@npmcli/arborist 5.0.3 → 5.0.6

package/README.md

@@ -1,5 +1,9 @@
 # @npmcli/arborist
 
+[![npm version](https://img.shields.io/npm/v/@npmcli/arborist.svg)](https://npm.im/@npmcli/arborist)
+[![license](https://img.shields.io/npm/l/@npmcli/arborist.svg)](https://npm.im/@npmcli/arborist)
+[![CI - @npmcli/arborist](https://github.com/npm/cli/actions/workflows/ci-npmcli-arborist.yml/badge.svg)](https://github.com/npm/cli/actions/workflows/ci-npmcli-arborist.yml)
+
 Inspect and manage `node_modules` trees.
 
 ![a tree with the word ARBORIST superimposed on it](https://raw.githubusercontent.com/npm/arborist/main/docs/logo.svg?sanitize=true)

package/lib/arborist/build-ideal-tree.js

@@ -355,6 +355,21 @@ Try using the package name instead, e.g:
       })
 
       .then(tree => {
+        // search the virtual tree for invalid edges, if any are found add their source to
+        // the depsQueue so that we'll fix it later
+        depth({
+          tree,
+          getChildren: (node) => [...node.edgesOut.values()].map(edge => edge.to),
+          filter: node => node,
+          visit: node => {
+            for (const edge of node.edgesOut.values()) {
+              if (!edge.valid) {
+                this[_depsQueue].push(node)
+                break // no need to continue the loop after the first hit
+              }
+            }
+          },
+        })
         // null the virtual tree, because we're about to hack away at it
         // if you want another one, load another copy.
         this.idealTree = tree
@@ -743,6 +758,12 @@ This is a one-time fix-up, please be patient...
         continue
       }
 
+      // if the node's location isn't within node_modules then this is actually
+      // a link target, so skip it. the link node itself will be queued later.
+      if (!node.location.startsWith('node_modules')) {
+        continue
+      }
+
       queue.push(async () => {
         log.silly('inflate', node.location)
         const { resolved, version, path, name, location, integrity } = node
@@ -750,8 +771,7 @@ This is a one-time fix-up, please be patient...
         const useResolved = resolved && (
           !version || resolved.startsWith('file:')
         )
-        const id = useResolved ? resolved
-          : version || `file:${node.path}`
+        const id = useResolved ? resolved : version
         const spec = npa.resolve(name, id, dirname(path))
         const t = `idealTree:inflate:${location}`
         this.addTracker(t)

package/lib/arborist/load-virtual.js

@@ -79,7 +79,7 @@ module.exports = cls => class VirtualLoader extends cls {
   async [loadRoot] (s) {
     const pj = this.path + '/package.json'
     const pkg = await rpj(pj).catch(() => s.data.packages['']) || {}
-    return this[loadWorkspaces](this[loadNode]('', pkg))
+    return this[loadWorkspaces](this[loadNode]('', pkg, true))
   }
 
   async [loadFromShrinkwrap] (s, root) {
@@ -264,7 +264,7 @@ module.exports = cls => class VirtualLoader extends cls {
     }
   }
 
-  [loadNode] (location, sw) {
+  [loadNode] (location, sw, loadOverrides) {
     const p = this.virtualTree ? this.virtualTree.realpath : this.path
     const path = resolve(p, location)
     // shrinkwrap doesn't include package name unless necessary
@@ -290,6 +290,7 @@ module.exports = cls => class VirtualLoader extends cls {
       optional,
       devOptional,
       peer,
+      loadOverrides,
     })
     // cast to boolean because they're undefined in the lock file when false
     node.extraneous = !!sw.extraneous

package/lib/arborist/reify.js

@@ -1308,7 +1308,7 @@ module.exports = cls => class Reifier extends cls {
     // to only names that are found in this list
     const retrieveUpdatedNodes = names => {
       const filterDirectDependencies = node =>
-        !node.isRoot && node.resolveParent.isRoot
+        !node.isRoot && node.resolveParent && node.resolveParent.isRoot
         && (!names || names.includes(node.name))
         && exactVersion(node) // skip update for exact ranges
 

package/lib/audit-report.js

@@ -134,16 +134,7 @@ class AuditReport extends Map {
     const seen = new Set()
     for (const advisory of advisories) {
       const { name, range } = advisory
-
-      // don't flag the exact same name/range more than once
-      // adding multiple advisories with the same range is fine, but no
-      // need to search for nodes we already would have added.
       const k = `${name}@${range}`
-      if (seen.has(k)) {
-        continue
-      }
-
-      seen.add(k)
 
       const vuln = this.get(name) || new Vuln({ name, advisory })
       if (this.has(name)) {
@@ -151,44 +142,50 @@ class AuditReport extends Map {
       }
       super.set(name, vuln)
 
-      const p = []
-      for (const node of this.tree.inventory.query('packageName', name)) {
-        if (!shouldAudit(node, this[_omit], this.filterSet)) {
-          continue
-        }
+      // don't flag the exact same name/range more than once
+      // adding multiple advisories with the same range is fine, but no
+      // need to search for nodes we already would have added.
+      if (!seen.has(k)) {
+        const p = []
+        for (const node of this.tree.inventory.query('packageName', name)) {
+          if (!shouldAudit(node, this[_omit], this.filterSet)) {
+            continue
+          }
 
-        // if not vulnerable by this advisory, keep searching
-        if (!advisory.testVersion(node.version)) {
-          continue
-        }
+          // if not vulnerable by this advisory, keep searching
+          if (!advisory.testVersion(node.version)) {
+            continue
+          }
 
-        // we will have loaded the source already if this is a metavuln
-        if (advisory.type === 'metavuln') {
-          vuln.addVia(this.get(advisory.dependency))
-        }
+          // we will have loaded the source already if this is a metavuln
+          if (advisory.type === 'metavuln') {
+            vuln.addVia(this.get(advisory.dependency))
+          }
 
-        // already marked this one, no need to do it again
-        if (vuln.nodes.has(node)) {
-          continue
-        }
+          // already marked this one, no need to do it again
+          if (vuln.nodes.has(node)) {
+            continue
+          }
 
-        // haven't marked this one yet.  get its dependents.
-        vuln.nodes.add(node)
-        for (const { from: dep, spec } of node.edgesIn) {
-          if (dep.isTop && !vuln.topNodes.has(dep)) {
-            this[_checkTopNode](dep, vuln, spec)
-          } else {
+          // haven't marked this one yet.  get its dependents.
+          vuln.nodes.add(node)
+          for (const { from: dep, spec } of node.edgesIn) {
+            if (dep.isTop && !vuln.topNodes.has(dep)) {
+              this[_checkTopNode](dep, vuln, spec)
+            } else {
             // calculate a metavuln, if necessary
-            const calc = this.calculator.calculate(dep.packageName, advisory)
-            p.push(calc.then(meta => {
-              if (meta.testVersion(dep.version, spec)) {
-                advisories.add(meta)
-              }
-            }))
+              const calc = this.calculator.calculate(dep.packageName, advisory)
+              p.push(calc.then(meta => {
+                if (meta.testVersion(dep.version, spec)) {
+                  advisories.add(meta)
+                }
+              }))
+            }
           }
         }
+        await Promise.all(p)
+        seen.add(k)
       }
-      await Promise.all(p)
 
       // make sure we actually got something.  if not, remove it
       // this can happen if you are loading from a lockfile created by

package/lib/edge.js

@@ -215,6 +215,11 @@ class Edge {
 
   reload (hard = false) {
     this[_explanation] = null
+    if (this[_from].overrides) {
+      this.overrides = this[_from].overrides.getEdgeRule(this)
+    } else {
+      delete this.overrides
+    }
     const newTo = this[_from].resolve(this.name)
     if (newTo !== this[_to]) {
       if (this[_to]) {

package/lib/node.js

@@ -792,6 +792,9 @@ class Node {
       target.root = root
     }
 
+    if (!this.overrides && this.parent && this.parent.overrides) {
+      this.overrides = this.parent.overrides.getNodeRule(this)
+    }
     // tree should always be valid upon root setter completion.
     treeCheck(this)
     treeCheck(root)

package/lib/retire-path.js

@@ -7,7 +7,7 @@ const pathSafeHash = s =>
     .update(s)
     .digest('base64')
     .replace(/[^a-zA-Z0-9]+/g, '')
-    .substr(0, 8)
+    .slice(0, 8)
 
 const retirePath = from => {
   const d = dirname(from)

package/lib/shrinkwrap.js

@@ -807,7 +807,7 @@ class Shrinkwrap {
       const pathFixed = !resolved ? null
         : !/^file:/.test(resolved) ? resolved
         // resolve onto the metadata path
-        : `file:${resolve(this.path, resolved.substr(5))}`
+        : `file:${resolve(this.path, resolved.slice(5))}`
 
       // if we have one, only set the other if it matches
       // otherwise it could be for a completely different thing.
@@ -1056,7 +1056,7 @@ class Shrinkwrap {
             // turn absolute file: paths into relative paths from the node
             // this especially shows up with workspace edges when the root
             // node is also a workspace in the set.
-            const p = resolve(node.realpath, spec.substr('file:'.length))
+            const p = resolve(node.realpath, spec.slice('file:'.length))
             set[k] = `file:${relpath(node.realpath, p)}`
           } else {
             set[k] = spec

package/lib/tracker.js

@@ -1,10 +1,12 @@
 const _progress = Symbol('_progress')
 const _onError = Symbol('_onError')
+const _setProgress = Symbol('_setProgess')
 const npmlog = require('npmlog')
 
 module.exports = cls => class Tracker extends cls {
   constructor (options = {}) {
     super(options)
+    this[_setProgress] = !!options.progress
     this[_progress] = new Map()
   }
 
@@ -27,7 +29,7 @@ module.exports = cls => class Tracker extends cls {
       // 1. no existing tracker, no subsection
       // Create a new tracker from npmlog
       // starts progress bar
-      if (this[_progress].size === 0) {
+      if (this[_setProgress] && this[_progress].size === 0) {
         npmlog.enableProgress()
       }
 
@@ -76,7 +78,7 @@ module.exports = cls => class Tracker extends cls {
 
       // remove progress bar if all
       // trackers are finished
-      if (this[_progress].size === 0) {
+      if (this[_setProgress] && this[_progress].size === 0) {
         npmlog.disableProgress()
       }
     } else if (!hasTracker && subsection === null) {
@@ -92,7 +94,9 @@ module.exports = cls => class Tracker extends cls {
   }
 
   [_onError] (msg) {
-    npmlog.disableProgress()
+    if (this[_setProgress]) {
+      npmlog.disableProgress()
+    }
     throw new Error(msg)
   }
 }

package/lib/version-from-tgz.js

@@ -16,7 +16,7 @@ module.exports = (name, tgz) => {
     // basename checking.  Note that registries can
     // be mounted below the root url, so /a/b/-/x/y/foo/-/foo-1.2.3.tgz
     // is a potential option.
-    const tfsplit = u.path.substr(1).split('/-/')
+    const tfsplit = u.path.slice(1).split('/-/')
     if (tfsplit.length > 1) {
       const afterTF = tfsplit.pop()
       if (afterTF === base) {

package/package.json

@@ -1,16 +1,16 @@
 {
   "name": "@npmcli/arborist",
-  "version": "5.0.3",
+  "version": "5.0.6",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
     "@npmcli/installed-package-contents": "^1.0.7",
     "@npmcli/map-workspaces": "^2.0.0",
     "@npmcli/metavuln-calculator": "^3.0.1",
-    "@npmcli/move-file": "^1.1.0",
+    "@npmcli/move-file": "^2.0.0",
     "@npmcli/name-from-folder": "^1.0.1",
-    "@npmcli/node-gyp": "^1.0.3",
-    "@npmcli/package-json": "^1.0.1",
+    "@npmcli/node-gyp": "^2.0.0",
+    "@npmcli/package-json": "^2.0.0",
     "@npmcli/run-script": "^3.0.0",
     "bin-links": "^3.0.0",
     "cacache": "^16.0.0",
@@ -20,7 +20,7 @@
     "mkdirp": "^1.0.4",
     "mkdirp-infer-owner": "^2.0.0",
     "nopt": "^5.0.0",
-    "npm-install-checks": "^4.0.0",
+    "npm-install-checks": "^5.0.0",
     "npm-package-arg": "^9.0.0",
     "npm-pick-manifest": "^7.0.0",
     "npm-registry-fetch": "^13.0.0",
@@ -34,17 +34,18 @@
     "readdir-scoped-modules": "^1.1.0",
     "rimraf": "^3.0.2",
     "semver": "^7.3.5",
-    "ssri": "^8.0.1",
-    "treeverse": "^1.0.4",
+    "ssri": "^9.0.0",
+    "treeverse": "^2.0.0",
     "walk-up-path": "^1.0.0"
   },
   "devDependencies": {
-    "@npmcli/template-oss": "^2.4.2",
+    "@npmcli/eslint-config": "^3.0.1",
+    "@npmcli/template-oss": "3.3.2",
     "benchmark": "^2.1.4",
     "chalk": "^4.1.0",
     "minify-registry-metadata": "^2.1.0",
     "nock": "^13.2.0",
-    "tap": "^15.1.2",
+    "tap": "^16.0.1",
     "tcompare": "^5.0.6"
   },
   "scripts": {
@@ -57,24 +58,24 @@
     "postversion": "npm publish",
     "prepublishOnly": "git push origin --follow-tags",
     "eslint": "eslint",
-    "lint": "eslint '**/*.js'",
+    "lint": "eslint \"**/*.js\"",
     "lintfix": "npm run lint -- --fix",
     "benchmark": "node scripts/benchmark.js",
     "benchclean": "rm -rf scripts/benchmark/*/",
     "npmclilint": "npmcli-lint",
-    "postlint": "npm-template-check",
-    "template-copy": "npm-template-copy --force"
+    "postlint": "template-oss-check",
+    "template-oss-apply": "template-oss-apply --force"
   },
   "repository": {
     "type": "git",
-    "url": "https://github.com/npm/cli",
+    "url": "https://github.com/npm/cli.git",
     "directory": "workspaces/arborist"
   },
   "author": "GitHub Inc.",
   "license": "ISC",
   "files": [
-    "bin",
-    "lib"
+    "bin/",
+    "lib/"
   ],
   "main": "lib/index.js",
   "bin": {
@@ -96,13 +97,10 @@
     "timeout": "360"
   },
   "engines": {
-    "node": "^12.13.0 || ^14.15.0 || >=16"
+    "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
   },
-  "eslintIgnore": [
-    "test/fixtures/",
-    "!test/fixtures/*.js"
-  ],
   "templateOSS": {
-    "version": "2.9.2"
+    "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
+    "version": "3.3.2"
   }
 }