@npmcli/arborist 2.6.0 → 2.6.4

package/bin/lib/timers.js

@@ -1,5 +1,6 @@
 const timers = Object.create(null)
 const { format } = require('util')
+const options = require('./options.js')
 
 process.on('time', name => {
   if (timers[name])
@@ -15,7 +16,8 @@ process.on('timeEnd', name => {
   const res = process.hrtime(timers[name])
   delete timers[name]
   const msg = format(`${process.pid} ${name}`, res[0] * 1e3 + res[1] / 1e6)
-  console.error(dim(msg))
+  if (options.timers !== false)
+    console.error(dim(msg))
 })
 
 process.on('exit', () => {

package/lib/arborist/build-ideal-tree.js

@@ -7,7 +7,7 @@ const semver = require('semver')
 const promiseCallLimit = require('promise-call-limit')
 const getPeerSet = require('../peer-set.js')
 const realpath = require('../../lib/realpath.js')
-const { resolve } = require('path')
+const { resolve, dirname } = require('path')
 const { promisify } = require('util')
 const treeCheck = require('../tree-check.js')
 const readdir = promisify(require('readdir-scoped-modules'))
@@ -661,7 +661,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     const ancient = meta.ancientLockfile
     const old = meta.loadedFromDisk && !(meta.originalLockfileVersion >= 2)
 
-    if (inventory.size === 0 || !ancient && !(old && this[_complete]))
+    if (inventory.size === 0 || !ancient && !old)
       return
 
     // if the lockfile is from node v5 or earlier, then we'll have to reload
@@ -688,10 +688,12 @@ This is a one-time fix-up, please be patient...
         this.log.silly('inflate', node.location)
         const { resolved, version, path, name, location, integrity } = node
         // don't try to hit the registry for linked deps
-        const useResolved = !version ||
-          resolved && resolved.startsWith('file:')
-        const id = useResolved ? resolved : version
-        const spec = npa.resolve(name, id, path)
+        const useResolved = resolved && (
+          !version || resolved.startsWith('file:')
+        )
+        const id = useResolved ? resolved
+          : version || `file:${node.path}`
+        const spec = npa.resolve(name, id, dirname(path))
         const sloc = location.substr('node_modules/'.length)
         const t = `idealTree:inflate:${sloc}`
         this.addTracker(t)

package/lib/arborist/index.js

@@ -28,7 +28,7 @@
 
 const {resolve} = require('path')
 const {homedir} = require('os')
-const procLog = require('../proc-log.js')
+const procLog = require('proc-log')
 const { saveTypeMap } = require('../add-rm-pkg-deps.js')
 
 const mixins = [

package/lib/arborist/load-actual.js

@@ -22,6 +22,7 @@ const _loadFSTree = Symbol('loadFSTree')
 const _loadFSChildren = Symbol('loadFSChildren')
 const _findMissingEdges = Symbol('findMissingEdges')
 const _findFSParents = Symbol('findFSParents')
+const _resetDepFlags = Symbol('resetDepFlags')
 
 const _actualTreeLoaded = Symbol('actualTreeLoaded')
 const _rpcache = Symbol.for('realpathCache')
@@ -74,6 +75,19 @@ module.exports = cls => class ActualLoader extends cls {
     this[_topNodes] = new Set()
   }
 
+  [_resetDepFlags] (tree, root) {
+    // reset all deps to extraneous prior to recalc
+    if (!root) {
+      for (const node of tree.inventory.values())
+        node.extraneous = true
+    }
+
+    // only reset root flags if we're not re-rooting,
+    // otherwise leave as-is
+    calcDepFlags(tree, !root)
+    return tree
+  }
+
   // public method
   async loadActual (options = {}) {
     // allow the user to set options on the ctor as well.
@@ -88,6 +102,7 @@ module.exports = cls => class ActualLoader extends cls {
     return this.actualTree ? this.actualTree
       : this[_actualTreePromise] ? this[_actualTreePromise]
       : this[_actualTreePromise] = this[_loadActual](options)
+        .then(tree => this[_resetDepFlags](tree, options.root))
         .then(tree => this.actualTree = treeCheck(tree))
   }
 
@@ -152,8 +167,7 @@ module.exports = cls => class ActualLoader extends cls {
       root: this[_actualTree],
     })
     await this[_loadWorkspaces](this[_actualTree])
-    if (this[_actualTree].workspaces && this[_actualTree].workspaces.size)
-      calcDepFlags(this[_actualTree], !root)
+
     this[_transplant](root)
     return this[_actualTree]
   }
@@ -178,8 +192,6 @@ module.exports = cls => class ActualLoader extends cls {
         dependencies[name] = dependencies[name] || '*'
       actualRoot.package = { ...actualRoot.package, dependencies }
     }
-    // only reset root flags if we're not re-rooting, otherwise leave as-is
-    calcDepFlags(this[_actualTree], !root)
     return this[_actualTree]
   }
 

package/lib/arborist/reify.js

@@ -2,7 +2,6 @@
 
 const onExit = require('../signal-handling.js')
 const pacote = require('pacote')
-const rpj = require('read-package-json-fast')
 const AuditReport = require('../audit-report.js')
 const {subset, intersects} = require('semver')
 const npa = require('npm-package-arg')
@@ -16,6 +15,7 @@ const mkdirp = require('mkdirp-infer-owner')
 const justMkdirp = require('mkdirp')
 const moveFile = require('@npmcli/move-file')
 const rimraf = promisify(require('rimraf'))
+const PackageJson = require('@npmcli/package-json')
 const packageContents = require('@npmcli/installed-package-contents')
 const { checkEngine, checkPlatform } = require('npm-install-checks')
 
@@ -25,7 +25,6 @@ const Diff = require('../diff.js')
 const retirePath = require('../retire-path.js')
 const promiseAllRejectLate = require('promise-all-reject-late')
 const optionalSet = require('../optional-set.js')
-const updateRootPackageJson = require('../update-root-package-json.js')
 const calcDepFlags = require('../calc-dep-flags.js')
 const { saveTypeMap, hasSubKey } = require('../add-rm-pkg-deps.js')
 
@@ -57,7 +56,6 @@ const _extractOrLink = Symbol('extractOrLink')
 const _checkBins = Symbol.for('checkBins')
 const _symlink = Symbol('symlink')
 const _warnDeprecated = Symbol('warnDeprecated')
-const _loadAncientPackageDetails = Symbol('loadAncientPackageDetails')
 const _loadBundlesAndUpdateTrees = Symbol.for('loadBundlesAndUpdateTrees')
 const _submitQuickAudit = Symbol('submitQuickAudit')
 const _awaitQuickAudit = Symbol('awaitQuickAudit')
@@ -522,7 +520,6 @@ module.exports = cls => class Reifier extends cls {
         await this[_checkBins](node)
         await this[_extractOrLink](node)
         await this[_warnDeprecated](node)
-        await this[_loadAncientPackageDetails](node)
       })
 
     return this[_handleOptionalFailure](node, p)
@@ -583,32 +580,6 @@ module.exports = cls => class Reifier extends cls {
       this.log.warn('deprecated', `${_id}: ${deprecated}`)
   }
 
-  async [_loadAncientPackageDetails] (node, forceReload = false) {
-    // If we're loading from a v1 lockfile, load details from the package.json
-    // that weren't recorded in the old format.
-    const {meta} = this.idealTree
-    const ancient = meta.ancientLockfile
-    const old = meta.loadedFromDisk && !(meta.originalLockfileVersion >= 2)
-
-    // already replaced with the manifest if it's truly ancient
-    if (node.path && (forceReload || (old && !ancient))) {
-      // XXX should have a shared location where package.json is read,
-      // so we don't ever read the same pj more than necessary.
-      let pkg
-      try {
-        pkg = await rpj(node.path + '/package.json')
-      } catch (err) {}
-
-      if (pkg) {
-        node.package.bin = pkg.bin
-        node.package.os = pkg.os
-        node.package.cpu = pkg.cpu
-        node.package.engines = pkg.engines
-        meta.add(node)
-      }
-    }
-  }
-
   // if the node is optional, then the failure of the promise is nonfatal
   // just add it and its optional set to the trash list.
   [_handleOptionalFailure] (node, p) {
@@ -1058,6 +1029,25 @@ module.exports = cls => class Reifier extends cls {
 
     const promises = [this[_saveLockFile](saveOpt)]
 
+    const updatePackageJson = async (tree) => {
+      const pkgJson = await PackageJson.load(tree.path)
+        .catch(() => new PackageJson(tree.path))
+      const {
+        dependencies = {},
+        devDependencies = {},
+        optionalDependencies = {},
+        peerDependencies = {},
+      } = tree.package
+
+      pkgJson.update({
+        dependencies,
+        devDependencies,
+        optionalDependencies,
+        peerDependencies,
+      })
+      await pkgJson.save()
+    }
+
     // grab any from explicitRequests that had deps removed
     for (const { from: tree } of this.explicitRequests)
       updatedTrees.add(tree)
@@ -1065,7 +1055,7 @@ module.exports = cls => class Reifier extends cls {
     for (const tree of updatedTrees) {
       // refresh the edges so they have the correct specs
       tree.package = tree.package
-      promises.push(updateRootPackageJson(tree))
+      promises.push(updatePackageJson(tree))
     }
 
     await Promise.all(promises)
@@ -1079,12 +1069,6 @@ module.exports = cls => class Reifier extends cls {
 
     const { meta } = this.idealTree
 
-    // might have to update metadata for bins and stuff that gets lost
-    if (meta.loadedFromDisk && !(meta.originalLockfileVersion >= 2)) {
-      for (const node of this.idealTree.inventory.values())
-        await this[_loadAncientPackageDetails](node, true)
-    }
-
     return meta.save(saveOpt)
   }
 

package/lib/audit-report.js

@@ -12,7 +12,7 @@ const _fixAvailable = Symbol('fixAvailable')
 const _checkTopNode = Symbol('checkTopNode')
 const _init = Symbol('init')
 const _omit = Symbol('omit')
-const procLog = require('./proc-log.js')
+const procLog = require('proc-log')
 
 const fetch = require('npm-registry-fetch')
 

package/lib/calc-dep-flags.js

@@ -22,6 +22,11 @@ const calcDepFlagsStep = (node) => {
   // Since we're only walking through deps that are not already flagged
   // as non-dev/non-optional, it's typically a very shallow traversal
   node.extraneous = false
+  resetParents(node, 'extraneous')
+  resetParents(node, 'dev')
+  resetParents(node, 'peer')
+  resetParents(node, 'devOptional')
+  resetParents(node, 'optional')
 
   // for links, map their hierarchy appropriately
   if (node.target) {
@@ -29,8 +34,7 @@ const calcDepFlagsStep = (node) => {
     node.target.optional = node.optional
     node.target.devOptional = node.devOptional
     node.target.peer = node.peer
-    node.target.extraneous = false
-    node = node.target
+    return calcDepFlagsStep(node.target)
   }
 
   node.edgesOut.forEach(({peer, optional, dev, to}) => {
@@ -71,6 +75,14 @@ const calcDepFlagsStep = (node) => {
   return node
 }
 
+const resetParents = (node, flag) => {
+  if (node[flag])
+    return
+
+  for (let p = node; p && (p === node || p[flag]); p = p.resolveParent)
+    p[flag] = false
+}
+
 // typically a short walk, since it only traverses deps that
 // have the flag set.
 const unsetFlag = (node, flag) => {

package/lib/diff.js

@@ -110,16 +110,32 @@ const getAction = ({actual, ideal}) => {
   if (ideal.isRoot && actual.isRoot)
     return null
 
+  // if the versions don't match, it's a change no matter what
+  if (ideal.version !== actual.version)
+    return 'CHANGE'
+
   const binsExist = ideal.binPaths.every((path) => existsSync(path))
 
   // top nodes, links, and git deps won't have integrity, but do have resolved
-  if (!ideal.integrity && !actual.integrity && ideal.resolved === actual.resolved && binsExist)
+  // if neither node has integrity, the bins exist, and either (a) neither
+  // node has a resolved value or (b) they both do and match, then we can
+  // leave this one alone since we already know the versions match due to
+  // the condition above.  The "neither has resolved" case (a) cannot be
+  // treated as a 'mark CHANGE and refetch', because shrinkwraps, bundles,
+  // and link deps may lack this information, and we don't want to try to
+  // go to the registry for something that isn't there.
+  const noIntegrity = !ideal.integrity && !actual.integrity
+  const noResolved = !ideal.resolved && !actual.resolved
+  const resolvedMatch = ideal.resolved && ideal.resolved === actual.resolved
+  if (noIntegrity && binsExist && (resolvedMatch || noResolved))
     return null
 
   // otherwise, verify that it's the same bits
   // note that if ideal has integrity, and resolved doesn't, we treat
   // that as a 'change', so that it gets re-fetched and locked down.
-  if (!ideal.integrity || !actual.integrity || !ssri.parse(ideal.integrity).match(actual.integrity) || !binsExist)
+  const integrityMismatch = !ideal.integrity || !actual.integrity ||
+    !ssri.parse(ideal.integrity).match(actual.integrity)
+  if (integrityMismatch || !binsExist)
     return 'CHANGE'
 
   return null
@@ -129,9 +145,9 @@ const allChildren = node => {
   if (!node)
     return new Map()
 
-  // if the node is a global root, and also a link, then what we really
+  // if the node is root, and also a link, then what we really
   // want is to traverse the target's children
-  if (node.global && node.isRoot && node.isLink)
+  if (node.isRoot && node.isLink)
     return allChildren(node.target)
 
   const kids = new Map()

package/lib/inventory.js

@@ -7,6 +7,20 @@ const _index = Symbol('_index')
 const defaultKeys = ['name', 'license', 'funding', 'realpath', 'packageName']
 const { hasOwnProperty } = Object.prototype
 const debug = require('./debug.js')
+
+// handling for the outdated "licenses" array, just pick the first one
+// also support the alternative spelling "licence"
+const getLicense = pkg => {
+  if (pkg) {
+    const lic = pkg.license || pkg.licence
+    if (lic)
+      return lic
+    const lics = pkg.licenses || pkg.licences
+    if (Array.isArray(lics))
+      return lics[0]
+  }
+}
+
 class Inventory extends Map {
   constructor (opt = {}) {
     const { primary, keys } = opt
@@ -56,7 +70,9 @@ class Inventory extends Map {
     for (const [key, map] of this[_index].entries()) {
       // if the node has the value, but it's false, then use that
       const val_ = hasOwnProperty.call(node, key) ? node[key]
-        : node[key] || (node.package && node.package[key])
+        : key === 'license' ? getLicense(node.package)
+        : node[key] ? node[key]
+        : node.package && node.package[key]
       const val = typeof val_ === 'string' ? val_
         : !val_ || typeof val_ !== 'object' ? val_
         : key === 'license' ? val_.type

package/lib/node.js

@@ -547,6 +547,8 @@ class Node {
 
       // try to find our parent/fsParent in the new root inventory
       for (const p of walkUp(dirname(this.path))) {
+        if (p === this.path)
+          continue
         const ploc = relpath(root.realpath, p)
         const parent = root.inventory.get(ploc)
         if (parent) {
@@ -783,7 +785,13 @@ class Node {
   }
 
   get fsParent () {
-    return this[_fsParent]
+    const parent = this[_fsParent]
+    /* istanbul ignore next - should be impossible */
+    debug(() => {
+      if (parent === this)
+        throw new Error('node set to its own fsParent')
+    })
+    return parent
   }
 
   set fsParent (fsParent) {
@@ -1009,7 +1017,13 @@ class Node {
   }
 
   get parent () {
-    return this[_parent]
+    const parent = this[_parent]
+    /* istanbul ignore next - should be impossible */
+    debug(() => {
+      if (parent === this)
+        throw new Error('node set to its own parent')
+    })
+    return parent
   }
 
   // This setter keeps everything in order when we move a node from

package/lib/shrinkwrap.js

@@ -32,7 +32,7 @@ const mismatch = (a, b) => a && b && a !== b
 // After calling this.commit(), any nodes not present in the tree will have
 // been removed from the shrinkwrap data as well.
 
-const procLog = require('./proc-log.js')
+const procLog = require('proc-log')
 const YarnLock = require('./yarn-lock.js')
 const {promisify} = require('util')
 const rimraf = promisify(require('rimraf'))
@@ -349,6 +349,7 @@ class Shrinkwrap {
   reset () {
     this.tree = null
     this[_awaitingUpdate] = new Map()
+    this.originalLockfileVersion = lockfileVersion
     this.data = {
       lockfileVersion,
       requires: true,
@@ -714,6 +715,7 @@ class Shrinkwrap {
         resolved,
         integrity,
         hasShrinkwrap,
+        version,
       } = this.get(node.path)
 
       const pathFixed = !resolved ? null
@@ -727,8 +729,12 @@ class Shrinkwrap {
         node.resolved === pathFixed
       const integrityOk = !integrity || !node.integrity ||
         node.integrity === integrity
+      const versionOk = !version || !node.version || version === node.version
 
-      if ((resolved || integrity) && resolvedOk && integrityOk) {
+      const allOk = (resolved || integrity || version) &&
+        resolvedOk && integrityOk && versionOk
+
+      if (allOk) {
         node.resolved = node.resolved || pathFixed || null
         node.integrity = node.integrity || integrity || null
         node.hasShrinkwrap = node.hasShrinkwrap || hasShrinkwrap || false

package/lib/tracker.js

@@ -1,6 +1,6 @@
 const _progress = Symbol('_progress')
 const _onError = Symbol('_onError')
-const procLog = require('./proc-log.js')
+const procLog = require('proc-log')
 
 module.exports = cls => class Tracker extends cls {
   constructor (options = {}) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "2.6.0",
+  "version": "2.6.4",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@npmcli/installed-package-contents": "^1.0.7",
@@ -9,6 +9,7 @@
     "@npmcli/move-file": "^1.1.0",
     "@npmcli/name-from-folder": "^1.0.1",
     "@npmcli/node-gyp": "^1.0.1",
+    "@npmcli/package-json": "^1.0.1",
     "@npmcli/run-script": "^1.8.2",
     "bin-links": "^2.2.1",
     "cacache": "^15.0.3",
@@ -19,9 +20,10 @@
     "npm-install-checks": "^4.0.0",
     "npm-package-arg": "^8.1.0",
     "npm-pick-manifest": "^6.1.0",
-    "npm-registry-fetch": "^10.0.0",
+    "npm-registry-fetch": "^11.0.0",
     "pacote": "^11.2.6",
     "parse-conflict-json": "^1.1.1",
+    "proc-log": "^1.0.0",
     "promise-all-reject-late": "^1.0.0",
     "promise-call-limit": "^1.0.1",
     "read-package-json-fast": "^2.0.2",

package/lib/proc-log.js

@@ -1,21 +0,0 @@
-// default logger.
-// emits 'log' events on the process
-const LEVELS = [
-  'notice',
-  'error',
-  'warn',
-  'info',
-  'verbose',
-  'http',
-  'silly',
-  'pause',
-  'resume',
-]
-
-const log = level => (...args) => process.emit('log', level, ...args)
-
-const logger = {}
-for (const level of LEVELS)
-  logger[level] = log(level)
-
-module.exports = logger

package/lib/update-root-package-json.js

@@ -1,95 +0,0 @@
-const fs = require('fs')
-const promisify = require('util').promisify
-const readFile = promisify(fs.readFile)
-const writeFile = promisify(fs.writeFile)
-const {resolve} = require('path')
-
-const parseJSON = require('json-parse-even-better-errors')
-
-const depTypes = new Set([
-  'dependencies',
-  'optionalDependencies',
-  'devDependencies',
-  'peerDependencies',
-])
-
-// sort alphabetically all types of deps for a given package
-const orderDeps = (pkg) => {
-  for (const type of depTypes) {
-    if (pkg && pkg[type]) {
-      pkg[type] = Object.keys(pkg[type])
-        .sort((a, b) => a.localeCompare(b, 'en'))
-        .reduce((res, key) => {
-          res[key] = pkg[type][key]
-          return res
-        }, {})
-    }
-  }
-  return pkg
-}
-const parseJsonSafe = json => {
-  try {
-    return parseJSON(json)
-  } catch (er) {
-    return null
-  }
-}
-
-const updateRootPackageJson = async tree => {
-  const filename = resolve(tree.path, 'package.json')
-  const originalJson = await readFile(filename, 'utf8').catch(() => null)
-  const originalContent = parseJsonSafe(originalJson)
-
-  const depsData = orderDeps({
-    ...tree.package,
-  })
-
-  // optionalDependencies don't need to be repeated in two places
-  if (depsData.dependencies) {
-    if (depsData.optionalDependencies) {
-      for (const name of Object.keys(depsData.optionalDependencies))
-        delete depsData.dependencies[name]
-    }
-    if (Object.keys(depsData.dependencies).length === 0)
-      delete depsData.dependencies
-  }
-
-  // if there's no package.json, just use internal pkg info as source of truth
-  // clone the object though, so we can still refer to what it originally was
-  const packageJsonContent = !originalContent ? depsData
-    : Object.assign({}, originalContent)
-
-  // loop through all types of dependencies and update package json content
-  for (const type of depTypes)
-    packageJsonContent[type] = depsData[type]
-
-  // if original package.json had dep in peerDeps AND deps, preserve that.
-  const { dependencies: origProd, peerDependencies: origPeer } =
-    originalContent || {}
-  const { peerDependencies: newPeer } = packageJsonContent
-  if (origProd && origPeer && newPeer) {
-    // we have original prod/peer deps, and new peer deps
-    // copy over any that were in both in the original
-    for (const name of Object.keys(origPeer)) {
-      if (origProd[name] !== undefined && newPeer[name] !== undefined) {
-        packageJsonContent.dependencies = packageJsonContent.dependencies || {}
-        packageJsonContent.dependencies[name] = newPeer[name]
-      }
-    }
-  }
-
-  // format content
-  const {
-    [Symbol.for('indent')]: indent,
-    [Symbol.for('newline')]: newline,
-  } = tree.package
-  const format = indent === undefined ? '  ' : indent
-  const eol = newline === undefined ? '\n' : newline
-  const content = (JSON.stringify(packageJsonContent, null, format) + '\n')
-    .replace(/\n/g, eol)
-
-  if (content !== originalJson)
-    return writeFile(filename, content)
-}
-
-module.exports = updateRootPackageJson