@npmcli/arborist 5.4.0 → 5.6.1

package/bin/index.js

@@ -99,6 +99,7 @@ for (const file of commandFiles) {
         if (bin.loglevel !== 'silent') {
           console[process.exitCode ? 'error' : 'log'](r)
         }
+        return r
       })
   }
 }

package/lib/add-rm-pkg-deps.js

@@ -4,8 +4,67 @@ const log = require('proc-log')
 const localeCompare = require('@isaacs/string-locale-compare')('en')
 
 const add = ({ pkg, add, saveBundle, saveType }) => {
-  for (const spec of add) {
-    addSingle({ pkg, spec, saveBundle, saveType })
+  for (const { name, rawSpec } of add) {
+    // if the user does not give us a type, we infer which type(s)
+    // to keep based on the same order of priority we do when
+    // building the tree as defined in the _loadDeps method of
+    // the node class.
+    if (!saveType) {
+      saveType = inferSaveType(pkg, name)
+    }
+
+    if (saveType === 'prod') {
+      // a production dependency can only exist as production (rpj ensures it
+      // doesn't coexist w/ optional)
+      deleteSubKey(pkg, 'devDependencies', name, 'dependencies')
+      deleteSubKey(pkg, 'peerDependencies', name, 'dependencies')
+    } else if (saveType === 'dev') {
+      // a dev dependency may co-exist as peer, or optional, but not production
+      deleteSubKey(pkg, 'dependencies', name, 'devDependencies')
+    } else if (saveType === 'optional') {
+      // an optional dependency may co-exist as dev (rpj ensures it doesn't
+      // coexist w/ prod)
+      deleteSubKey(pkg, 'peerDependencies', name, 'optionalDependencies')
+    } else { // peer or peerOptional is all that's left
+      // a peer dependency may coexist as dev
+      deleteSubKey(pkg, 'dependencies', name, 'peerDependencies')
+      deleteSubKey(pkg, 'optionalDependencies', name, 'peerDependencies')
+    }
+
+    const depType = saveTypeMap.get(saveType)
+
+    pkg[depType] = pkg[depType] || {}
+    if (rawSpec !== '' || pkg[depType][name] === undefined) {
+      pkg[depType][name] = rawSpec || '*'
+    }
+    if (saveType === 'optional') {
+      // Affordance for previous npm versions that require this behaviour
+      pkg.dependencies = pkg.dependencies || {}
+      pkg.dependencies[name] = pkg.optionalDependencies[name]
+    }
+
+    if (saveType === 'peer' || saveType === 'peerOptional') {
+      const pdm = pkg.peerDependenciesMeta || {}
+      if (saveType === 'peer' && pdm[name] && pdm[name].optional) {
+        pdm[name].optional = false
+      } else if (saveType === 'peerOptional') {
+        pdm[name] = pdm[name] || {}
+        pdm[name].optional = true
+        pkg.peerDependenciesMeta = pdm
+      }
+      // peerDeps are often also a devDep, so that they can be tested when
+      // using package managers that don't auto-install peer deps
+      if (pkg.devDependencies && pkg.devDependencies[name] !== undefined) {
+        pkg.devDependencies[name] = pkg.peerDependencies[name]
+      }
+    }
+
+    if (saveBundle && saveType !== 'peer' && saveType !== 'peerOptional') {
+      // keep it sorted, keep it unique
+      const bd = new Set(pkg.bundleDependencies || [])
+      bd.add(name)
+      pkg.bundleDependencies = [...bd].sort(localeCompare)
+    }
   }
 
   return pkg
@@ -21,71 +80,6 @@ const saveTypeMap = new Map([
   ['peer', 'peerDependencies'],
 ])
 
-const addSingle = ({ pkg, spec, saveBundle, saveType }) => {
-  const { name, rawSpec } = spec
-
-  // if the user does not give us a type, we infer which type(s)
-  // to keep based on the same order of priority we do when
-  // building the tree as defined in the _loadDeps method of
-  // the node class.
-  if (!saveType) {
-    saveType = inferSaveType(pkg, spec.name)
-  }
-
-  if (saveType === 'prod') {
-    // a production dependency can only exist as production (rpj ensures it
-    // doesn't coexist w/ optional)
-    deleteSubKey(pkg, 'devDependencies', name, 'dependencies')
-    deleteSubKey(pkg, 'peerDependencies', name, 'dependencies')
-  } else if (saveType === 'dev') {
-    // a dev dependency may co-exist as peer, or optional, but not production
-    deleteSubKey(pkg, 'dependencies', name, 'devDependencies')
-  } else if (saveType === 'optional') {
-    // an optional dependency may co-exist as dev (rpj ensures it doesn't
-    // coexist w/ prod)
-    deleteSubKey(pkg, 'peerDependencies', name, 'optionalDependencies')
-  } else { // peer or peerOptional is all that's left
-    // a peer dependency may coexist as dev
-    deleteSubKey(pkg, 'dependencies', name, 'peerDependencies')
-    deleteSubKey(pkg, 'optionalDependencies', name, 'peerDependencies')
-  }
-
-  const depType = saveTypeMap.get(saveType)
-
-  pkg[depType] = pkg[depType] || {}
-  if (rawSpec !== '' || pkg[depType][name] === undefined) {
-    pkg[depType][name] = rawSpec || '*'
-  }
-  if (saveType === 'optional') {
-    // Affordance for previous npm versions that require this behaviour
-    pkg.dependencies = pkg.dependencies || {}
-    pkg.dependencies[name] = pkg.optionalDependencies[name]
-  }
-
-  if (saveType === 'peer' || saveType === 'peerOptional') {
-    const pdm = pkg.peerDependenciesMeta || {}
-    if (saveType === 'peer' && pdm[name] && pdm[name].optional) {
-      pdm[name].optional = false
-    } else if (saveType === 'peerOptional') {
-      pdm[name] = pdm[name] || {}
-      pdm[name].optional = true
-      pkg.peerDependenciesMeta = pdm
-    }
-    // peerDeps are often also a devDep, so that they can be tested when
-    // using package managers that don't auto-install peer deps
-    if (pkg.devDependencies && pkg.devDependencies[name] !== undefined) {
-      pkg.devDependencies[name] = pkg.peerDependencies[name]
-    }
-  }
-
-  if (saveBundle && saveType !== 'peer' && saveType !== 'peerOptional') {
-    // keep it sorted, keep it unique
-    const bd = new Set(pkg.bundleDependencies || [])
-    bd.add(spec.name)
-    pkg.bundleDependencies = [...bd].sort(localeCompare)
-  }
-}
-
 // Finds where the package is already in the spec and infers saveType from that
 const inferSaveType = (pkg, name) => {
   for (const saveType of saveTypeMap.keys()) {
@@ -103,9 +97,8 @@ const inferSaveType = (pkg, name) => {
   return 'prod'
 }
 
-const { hasOwnProperty } = Object.prototype
 const hasSubKey = (pkg, depType, name) => {
-  return pkg[depType] && hasOwnProperty.call(pkg[depType], name)
+  return pkg[depType] && Object.prototype.hasOwnProperty.call(pkg[depType], name)
 }
 
 // Removes a subkey and warns about it if it's being replaced

package/lib/arborist/build-ideal-tree.js

@@ -81,18 +81,11 @@ const _linkNodes = Symbol('linkNodes')
 const _follow = Symbol('follow')
 const _globalStyle = Symbol('globalStyle')
 const _globalRootNode = Symbol('globalRootNode')
-const _isVulnerable = Symbol.for('isVulnerable')
 const _usePackageLock = Symbol.for('usePackageLock')
 const _rpcache = Symbol.for('realpathCache')
 const _stcache = Symbol.for('statCache')
-const _updateFilePath = Symbol('updateFilePath')
-const _followSymlinkPath = Symbol('followSymlinkPath')
-const _getRelpathSpec = Symbol('getRelpathSpec')
-const _retrieveSpecName = Symbol('retrieveSpecName')
 const _strictPeerDeps = Symbol('strictPeerDeps')
 const _checkEngineAndPlatform = Symbol('checkEngineAndPlatform')
-const _checkEngine = Symbol('checkEngine')
-const _checkPlatform = Symbol('checkPlatform')
 const _virtualRoots = Symbol('virtualRoots')
 const _virtualRoot = Symbol('virtualRoot')
 const _includeWorkspaceRoot = Symbol.for('includeWorkspaceRoot')
@@ -228,34 +221,22 @@ module.exports = cls => class IdealTreeBuilder extends cls {
   }
 
   async [_checkEngineAndPlatform] () {
+    const { engineStrict, npmVersion, nodeVersion } = this.options
     for (const node of this.idealTree.inventory.values()) {
       if (!node.optional) {
-        this[_checkEngine](node)
-        this[_checkPlatform](node)
-      }
-    }
-  }
-
-  [_checkPlatform] (node) {
-    checkPlatform(node.package, this[_force])
-  }
-
-  [_checkEngine] (node) {
-    const { engineStrict, npmVersion, nodeVersion } = this.options
-    const c = () =>
-      checkEngine(node.package, npmVersion, nodeVersion, this[_force])
-
-    if (engineStrict) {
-      c()
-    } else {
-      try {
-        c()
-      } catch (er) {
-        log.warn(er.code, er.message, {
-          package: er.pkgid,
-          required: er.required,
-          current: er.current,
-        })
+        try {
+          checkEngine(node.package, npmVersion, nodeVersion, this[_force])
+        } catch (err) {
+          if (engineStrict) {
+            throw err
+          }
+          log.warn(err.code, err.message, {
+            package: err.pkgid,
+            required: err.required,
+            current: err.current,
+          })
+        }
+        checkPlatform(node.package, this[_force])
       }
     }
   }
@@ -378,6 +359,7 @@ Try using the package name instead, e.g:
         this.idealTree = tree
         this.virtualTree = null
         process.emit('timeEnd', 'idealTree:init')
+        return tree
       })
   }
 
@@ -529,84 +511,59 @@ Try using the package name instead, e.g:
     this[_depsQueue].push(tree)
   }
 
-  // This returns a promise because we might not have the name yet,
-  // and need to call pacote.manifest to find the name.
-  [_add] (tree, { add, saveType = null, saveBundle = false }) {
-    // get the name for each of the specs in the list.
-    // ie, doing `foo@bar` we just return foo
-    // but if it's a url or git, we don't know the name until we
-    // fetch it and look in its manifest.
-    return Promise.all(add.map(async rawSpec => {
-      // We do NOT provide the path to npa here, because user-additions
-      // need to be resolved relative to the CWD the user is in.
-      const spec = await this[_retrieveSpecName](npa(rawSpec))
-        .then(spec => this[_updateFilePath](spec))
-        .then(spec => this[_followSymlinkPath](spec))
-      spec.tree = tree
-      return spec
-    })).then(add => {
-      this[_resolvedAdd].push(...add)
-      // now add is a list of spec objects with names.
-      // find a home for each of them!
-      addRmPkgDeps.add({
-        pkg: tree.package,
-        add,
-        saveBundle,
-        saveType,
-        path: this.path,
-      })
-    })
-  }
-
-  async [_retrieveSpecName] (spec) {
-    // if it's just @'' then we reload whatever's there, or get latest
-    // if it's an explicit tag, we need to install that specific tag version
-    const isTag = spec.rawSpec && spec.type === 'tag'
-
-    if (spec.name && !isTag) {
-      return spec
-    }
-
-    const mani = await pacote.manifest(spec, { ...this.options })
-    // if it's a tag type, then we need to run it down to an actual version
-    if (isTag) {
-      return npa(`${mani.name}@${mani.version}`)
-    }
-
-    spec.name = mani.name
-    return spec
-  }
-
-  async [_updateFilePath] (spec) {
-    if (spec.type === 'file') {
-      return this[_getRelpathSpec](spec, spec.fetchSpec)
-    }
-
-    return spec
-  }
-
-  async [_followSymlinkPath] (spec) {
-    if (spec.type === 'directory') {
-      const real = await (
-        realpath(spec.fetchSpec, this[_rpcache], this[_stcache])
-          // TODO: create synthetic test case to simulate realpath failure
-          .catch(/* istanbul ignore next */() => null)
-      )
+  // This returns a promise because we might not have the name yet, and need to
+  // call pacote.manifest to find the name.
+  async [_add] (tree, { add, saveType = null, saveBundle = false }) {
+    // If we have a link it will need to be added relative to the target's path
+    const path = tree.target.path
 
-      return this[_getRelpathSpec](spec, real)
-    }
-    return spec
-  }
+    // get the name for each of the specs in the list.
+    // ie, doing `foo@bar` we just return foo but if it's a url or git, we
+    // don't know the name until we fetch it and look in its manifest.
+    await Promise.all(add.map(async rawSpec => {
+      // We do NOT provide the path to npa here, because user-additions need to
+      // be resolved relative to the tree being added to.
+      let spec = npa(rawSpec)
+
+      // if it's just @'' then we reload whatever's there, or get latest
+      // if it's an explicit tag, we need to install that specific tag version
+      const isTag = spec.rawSpec && spec.type === 'tag'
+
+      // look up the names of file/directory/git specs
+      if (!spec.name || isTag) {
+        const mani = await pacote.manifest(spec, { ...this.options })
+        if (isTag) {
+          // translate tag to a version
+          spec = npa(`${mani.name}@${mani.version}`)
+        }
+        spec.name = mani.name
+      }
 
-  [_getRelpathSpec] (spec, filepath) {
-    /* istanbul ignore else - should also be covered by realpath failure */
-    if (filepath) {
       const { name } = spec
-      const tree = this.idealTree.target
-      spec = npa(`file:${relpath(tree.path, filepath).replace(/#/g, '%23')}`, tree.path)
-      spec.name = name
-    }
-    return spec
+      if (spec.type === 'file') {
+        spec = npa(`file:${relpath(path, spec.fetchSpec).replace(/#/g, '%23')}`, path)
+        spec.name = name
+      } else if (spec.type === 'directory') {
+        try {
+          const real = await realpath(spec.fetchSpec, this[_rpcache], this[_stcache])
+          spec = npa(`file:${relpath(path, real).replace(/#/g, '%23')}`, path)
+          spec.name = name
+        } catch {
+          // TODO: create synthetic test case to simulate realpath failure
+        }
+      }
+      spec.tree = tree
+      this[_resolvedAdd].push(spec)
+    }))
+
+    // now this._resolvedAdd is a list of spec objects with names.
+    // find a home for each of them!
+    addRmPkgDeps.add({
+      pkg: tree.package,
+      add: this[_resolvedAdd],
+      saveBundle,
+      saveType,
+    })
   }
 
   // TODO: provide a way to fix bundled deps by exposing metadata about
@@ -686,10 +643,6 @@ Try using the package name instead, e.g:
     }
   }
 
-  [_isVulnerable] (node) {
-    return this.auditReport && this.auditReport.isVulnerable(node)
-  }
-
   [_avoidRange] (name) {
     if (!this.auditReport) {
       return null
@@ -781,17 +734,18 @@ This is a one-time fix-up, please be patient...
         const spec = npa.resolve(name, id, dirname(path))
         const t = `idealTree:inflate:${location}`
         this.addTracker(t)
-        await pacote.manifest(spec, {
-          ...this.options,
-          resolved: resolved,
-          integrity: integrity,
-          fullMetadata: false,
-        }).then(mani => {
+        try {
+          const mani = await pacote.manifest(spec, {
+            ...this.options,
+            resolved: resolved,
+            integrity: integrity,
+            fullMetadata: false,
+          })
           node.package = { ...mani, _id: `${mani.name}@${mani.version}` }
-        }).catch((er) => {
+        } catch (er) {
           const warning = `Could not fetch metadata for ${name}@${id}`
           log.warn(heading, warning, er)
-        })
+        }
         this.finishTracker(t)
       })
     }
@@ -1233,7 +1187,7 @@ This is a one-time fix-up, please be patient...
         }
 
         // fixing a security vulnerability with this package, problem
-        if (this[_isVulnerable](edge.to)) {
+        if (this.auditReport && this.auditReport.isVulnerable(edge.to)) {
           return true
         }
 

package/lib/arborist/index.js

@@ -134,7 +134,7 @@ class Arborist extends Base {
     return wsDepSet
   }
 
-  // returns a set of root dependencies, excluding depdencies that are
+  // returns a set of root dependencies, excluding dependencies that are
   // exclusively workspace dependencies
   excludeWorkspacesDependencySet (tree) {
     const rootDepSet = new Set()

package/lib/arborist/load-actual.js

@@ -115,6 +115,7 @@ module.exports = cls => class ActualLoader extends cls {
       root = null,
       transplantFilter = () => true,
       ignoreMissing = false,
+      forceActual = false,
     } = options
     this[_filter] = filter
     this[_transplantFilter] = transplantFilter
@@ -141,26 +142,30 @@ module.exports = cls => class ActualLoader extends cls {
 
     this[_actualTree].assertRootOverrides()
 
-    // Note: hidden lockfile will be rejected if it's not the latest thing
-    // in the folder, or if any of the entries in the hidden lockfile are
-    // missing.
-    const meta = await Shrinkwrap.load({
-      path: this[_actualTree].path,
-      hiddenLockfile: true,
-      resolveOptions: this.options,
-    })
-    if (meta.loadedFromDisk) {
-      this[_actualTree].meta = meta
-      return this[_loadActualVirtually]({ root })
-    } else {
+    // if forceActual is set, don't even try the hidden lockfile
+    if (!forceActual) {
+      // Note: hidden lockfile will be rejected if it's not the latest thing
+      // in the folder, or if any of the entries in the hidden lockfile are
+      // missing.
       const meta = await Shrinkwrap.load({
         path: this[_actualTree].path,
-        lockfileVersion: this.options.lockfileVersion,
+        hiddenLockfile: true,
         resolveOptions: this.options,
       })
-      this[_actualTree].meta = meta
-      return this[_loadActualActually]({ root, ignoreMissing })
+
+      if (meta.loadedFromDisk) {
+        this[_actualTree].meta = meta
+        return this[_loadActualVirtually]({ root })
+      }
     }
+
+    const meta = await Shrinkwrap.load({
+      path: this[_actualTree].path,
+      lockfileVersion: this.options.lockfileVersion,
+      resolveOptions: this.options,
+    })
+    this[_actualTree].meta = meta
+    return this[_loadActualActually]({ root, ignoreMissing })
   }
 
   async [_loadActualVirtually] ({ root }) {
@@ -342,6 +347,7 @@ module.exports = cls => class ActualLoader extends cls {
       // node_modules hierarchy, then load that node as well.
       return this[_loadFSTree](link.target).then(() => link)
     } else if (target.then) {
+      // eslint-disable-next-line promise/catch-or-return
       target.then(node => link.target = node)
     }
 

package/lib/arborist/rebuild.js

@@ -359,6 +359,9 @@ module.exports = cls => class Builder extends cls {
           pkg,
           path,
           event,
+          // I do not know why this needs to be on THIS line but refactoring
+          // this function would be quite a process
+          // eslint-disable-next-line promise/always-return
           cmd: args && args[args.length - 1],
           env,
           code,

package/lib/arborist/reify.js

@@ -69,7 +69,6 @@ const _symlink = Symbol('symlink')
 const _warnDeprecated = Symbol('warnDeprecated')
 const _loadBundlesAndUpdateTrees = Symbol.for('loadBundlesAndUpdateTrees')
 const _submitQuickAudit = Symbol('submitQuickAudit')
-const _awaitQuickAudit = Symbol('awaitQuickAudit')
 const _unpackNewModules = Symbol.for('unpackNewModules')
 const _moveContents = Symbol.for('moveContents')
 const _moveBackRetiredUnchanged = Symbol.for('moveBackRetiredUnchanged')
@@ -156,7 +155,8 @@ module.exports = cls => class Reifier extends cls {
     await this[_reifyPackages]()
     await this[_saveIdealTree](options)
     await this[_copyIdealToActual]()
-    await this[_awaitQuickAudit]()
+    // This is a very bad pattern and I can't wait to stop doing it
+    this.auditReport = await this.auditReport
 
     this.finishTracker('reify')
     process.emit('timeEnd', 'reify')
@@ -531,12 +531,12 @@ module.exports = cls => class Reifier extends cls {
     const targets = [...roots, ...Object.keys(this[_retiredPaths])]
     const unlinks = targets
       .map(path => rimraf(path).catch(er => failures.push([path, er])))
-    return promiseAllRejectLate(unlinks)
-      .then(() => {
-        if (failures.length) {
-          log.warn('cleanup', 'Failed to remove some directories', failures)
-        }
-      })
+    return promiseAllRejectLate(unlinks).then(() => {
+      // eslint-disable-next-line promise/always-return
+      if (failures.length) {
+        log.warn('cleanup', 'Failed to remove some directories', failures)
+      }
+    })
       .then(() => process.emit('timeEnd', 'reify:rollback:createSparse'))
       .then(() => this[_rollbackRetireShallowNodes](er))
   }
@@ -592,21 +592,21 @@ module.exports = cls => class Reifier extends cls {
     this.addTracker('reify', node.name, node.location)
 
     const { npmVersion, nodeVersion } = this.options
-    const p = Promise.resolve()
-      .then(async () => {
-        // when we reify an optional node, check the engine and platform
-        // first. be sure to ignore the --force and --engine-strict flags,
-        // since we always want to skip any optional packages we can't install.
-        // these checks throwing will result in a rollback and removal
-        // of the mismatches
-        if (node.optional) {
-          checkEngine(node.package, npmVersion, nodeVersion, false)
-          checkPlatform(node.package, false)
-        }
-        await this[_checkBins](node)
-        await this[_extractOrLink](node)
-        await this[_warnDeprecated](node)
-      })
+    const p = Promise.resolve().then(async () => {
+      // when we reify an optional node, check the engine and platform
+      // first. be sure to ignore the --force and --engine-strict flags,
+      // since we always want to skip any optional packages we can't install.
+      // these checks throwing will result in a rollback and removal
+      // of the mismatches
+      // eslint-disable-next-line promise/always-return
+      if (node.optional) {
+        checkEngine(node.package, npmVersion, nodeVersion, false)
+        checkPlatform(node.package, false)
+      }
+      await this[_checkBins](node)
+      await this[_extractOrLink](node)
+      await this[_warnDeprecated](node)
+    })
 
     return this[_handleOptionalFailure](node, p)
       .then(() => {
@@ -916,9 +916,10 @@ module.exports = cls => class Reifier extends cls {
     }
   }
 
-  [_submitQuickAudit] () {
+  async [_submitQuickAudit] () {
     if (this.options.audit === false) {
-      return this.auditReport = null
+      this.auditReport = null
+      return
     }
 
     // we submit the quick audit at this point in the process, as soon as
@@ -940,16 +941,10 @@ module.exports = cls => class Reifier extends cls {
       )
     }
 
-    this.auditReport = AuditReport.load(tree, options)
-      .then(res => {
-        process.emit('timeEnd', 'reify:audit')
-        this.auditReport = res
-      })
-  }
-
-  // return the promise if we're waiting for it, or the replaced result
-  [_awaitQuickAudit] () {
-    return this.auditReport
+    this.auditReport = AuditReport.load(tree, options).then(res => {
+      process.emit('timeEnd', 'reify:audit')
+      return res
+    })
   }
 
   // ok!  actually unpack stuff into their target locations!
@@ -1126,7 +1121,7 @@ module.exports = cls => class Reifier extends cls {
   // remove the retired folders, and any deleted nodes
   // If this fails, there isn't much we can do but tell the user about it.
   // Thankfully, it's pretty unlikely that it'll fail, since rimraf is a tank.
-  [_removeTrash] () {
+  async [_removeTrash] () {
     process.emit('time', 'reify:trash')
     const promises = []
     const failures = []
@@ -1136,12 +1131,11 @@ module.exports = cls => class Reifier extends cls {
       promises.push(rm(path))
     }
 
-    return promiseAllRejectLate(promises).then(() => {
-      if (failures.length) {
-        log.warn('cleanup', 'Failed to remove some directories', failures)
-      }
-    })
-      .then(() => process.emit('timeEnd', 'reify:trash'))
+    await promiseAllRejectLate(promises)
+    if (failures.length) {
+      log.warn('cleanup', 'Failed to remove some directories', failures)
+    }
+    process.emit('timeEnd', 'reify:trash')
   }
 
   // last but not least, we save the ideal tree metadata to the package-lock
@@ -1302,7 +1296,9 @@ module.exports = cls => class Reifier extends cls {
           if (semver.subset(edge.spec, node.version)) {
             return false
           }
-        } catch {}
+        } catch {
+          // ignore errors
+        }
       }
       return true
     }

package/lib/audit-report.js

@@ -175,7 +175,9 @@ class AuditReport extends Map {
             } else {
             // calculate a metavuln, if necessary
               const calc = this.calculator.calculate(dep.packageName, advisory)
+              // eslint-disable-next-line promise/always-return
               p.push(calc.then(meta => {
+                // eslint-disable-next-line promise/always-return
                 if (meta.testVersion(dep.version, spec)) {
                   advisories.add(meta)
                 }

package/lib/link.js

@@ -66,6 +66,7 @@ class Link extends Node {
       // can set to a promise during an async tree build operation
       // wait until then to assign it.
       this[_target] = target
+      // eslint-disable-next-line promise/always-return, promise/catch-or-return
       target.then(node => {
         this[_target] = null
         this.target = node

package/lib/node.js

@@ -334,6 +334,10 @@ class Node {
     return `${myname}@${alias}${version}`
   }
 
+  get overridden () {
+    return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
+  }
+
   get package () {
     return this[_package]
   }
@@ -560,7 +564,8 @@ class Node {
     // this allows us to do new Node({...}) and then set the root later.
     // just make the assignment so we don't lose it, and move on.
     if (!this.path || !root.realpath || !root.path) {
-      return this[_root] = root
+      this[_root] = root
+      return
     }
 
     // temporarily become a root node

package/lib/query-selector-all.js

@@ -262,6 +262,10 @@ class Results {
       !internalSelector.has(node))
   }
 
+  overriddenPseudo () {
+    return this.initialItems.filter(node => node.overridden)
+  }
+
   pathPseudo () {
     return this.initialItems.filter(node => {
       if (!this.currentAstNode.pathValue) {

package/lib/shrinkwrap.js

@@ -184,34 +184,32 @@ const assertNoNewer = async (path, data, lockTime, dir = path, seen = null) => {
     ? Promise.resolve([{ name: 'node_modules', isDirectory: () => true }])
     : readdir(parent, { withFileTypes: true })
 
-  return children.catch(() => [])
-    .then(ents => Promise.all(ents.map(async ent => {
-      const child = resolve(parent, ent.name)
-      if (ent.isDirectory() && !/^\./.test(ent.name)) {
-        await assertNoNewer(path, data, lockTime, child, seen)
-      } else if (ent.isSymbolicLink()) {
-        const target = resolve(parent, await readlink(child))
-        const tstat = await stat(target).catch(
-          /* istanbul ignore next - windows */ () => null)
-        seen.add(relpath(path, child))
-        /* istanbul ignore next - windows cannot do this */
-        if (tstat && tstat.isDirectory() && !seen.has(relpath(path, target))) {
-          await assertNoNewer(path, data, lockTime, target, seen)
-        }
-      }
-    })))
-    .then(() => {
-      if (dir !== path) {
-        return
+  const ents = await children.catch(() => [])
+  await Promise.all(ents.map(async ent => {
+    const child = resolve(parent, ent.name)
+    if (ent.isDirectory() && !/^\./.test(ent.name)) {
+      await assertNoNewer(path, data, lockTime, child, seen)
+    } else if (ent.isSymbolicLink()) {
+      const target = resolve(parent, await readlink(child))
+      const tstat = await stat(target).catch(
+        /* istanbul ignore next - windows */ () => null)
+      seen.add(relpath(path, child))
+      /* istanbul ignore next - windows cannot do this */
+      if (tstat && tstat.isDirectory() && !seen.has(relpath(path, target))) {
+        await assertNoNewer(path, data, lockTime, target, seen)
       }
+    }
+  }))
+  if (dir !== path) {
+    return
+  }
 
-      // assert that all the entries in the lockfile were seen
-      for (const loc of new Set(Object.keys(data.packages))) {
-        if (!seen.has(loc)) {
-          throw 'missing from node_modules: ' + loc
-        }
-      }
-    })
+  // assert that all the entries in the lockfile were seen
+  for (const loc of new Set(Object.keys(data.packages))) {
+    if (!seen.has(loc)) {
+      throw 'missing from node_modules: ' + loc
+    }
+  }
 }
 
 const _awaitingUpdate = Symbol('_awaitingUpdate')
@@ -261,7 +259,9 @@ class Shrinkwrap {
           s.lockfileVersion = json.lockfileVersion
         }
       }
-    } catch (e) {}
+    } catch {
+      // ignore errors
+    }
 
     return s
   }
@@ -442,7 +442,7 @@ class Shrinkwrap {
     this.newline = newline !== undefined ? newline : this.newline
   }
 
-  load () {
+  async load () {
     // we don't need to load package-lock.json except for top of tree nodes,
     // only npm-shrinkwrap.json.
     return this[_maybeRead]().then(([sw, lock, yarn]) => {
@@ -464,7 +464,9 @@ class Shrinkwrap {
         // ignore invalid yarn data.  we'll likely clobber it later anyway.
         try {
           this.yarnLock.parse(yarn)
-        } catch (_) {}
+        } catch {
+          // ignore errors
+        }
       }
 
       return data ? parseJSON(data) : {}
@@ -515,8 +517,10 @@ class Shrinkwrap {
         !(lock.lockfileVersion >= 2) && !lock.requires
 
       // load old lockfile deps into the packages listing
+      // eslint-disable-next-line promise/always-return
       if (lock.dependencies && !lock.packages) {
         return rpj(this.path + '/package.json').then(pkg => pkg, er => ({}))
+        // eslint-disable-next-line promise/always-return
           .then(pkg => {
             this[_loadAll]('', null, this.data)
             this[_fixDependencies](pkg)

package/lib/signal-handling.js

@@ -19,7 +19,9 @@ const setup = fn => {
     for (const sig of signals) {
       try {
         process.removeListener(sig, sigListeners[sig])
-      } catch (er) {}
+      } catch {
+        // ignore errors
+      }
     }
     process.removeListener('beforeExit', onBeforeExit)
     sigListeners.loaded = false
@@ -62,7 +64,9 @@ const setup = fn => {
         process.setMaxListeners(length + 1)
       }
       process.on(sig, sigListeners[sig])
-    } catch (er) {}
+    } catch {
+      // ignore errors
+    }
   }
   sigListeners.loaded = true
 

package/lib/spec-from-lock.js

@@ -21,10 +21,12 @@ const specFromLock = (name, lock, where) => {
     if (lock.resolved) {
       return npa.resolve(name, lock.resolved, where)
     }
-  } catch (_) { }
+  } catch {
+    // ignore errors
+  }
   try {
     return npa.resolve(name, lock.version, where)
-  } catch (_) {
+  } catch {
     return {}
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "5.4.0",
+  "version": "5.6.1",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
@@ -11,20 +11,20 @@
     "@npmcli/name-from-folder": "^1.0.1",
     "@npmcli/node-gyp": "^2.0.0",
     "@npmcli/package-json": "^2.0.0",
-    "@npmcli/query": "^1.1.1",
+    "@npmcli/query": "^1.2.0",
     "@npmcli/run-script": "^4.1.3",
-    "bin-links": "^3.0.0",
-    "cacache": "^16.0.6",
+    "bin-links": "^3.0.3",
+    "cacache": "^16.1.3",
     "common-ancestor-path": "^1.0.1",
     "json-parse-even-better-errors": "^2.3.1",
     "json-stringify-nice": "^1.1.4",
     "minimatch": "^5.1.0",
     "mkdirp": "^1.0.4",
     "mkdirp-infer-owner": "^2.0.0",
-    "nopt": "^5.0.0",
+    "nopt": "^6.0.0",
     "npm-install-checks": "^5.0.0",
     "npm-package-arg": "^9.0.0",
-    "npm-pick-manifest": "^7.0.0",
+    "npm-pick-manifest": "^7.0.2",
     "npm-registry-fetch": "^13.0.0",
     "npmlog": "^6.0.2",
     "pacote": "^13.6.1",
@@ -41,8 +41,8 @@
     "walk-up-path": "^1.0.0"
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "3.5.0",
+    "@npmcli/eslint-config": "^3.1.0",
+    "@npmcli/template-oss": "3.8.0",
     "benchmark": "^2.1.4",
     "chalk": "^4.1.0",
     "minify-registry-metadata": "^2.1.0",
@@ -103,6 +103,6 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "3.5.0"
+    "version": "3.8.0"
   }
 }