@npmcli/arborist 4.0.2 → 4.1.0

package/lib/edge.js

@@ -29,6 +29,7 @@ class ArboristEdge {}
 const printableEdge = (edge) => {
   const edgeFrom = edge.from && edge.from.location
   const edgeTo = edge.to && edge.to.location
+  const override = edge.overrides && edge.overrides.value
 
   return Object.assign(new ArboristEdge(), {
     name: edge.name,
@@ -38,12 +39,13 @@ const printableEdge = (edge) => {
     ...(edgeTo ? { to: edgeTo } : {}),
     ...(edge.error ? { error: edge.error } : {}),
     ...(edge.peerConflicted ? { peerConflicted: true } : {}),
+    ...(override ? { overridden: override } : {}),
   })
 }
 
 class Edge {
   constructor (options) {
-    const { type, name, spec, accept, from } = options
+    const { type, name, spec, accept, from, overrides } = options
 
     if (typeof spec !== 'string') {
       throw new TypeError('must provide string spec')
@@ -55,6 +57,10 @@ class Edge {
 
     this[_spec] = spec
 
+    if (overrides !== undefined) {
+      this.overrides = overrides
+    }
+
     if (accept !== undefined) {
       if (typeof accept !== 'string') {
         throw new TypeError('accept field must be a string if provided')
@@ -82,8 +88,11 @@ class Edge {
   }
 
   satisfiedBy (node) {
-    return node.name === this.name &&
-      depValid(node, this.spec, this.accept, this.from)
+    if (node.name !== this.name) {
+      return false
+    }
+
+    return depValid(node, this.spec, this.accept, this.from)
   }
 
   explain (seen = []) {
@@ -101,6 +110,10 @@ class Edge {
       type: this.type,
       name: this.name,
       spec: this.spec,
+      ...(this.rawSpec !== this.spec ? {
+        rawSpec: this.rawSpec,
+        overridden: true,
+      } : {}),
       ...(bundled ? { bundled } : {}),
       ...(error ? { error } : {}),
       ...(from ? { from: from.explain(null, seen) } : {}),
@@ -143,7 +156,28 @@ class Edge {
     return this[_name]
   }
 
+  get rawSpec () {
+    return this[_spec]
+  }
+
   get spec () {
+    if (this.overrides && this.overrides.value && this.overrides.name === this.name) {
+      if (this.overrides.value.startsWith('$')) {
+        const ref = this.overrides.value.slice(1)
+        const pkg = this.from.root.package
+        const overrideSpec = (pkg.devDependencies && pkg.devDependencies[ref]) ||
+            (pkg.optionalDependencies && pkg.optionalDependencies[ref]) ||
+            (pkg.dependencies && pkg.dependencies[ref]) ||
+            (pkg.peerDependencies && pkg.peerDependencies[ref])
+
+        if (overrideSpec) {
+          return overrideSpec
+        }
+
+        throw new Error(`Unable to resolve reference ${this.overrides.value}`)
+      }
+      return this.overrides.value
+    }
     return this[_spec]
   }
 
@@ -213,6 +247,7 @@ class Edge {
     if (node.edgesOut.has(this.name)) {
       node.edgesOut.get(this.name).detach()
     }
+
     node.addEdgeOut(this)
     this.reload()
   }

package/lib/from-path.js

@@ -3,7 +3,7 @@
 // end up getting installed.  directory (ie, symlink) deps also need
 // to be resolved based on their targets, but that's what realpath is
 
-const {dirname} = require('path')
+const { dirname } = require('path')
 const npa = require('npm-package-arg')
 
 const fromPath = (node, spec) =>

package/lib/link.js

@@ -3,7 +3,7 @@ const relpath = require('./relpath.js')
 const Node = require('./node.js')
 const _loadDeps = Symbol.for('Arborist.Node._loadDeps')
 const _target = Symbol.for('_target')
-const {dirname} = require('path')
+const { dirname } = require('path')
 // defined by Node class
 const _delistFromMeta = Symbol.for('_delistFromMeta')
 const _refreshLocation = Symbol.for('_refreshLocation')

package/lib/node.js

@@ -32,15 +32,16 @@ const semver = require('semver')
 const nameFromFolder = require('@npmcli/name-from-folder')
 const Edge = require('./edge.js')
 const Inventory = require('./inventory.js')
-const {normalize} = require('read-package-json-fast')
-const {getPaths: getBinPaths} = require('bin-links')
+const OverrideSet = require('./override-set.js')
+const { normalize } = require('read-package-json-fast')
+const { getPaths: getBinPaths } = require('bin-links')
 const npa = require('npm-package-arg')
 const debug = require('./debug.js')
 const gatherDepSet = require('./gather-dep-set.js')
 const treeCheck = require('./tree-check.js')
 const walkUp = require('walk-up-path')
 
-const {resolve, relative, dirname, basename} = require('path')
+const { resolve, relative, dirname, basename } = require('path')
 const util = require('util')
 const _package = Symbol('_package')
 const _parent = Symbol('_parent')
@@ -88,6 +89,8 @@ class Node {
       legacyPeerDeps = false,
       linksIn,
       hasShrinkwrap,
+      overrides,
+      loadOverrides = false,
       extraneous = true,
       dev = true,
       optional = true,
@@ -190,6 +193,17 @@ class Node {
     // because this.package is read when adding to inventory
     this[_package] = pkg && typeof pkg === 'object' ? pkg : {}
 
+    if (overrides) {
+      this.overrides = overrides
+    } else if (loadOverrides) {
+      const overrides = this[_package].overrides || {}
+      if (Object.keys(overrides).length > 0) {
+        this.overrides = new OverrideSet({
+          overrides: this[_package].overrides,
+        })
+      }
+    }
+
     // only relevant for the root and top nodes
     this.meta = meta
 
@@ -291,8 +305,8 @@ class Node {
   }
 
   get hasInstallScript () {
-    const {hasInstallScript, scripts} = this.package
-    const {install, preinstall, postinstall} = scripts || {}
+    const { hasInstallScript, scripts } = this.package
+    const { install, preinstall, postinstall } = scripts || {}
     return !!(hasInstallScript || install || preinstall || postinstall)
   }
 
@@ -376,7 +390,7 @@ class Node {
     }
 
     if (this.root.sourceReference) {
-      const {name, version} = this.root.package
+      const { name, version } = this.root.package
       why.whileInstalling = {
         name,
         version,
@@ -963,6 +977,11 @@ class Node {
       return false
     }
 
+    // XXX need to check for two root nodes?
+    if (node.overrides !== this.overrides) {
+      return false
+    }
+
     ignorePeers = new Set(ignorePeers)
 
     // gather up all the deps of this node and that are only depended
@@ -1208,6 +1227,10 @@ class Node {
       this[_changePath](newPath)
     }
 
+    if (parent.overrides) {
+      this.overrides = parent.overrides.getNodeRule(this)
+    }
+
     // clobbers anything at that path, resets all appropriate references
     this.root = parent.root
   }
@@ -1279,11 +1302,33 @@ class Node {
     }
   }
 
+  assertRootOverrides () {
+    if (!this.isProjectRoot || !this.overrides) {
+      return
+    }
+
+    for (const edge of this.edgesOut.values()) {
+      // if these differ an override has been applied, those are not allowed
+      // for top level dependencies so throw an error
+      if (edge.spec !== edge.rawSpec && !edge.spec.startsWith('$')) {
+        throw Object.assign(new Error(`Override for ${edge.name}@${edge.rawSpec} conflicts with direct dependency`), { code: 'EOVERRIDE' })
+      }
+    }
+  }
+
   addEdgeOut (edge) {
+    if (this.overrides) {
+      edge.overrides = this.overrides.getEdgeRule(edge)
+    }
+
     this.edgesOut.set(edge.name, edge)
   }
 
   addEdgeIn (edge) {
+    if (edge.overrides) {
+      this.overrides = edge.overrides
+    }
+
     this.edgesIn.add(edge)
 
     // try to get metadata from the yarn.lock file

package/lib/override-set.js

@@ -0,0 +1,123 @@
+const npa = require('npm-package-arg')
+const semver = require('semver')
+
+class OverrideSet {
+  constructor ({ overrides, key, parent }) {
+    this.parent = parent
+    this.children = new Map()
+
+    if (typeof overrides === 'string') {
+      overrides = { '.': overrides }
+    }
+
+    // change a literal empty string to * so we can use truthiness checks on
+    // the value property later
+    if (overrides['.'] === '') {
+      overrides['.'] = '*'
+    }
+
+    if (parent) {
+      const spec = npa(key)
+      if (!spec.name) {
+        throw new Error(`Override without name: ${key}`)
+      }
+
+      this.name = spec.name
+      spec.name = ''
+      this.key = key
+      this.keySpec = spec.rawSpec === '' ? '' : spec.toString()
+      this.value = overrides['.'] || this.keySpec
+    }
+
+    for (const [key, childOverrides] of Object.entries(overrides)) {
+      if (key === '.') {
+        continue
+      }
+
+      const child = new OverrideSet({
+        parent: this,
+        key,
+        overrides: childOverrides,
+      })
+
+      this.children.set(child.key, child)
+    }
+  }
+
+  getEdgeRule (edge) {
+    for (const rule of this.ruleset.values()) {
+      if (rule.name !== edge.name) {
+        continue
+      }
+
+      if (rule.keySpec === '' ||
+        semver.intersects(edge.spec, rule.keySpec)) {
+        return rule
+      }
+    }
+
+    return this
+  }
+
+  getNodeRule (node) {
+    for (const rule of this.ruleset.values()) {
+      if (rule.name !== node.name) {
+        continue
+      }
+
+      if (rule.keySpec === '' ||
+        semver.satisfies(node.version, rule.keySpec) ||
+        semver.satisfies(node.version, rule.value)) {
+        return rule
+      }
+    }
+
+    return this
+  }
+
+  getMatchingRule (node) {
+    for (const rule of this.ruleset.values()) {
+      if (rule.name !== node.name) {
+        continue
+      }
+
+      if (rule.keySpec === '' ||
+        semver.satisfies(node.version, rule.keySpec) ||
+        semver.satisfies(node.version, rule.value)) {
+        return rule
+      }
+    }
+
+    return null
+  }
+
+  * ancestry () {
+    for (let ancestor = this; ancestor; ancestor = ancestor.parent) {
+      yield ancestor
+    }
+  }
+
+  get isRoot () {
+    return !this.parent
+  }
+
+  get ruleset () {
+    const ruleset = new Map()
+
+    for (const override of this.ancestry()) {
+      for (const kid of override.children.values()) {
+        if (!ruleset.has(kid.key)) {
+          ruleset.set(kid.key, kid)
+        }
+      }
+
+      if (!override.isRoot && !ruleset.has(override.key)) {
+        ruleset.set(override.key, override)
+      }
+    }
+
+    return ruleset
+  }
+}
+
+module.exports = OverrideSet

package/lib/place-dep.js

@@ -295,6 +295,7 @@ class PlaceDep {
       integrity: dep.integrity,
       legacyPeerDeps: this.legacyPeerDeps,
       error: dep.errors[0],
+      ...(dep.overrides ? { overrides: dep.overrides } : {}),
       ...(dep.isLink ? { target: dep.target, realpath: dep.realpath } : {}),
     })
 
@@ -407,11 +408,12 @@ class PlaceDep {
       for (const entryEdge of peerEntrySets(edge.from).keys()) {
         // either this one needs to be pruned and re-evaluated, or marked
         // as peerConflicted and warned about.  If the entryEdge comes in from
-        // the root, then we have to leave it alone, and in that case, it
-        // will have already warned or crashed by getting to this point.
+        // the root or a workspace, then we have to leave it alone, and in that
+        // case, it will have already warned or crashed by getting to this point
         const entryNode = entryEdge.to
         const deepestTarget = deepestNestingTarget(entryNode)
-        if (deepestTarget !== target && !entryEdge.from.isRoot) {
+        if (deepestTarget !== target &&
+            !(entryEdge.from.isProjectRoot || entryEdge.from.isWorkspace)) {
           prunePeerSets.push(...gatherDepSet([entryNode], e => {
             return e.to !== entryNode && !e.peerConflicted
           }))

package/lib/printable.js

@@ -1,6 +1,5 @@
 // helper function to output a clearer visualization
 // of the current node and its descendents
-
 const localeCompare = require('@isaacs/string-locale-compare')('en')
 const util = require('util')
 const relpath = require('./relpath.js')
@@ -65,6 +64,11 @@ class ArboristNode {
       this.errors = tree.errors.map(treeError)
     }
 
+    if (tree.overrides) {
+      this.overrides = new Map([...tree.overrides.ruleset.values()]
+        .map((override) => [override.key, override.value]))
+    }
+
     // edgesOut sorted by name
     if (tree.edgesOut.size) {
       this.edgesOut = new Map([...tree.edgesOut.entries()]
@@ -87,7 +91,7 @@ class ArboristNode {
     // fsChildren sorted by path
     if (tree.fsChildren.size) {
       this.fsChildren = new Set([...tree.fsChildren]
-        .sort(({path: a}, {path: b}) => localeCompare(a, b))
+        .sort(({ path: a }, { path: b }) => localeCompare(a, b))
         .map(tree => printableTree(tree, path)))
     }
 
@@ -114,7 +118,7 @@ class ArboristLink extends ArboristNode {
   }
 }
 
-const treeError = ({code, path}) => ({
+const treeError = ({ code, path }) => ({
   code,
   ...(path ? { path } : {}),
 })
@@ -126,7 +130,10 @@ class Edge {
   constructor (edge) {
     this.type = edge.type
     this.name = edge.name
-    this.spec = edge.spec || '*'
+    this.spec = edge.rawSpec || '*'
+    if (edge.rawSpec !== edge.spec) {
+      this.override = edge.spec
+    }
     if (edge.error) {
       this.error = edge.error
     }
@@ -145,6 +152,8 @@ class EdgeOut extends Edge {
 
   [util.inspect.custom] () {
     return `{ ${this.type} ${this.name}@${this.spec}${
+      this.override ? ` overridden:${this.override}` : ''
+    }${
       this.to ? ' -> ' + this.to : ''
     }${
       this.error ? ' ' + this.error : ''

package/lib/relpath.js

@@ -1,3 +1,3 @@
-const {relative} = require('path')
+const { relative } = require('path')
 const relpath = (from, to) => relative(from, to).replace(/\\/g, '/')
 module.exports = relpath

package/lib/retire-path.js

@@ -1,5 +1,5 @@
 const crypto = require('crypto')
-const {dirname, basename, resolve} = require('path')
+const { dirname, basename, resolve } = require('path')
 
 // use sha1 because it's faster, and collisions extremely unlikely anyway
 const pathSafeHash = s =>

package/lib/shrinkwrap.js

@@ -35,7 +35,7 @@ const mismatch = (a, b) => a && b && a !== b
 
 const procLog = require('proc-log')
 const YarnLock = require('./yarn-lock.js')
-const {promisify} = require('util')
+const { promisify } = require('util')
 const rimraf = promisify(require('rimraf'))
 const fs = require('fs')
 const readFile = promisify(fs.readFile)
@@ -180,7 +180,7 @@ const assertNoNewer = async (path, data, lockTime, dir = path, seen = null) => {
 
   const parent = isParent ? dir : resolve(dir, 'node_modules')
   const children = dir === path
-    ? Promise.resolve([{name: 'node_modules', isDirectory: () => true }])
+    ? Promise.resolve([{ name: 'node_modules', isDirectory: () => true }])
     : readdir(parent, { withFileTypes: true })
 
   return children.catch(() => [])
@@ -238,21 +238,31 @@ class Shrinkwrap {
     return swKeyOrder
   }
 
-  static reset (options) {
+  static async reset (options) {
     // still need to know if it was loaded from the disk, but don't
     // bother reading it if we're gonna just throw it away.
     const s = new Shrinkwrap(options)
     s.reset()
 
-    return s[_maybeStat]().then(([sw, lock]) => {
-      s.filename = resolve(s.path,
-        (s.hiddenLockfile ? 'node_modules/.package-lock'
-        : s.shrinkwrapOnly || sw ? 'npm-shrinkwrap'
-        : 'package-lock') + '.json')
-      s.loadedFromDisk = !!(sw || lock)
-      s.type = basename(s.filename)
-      return s
-    })
+    const [sw, lock] = await s[_maybeStat]()
+
+    s.filename = resolve(s.path,
+      (s.hiddenLockfile ? 'node_modules/.package-lock'
+      : s.shrinkwrapOnly || sw ? 'npm-shrinkwrap'
+      : 'package-lock') + '.json')
+    s.loadedFromDisk = !!(sw || lock)
+    s.type = basename(s.filename)
+
+    try {
+      if (s.loadedFromDisk && !s.lockfileVersion) {
+        const json = parseJSON(await maybeReadFile(s.filename))
+        if (json.lockfileVersion > defaultLockfileVersion) {
+          s.lockfileVersion = json.lockfileVersion
+        }
+      }
+    } catch (e) {}
+
+    return s
   }
 
   static metaFromNode (node, path) {
@@ -356,7 +366,7 @@ class Shrinkwrap {
     if (fromYarn && fromYarn.version) {
       // if it's the yarn or npm default registry, use the version as
       // our effective spec.  if it's any other kind of thing, use that.
-      const {resolved, version, integrity} = fromYarn
+      const { resolved, version, integrity } = fromYarn
       const isYarnReg = spec.registry && yarnRegRe.test(resolved)
       const isnpmReg = spec.registry && !isYarnReg && npmRegRe.test(resolved)
       const isReg = isnpmReg || isYarnReg
@@ -380,9 +390,10 @@ class Shrinkwrap {
   reset () {
     this.tree = null
     this[_awaitingUpdate] = new Map()
-    this.originalLockfileVersion = this.lockfileVersion
+    const lockfileVersion = this.lockfileVersion || defaultLockfileVersion
+    this.originalLockfileVersion = lockfileVersion
     this.data = {
-      lockfileVersion: this.lockfileVersion || defaultLockfileVersion,
+      lockfileVersion,
       requires: true,
       packages: {},
       dependencies: {},
@@ -1051,7 +1062,7 @@ class Shrinkwrap {
     }
 
     // now we walk the children, putting them in the 'dependencies' object
-    const {children} = node.target
+    const { children } = node.target
     if (!children.size) {
       delete lock.dependencies
     } else {

package/lib/version-from-tgz.js

@@ -1,7 +1,7 @@
 /* eslint node/no-deprecated-api: "off" */
 const semver = require('semver')
-const {basename} = require('path')
-const {parse} = require('url')
+const { basename } = require('path')
+const { parse } = require('url')
 module.exports = (name, tgz) => {
   const base = basename(tgz)
   if (!base.endsWith('.tgz')) {

package/lib/vuln.js

@@ -11,7 +11,7 @@
 //   @npmcli/metavuln-calculator
 // - via: dependency vulns which cause this one
 
-const {satisfies, simplifyRange} = require('semver')
+const { satisfies, simplifyRange } = require('semver')
 const semverOpt = { loose: true, includePrerelease: true }
 
 const localeCompare = require('@isaacs/string-locale-compare')('en')

package/lib/yarn-lock.js

@@ -30,8 +30,8 @@
 
 const localeCompare = require('@isaacs/string-locale-compare')('en')
 const consistentResolve = require('./consistent-resolve.js')
-const {dirname} = require('path')
-const {breadth} = require('treeverse')
+const { dirname } = require('path')
+const { breadth } = require('treeverse')
 
 // sort a key/value object into a string of JSON stringified keys and vals
 const sortKV = obj => Object.keys(obj)

package/package.json

@@ -1,15 +1,15 @@
 {
   "name": "@npmcli/arborist",
-  "version": "4.0.2",
+  "version": "4.1.0",
   "description": "Manage node_modules trees",
   "dependencies": {
-    "@isaacs/string-locale-compare": "^1.0.1",
+    "@isaacs/string-locale-compare": "^1.1.0",
     "@npmcli/installed-package-contents": "^1.0.7",
     "@npmcli/map-workspaces": "^2.0.0",
     "@npmcli/metavuln-calculator": "^2.0.0",
     "@npmcli/move-file": "^1.1.0",
     "@npmcli/name-from-folder": "^1.0.1",
-    "@npmcli/node-gyp": "^1.0.1",
+    "@npmcli/node-gyp": "^1.0.3",
     "@npmcli/package-json": "^1.0.1",
     "@npmcli/run-script": "^2.0.0",
     "bin-links": "^2.3.0",
@@ -23,7 +23,7 @@
     "npm-package-arg": "^8.1.5",
     "npm-pick-manifest": "^6.1.0",
     "npm-registry-fetch": "^11.0.0",
-    "pacote": "^12.0.0",
+    "pacote": "^12.0.2",
     "parse-conflict-json": "^1.1.1",
     "proc-log": "^1.0.0",
     "promise-all-reject-late": "^1.0.0",
@@ -37,39 +37,40 @@
     "walk-up-path": "^1.0.0"
   },
   "devDependencies": {
-    "@npmcli/lint": "^1.0.2",
+    "@npmcli/template-oss": "^2.3.1",
     "benchmark": "^2.1.4",
     "chalk": "^4.1.0",
     "minify-registry-metadata": "^2.1.0",
-    "tap": "^15.0.9",
+    "nock": "^13.2.0",
+    "tap": "^15.1.2",
     "tcompare": "^5.0.6"
   },
   "scripts": {
-    "test": "npm run test-only --",
-    "test-only": "tap",
-    "posttest": "npm run lint --",
+    "test": "tap",
+    "posttest": "npm run lint",
     "snap": "tap",
-    "postsnap": "npm run lintfix --",
+    "postsnap": "npm run lintfix",
     "test-proxy": "ARBORIST_TEST_PROXY=1 tap --snapshot",
     "preversion": "npm test",
     "postversion": "npm publish",
     "prepublishOnly": "git push origin --follow-tags",
     "eslint": "eslint",
-    "lint": "npm run npmclilint -- \"lib/**/*.*js\" \"bin/**/*.*js\" \"test/*.*js\" \"test/arborist/*.*js\"",
+    "lint": "eslint '**/*.js'",
     "lintfix": "npm run lint -- --fix",
     "benchmark": "node scripts/benchmark.js",
     "benchclean": "rm -rf scripts/benchmark/*/",
-    "npmclilint": "npmcli-lint"
+    "npmclilint": "npmcli-lint",
+    "postlint": "npm-template-check"
   },
   "repository": {
     "type": "git",
     "url": "https://github.com/npm/arborist"
   },
-  "author": "Isaac Z. Schlueter <i@izs.me> (http://blog.izs.me/)",
+  "author": "GitHub Inc.",
   "license": "ISC",
   "files": [
-    "lib/**/*.js",
-    "bin/**/*.js"
+    "bin",
+    "lib"
   ],
   "main": "lib/index.js",
   "bin": {
@@ -88,9 +89,14 @@
       "--no-warnings",
       "--no-deprecation"
     ],
-    "timeout": "240"
+    "timeout": "360"
   },
   "engines": {
     "node": "^12.13.0 || ^14.15.0 || >=16"
-  }
+  },
+  "templateVersion": "2.3.1",
+  "eslintIgnore": [
+    "test/fixtures/",
+    "!test/fixtures/*.js"
+  ]
 }