@npmcli/arborist 5.1.1 → 5.2.2

package/README.md

@@ -9,7 +9,7 @@ Inspect and manage `node_modules` trees.
 ![a tree with the word ARBORIST superimposed on it](https://raw.githubusercontent.com/npm/arborist/main/docs/logo.svg?sanitize=true)
 
 There's more documentation [in the docs
-folder](https://github.com/npm/arborist/tree/main/docs).
+folder](https://github.com/npm/cli/tree/latest/workspaces/arborist/docs).
 
 ## USAGE
 

package/lib/arborist/build-ideal-tree.js

@@ -329,6 +329,7 @@ Try using the package name instead, e.g:
         ? Shrinkwrap.reset({
           path: this.path,
           lockfileVersion: this.options.lockfileVersion,
+          resolveOptions: this.options,
         }).then(meta => Object.assign(root, { meta }))
         : this.loadVirtual({ root }))
 
@@ -388,6 +389,7 @@ Try using the package name instead, e.g:
     const meta = new Shrinkwrap({
       path: this.path,
       lockfileVersion: this.options.lockfileVersion,
+      resolveOptions: this.options,
     })
     meta.reset()
     root.meta = meta
@@ -671,7 +673,7 @@ Try using the package name instead, e.g:
           const breakingMessage = isSemVerMajor
             ? 'a SemVer major change'
             : 'outside your stated dependency range'
-          log.warn('audit', `Updating ${name} to ${version},` +
+          log.warn('audit', `Updating ${name} to ${version}, ` +
             `which is ${breakingMessage}.`)
 
           await this[_add](node, { add: [`${name}@${version}`] })

package/lib/arborist/load-actual.js

@@ -147,6 +147,7 @@ module.exports = cls => class ActualLoader extends cls {
     const meta = await Shrinkwrap.load({
       path: this[_actualTree].path,
       hiddenLockfile: true,
+      resolveOptions: this.options,
     })
     if (meta.loadedFromDisk) {
       this[_actualTree].meta = meta
@@ -155,6 +156,7 @@ module.exports = cls => class ActualLoader extends cls {
       const meta = await Shrinkwrap.load({
         path: this[_actualTree].path,
         lockfileVersion: this.options.lockfileVersion,
+        resolveOptions: this.options,
       })
       this[_actualTree].meta = meta
       return this[_loadActualActually]({ root, ignoreMissing })

package/lib/arborist/load-virtual.js

@@ -57,6 +57,7 @@ module.exports = cls => class VirtualLoader extends cls {
     const s = await Shrinkwrap.load({
       path: this.path,
       lockfileVersion: this.options.lockfileVersion,
+      resolveOptions: this.options,
     })
     if (!s.loadedFromDisk && !options.root) {
       const er = new Error('loadVirtual requires existing shrinkwrap file')

package/lib/arborist/rebuild.js

@@ -21,6 +21,8 @@ const sortNodes = (a, b) =>
 
 const _workspaces = Symbol.for('workspaces')
 const _build = Symbol('build')
+const _loadDefaultNodes = Symbol('loadDefaultNodes')
+const _retrieveNodesByType = Symbol('retrieveNodesByType')
 const _resetQueues = Symbol('resetQueues')
 const _rebuildBundle = Symbol('rebuildBundle')
 const _ignoreScripts = Symbol('ignoreScripts')
@@ -39,6 +41,7 @@ const _includeWorkspaceRoot = Symbol.for('includeWorkspaceRoot')
 const _workspacesEnabled = Symbol.for('workspacesEnabled')
 
 const _force = Symbol.for('force')
+const _global = Symbol.for('global')
 
 // defined by reify mixin
 const _handleOptionalFailure = Symbol.for('handleOptionalFailure')
@@ -75,36 +78,60 @@ module.exports = cls => class Builder extends cls {
     // running JUST a rebuild, we treat optional failures as real fails
     this[_doHandleOptionalFailure] = handleOptionalFailure
 
-    // if we don't have a set of nodes, then just rebuild
-    // the actual tree on disk.
     if (!nodes) {
-      const tree = await this.loadActual()
-      let filterSet
-      if (!this[_workspacesEnabled]) {
-        filterSet = this.excludeWorkspacesDependencySet(tree)
-        nodes = tree.inventory.filter(node =>
-          filterSet.has(node) || node.isProjectRoot
-        )
-      } else if (this[_workspaces] && this[_workspaces].length) {
-        filterSet = this.workspaceDependencySet(
-          tree,
-          this[_workspaces],
-          this[_includeWorkspaceRoot]
-        )
-        nodes = tree.inventory.filter(node => filterSet.has(node))
-      } else {
-        nodes = tree.inventory.values()
-      }
+      nodes = await this[_loadDefaultNodes]()
     }
 
     // separates links nodes so that it can run
     // prepare scripts and link bins in the expected order
     process.emit('time', 'build')
+
+    const {
+      depNodes,
+      linkNodes,
+    } = this[_retrieveNodesByType](nodes)
+
+    // build regular deps
+    await this[_build](depNodes, {})
+
+    // build link deps
+    if (linkNodes.size) {
+      this[_resetQueues]()
+      await this[_build](linkNodes, { type: 'links' })
+    }
+
+    process.emit('timeEnd', 'build')
+  }
+
+  // if we don't have a set of nodes, then just rebuild
+  // the actual tree on disk.
+  async [_loadDefaultNodes] () {
+    let nodes
+    const tree = await this.loadActual()
+    let filterSet
+    if (!this[_workspacesEnabled]) {
+      filterSet = this.excludeWorkspacesDependencySet(tree)
+      nodes = tree.inventory.filter(node =>
+        filterSet.has(node) || node.isProjectRoot
+      )
+    } else if (this[_workspaces] && this[_workspaces].length) {
+      filterSet = this.workspaceDependencySet(
+        tree,
+        this[_workspaces],
+        this[_includeWorkspaceRoot]
+      )
+      nodes = tree.inventory.filter(node => filterSet.has(node))
+    } else {
+      nodes = tree.inventory.values()
+    }
+    return nodes
+  }
+
+  [_retrieveNodesByType] (nodes) {
     const depNodes = new Set()
     const linkNodes = new Set()
+
     for (const node of nodes) {
-      // we skip the target nodes to that workspace in order to make sure
-      // we only run lifecycle scripts / place bin links once per workspace
       if (node.isLink) {
         linkNodes.add(node)
       } else {
@@ -112,14 +139,22 @@ module.exports = cls => class Builder extends cls {
       }
     }
 
-    await this[_build](depNodes, {})
-
-    if (linkNodes.size) {
-      this[_resetQueues]()
-      await this[_build](linkNodes, { type: 'links' })
+    // deduplicates link nodes and their targets, avoids
+    // calling lifecycle scripts twice when running `npm rebuild`
+    // ref: https://github.com/npm/cli/issues/2905
+    //
+    // we avoid doing so if global=true since `bin-links` relies
+    // on having the target nodes available in global mode.
+    if (!this[_global]) {
+      for (const node of linkNodes) {
+        depNodes.delete(node.target)
+      }
     }
 
-    process.emit('timeEnd', 'build')
+    return {
+      depNodes,
+      linkNodes,
+    }
   }
 
   [_resetQueues] () {
@@ -136,24 +171,22 @@ module.exports = cls => class Builder extends cls {
     process.emit('time', `build:${type}`)
 
     await this[_buildQueues](nodes)
+
+    if (!this[_ignoreScripts]) {
+      await this[_runScripts]('preinstall')
+    }
+
     // links should run prepare scripts and only link bins after that
-    if (type !== 'links') {
-      if (!this[_ignoreScripts]) {
-        await this[_runScripts]('preinstall')
-      }
-      if (this[_binLinks]) {
-        await this[_linkAllBins]()
-      }
-      if (!this[_ignoreScripts]) {
-        await this[_runScripts]('install')
-        await this[_runScripts]('postinstall')
-      }
-    } else {
+    if (type === 'links') {
       await this[_runScripts]('prepare')
+    }
+    if (this[_binLinks]) {
+      await this[_linkAllBins]()
+    }
 
-      if (this[_binLinks]) {
-        await this[_linkAllBins]()
-      }
+    if (!this[_ignoreScripts]) {
+      await this[_runScripts]('install')
+      await this[_runScripts]('postinstall')
     }
 
     process.emit('timeEnd', `build:${type}`)

package/lib/arborist/reify.js

@@ -1105,7 +1105,8 @@ module.exports = cls => class Reifier extends cls {
       // skip links that only live within node_modules as they are most
       // likely managed by packages we installed, we only want to rebuild
       // unchanged links we directly manage
-      if (node.isLink && node.target.fsTop === tree) {
+      const linkedFromRoot = node.parent === tree || node.target.fsTop === tree
+      if (node.isLink && linkedFromRoot) {
         nodes.push(node)
       }
     }

package/lib/edge.js

@@ -92,7 +92,12 @@ class Edge {
       return false
     }
 
-    return depValid(node, this.spec, this.accept, this.from)
+    // NOTE: this condition means we explicitly do not support overriding
+    // bundled or shrinkwrapped dependencies
+    const spec = (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle)
+      ? this.rawSpec
+      : this.spec
+    return depValid(node, spec, this.accept, this.from)
   }
 
   explain (seen = []) {

package/lib/node.js

@@ -524,6 +524,18 @@ class Node {
     return this === this.root || this === this.root.target
   }
 
+  get isRegistryDependency () {
+    if (this.edgesIn.size === 0) {
+      return false
+    }
+    for (const edge of this.edgesIn) {
+      if (!npa(edge.spec).registry) {
+        return false
+      }
+    }
+    return true
+  }
+
   * ancestry () {
     for (let anc = this; anc; anc = anc.resolveParent) {
       yield anc

package/lib/override-resolves.js

@@ -0,0 +1,11 @@
+function overrideResolves (resolved, opts = {}) {
+  const { omitLockfileRegistryResolved = false } = opts
+
+  if (omitLockfileRegistryResolved) {
+    return undefined
+  }
+
+  return resolved
+}
+
+module.exports = { overrideResolves }

package/lib/shrinkwrap.js

@@ -95,6 +95,7 @@ const specFromResolved = resolved => {
 const relpath = require('./relpath.js')
 
 const consistentResolve = require('./consistent-resolve.js')
+const { overrideResolves } = require('./override-resolves.js')
 
 const maybeReadFile = file => {
   return readFile(file, 'utf8').then(d => d, er => {
@@ -265,7 +266,7 @@ class Shrinkwrap {
     return s
   }
 
-  static metaFromNode (node, path) {
+  static metaFromNode (node, path, options = {}) {
     if (node.isLink) {
       return {
         resolved: relpath(path, node.realpath),
@@ -299,7 +300,12 @@ class Shrinkwrap {
     })
 
     const resolved = consistentResolve(node.resolved, node.path, path, true)
-    if (resolved) {
+    // hide resolved from registry dependencies.
+    if (!resolved) {
+      // no-op
+    } else if (node.isRegistryDependency) {
+      meta.resolved = overrideResolves(resolved, options)
+    } else {
       meta.resolved = resolved
     }
 
@@ -330,6 +336,7 @@ class Shrinkwrap {
       shrinkwrapOnly = false,
       hiddenLockfile = false,
       lockfileVersion,
+      resolveOptions = {},
     } = options
 
     this.lockfileVersion = hiddenLockfile ? 3
@@ -347,6 +354,7 @@ class Shrinkwrap {
     this.yarnLock = null
     this.hiddenLockfile = hiddenLockfile
     this.loadingError = null
+    this.resolveOptions = resolveOptions
     // only load npm-shrinkwrap.json in dep trees, not package-lock
     this.shrinkwrapOnly = shrinkwrapOnly
   }
@@ -830,7 +838,7 @@ class Shrinkwrap {
           resolved,
           integrity,
           hasShrinkwrap,
-        } = Shrinkwrap.metaFromNode(node, this.path)
+        } = Shrinkwrap.metaFromNode(node, this.path, this.resolveOptions)
         node.resolved = node.resolved || resolved || null
         node.integrity = node.integrity || integrity || null
         node.hasShrinkwrap = node.hasShrinkwrap || hasShrinkwrap || false
@@ -886,7 +894,10 @@ class Shrinkwrap {
   [_updateWaitingNode] (loc) {
     const node = this[_awaitingUpdate].get(loc)
     this[_awaitingUpdate].delete(loc)
-    this.data.packages[loc] = Shrinkwrap.metaFromNode(node, this.path)
+    this.data.packages[loc] = Shrinkwrap.metaFromNode(
+      node,
+      this.path,
+      this.resolveOptions)
   }
 
   commit () {
@@ -894,7 +905,10 @@ class Shrinkwrap {
       if (this.yarnLock) {
         this.yarnLock.fromTree(this.tree)
       }
-      const root = Shrinkwrap.metaFromNode(this.tree.target, this.path)
+      const root = Shrinkwrap.metaFromNode(
+        this.tree.target,
+        this.path,
+        this.resolveOptions)
       this.data.packages = {}
       if (Object.keys(root).length) {
         this.data.packages[''] = root
@@ -905,7 +919,10 @@ class Shrinkwrap {
           continue
         }
         const loc = relpath(this.path, node.path)
-        this.data.packages[loc] = Shrinkwrap.metaFromNode(node, this.path)
+        this.data.packages[loc] = Shrinkwrap.metaFromNode(
+          node,
+          this.path,
+          this.resolveOptions)
       }
     } else if (this[_awaitingUpdate].size > 0) {
       for (const loc of this[_awaitingUpdate].keys()) {
@@ -1013,7 +1030,7 @@ class Shrinkwrap {
         spec.type !== 'git' &&
         spec.type !== 'file' &&
         spec.type !== 'remote') {
-      lock.resolved = node.resolved
+      lock.resolved = overrideResolves(node.resolved, this.resolveOptions)
     }
 
     if (node.integrity) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "5.1.1",
+  "version": "5.2.2",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
@@ -11,7 +11,7 @@
     "@npmcli/name-from-folder": "^1.0.1",
     "@npmcli/node-gyp": "^2.0.0",
     "@npmcli/package-json": "^2.0.0",
-    "@npmcli/run-script": "^3.0.0",
+    "@npmcli/run-script": "^4.1.0",
     "bin-links": "^3.0.0",
     "cacache": "^16.0.6",
     "common-ancestor-path": "^1.0.1",
@@ -25,7 +25,7 @@
     "npm-pick-manifest": "^7.0.0",
     "npm-registry-fetch": "^13.0.0",
     "npmlog": "^6.0.2",
-    "pacote": "^13.0.5",
+    "pacote": "^13.6.1",
     "parse-conflict-json": "^2.0.1",
     "proc-log": "^2.0.0",
     "promise-all-reject-late": "^1.0.0",
@@ -40,7 +40,7 @@
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "3.4.2",
+    "@npmcli/template-oss": "3.5.0",
     "benchmark": "^2.1.4",
     "chalk": "^4.1.0",
     "minify-registry-metadata": "^2.1.0",
@@ -101,6 +101,6 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "3.4.2"
+    "version": "3.5.0"
   }
 }