@npmcli/arborist 5.5.0 → 6.0.0-pre.0

package/lib/arborist/reify.js

@@ -69,7 +69,6 @@ const _symlink = Symbol('symlink')
 const _warnDeprecated = Symbol('warnDeprecated')
 const _loadBundlesAndUpdateTrees = Symbol.for('loadBundlesAndUpdateTrees')
 const _submitQuickAudit = Symbol('submitQuickAudit')
-const _awaitQuickAudit = Symbol('awaitQuickAudit')
 const _unpackNewModules = Symbol.for('unpackNewModules')
 const _moveContents = Symbol.for('moveContents')
 const _moveBackRetiredUnchanged = Symbol.for('moveBackRetiredUnchanged')
@@ -156,7 +155,8 @@ module.exports = cls => class Reifier extends cls {
     await this[_reifyPackages]()
     await this[_saveIdealTree](options)
     await this[_copyIdealToActual]()
-    await this[_awaitQuickAudit]()
+    // This is a very bad pattern and I can't wait to stop doing it
+    this.auditReport = await this.auditReport
 
     this.finishTracker('reify')
     process.emit('timeEnd', 'reify')
@@ -531,12 +531,12 @@ module.exports = cls => class Reifier extends cls {
     const targets = [...roots, ...Object.keys(this[_retiredPaths])]
     const unlinks = targets
       .map(path => rimraf(path).catch(er => failures.push([path, er])))
-    return promiseAllRejectLate(unlinks)
-      .then(() => {
-        if (failures.length) {
-          log.warn('cleanup', 'Failed to remove some directories', failures)
-        }
-      })
+    return promiseAllRejectLate(unlinks).then(() => {
+      // eslint-disable-next-line promise/always-return
+      if (failures.length) {
+        log.warn('cleanup', 'Failed to remove some directories', failures)
+      }
+    })
       .then(() => process.emit('timeEnd', 'reify:rollback:createSparse'))
       .then(() => this[_rollbackRetireShallowNodes](er))
   }
@@ -592,21 +592,21 @@ module.exports = cls => class Reifier extends cls {
     this.addTracker('reify', node.name, node.location)
 
     const { npmVersion, nodeVersion } = this.options
-    const p = Promise.resolve()
-      .then(async () => {
-        // when we reify an optional node, check the engine and platform
-        // first. be sure to ignore the --force and --engine-strict flags,
-        // since we always want to skip any optional packages we can't install.
-        // these checks throwing will result in a rollback and removal
-        // of the mismatches
-        if (node.optional) {
-          checkEngine(node.package, npmVersion, nodeVersion, false)
-          checkPlatform(node.package, false)
-        }
-        await this[_checkBins](node)
-        await this[_extractOrLink](node)
-        await this[_warnDeprecated](node)
-      })
+    const p = Promise.resolve().then(async () => {
+      // when we reify an optional node, check the engine and platform
+      // first. be sure to ignore the --force and --engine-strict flags,
+      // since we always want to skip any optional packages we can't install.
+      // these checks throwing will result in a rollback and removal
+      // of the mismatches
+      // eslint-disable-next-line promise/always-return
+      if (node.optional) {
+        checkEngine(node.package, npmVersion, nodeVersion, false)
+        checkPlatform(node.package, false)
+      }
+      await this[_checkBins](node)
+      await this[_extractOrLink](node)
+      await this[_warnDeprecated](node)
+    })
 
     return this[_handleOptionalFailure](node, p)
       .then(() => {
@@ -916,9 +916,10 @@ module.exports = cls => class Reifier extends cls {
     }
   }
 
-  [_submitQuickAudit] () {
+  async [_submitQuickAudit] () {
     if (this.options.audit === false) {
-      return this.auditReport = null
+      this.auditReport = null
+      return
     }
 
     // we submit the quick audit at this point in the process, as soon as
@@ -940,16 +941,10 @@ module.exports = cls => class Reifier extends cls {
       )
     }
 
-    this.auditReport = AuditReport.load(tree, options)
-      .then(res => {
-        process.emit('timeEnd', 'reify:audit')
-        this.auditReport = res
-      })
-  }
-
-  // return the promise if we're waiting for it, or the replaced result
-  [_awaitQuickAudit] () {
-    return this.auditReport
+    this.auditReport = AuditReport.load(tree, options).then(res => {
+      process.emit('timeEnd', 'reify:audit')
+      return res
+    })
   }
 
   // ok!  actually unpack stuff into their target locations!
@@ -1126,7 +1121,7 @@ module.exports = cls => class Reifier extends cls {
   // remove the retired folders, and any deleted nodes
   // If this fails, there isn't much we can do but tell the user about it.
   // Thankfully, it's pretty unlikely that it'll fail, since rimraf is a tank.
-  [_removeTrash] () {
+  async [_removeTrash] () {
     process.emit('time', 'reify:trash')
     const promises = []
     const failures = []
@@ -1136,12 +1131,11 @@ module.exports = cls => class Reifier extends cls {
       promises.push(rm(path))
     }
 
-    return promiseAllRejectLate(promises).then(() => {
-      if (failures.length) {
-        log.warn('cleanup', 'Failed to remove some directories', failures)
-      }
-    })
-      .then(() => process.emit('timeEnd', 'reify:trash'))
+    await promiseAllRejectLate(promises)
+    if (failures.length) {
+      log.warn('cleanup', 'Failed to remove some directories', failures)
+    }
+    process.emit('timeEnd', 'reify:trash')
   }
 
   // last but not least, we save the ideal tree metadata to the package-lock
@@ -1302,7 +1296,9 @@ module.exports = cls => class Reifier extends cls {
           if (semver.subset(edge.spec, node.version)) {
             return false
           }
-        } catch {}
+        } catch {
+          // ignore errors
+        }
       }
       return true
     }

package/lib/audit-report.js

@@ -175,7 +175,9 @@ class AuditReport extends Map {
             } else {
             // calculate a metavuln, if necessary
               const calc = this.calculator.calculate(dep.packageName, advisory)
+              // eslint-disable-next-line promise/always-return
               p.push(calc.then(meta => {
+                // eslint-disable-next-line promise/always-return
                 if (meta.testVersion(dep.version, spec)) {
                   advisories.add(meta)
                 }

package/lib/dep-valid.js

@@ -109,8 +109,8 @@ const depValid = (child, requested, requestor) => {
 const linkValid = (child, requested, requestor) => {
   const isLink = !!child.isLink
   // if we're installing links and the node is a link, then it's invalid because we want
-  // a real node to be there
-  if (requestor.installLinks) {
+  // a real node to be there.  Except for workspaces. They are always links.
+  if (requestor.installLinks && !child.isWorkspace) {
     return !isLink
   }
 

package/lib/link.js

@@ -1,4 +1,3 @@
-const debug = require('./debug.js')
 const relpath = require('./relpath.js')
 const Node = require('./node.js')
 const _loadDeps = Symbol.for('Arborist.Node._loadDeps')
@@ -53,26 +52,6 @@ class Link extends Node {
       return
     }
 
-    if (current && current.then) {
-      debug(() => {
-        throw Object.assign(new Error('cannot set target while awaiting'), {
-          path: this.path,
-          realpath: this.realpath,
-        })
-      })
-    }
-
-    if (target && target.then) {
-      // can set to a promise during an async tree build operation
-      // wait until then to assign it.
-      this[_target] = target
-      target.then(node => {
-        this[_target] = null
-        this.target = node
-      })
-      return
-    }
-
     if (!target) {
       if (current && current.linksIn) {
         current.linksIn.delete(this)

package/lib/node.js

@@ -334,6 +334,10 @@ class Node {
     return `${myname}@${alias}${version}`
   }
 
+  get overridden () {
+    return !!(this.overrides && this.overrides.value && this.overrides.name === this.name)
+  }
+
   get package () {
     return this[_package]
   }
@@ -560,7 +564,8 @@ class Node {
     // this allows us to do new Node({...}) and then set the root later.
     // just make the assignment so we don't lose it, and move on.
     if (!this.path || !root.realpath || !root.path) {
-      return this[_root] = root
+      this[_root] = root
+      return
     }
 
     // temporarily become a root node

package/lib/query-selector-all.js

@@ -3,8 +3,9 @@
 const { resolve } = require('path')
 const { parser, arrayDelimiter } = require('@npmcli/query')
 const localeCompare = require('@isaacs/string-locale-compare')('en')
-const npa = require('npm-package-arg')
+const log = require('proc-log')
 const minimatch = require('minimatch')
+const npa = require('npm-package-arg')
 const semver = require('semver')
 
 // handle results for parsed query asts, results are stored in a map that has a
@@ -262,6 +263,10 @@ class Results {
       !internalSelector.has(node))
   }
 
+  overriddenPseudo () {
+    return this.initialItems.filter(node => node.overridden)
+  }
+
   pathPseudo () {
     return this.initialItems.filter(node => {
       if (!this.currentAstNode.pathValue) {
@@ -287,11 +292,115 @@ class Results {
   }
 
   semverPseudo () {
-    if (!this.currentAstNode.semverValue) {
+    const {
+      attributeMatcher,
+      lookupProperties,
+      semverFunc = 'infer',
+      semverValue,
+    } = this.currentAstNode
+    const { qualifiedAttribute } = attributeMatcher
+
+    if (!semverValue) {
+      // DEPRECATED: remove this warning and throw an error as part of @npmcli/arborist@6
+      log.warn('query', 'usage of :semver() with no parameters is deprecated')
       return this.initialItems
     }
-    return this.initialItems.filter(node =>
-      semver.satisfies(node.version, this.currentAstNode.semverValue))
+
+    if (!semver.valid(semverValue) && !semver.validRange(semverValue)) {
+      throw Object.assign(
+        new Error(`\`${semverValue}\` is not a valid semver version or range`),
+        { code: 'EQUERYINVALIDSEMVER' })
+    }
+
+    const valueIsVersion = !!semver.valid(semverValue)
+
+    const nodeMatches = (node, obj) => {
+      // if we already have an operator, the user provided some test as part of the selector
+      // we evaluate that first because if it fails we don't want this node anyway
+      if (attributeMatcher.operator) {
+        if (!attributeMatch(attributeMatcher, obj)) {
+          // if the initial operator doesn't match, we're done
+          return false
+        }
+      }
+
+      const attrValue = obj[qualifiedAttribute]
+      // both valid and validRange return null for undefined, so this will skip both nodes that
+      // do not have the attribute defined as well as those where the attribute value is invalid
+      // and those where the value from the package.json is not a string
+      if ((!semver.valid(attrValue) && !semver.validRange(attrValue)) ||
+          typeof attrValue !== 'string') {
+        return false
+      }
+
+      const attrIsVersion = !!semver.valid(attrValue)
+
+      let actualFunc = semverFunc
+
+      // if we're asked to infer, we examine outputs to make a best guess
+      if (actualFunc === 'infer') {
+        if (valueIsVersion && attrIsVersion) {
+          // two versions -> semver.eq
+          actualFunc = 'eq'
+        } else if (!valueIsVersion && !attrIsVersion) {
+          // two ranges -> semver.intersects
+          actualFunc = 'intersects'
+        } else {
+          // anything else -> semver.satisfies
+          actualFunc = 'satisfies'
+        }
+      }
+
+      if (['eq', 'neq', 'gt', 'gte', 'lt', 'lte'].includes(actualFunc)) {
+        // both sides must be versions, but one is not
+        if (!valueIsVersion || !attrIsVersion) {
+          return false
+        }
+
+        return semver[actualFunc](attrValue, semverValue)
+      } else if (['gtr', 'ltr', 'satisfies'].includes(actualFunc)) {
+        // at least one side must be a version, but neither is
+        if (!valueIsVersion && !attrIsVersion) {
+          return false
+        }
+
+        return valueIsVersion
+          ? semver[actualFunc](semverValue, attrValue)
+          : semver[actualFunc](attrValue, semverValue)
+      } else if (['intersects', 'subset'].includes(actualFunc)) {
+        // these accept two ranges and since a version is also a range, anything goes
+        return semver[actualFunc](attrValue, semverValue)
+      } else {
+        // user provided a function we don't know about, throw an error
+        throw Object.assign(new Error(`\`semver.${actualFunc}\` is not a supported operator.`),
+          { code: 'EQUERYINVALIDOPERATOR' })
+      }
+    }
+
+    return this.initialItems.filter((node) => {
+      // no lookupProperties just means its a top level property, see if it matches
+      if (!lookupProperties.length) {
+        return nodeMatches(node, node.package)
+      }
+
+      // this code is mostly duplicated from attrPseudo to traverse into the package until we get
+      // to our deepest requested object
+      let objs = [node.package]
+      for (const prop of lookupProperties) {
+        if (prop === arrayDelimiter) {
+          objs = objs.flat()
+          continue
+        }
+
+        objs = objs.flatMap(obj => obj[prop] || [])
+        const noAttr = objs.every(obj => !obj)
+        if (noAttr) {
+          return false
+        }
+
+        return objs.some(obj => nodeMatches(node, obj))
+      }
+    })
   }
 
   typePseudo () {
@@ -354,6 +463,7 @@ const attributeOperator = ({ attr, value, insensitive, operator }) => {
   if (insensitive) {
     attr = attr.toLowerCase()
   }
+
   return attributeOperators[operator]({
     attr,
     insensitive,

package/lib/shrinkwrap.js

@@ -184,34 +184,32 @@ const assertNoNewer = async (path, data, lockTime, dir = path, seen = null) => {
     ? Promise.resolve([{ name: 'node_modules', isDirectory: () => true }])
     : readdir(parent, { withFileTypes: true })
 
-  return children.catch(() => [])
-    .then(ents => Promise.all(ents.map(async ent => {
-      const child = resolve(parent, ent.name)
-      if (ent.isDirectory() && !/^\./.test(ent.name)) {
-        await assertNoNewer(path, data, lockTime, child, seen)
-      } else if (ent.isSymbolicLink()) {
-        const target = resolve(parent, await readlink(child))
-        const tstat = await stat(target).catch(
-          /* istanbul ignore next - windows */ () => null)
-        seen.add(relpath(path, child))
-        /* istanbul ignore next - windows cannot do this */
-        if (tstat && tstat.isDirectory() && !seen.has(relpath(path, target))) {
-          await assertNoNewer(path, data, lockTime, target, seen)
-        }
-      }
-    })))
-    .then(() => {
-      if (dir !== path) {
-        return
+  const ents = await children.catch(() => [])
+  await Promise.all(ents.map(async ent => {
+    const child = resolve(parent, ent.name)
+    if (ent.isDirectory() && !/^\./.test(ent.name)) {
+      await assertNoNewer(path, data, lockTime, child, seen)
+    } else if (ent.isSymbolicLink()) {
+      const target = resolve(parent, await readlink(child))
+      const tstat = await stat(target).catch(
+        /* istanbul ignore next - windows */ () => null)
+      seen.add(relpath(path, child))
+      /* istanbul ignore next - windows cannot do this */
+      if (tstat && tstat.isDirectory() && !seen.has(relpath(path, target))) {
+        await assertNoNewer(path, data, lockTime, target, seen)
       }
+    }
+  }))
+  if (dir !== path) {
+    return
+  }
 
-      // assert that all the entries in the lockfile were seen
-      for (const loc of new Set(Object.keys(data.packages))) {
-        if (!seen.has(loc)) {
-          throw 'missing from node_modules: ' + loc
-        }
-      }
-    })
+  // assert that all the entries in the lockfile were seen
+  for (const loc of new Set(Object.keys(data.packages))) {
+    if (!seen.has(loc)) {
+      throw 'missing from node_modules: ' + loc
+    }
+  }
 }
 
 const _awaitingUpdate = Symbol('_awaitingUpdate')
@@ -261,7 +259,9 @@ class Shrinkwrap {
           s.lockfileVersion = json.lockfileVersion
         }
       }
-    } catch (e) {}
+    } catch {
+      // ignore errors
+    }
 
     return s
   }
@@ -442,7 +442,7 @@ class Shrinkwrap {
     this.newline = newline !== undefined ? newline : this.newline
   }
 
-  load () {
+  async load () {
     // we don't need to load package-lock.json except for top of tree nodes,
     // only npm-shrinkwrap.json.
     return this[_maybeRead]().then(([sw, lock, yarn]) => {
@@ -464,7 +464,9 @@ class Shrinkwrap {
         // ignore invalid yarn data.  we'll likely clobber it later anyway.
         try {
           this.yarnLock.parse(yarn)
-        } catch (_) {}
+        } catch {
+          // ignore errors
+        }
       }
 
       return data ? parseJSON(data) : {}
@@ -515,8 +517,10 @@ class Shrinkwrap {
         !(lock.lockfileVersion >= 2) && !lock.requires
 
       // load old lockfile deps into the packages listing
+      // eslint-disable-next-line promise/always-return
       if (lock.dependencies && !lock.packages) {
         return rpj(this.path + '/package.json').then(pkg => pkg, er => ({}))
+        // eslint-disable-next-line promise/always-return
           .then(pkg => {
             this[_loadAll]('', null, this.data)
             this[_fixDependencies](pkg)

package/lib/signal-handling.js

@@ -19,7 +19,9 @@ const setup = fn => {
     for (const sig of signals) {
       try {
         process.removeListener(sig, sigListeners[sig])
-      } catch (er) {}
+      } catch {
+        // ignore errors
+      }
     }
     process.removeListener('beforeExit', onBeforeExit)
     sigListeners.loaded = false
@@ -62,7 +64,9 @@ const setup = fn => {
         process.setMaxListeners(length + 1)
       }
       process.on(sig, sigListeners[sig])
-    } catch (er) {}
+    } catch {
+      // ignore errors
+    }
   }
   sigListeners.loaded = true
 

package/lib/spec-from-lock.js

@@ -21,10 +21,12 @@ const specFromLock = (name, lock, where) => {
     if (lock.resolved) {
       return npa.resolve(name, lock.resolved, where)
     }
-  } catch (_) { }
+  } catch {
+    // ignore errors
+  }
   try {
     return npa.resolve(name, lock.version, where)
-  } catch (_) {
+  } catch {
     return {}
   }
 }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "5.5.0",
+  "version": "6.0.0-pre.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
@@ -11,10 +11,10 @@
     "@npmcli/name-from-folder": "^1.0.1",
     "@npmcli/node-gyp": "^2.0.0",
     "@npmcli/package-json": "^2.0.0",
-    "@npmcli/query": "^1.1.1",
+    "@npmcli/query": "^1.2.0",
     "@npmcli/run-script": "^4.1.3",
-    "bin-links": "^3.0.0",
-    "cacache": "^16.0.6",
+    "bin-links": "^3.0.3",
+    "cacache": "^16.1.3",
     "common-ancestor-path": "^1.0.1",
     "json-parse-even-better-errors": "^2.3.1",
     "json-stringify-nice": "^1.1.4",
@@ -24,7 +24,7 @@
     "nopt": "^6.0.0",
     "npm-install-checks": "^5.0.0",
     "npm-package-arg": "^9.0.0",
-    "npm-pick-manifest": "^7.0.0",
+    "npm-pick-manifest": "^7.0.2",
     "npm-registry-fetch": "^13.0.0",
     "npmlog": "^6.0.2",
     "pacote": "^13.6.1",
@@ -41,8 +41,8 @@
     "walk-up-path": "^1.0.0"
   },
   "devDependencies": {
-    "@npmcli/eslint-config": "^3.0.1",
-    "@npmcli/template-oss": "3.5.0",
+    "@npmcli/eslint-config": "^3.1.0",
+    "@npmcli/template-oss": "4.0.0",
     "benchmark": "^2.1.4",
     "chalk": "^4.1.0",
     "minify-registry-metadata": "^2.1.0",
@@ -56,9 +56,6 @@
     "snap": "tap",
     "postsnap": "npm run lintfix",
     "test-proxy": "ARBORIST_TEST_PROXY=1 tap --snapshot",
-    "preversion": "npm test",
-    "postversion": "npm publish",
-    "prepublishOnly": "git push origin --follow-tags",
     "eslint": "eslint",
     "lint": "eslint \"**/*.js\"",
     "lintfix": "npm run lint -- --fix",
@@ -99,10 +96,10 @@
     "timeout": "360"
   },
   "engines": {
-    "node": "^12.13.0 || ^14.15.0 || >=16.0.0"
+    "node": "^14.17.0 || ^16.13.0 || >=18.0.0"
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "3.5.0"
+    "version": "4.0.0"
   }
 }