@npmcli/arborist 6.1.3 → 6.1.5

package/lib/arborist/build-ideal-tree.js

@@ -619,14 +619,16 @@ module.exports = cls => class IdealTreeBuilder extends cls {
             continue
           }
 
-          const { isSemVerMajor, version } = fixAvailable
+          // name may be different if parent fixes the dep
+          // see Vuln fixAvailable setter
+          const { isSemVerMajor, version, name: fixName } = fixAvailable
           const breakingMessage = isSemVerMajor
             ? 'a SemVer major change'
             : 'outside your stated dependency range'
-          log.warn('audit', `Updating ${name} to ${version}, ` +
+          log.warn('audit', `Updating ${fixName} to ${version}, ` +
             `which is ${breakingMessage}.`)
 
-          await this[_add](node, { add: [`${name}@${version}`] })
+          await this[_add](node, { add: [`${fixName}@${version}`] })
           nodesTouched.add(node)
         }
       }

package/lib/arborist/reify.js

@@ -1531,16 +1531,12 @@ module.exports = cls => class Reifier extends cls {
     this.idealTree.meta.filename =
       this.idealTree.realpath + '/node_modules/.package-lock.json'
     this.idealTree.meta.hiddenLockfile = true
-    const resetMeta = this.idealTree.meta && this.idealTree.meta.lockfileVersion !== defaultLockfileVersion
     this.idealTree.meta.lockfileVersion = defaultLockfileVersion
 
     this.actualTree = this.idealTree
     this.idealTree = null
 
     if (!this[_global]) {
-      if (resetMeta) {
-        await this.actualTree.meta.reset()
-      }
       await this.actualTree.meta.save()
       const ignoreScripts = !!this.options.ignoreScripts
       // if we aren't doing a dry run or ignoring scripts and we actually made changes to the dep

package/lib/vuln.js

@@ -65,6 +65,9 @@ class Vuln {
     // - {name, version, isSemVerMajor} fix requires -f, is semver major
     // - {name, version} fix requires -f, not semver major
     // - true: fix does not require -f
+    // TODO: duped entries may require different fixes but the current
+    // structure does not support this, so the case were a top level fix
+    // corrects a duped entry may mean you have to run fix more than once
     for (const v of this.via) {
       // don't blow up on loops
       if (v.fixAvailable === f) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "6.1.3",
+  "version": "6.1.5",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
@@ -14,32 +14,32 @@
     "@npmcli/query": "^3.0.0",
     "@npmcli/run-script": "^6.0.0",
     "bin-links": "^4.0.1",
-    "cacache": "^17.0.2",
+    "cacache": "^17.0.3",
     "common-ancestor-path": "^1.0.1",
     "hosted-git-info": "^6.1.1",
     "json-parse-even-better-errors": "^3.0.0",
     "json-stringify-nice": "^1.1.4",
-    "minimatch": "^5.1.0",
+    "minimatch": "^5.1.1",
     "nopt": "^7.0.0",
     "npm-install-checks": "^6.0.0",
-    "npm-package-arg": "^10.0.0",
+    "npm-package-arg": "^10.1.0",
     "npm-pick-manifest": "^8.0.1",
-    "npm-registry-fetch": "^14.0.2",
+    "npm-registry-fetch": "^14.0.3",
     "npmlog": "^7.0.1",
-    "pacote": "^15.0.2",
+    "pacote": "^15.0.7",
     "parse-conflict-json": "^3.0.0",
     "proc-log": "^3.0.0",
     "promise-all-reject-late": "^1.0.0",
     "promise-call-limit": "^1.0.1",
     "read-package-json-fast": "^3.0.1",
     "semver": "^7.3.7",
-    "ssri": "^10.0.0",
+    "ssri": "^10.0.1",
     "treeverse": "^3.0.0",
     "walk-up-path": "^1.0.0"
   },
   "devDependencies": {
     "@npmcli/eslint-config": "^4.0.0",
-    "@npmcli/template-oss": "4.10.0",
+    "@npmcli/template-oss": "4.11.0",
     "benchmark": "^2.1.4",
     "chalk": "^4.1.0",
     "minify-registry-metadata": "^2.1.0",
@@ -101,7 +101,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.10.0",
+    "version": "4.11.0",
     "content": "../../scripts/template-oss/index.js"
   }
 }