencySet(tree, this[_workspaces])
+    this.auditReport = await AuditReport.load(tree, options)
+    const ret = options.fix ? this.reify(options) : this.auditReport
     process.emit('timeEnd', 'audit')
     this.finishTracker('audit')
     return ret

package/lib/arborist/build-ideal-tree.js

@@ -398,38 +398,14 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     process.emit('time', 'idealTree:userRequests')
     const tree = this.idealTree.target || this.idealTree
 
-    if (!this[_workspaces].length) {
-      return this[_applyUserRequestsToNode](tree, options).then(() =>
-        process.emit('timeEnd', 'idealTree:userRequests'))
-    }
-
-    const wsMap = tree.workspaces
-    if (!wsMap) {
-      this.log.warn('idealTree', 'Workspace filter set, but no workspaces present')
-      return
-    }
-
-    const promises = []
-    for (const name of this[_workspaces]) {
-      const path = wsMap.get(name)
-      if (!path) {
-        this.log.warn('idealTree', `Workspace ${name} in filter set, but not in workspaces`)
-        continue
-      }
-      const loc = relpath(tree.realpath, path)
-      const node = tree.inventory.get(loc)
-
-      /* istanbul ignore if - should be impossible */
-      if (!node) {
-        this.log.warn('idealTree', `Workspace ${name} in filter set, but no workspace folder present`)
-        continue
-      }
-
-      promises.push(this[_applyUserRequestsToNode](node, options))
+    if (!this[_workspaces].length)
+      await this[_applyUserRequestsToNode](tree, options)
+    else {
+      await Promise.all(this.workspaceNodes(tree, this[_workspaces])
+        .map(node => this[_applyUserRequestsToNode](node, options)))
     }
 
-    return Promise.all(promises).then(() =>
-      process.emit('timeEnd', 'idealTree:userRequests'))
+    process.emit('timeEnd', 'idealTree:userRequests')
   }
 
   async [_applyUserRequestsToNode] (tree, options) {
@@ -456,7 +432,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     }
 
     if (this.auditReport && this.auditReport.size > 0)
-      this[_queueVulnDependents](options)
+      await this[_queueVulnDependents](options)
 
     const { add, rm } = options
 
@@ -475,10 +451,14 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     if (add && add.length || rm && rm.length || this[_global])
       tree.package = tree.package
 
-    for (const spec of this[_resolvedAdd])
-      this[_explicitRequests].add(tree.edgesOut.get(spec.name))
+    for (const spec of this[_resolvedAdd]) {
+      if (spec.tree === tree)
+        this[_explicitRequests].add(tree.edgesOut.get(spec.name))
+    }
     for (const name of globalExplicitUpdateNames)
       this[_explicitRequests].add(tree.edgesOut.get(name))
+
+    this[_depsQueue].push(tree)
   }
 
   // This returns a promise because we might not have the name yet,
@@ -488,12 +468,14 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     // ie, doing `foo@bar` we just return foo
     // but if it's a url or git, we don't know the name until we
     // fetch it and look in its manifest.
-    return Promise.all(add.map(rawSpec => {
-      // We do NOT provide the path here, because user-additions need
-      // to be resolved relative to the CWD the user is in.
-      return this[_retrieveSpecName](npa(rawSpec))
-        .then(add => this[_updateFilePath](add))
-        .then(add => this[_followSymlinkPath](add))
+    return Promise.all(add.map(async rawSpec => {
+      // We do NOT provide the path to npa here, because user-additions
+      // need to be resolved relative to the CWD the user is in.
+      const spec = await this[_retrieveSpecName](npa(rawSpec))
+        .then(spec => this[_updateFilePath](spec))
+        .then(spec => this[_followSymlinkPath](spec))
+      spec.tree = tree
+      return spec
     })).then(add => {
       this[_resolvedAdd].push(...add)
       // now add is a list of spec objects with names.
@@ -528,7 +510,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
 
   async [_updateFilePath] (spec) {
     if (spec.type === 'file')
-      spec = this[_getRelpathSpec](spec, spec.fetchSpec)
+      return this[_getRelpathSpec](spec, spec.fetchSpec)
 
     return spec
   }
@@ -541,7 +523,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
           .catch(/* istanbul ignore next */() => null)
       )
 
-      spec = this[_getRelpathSpec](spec, real)
+      return this[_getRelpathSpec](spec, real)
     }
     return spec
   }
@@ -561,9 +543,9 @@ module.exports = cls => class IdealTreeBuilder extends cls {
   // what's in the bundle at each published manifest.  Without that, we
   // can't possibly fix bundled deps without breaking a ton of other stuff,
   // and leaving the user subject to getting it overwritten later anyway.
-  [_queueVulnDependents] (options) {
-    for (const {nodes} of this.auditReport.values()) {
-      for (const node of nodes) {
+  async [_queueVulnDependents] (options) {
+    for (const vuln of this.auditReport.values()) {
+      for (const node of vuln.nodes) {
         const bundler = node.getBundler()
 
         // XXX this belongs in the audit report itself, not here.
@@ -595,6 +577,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     if (this[_force] && this.auditReport && this.auditReport.topVulns.size) {
       options.add = options.add || []
       options.rm = options.rm || []
+      const nodesTouched = new Set()
       for (const [name, topVuln] of this.auditReport.topVulns.entries()) {
         const {
           simpleRange,
@@ -602,7 +585,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
           fixAvailable,
         } = topVuln
         for (const node of topNodes) {
-          if (node !== this.idealTree && node !== this.idealTree.target) {
+          if (!node.isProjectRoot && !node.isWorkspace) {
             // not something we're going to fix, sorry.  have to cd into
             // that directory and fix it yourself.
             this.log.warn('audit', 'Manual fix required in linked project ' +
@@ -622,9 +605,13 @@ module.exports = cls => class IdealTreeBuilder extends cls {
             : 'outside your stated dependency range'
           this.log.warn('audit', `Updating ${name} to ${version},` +
             `which is ${breakingMessage}.`)
-          options.add.push(`${name}@${version}`)
+
+          await this[_add](node, { add: [`${name}@${version}`] })
+          nodesTouched.add(node)
         }
       }
+      for (const node of nodesTouched)
+        node.package = node.package
     }
   }
 
@@ -646,7 +633,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     // probably have their own project associated with them.
 
     // for every node with one of the names on the list, we add its
-    // dependents to the queue to be evaluated.  in buildDepStem,
+    // dependents to the queue to be evaluated.  in buildDepStep,
     // anything on the update names list will get refreshed, even if
     // it isn't a problem.
 
@@ -764,7 +751,7 @@ This is a one-time fix-up, please be patient...
     // sort physically shallower deps up to the front of the queue,
     // because they'll affect things deeper in, then alphabetical
     this[_depsQueue].sort((a, b) =>
-      (a.depth - b.depth) || a.path.localeCompare(b.path))
+      (a.depth - b.depth) || a.path.localeCompare(b.path, 'en'))
 
     const node = this[_depsQueue].shift()
     const bd = node.package.bundleDependencies
@@ -902,7 +889,7 @@ This is a one-time fix-up, please be patient...
     }
 
     const placed = tasks
-      .sort((a, b) => a.edge.name.localeCompare(b.edge.name))
+      .sort((a, b) => a.edge.name.localeCompare(b.edge.name, 'en'))
       .map(({ edge, dep }) => this[_placeDep](dep, node, edge))
 
     const promises = []
@@ -1025,7 +1012,8 @@ This is a one-time fix-up, please be patient...
 
     // also skip over any nodes in the tree that failed to load, since those
     // will crash the install later on anyway.
-    const bd = node.isProjectRoot ? null : node.package.bundleDependencies
+    const bd = node.isProjectRoot || node.isWorkspace ? null
+      : node.package.bundleDependencies
     const bundled = new Set(bd || [])
 
     return [...node.edgesOut.values()]
@@ -1061,8 +1049,8 @@ This is a one-time fix-up, please be patient...
         if (this[_isVulnerable](edge.to))
           return true
 
-        // If the user has explicitly asked to install this package, it's a problem.
-        if (node.isProjectRoot && this[_explicitRequests].has(edge))
+        // If the user has explicitly asked to install this package, it's a "problem".
+        if (this[_explicitRequests].has(edge))
           return true
 
         // No problems!
@@ -1147,7 +1135,7 @@ This is a one-time fix-up, please be patient...
       // we typically only install non-optional peers, but we have to
       // factor them into the peerSet so that we can avoid conflicts
       .filter(e => e.peer && !(e.valid && e.to))
-      .sort(({name: a}, {name: b}) => a.localeCompare(b))
+      .sort(({name: a}, {name: b}) => a.localeCompare(b, 'en'))
 
     for (const edge of peerEdges) {
       // already placed this one, and we're happy with it.
@@ -1358,7 +1346,7 @@ This is a one-time fix-up, please be patient...
       // first in x, then in the root, ending with KEEP, because we already
       // have it.  In that case, we ought to REMOVE the nm/x/nm/y node, because
       // it is an unnecessary duplicate.
-      this[_pruneDedupable](target, true)
+      this[_pruneDedupable](target)
       return []
     }
 
@@ -1475,8 +1463,20 @@ This is a one-time fix-up, please be patient...
       return
     }
     if (descend) {
-      for (const child of node.children.values())
+      // sort these so that they're deterministically ordered
+      // otherwise, resulting tree shape is dependent on the order
+      // in which they happened to be resolved.
+      const nodeSort = (a, b) => a.location.localeCompare(b.location, 'en')
+
+      const children = [...node.children.values()].sort(nodeSort)
+      const fsChildren = [...node.fsChildren].sort(nodeSort)
+      for (const child of children)
         this[_pruneDedupable](child)
+      for (const topNode of fsChildren) {
+        const children = [...topNode.children.values()].sort(nodeSort)
+        for (const child of children)
+          this[_pruneDedupable](child)
+      }
     }
   }
 

package/lib/arborist/index.js

@@ -45,6 +45,7 @@ const mixins = [
 ]
 
 const Base = mixins.reduce((a, b) => b(a), require('events'))
+const getWorkspaceNodes = require('../get-workspace-nodes.js')
 
 class Arborist extends Base {
   constructor (options = {}) {
@@ -64,6 +65,35 @@ class Arborist extends Base {
     this.path = resolve(this.options.path)
     process.emit('timeEnd', 'arborist:ctor')
   }
+
+  // returns an array of the actual nodes for all the workspaces
+  workspaceNodes (tree, workspaces) {
+    return getWorkspaceNodes(tree, workspaces, this.log)
+  }
+
+  // returns a set of workspace nodes and all their deps
+  workspaceDependencySet (tree, workspaces) {
+    const wsNodes = this.workspaceNodes(tree, workspaces)
+    const set = new Set(wsNodes)
+    const extraneous = new Set()
+    for (const node of set) {
+      for (const edge of node.edgesOut.values()) {
+        const dep = edge.to
+        if (dep) {
+          set.add(dep)
+          if (dep.target)
+            set.add(dep.target)
+        }
+      }
+      for (const child of node.children.values()) {
+        if (child.extraneous)
+          extraneous.add(child)
+      }
+    }
+    for (const extra of extraneous)
+      set.add(extra)
+    return set
+  }
 }
 
 module.exports = Arborist

package/lib/arborist/load-virtual.js

@@ -159,12 +159,12 @@ module.exports = cls => class VirtualLoader extends cls {
       ...depsToEdges('peerOptional', peerOptional),
       ...lockWS,
     ].sort(([atype, aname], [btype, bname]) =>
-      atype.localeCompare(btype) || aname.localeCompare(bname))
+      atype.localeCompare(btype, 'en') || aname.localeCompare(bname, 'en'))
 
     const rootEdges = [...root.edgesOut.values()]
       .map(e => [e.type, e.name, e.spec])
       .sort(([atype, aname], [btype, bname]) =>
-        atype.localeCompare(btype) || aname.localeCompare(bname))
+        atype.localeCompare(btype, 'en') || aname.localeCompare(bname, 'en'))
 
     if (rootEdges.length !== lockEdges.length) {
       // something added or removed

package/lib/arborist/rebuild.js

@@ -14,8 +14,9 @@ const {
 } = require('@npmcli/node-gyp')
 
 const boolEnv = b => b ? '1' : ''
-const sortNodes = (a, b) => (a.depth - b.depth) || a.path.localeCompare(b.path)
+const sortNodes = (a, b) => (a.depth - b.depth) || a.path.localeCompare(b.path, 'en')
 
+const _workspaces = Symbol.for('workspaces')
 const _build = Symbol('build')
 const _resetQueues = Symbol('resetQueues')
 const _rebuildBundle = Symbol('rebuildBundle')
@@ -70,8 +71,14 @@ module.exports = cls => class Builder extends cls {
 
     // if we don't have a set of nodes, then just rebuild
     // the actual tree on disk.
-    if (!nodes)
-      nodes = (await this.loadActual()).inventory.values()
+    if (!nodes) {
+      const tree = await this.loadActual()
+      if (this[_workspaces] && this[_workspaces].length) {
+        const filterSet = this.workspaceDependencySet(tree, this[_workspaces])
+        nodes = tree.inventory.filter(node => filterSet.has(node))
+      } else
+        nodes = tree.inventory.values()
+    }
 
     // separates links nodes so that it can run
     // prepare scripts and link bins in the expected order

package/lib/arborist/reify.js

@@ -133,12 +133,12 @@ module.exports = cls => class Reifier extends cls {
     this.addTracker('reify')
     process.emit('time', 'reify')
     await this[_validatePath]()
-      .then(() => this[_loadTrees](options))
-      .then(() => this[_diffTrees]())
-      .then(() => this[_reifyPackages]())
-      .then(() => this[_saveIdealTree](options))
-      .then(() => this[_copyIdealToActual]())
-      .then(() => this[_awaitQuickAudit]())
+    await this[_loadTrees](options)
+    await this[_diffTrees]()
+    await this[_reifyPackages]()
+    await this[_saveIdealTree](options)
+    await this[_copyIdealToActual]()
+    await this[_awaitQuickAudit]()
 
     this.finishTracker('reify')
     process.emit('timeEnd', 'reify')
@@ -774,8 +774,14 @@ module.exports = cls => class Reifier extends cls {
     // NOT return the promise, as the intent is for this to run in parallel
     // with the reification, and be resolved at a later time.
     process.emit('time', 'reify:audit')
+    const options = { ...this.options }
+    const tree = this.idealTree
+
+    // if we're operating on a workspace, only audit the workspace deps
+    if (this[_workspaces] && this[_workspaces].length)
+      options.filterSet = this.workspaceDependencySet(tree, this[_workspaces])
 
-    this.auditReport = AuditReport.load(this.idealTree, this.options)
+    this.auditReport = AuditReport.load(tree, options)
       .then(res => {
         process.emit('timeEnd', 'reify:audit')
         this.auditReport = res
@@ -936,7 +942,7 @@ module.exports = cls => class Reifier extends cls {
 
   // last but not least, we save the ideal tree metadata to the package-lock
   // or shrinkwrap file, and any additions or removals to package.json
-  [_saveIdealTree] (options) {
+  async [_saveIdealTree] (options) {
     // the ideal tree is actualized now, hooray!
     // it still contains all the references to optional nodes that were removed
     // for install failures.  Those still end up in the shrinkwrap, so we
@@ -944,23 +950,26 @@ module.exports = cls => class Reifier extends cls {
 
     // support save=false option
     if (options.save === false || this[_global] || this[_dryRun])
-      return
+      return false
 
     process.emit('time', 'reify:save')
 
+    const updatedTrees = new Set()
+
     // resolvedAdd is the list of user add requests, but with names added
     // to things like git repos and tarball file/urls.  However, if the
     // user requested 'foo@', and we have a foo@file:../foo, then we should
     // end up saving the spec we actually used, not whatever they gave us.
     if (this[_resolvedAdd].length) {
-      const root = this.idealTree
-      const pkg = root.package
-      for (const { name } of this[_resolvedAdd]) {
-        const req = npa.resolve(name, root.edgesOut.get(name).spec, root.realpath)
+      for (const { name, tree: addTree } of this[_resolvedAdd]) {
+        // addTree either the root, or a workspace
+        const edge = addTree.edgesOut.get(name)
+        const pkg = addTree.package
+        const req = npa.resolve(name, edge.spec, addTree.realpath)
         const {rawSpec, subSpec} = req
 
         const spec = subSpec ? subSpec.rawSpec : rawSpec
-        const child = root.children.get(name)
+        const child = edge.to
 
         let newSpec
         if (req.registry) {
@@ -972,8 +981,15 @@ module.exports = cls => class Reifier extends cls {
           // would allow versions outside the requested range.  Tags and
           // specific versions save with the save-prefix.
           const isRange = (subSpec || req).type === 'range'
-          const range = !isRange || subset(prefixRange, spec, { loose: true })
-            ? prefixRange : spec
+
+          let range = spec
+          if (
+            !isRange ||
+            spec === '*' ||
+            subset(prefixRange, spec, { loose: true })
+          )
+            range = prefixRange
+
           const pname = child.packageName
           const alias = name !== pname
           newSpec = alias ? `npm:${pname}@${range}` : range
@@ -992,7 +1008,7 @@ module.exports = cls => class Reifier extends cls {
           // path initially, in which case we can end up with the wrong
           // thing, so just get the ultimate fetchSpec and relativize it.
           const p = req.fetchSpec.replace(/^file:/, '')
-          const rel = relpath(root.realpath, p)
+          const rel = relpath(addTree.realpath, p)
           newSpec = `file:${rel}`
         } else
           newSpec = req.saveSpec
@@ -1024,10 +1040,9 @@ module.exports = cls => class Reifier extends cls {
               pkg.optionalDependencies[name] = newSpec
           }
         }
-      }
 
-      // refresh the edges so they have the correct specs
-      this.idealTree.package = pkg
+        updatedTrees.add(addTree)
+      }
     }
 
     // preserve indentation, if possible
@@ -1041,10 +1056,21 @@ module.exports = cls => class Reifier extends cls {
       : this[_formatPackageLock],
     }
 
-    return Promise.all([
-      this[_saveLockFile](saveOpt),
-      updateRootPackageJson(this.idealTree),
-    ]).then(() => process.emit('timeEnd', 'reify:save'))
+    const promises = [this[_saveLockFile](saveOpt)]
+
+    // grab any from explicitRequests that had deps removed
+    for (const { from: tree } of this.explicitRequests)
+      updatedTrees.add(tree)
+
+    for (const tree of updatedTrees) {
+      // refresh the edges so they have the correct specs
+      tree.package = tree.package
+      promises.push(updateRootPackageJson(tree))
+    }
+
+    await Promise.all(promises)
+    process.emit('timeEnd', 'reify:save')
+    return true
   }
 
   async [_saveLockFile] (saveOpt) {
@@ -1078,11 +1104,11 @@ module.exports = cls => class Reifier extends cls {
     // Then we move the entire idealTree over to this.actualTree, and
     // save the hidden lockfile.
     if (this.diff && this.diff.filterSet.size) {
+      const reroot = new Set()
+
       const { filterSet } = this.diff
       const seen = new Set()
       for (const [loc, ideal] of this.idealTree.inventory.entries()) {
-        if (seen.has(loc))
-          continue
         seen.add(loc)
 
         // if it's an ideal node from the filter set, then skip it
@@ -1106,7 +1132,7 @@ module.exports = cls => class Reifier extends cls {
           if (isLink && ideal.isLink && ideal.realpath === realpath)
             continue
           else
-            actual.root = this.idealTree
+            reroot.add(actual)
         }
       }
 
@@ -1116,12 +1142,22 @@ module.exports = cls => class Reifier extends cls {
         if (seen.has(loc))
           continue
         seen.add(loc)
+
+        // we know that this is something that ISN'T in the idealTree,
+        // or else we will have addressed it in the previous loop.
+        // If it's in the filterSet, that means we intentionally removed
+        // it, so nothing to do here.
         if (filterSet.has(actual))
           continue
-        actual.root = this.idealTree
+
+        reroot.add(actual)
       }
 
-      // prune out any tops that lack a linkIn
+      // go through the rerooted actual nodes, and move them over.
+      for (const actual of reroot)
+        actual.root = this.idealTree
+
+      // prune out any tops that lack a linkIn, they are no longer relevant.
       for (const top of this.idealTree.tops) {
         if (top.linksIn.size === 0)
           top.root = null

package/lib/audit-report.js

@@ -78,7 +78,7 @@ class AuditReport extends Map {
     }
 
     obj.vulnerabilities = vulnerabilities
-      .sort(([a], [b]) => a.localeCompare(b))
+      .sort(([a], [b]) => a.localeCompare(b, 'en'))
       .reduce((set, [name, vuln]) => {
         set[name] = vuln
         return set
@@ -89,7 +89,8 @@ class AuditReport extends Map {
 
   constructor (tree, opts = {}) {
     super()
-    this[_omit] = new Set(opts.omit || [])
+    const { omit } = opts
+    this[_omit] = new Set(omit || [])
     this.topVulns = new Map()
 
     this.calculator = new Calculator(opts)
@@ -97,6 +98,7 @@ class AuditReport extends Map {
     this.options = opts
     this.log = opts.log || procLog
     this.tree = tree
+    this.filterSet = opts.filterSet
   }
 
   async run () {
@@ -146,7 +148,7 @@ class AuditReport extends Map {
 
       const p = []
       for (const node of this.tree.inventory.query('packageName', name)) {
-        if (shouldOmit(node, this[_omit]))
+        if (!shouldAudit(node, this[_omit], this.filterSet))
           continue
 
         // if not vulnerable by this advisory, keep searching
@@ -292,7 +294,7 @@ class AuditReport extends Map {
     try {
       try {
         // first try the super fast bulk advisory listing
-        const body = prepareBulkData(this.tree, this[_omit])
+        const body = prepareBulkData(this.tree, this[_omit], this.filterSet)
         this.log.silly('audit', 'bulk request', body)
 
         // no sense asking if we don't have anything to audit,
@@ -333,22 +335,25 @@ class AuditReport extends Map {
   }
 }
 
-// return true if we should ignore this one
-const shouldOmit = (node, omit) =>
-  !node.version ? true
-  : node.isRoot ? true
-  : omit.size === 0 ? false
-  : node.dev && omit.has('dev') ||
+// return true if we should audit this one
+const shouldAudit = (node, omit, filterSet) =>
+  !node.version ? false
+  : node.isRoot ? false
+  : filterSet && filterSet.size !== 0 && !filterSet.has(node) ? false
+  : omit.size === 0 ? true
+  : !( // otherwise, just ensure we're not omitting this one
+    node.dev && omit.has('dev') ||
     node.optional && omit.has('optional') ||
     node.devOptional && omit.has('dev') && omit.has('optional') ||
     node.peer && omit.has('peer')
+  )
 
-const prepareBulkData = (tree, omit) => {
+const prepareBulkData = (tree, omit, filterSet) => {
   const payload = {}
   for (const name of tree.inventory.query('packageName')) {
     const set = new Set()
     for (const node of tree.inventory.query('packageName', name)) {
-      if (shouldOmit(node, omit))
+      if (!shouldAudit(node, omit, filterSet))
         continue
 
       set.add(node.version)

package/lib/diff.js

@@ -40,6 +40,7 @@ class Diff {
     // - Add set of Nodes depended on by the filterNode to filterSet.
     // - Anything outside of that set should be ignored by getChildren
     const filterSet = new Set()
+    const extraneous = new Set()
     for (const filterNode of filterNodes) {
       const { root } = filterNode
       if (root !== ideal && root !== actual)
@@ -72,10 +73,19 @@ class Diff {
           const actualNode = actual.inventory.get(loc)
           const actuals = !actualNode ? []
             : [...actualNode.edgesOut.values()].filter(e => e.to).map(e => e.to)
+          if (actualNode) {
+            for (const child of actualNode.children.values()) {
+              if (child.extraneous)
+                extraneous.add(child)
+            }
+          }
+
           return ideals.concat(actuals)
         },
       })
     }
+    for (const extra of extraneous)
+      filterSet.add(extra)
 
     return depth({
       tree: new Diff({actual, ideal, filterSet, shrinkwrapInflated}),

package/lib/get-workspace-nodes.js

@@ -0,0 +1,33 @@
+// Get the actual nodes corresponding to a root node's child workspaces,
+// given a list of workspace names.
+const relpath = require('./relpath.js')
+const getWorkspaceNodes = (tree, workspaces, log) => {
+  const wsMap = tree.workspaces
+  if (!wsMap) {
+    log.warn('workspaces', 'filter set, but no workspaces present')
+    return []
+  }
+
+  const nodes = []
+  for (const name of workspaces) {
+    const path = wsMap.get(name)
+    if (!path) {
+      log.warn('workspaces', `${name} in filter set, but not in workspaces`)
+      continue
+    }
+
+    const loc = relpath(tree.realpath, path)
+    const node = tree.inventory.get(loc)
+
+    if (!node) {
+      log.warn('workspaces', `${name} in filter set, but no workspace folder present`)
+      continue
+    }
+
+    nodes.push(node)
+  }
+
+  return nodes
+}
+
+module.exports = getWorkspaceNodes

package/lib/node.js

@@ -354,7 +354,7 @@ class Node {
     }
 
     const why = {
-      name: this.isProjectRoot ? this.packageName : this.name,
+      name: this.isProjectRoot || this.isTop ? this.packageName : this.name,
       version: this.package.version,
     }
     if (this.errors.length || !this.packageName || !this.package.version) {
@@ -380,6 +380,7 @@ class Node {
       return why
 
     why.location = this.location
+    why.isWorkspace = this.isWorkspace
 
     // make a new list each time.  we can revisit, but not loop.
     seen = seen.concat(this)
@@ -400,6 +401,10 @@ class Node {
       for (const edge of edges)
         why.dependents.push(edge.explain(seen))
     }
+
+    if (this.linksIn.size)
+      why.linksIn = [...this.linksIn].map(link => link[_explain](edge, seen))
+
     return why
   }
 
@@ -896,14 +901,14 @@ class Node {
       return false
 
     // it's a top level pkg, or a dep of one
-    if (!this.parent || !this.parent.parent)
+    if (!this.resolveParent || !this.resolveParent.resolveParent)
       return false
 
     // no one wants it, remove it
     if (this.edgesIn.size === 0)
       return true
 
-    const other = this.parent.parent.resolve(this.name)
+    const other = this.resolveParent.resolveParent.resolve(this.name)
 
     // nothing else, need this one
     if (!other)

package/lib/printable.js

@@ -46,14 +46,14 @@ class ArboristNode {
     // edgesOut sorted by name
     if (tree.edgesOut.size) {
       this.edgesOut = new Map([...tree.edgesOut.entries()]
-        .sort(([a], [b]) => a.localeCompare(b))
+        .sort(([a], [b]) => a.localeCompare(b, 'en'))
         .map(([name, edge]) => [name, new EdgeOut(edge)]))
     }
 
     // edgesIn sorted by location
     if (tree.edgesIn.size) {
       this.edgesIn = new Set([...tree.edgesIn]
-        .sort((a, b) => a.from.location.localeCompare(b.from.location))
+        .sort((a, b) => a.from.location.localeCompare(b.from.location, 'en'))
         .map(edge => new EdgeIn(edge)))
     }
 
@@ -65,14 +65,14 @@ class ArboristNode {
     // fsChildren sorted by path
     if (tree.fsChildren.size) {
       this.fsChildren = new Set([...tree.fsChildren]
-        .sort(({path: a}, {path: b}) => a.localeCompare(b))
+        .sort(({path: a}, {path: b}) => a.localeCompare(b, 'en'))
         .map(tree => printableTree(tree, path)))
     }
 
     // children sorted by name
     if (tree.children.size) {
       this.children = new Map([...tree.children.entries()]
-        .sort(([a], [b]) => a.localeCompare(b))
+        .sort(([a], [b]) => a.localeCompare(b, 'en'))
         .map(([name, tree]) => [name, printableTree(tree, path)]))
     }
   }

package/lib/shrinkwrap.js

@@ -844,7 +844,7 @@ class Shrinkwrap {
       /* istanbul ignore next - sort calling order is indeterminate */
       return aloc.length > bloc.length ? 1
         : bloc.length > aloc.length ? -1
-        : aloc[aloc.length - 1].localeCompare(bloc[bloc.length - 1])
+        : aloc[aloc.length - 1].localeCompare(bloc[bloc.length - 1], 'en')
     })[0]
 
     const res = consistentResolve(node.resolved, this.path, this.path, true)

package/lib/update-root-package-json.js

@@ -18,7 +18,7 @@ const orderDeps = (pkg) => {
   for (const type of depTypes) {
     if (pkg && pkg[type]) {
       pkg[type] = Object.keys(pkg[type])
-        .sort((a, b) => a.localeCompare(b))
+        .sort((a, b) => a.localeCompare(b, 'en'))
         .reduce((res, key) => {
           res[key] = pkg[type][key]
           return res

package/lib/vuln.js

@@ -106,12 +106,12 @@ class Vuln {
         vulnerableVersions: undefined,
         id: undefined,
       }).sort((a, b) =>
-        String(a.source || a).localeCompare(String(b.source || b))),
+        String(a.source || a).localeCompare(String(b.source || b, 'en'))),
       effects: [...this.effects].map(v => v.name)
-        .sort(/* istanbul ignore next */(a, b) => a.localeCompare(b)),
+        .sort(/* istanbul ignore next */(a, b) => a.localeCompare(b, 'en')),
       range: this.simpleRange,
       nodes: [...this.nodes].map(n => n.location)
-        .sort(/* istanbul ignore next */(a, b) => a.localeCompare(b)),
+        .sort(/* istanbul ignore next */(a, b) => a.localeCompare(b, 'en')),
       fixAvailable: this[_fixAvailable],
     }
   }

package/lib/yarn-lock.js

@@ -34,7 +34,7 @@ const {breadth} = require('treeverse')
 
 // sort a key/value object into a string of JSON stringified keys and vals
 const sortKV = obj => Object.keys(obj)
-  .sort((a, b) => a.localeCompare(b))
+  .sort((a, b) => a.localeCompare(b, 'en'))
   .map(k => `    ${JSON.stringify(k)} ${JSON.stringify(obj[k])}`)
   .join('\n')
 
@@ -165,7 +165,7 @@ class YarnLock {
   toString () {
     return prefix + [...new Set([...this.entries.values()])]
       .map(e => e.toString())
-      .sort((a, b) => a.localeCompare(b)).join('\n\n') + '\n'
+      .sort((a, b) => a.localeCompare(b, 'en')).join('\n\n') + '\n'
   }
 
   fromTree (tree) {
@@ -175,7 +175,7 @@ class YarnLock {
       tree,
       visit: node => this.addEntryFromNode(node),
       getChildren: node => [...node.children.values(), ...node.fsChildren]
-        .sort((a, b) => a.depth - b.depth || a.name.localeCompare(b.name)),
+        .sort((a, b) => a.depth - b.depth || a.name.localeCompare(b.name, 'en')),
     })
     return this
   }
@@ -183,7 +183,7 @@ class YarnLock {
   addEntryFromNode (node) {
     const specs = [...node.edgesIn]
       .map(e => `${node.name}@${e.spec}`)
-      .sort((a, b) => a.localeCompare(b))
+      .sort((a, b) => a.localeCompare(b, 'en'))
 
     // Note:
     // yarn will do excessive duplication in a case like this:
@@ -309,7 +309,7 @@ class YarnLockEntry {
   toString () {
     // sort objects to the bottom, then alphabetical
     return ([...this[_specs]]
-      .sort((a, b) => a.localeCompare(b))
+      .sort((a, b) => a.localeCompare(b, 'en'))
       .map(JSON.stringify).join(', ') +
       ':\n' +
       Object.getOwnPropertyNames(this)
@@ -318,7 +318,7 @@ class YarnLockEntry {
           (a, b) =>
           /* istanbul ignore next - sort call order is unpredictable */
             (typeof this[a] === 'object') === (typeof this[b] === 'object')
-              ? a.localeCompare(b)
+              ? a.localeCompare(b, 'en')
               : typeof this[a] === 'object' ? 1 : -1)
         .map(prop =>
           typeof this[prop] !== 'object'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "2.4.2",
+  "version": "2.6.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@npmcli/installed-package-contents": "^1.0.7",
@@ -14,7 +14,7 @@
     "cacache": "^15.0.3",
     "common-ancestor-path": "^1.0.1",
     "json-parse-even-better-errors": "^2.3.1",
-    "json-stringify-nice": "^1.1.2",
+    "json-stringify-nice": "^1.1.4",
     "mkdirp-infer-owner": "^2.0.0",
     "npm-install-checks": "^4.0.0",
     "npm-package-arg": "^8.1.0",
@@ -40,9 +40,8 @@
     "eslint-plugin-promise": "^4.2.1",
     "eslint-plugin-standard": "^4.0.1",
     "minify-registry-metadata": "^2.1.0",
-    "mutate-fs": "^2.1.1",
-    "tap": "^15.0.4",
-    "tcompare": "^3.0.4"
+    "tap": "^15.0.9",
+    "tcompare": "^5.0.6"
   },
   "scripts": {
     "test": "npm run test-only --",
@@ -74,16 +73,21 @@
   "bin": {
     "arborist": "bin/index.js"
   },
+  "//": "sk test-env locale to catch locale-specific sorting",
   "tap": {
     "after": "test/fixtures/cleanup.js",
     "coverage-map": "map.js",
     "test-env": [
-      "NODE_OPTIONS=--no-warnings"
+      "NODE_OPTIONS=--no-warnings",
+      "LC_ALL=sk"
     ],
     "node-arg": [
       "--no-warnings",
       "--no-deprecation"
     ],
     "timeout": "240"
+  },
+  "engines": {
+    "node": ">= 10"
   }
 }

package/CHANGELOG.md

@@ -1,19 +0,0 @@
-# CHANGELOG
-
-## 2.0
-
-* BREAKING CHANGE: root node is now included in inventory
-* All parent/target/fsParent/etc. references set in `root` setter, rather
-  than the hodgepodge of setters that existed before.
-* `treeCheck` function added, to enforce strict correctness guarantees when
-  `ARBORIST_DEBUG=1` in the environment (on by default in Arborist tests).
-
-## 1.0
-
-* Release for npm v7 beta
-* Fully functional
-
-## 0.0
-
-* Proof of concept
-* Before this, it was [`read-package-tree`](http://npm.im/read-package-tree)