@npmcli/arborist 4.1.2 → 4.3.1

package/lib/arborist/build-ideal-tree.js

@@ -41,7 +41,7 @@ const _complete = Symbol('complete')
 const _depsSeen = Symbol('depsSeen')
 const _depsQueue = Symbol('depsQueue')
 const _currentDep = Symbol('currentDep')
-const _updateAll = Symbol('updateAll')
+const _updateAll = Symbol.for('updateAll')
 const _mutateTree = Symbol('mutateTree')
 const _flagsSuspect = Symbol.for('flagsSuspect')
 const _workspaces = Symbol.for('workspaces')
@@ -176,7 +176,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
   // public method
   async buildIdealTree (options = {}) {
     if (this.idealTree) {
-      return Promise.resolve(this.idealTree)
+      return this.idealTree
     }
 
     // allow the user to set reify options on the ctor as well.
@@ -194,8 +194,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     process.emit('time', 'idealTree')
 
     if (!options.add && !options.rm && !options.update && this[_global]) {
-      const er = new Error('global requires add, rm, or update option')
-      return Promise.reject(er)
+      throw new Error('global requires add, rm, or update option')
     }
 
     // first get the virtual tree, if possible.  If there's a lockfile, then
@@ -270,6 +269,22 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     this[_complete] = !!options.complete
     this[_preferDedupe] = !!options.preferDedupe
     this[_legacyBundling] = !!options.legacyBundling
+
+    // validates list of update names, they must
+    // be dep names only, no semver ranges are supported
+    for (const name of update.names) {
+      const spec = npa(name)
+      const validationError =
+        new TypeError(`Update arguments must not contain package version specifiers
+
+Try using the package name instead, e.g:
+    npm update ${spec.name}`)
+      validationError.code = 'EUPDATEARGS'
+
+      if (spec.fetchSpec !== 'latest') {
+        throw validationError
+      }
+    }
     this[_updateNames] = update.names
 
     this[_updateAll] = update.all
@@ -321,7 +336,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
       // Load on a new Arborist object, so the Nodes aren't the same,
       // or else it'll get super confusing when we change them!
       .then(async root => {
-        if (!this[_updateAll] && !this[_global] && !root.meta.loadedFromDisk) {
+        if ((!this[_updateAll] && !this[_global] && !root.meta.loadedFromDisk) || (this[_global] && this[_updateNames].length)) {
           await new this.constructor(this.options).loadActual({ root })
           const tree = root.target
           // even though we didn't load it from a package-lock.json FILE,
@@ -334,6 +349,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
             root.meta.lockfileVersion = defaultLockfileVersion
           }
         }
+        root.meta.inferFormattingOptions(root.package)
         return root
       })
 
@@ -1180,6 +1196,11 @@ This is a one-time fix-up, please be patient...
           return true
         }
 
+        // If the edge is a workspace, and it's valid, leave it alone
+        if (edge.to.isWorkspace) {
+          return false
+        }
+
         // user explicitly asked to update this package by name, problem
         if (this[_updateNames].includes(edge.name)) {
           return true
@@ -1229,24 +1250,40 @@ This is a one-time fix-up, please be patient...
     // Don't bother to load the manifest for link deps, because the target
     // might be within another package that doesn't exist yet.
     const { legacyPeerDeps } = this
-    return spec.type === 'directory'
-      ? this[_linkFromSpec](name, spec, parent, edge)
-      : this[_fetchManifest](spec)
-        .then(pkg => new Node({ name, pkg, parent, legacyPeerDeps }), error => {
-          error.requiredBy = edge.from.location || '.'
-
-          // failed to load the spec, either because of enotarget or
-          // fetch failure of some other sort.  save it so we can verify
-          // later that it's optional, otherwise the error is fatal.
-          const n = new Node({
-            name,
-            parent,
-            error,
-            legacyPeerDeps,
-          })
-          this[_loadFailures].add(n)
-          return n
+
+    // spec is a directory, link it
+    if (spec.type === 'directory') {
+      return this[_linkFromSpec](name, spec, parent, edge)
+    }
+
+    // if the spec matches a workspace name, then see if the workspace node will
+    // satisfy the edge. if it does, we return the workspace node to make sure it
+    // takes priority.
+    if (this.idealTree.workspaces && this.idealTree.workspaces.has(spec.name)) {
+      const existingNode = this.idealTree.edgesOut.get(spec.name).to
+      if (existingNode && existingNode.isWorkspace && existingNode.satisfies(edge)) {
+        return edge.to
+      }
+    }
+
+    // spec isn't a directory, and either isn't a workspace or the workspace we have
+    // doesn't satisfy the edge. try to fetch a manifest and build a node from that.
+    return this[_fetchManifest](spec)
+      .then(pkg => new Node({ name, pkg, parent, legacyPeerDeps }), error => {
+        error.requiredBy = edge.from.location || '.'
+
+        // failed to load the spec, either because of enotarget or
+        // fetch failure of some other sort.  save it so we can verify
+        // later that it's optional, otherwise the error is fatal.
+        const n = new Node({
+          name,
+          parent,
+          error,
+          legacyPeerDeps,
         })
+        this[_loadFailures].add(n)
+        return n
+      })
   }
 
   [_linkFromSpec] (name, spec, parent, edge) {

package/lib/arborist/load-actual.js

@@ -212,7 +212,8 @@ module.exports = cls => class ActualLoader extends cls {
     const promises = []
     for (const path of tree.workspaces.values()) {
       if (!this[_cache].has(path)) {
-        const p = this[_loadFSNode]({ path, root: this[_actualTree] })
+        // workspace overrides use the root overrides
+        const p = this[_loadFSNode]({ path, root: this[_actualTree], useRootOverrides: true })
           .then(node => this[_loadFSTree](node))
         promises.push(p)
       }
@@ -240,7 +241,7 @@ module.exports = cls => class ActualLoader extends cls {
     this[_actualTree] = root
   }
 
-  [_loadFSNode] ({ path, parent, real, root, loadOverrides }) {
+  [_loadFSNode] ({ path, parent, real, root, loadOverrides, useRootOverrides }) {
     if (!real) {
       return realpath(path, this[_rpcache], this[_stcache])
         .then(
@@ -250,6 +251,7 @@ module.exports = cls => class ActualLoader extends cls {
             real,
             root,
             loadOverrides,
+            useRootOverrides,
           }),
           // if realpath fails, just provide a dummy error node
           error => new Node({
@@ -289,6 +291,9 @@ module.exports = cls => class ActualLoader extends cls {
           parent,
           root,
           loadOverrides,
+          ...(useRootOverrides && root.overrides
+            ? { overrides: root.overrides.getNodeRule({ name: pkg.name, version: pkg.version }) }
+            : {}),
         })
       })
       .then(node => {

package/lib/arborist/reify.js

@@ -5,6 +5,7 @@ const pacote = require('pacote')
 const AuditReport = require('../audit-report.js')
 const { subset, intersects } = require('semver')
 const npa = require('npm-package-arg')
+const semver = require('semver')
 const debug = require('../debug.js')
 const walkUp = require('walk-up-path')
 
@@ -58,6 +59,8 @@ const _bundleUnpacked = Symbol('bundleUnpacked')
 const _bundleMissing = Symbol('bundleMissing')
 const _reifyNode = Symbol.for('reifyNode')
 const _extractOrLink = Symbol('extractOrLink')
+const _updateAll = Symbol.for('updateAll')
+const _updateNames = Symbol.for('updateNames')
 // defined by rebuild mixin
 const _checkBins = Symbol.for('checkBins')
 const _symlink = Symbol('symlink')
@@ -1140,21 +1143,33 @@ module.exports = cls => class Reifier extends cls {
     // for install failures.  Those still end up in the shrinkwrap, so we
     // save it first, then prune out the optional trash, and then return it.
 
-    // support save=false option
-    if (options.save === false || this[_global] || this[_dryRun]) {
+    const save = !(options.save === false)
+
+    // we check for updates in order to make sure we run save ideal tree
+    // even though save=false since we want `npm update` to be able to
+    // write to package-lock files by default
+    const hasUpdates = this[_updateAll] || this[_updateNames].length
+
+    // we're going to completely skip save ideal tree in case of a global or
+    // dry-run install and also if the save option is set to false, EXCEPT for
+    // update since the expected behavior for npm7+ is for update to
+    // NOT save to package.json, we make that exception since we still want
+    // saveIdealTree to be able to write the lockfile by default.
+    const saveIdealTree = !(
+      (!save && !hasUpdates)
+      || this[_global]
+      || this[_dryRun]
+    )
+
+    if (!saveIdealTree) {
       return false
     }
 
     process.emit('time', 'reify:save')
 
     const updatedTrees = new Set()
-
-    // resolvedAdd is the list of user add requests, but with names added
-    // to things like git repos and tarball file/urls.  However, if the
-    // user requested 'foo@', and we have a foo@file:../foo, then we should
-    // end up saving the spec we actually used, not whatever they gave us.
-    if (this[_resolvedAdd].length) {
-      for (const { name, tree: addTree } of this[_resolvedAdd]) {
+    const updateNodes = nodes => {
+      for (const { name, tree: addTree } of nodes) {
         // addTree either the root, or a workspace
         const edge = addTree.edgesOut.get(name)
         const pkg = addTree.package
@@ -1168,7 +1183,7 @@ module.exports = cls => class Reifier extends cls {
         // that we couldn't resolve, this MAY be missing.  if we haven't
         // blown up by now, it's because it was not a problem, though, so
         // just move on.
-        if (!child) {
+        if (!child || !addTree.isTop) {
           continue
         }
 
@@ -1259,6 +1274,80 @@ module.exports = cls => class Reifier extends cls {
       }
     }
 
+    // Returns true if any of the edges from this node has a semver
+    // range definition that is an exact match to the version installed
+    // e.g: should return true if for a given an installed version 1.0.0,
+    // range is either =1.0.0 or 1.0.0
+    const exactVersion = node => {
+      for (const edge of node.edgesIn) {
+        try {
+          if (semver.subset(edge.spec, node.version)) {
+            return false
+          }
+        } catch {}
+      }
+      return true
+    }
+
+    // helper that retrieves an array of nodes that were
+    // potentially updated during the reify process, in order
+    // to limit the number of nodes to check and update, only
+    // select nodes from the inventory that are direct deps
+    // of a given package.json (project root or a workspace)
+    // and in ase of using a list of `names`, restrict nodes
+    // to only names that are found in this list
+    const retrieveUpdatedNodes = names => {
+      const filterDirectDependencies = node =>
+        !node.isRoot && node.resolveParent.isRoot
+        && (!names || names.includes(node.name))
+        && exactVersion(node) // skip update for exact ranges
+
+      const directDeps = this.idealTree.inventory
+        .filter(filterDirectDependencies)
+
+      // traverses the list of direct dependencies and collect all nodes
+      // to be updated, since any of them might have changed during reify
+      const nodes = []
+      for (const node of directDeps) {
+        for (const edgeIn of node.edgesIn) {
+          nodes.push({
+            name: node.name,
+            tree: edgeIn.from.target,
+          })
+        }
+      }
+      return nodes
+    }
+
+    if (save) {
+      // when using update all alongside with save, we'll make
+      // sure to refresh every dependency of the root idealTree
+      if (this[_updateAll]) {
+        const nodes = retrieveUpdatedNodes()
+        updateNodes(nodes)
+      } else {
+        // resolvedAdd is the list of user add requests, but with names added
+        // to things like git repos and tarball file/urls.  However, if the
+        // user requested 'foo@', and we have a foo@file:../foo, then we should
+        // end up saving the spec we actually used, not whatever they gave us.
+        if (this[_resolvedAdd].length) {
+          updateNodes(this[_resolvedAdd])
+        }
+
+        // if updating given dependencies by name, restrict the list of
+        // nodes to check to only those currently in _updateNames
+        if (this[_updateNames].length) {
+          const nodes = retrieveUpdatedNodes(this[_updateNames])
+          updateNodes(nodes)
+        }
+
+        // grab any from explicitRequests that had deps removed
+        for (const { from: tree } of this.explicitRequests) {
+          updatedTrees.add(tree)
+        }
+      }
+    }
+
     // preserve indentation, if possible
     const {
       [Symbol.for('indent')]: indent,
@@ -1291,15 +1380,12 @@ module.exports = cls => class Reifier extends cls {
       await pkgJson.save()
     }
 
-    // grab any from explicitRequests that had deps removed
-    for (const { from: tree } of this.explicitRequests) {
-      updatedTrees.add(tree)
-    }
-
-    for (const tree of updatedTrees) {
-      // refresh the edges so they have the correct specs
-      tree.package = tree.package
-      promises.push(updatePackageJson(tree))
+    if (save) {
+      for (const tree of updatedTrees) {
+        // refresh the edges so they have the correct specs
+        tree.package = tree.package
+        promises.push(updatePackageJson(tree))
+      }
     }
 
     await Promise.all(promises)

package/lib/shrinkwrap.js

@@ -424,6 +424,18 @@ class Shrinkwrap {
       .map(fn => fn && maybeStatFile(fn)))
   }
 
+  inferFormattingOptions (packageJSONData) {
+    // don't use detect-indent, just pick the first line.
+    // if the file starts with {" then we have an indent of '', ie, none
+    // which will default to 2 at save time.
+    const {
+      [Symbol.for('indent')]: indent,
+      [Symbol.for('newline')]: newline,
+    } = packageJSONData
+    this.indent = indent !== undefined ? indent : this.indent
+    this.newline = newline !== undefined ? newline : this.newline
+  }
+
   load () {
     // we don't need to load package-lock.json except for top of tree nodes,
     // only npm-shrinkwrap.json.
@@ -451,15 +463,7 @@ class Shrinkwrap {
 
       return data ? parseJSON(data) : {}
     }).then(async data => {
-      // don't use detect-indent, just pick the first line.
-      // if the file starts with {" then we have an indent of '', ie, none
-      // which will default to 2 at save time.
-      const {
-        [Symbol.for('indent')]: indent,
-        [Symbol.for('newline')]: newline,
-      } = data
-      this.indent = indent !== undefined ? indent : this.indent
-      this.newline = newline !== undefined ? newline : this.newline
+      this.inferFormattingOptions(data)
 
       if (!this.hiddenLockfile || !data.packages) {
         return data
@@ -472,8 +476,13 @@ class Shrinkwrap {
       // all good!  hidden lockfile is the newest thing in here.
       return data
     }).catch(er => {
-      const rel = relpath(this.path, this.filename)
-      this.log.verbose('shrinkwrap', `failed to load ${rel}`, er)
+      /* istanbul ignore else */
+      if (typeof this.filename === 'string') {
+        const rel = relpath(this.path, this.filename)
+        this.log.verbose('shrinkwrap', `failed to load ${rel}`, er)
+      } else {
+        this.log.verbose('shrinkwrap', `failed to load ${this.path}`, er)
+      }
       this.loadingError = er
       this.loadedFromDisk = false
       this.ancientLockfile = false
@@ -1085,18 +1094,29 @@ class Shrinkwrap {
     return lock
   }
 
-  save (options = {}) {
+  toJSON () {
     if (!this.data) {
-      throw new Error('run load() before saving data')
+      throw new Error('run load() before getting or setting data')
     }
 
+    return this.commit()
+  }
+
+  toString (options = {}) {
+    const data = this.toJSON()
     const { format = true } = options
     const defaultIndent = this.indent || 2
     const indent = format === true ? defaultIndent
       : format || 0
     const eol = format ? this.newline || '\n' : ''
-    const data = this.commit()
-    const json = stringify(data, swKeyOrder, indent).replace(/\n/g, eol)
+    return stringify(data, swKeyOrder, indent).replace(/\n/g, eol)
+  }
+
+  save (options = {}) {
+    if (!this.data) {
+      throw new Error('run load() before saving data')
+    }
+    const json = this.toString(options)
     return Promise.all([
       writeFile(this.filename, json).catch(er => {
         if (this.hiddenLockfile) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "4.1.2",
+  "version": "4.3.1",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
@@ -12,7 +12,7 @@
     "@npmcli/node-gyp": "^1.0.3",
     "@npmcli/package-json": "^1.0.1",
     "@npmcli/run-script": "^2.0.0",
-    "bin-links": "^2.3.0",
+    "bin-links": "^3.0.0",
     "cacache": "^15.0.3",
     "common-ancestor-path": "^1.0.1",
     "json-parse-even-better-errors": "^2.3.1",
@@ -22,7 +22,7 @@
     "npm-install-checks": "^4.0.0",
     "npm-package-arg": "^8.1.5",
     "npm-pick-manifest": "^6.1.0",
-    "npm-registry-fetch": "^11.0.0",
+    "npm-registry-fetch": "^12.0.1",
     "pacote": "^12.0.2",
     "parse-conflict-json": "^2.0.1",
     "proc-log": "^1.0.0",
@@ -37,7 +37,7 @@
     "walk-up-path": "^1.0.0"
   },
   "devDependencies": {
-    "@npmcli/template-oss": "^2.3.1",
+    "@npmcli/template-oss": "^2.4.2",
     "benchmark": "^2.1.4",
     "chalk": "^4.1.0",
     "minify-registry-metadata": "^2.1.0",
@@ -94,9 +94,11 @@
   "engines": {
     "node": "^12.13.0 || ^14.15.0 || >=16"
   },
-  "templateVersion": "2.3.1",
   "eslintIgnore": [
     "test/fixtures/",
     "!test/fixtures/*.js"
-  ]
+  ],
+  "templateOSS": {
+    "version": "2.4.3"
+  }
 }