@npmcli/arborist 9.1.2 → 9.1.4

package/lib/arborist/build-ideal-tree.js

@@ -6,7 +6,7 @@ const pacote = require('pacote')
 const cacache = require('cacache')
 const { callLimit: promiseCallLimit } = require('promise-call-limit')
 const realpath = require('../../lib/realpath.js')
-const { resolve, dirname } = require('node:path')
+const { resolve, dirname, sep } = require('node:path')
 const treeCheck = require('../tree-check.js')
 const { readdirScoped } = require('@npmcli/fs')
 const { lstat, readlink } = require('node:fs/promises')
@@ -192,9 +192,11 @@ module.exports = cls => class IdealTreeBuilder extends cls {
   }
 
   async #checkEngineAndPlatform () {
-    const { engineStrict, npmVersion, nodeVersion } = this.options
+    const { engineStrict, npmVersion, nodeVersion, omit = [] } = this.options
+    const omitSet = new Set(omit)
+
     for (const node of this.idealTree.inventory.values()) {
-      if (!node.optional) {
+      if (!node.optional && !node.shouldOmit(omitSet)) {
         try {
           // if devEngines is present in the root node we ignore the engines check
           if (!(node.isRoot && node.package.devEngines)) {
@@ -1224,15 +1226,31 @@ This is a one-time fix-up, please be patient...
     const { installLinks, legacyPeerDeps } = this
     const isWorkspace = this.idealTree.workspaces && this.idealTree.workspaces.has(spec.name)
 
-    // spec is a directory, link it unless installLinks is set or it's a workspace
+    // spec is a directory, link it if:
+    // - it's a workspace, OR
+    // - it's a project-internal file: dependency (always linked), OR
+    // - it's external and installLinks is false
     // TODO post arborist refactor, will need to check for installStrategy=linked
-    if (spec.type === 'directory' && (isWorkspace || !installLinks)) {
+    let isProjectInternalFileSpec = false
+    if (edge?.rawSpec.startsWith('file:../') || edge?.rawSpec.startsWith('file:./')) {
+      const targetPath = resolve(parent.realpath, edge.rawSpec.slice(5))
+      const resolvedProjectRoot = resolve(this.idealTree.realpath)
+      // Check if the target is within the project root
+      isProjectInternalFileSpec = targetPath.startsWith(resolvedProjectRoot + sep) || targetPath === resolvedProjectRoot
+    }
+
+    // When using --install-links, we need to handle transitive file dependencies specially
+    // If the parent was installed (not linked) due to --install-links, and this is a file: dep, we should also install it rather than link it
+    const parentWasInstalled = parent && !parent.isLink && parent.resolved?.startsWith('file:')
+    const isTransitiveFileDep = spec.type === 'directory' && parentWasInstalled && installLinks
+
+    // Decide whether to link or copy the dependency
+    const shouldLink = (isWorkspace || isProjectInternalFileSpec || !installLinks) && !isTransitiveFileDep
+    if (spec.type === 'directory' && shouldLink) {
       return this.#linkFromSpec(name, spec, parent, edge)
     }
 
-    // if the spec matches a workspace name, then see if the workspace node will
-    // satisfy the edge. if it does, we return the workspace node to make sure it
-    // takes priority.
+    // if the spec matches a workspace name, then see if the workspace node will satisfy the edge. if it does, we return the workspace node to make sure it takes priority.
     if (isWorkspace) {
       const existingNode = this.idealTree.edgesOut.get(spec.name).to
       if (existingNode && existingNode.isWorkspace && existingNode.satisfies(edge)) {
@@ -1240,6 +1258,15 @@ This is a one-time fix-up, please be patient...
       }
     }
 
+    // For file: dependencies that we're installing (not linking), ensure proper resolution
+    if (isTransitiveFileDep && edge) {
+      // For transitive file deps, resolve relative to the parent's original source location
+      const parentOriginalPath = parent.resolved.slice(5) // Remove 'file:' prefix
+      const relativePath = edge.rawSpec.slice(5) // Remove 'file:' prefix
+      const absolutePath = resolve(parentOriginalPath, relativePath)
+      spec = npa.resolve(name, `file:${absolutePath}`)
+    }
+
     // spec isn't a directory, and either isn't a workspace or the workspace we have
     // doesn't satisfy the edge. try to fetch a manifest and build a node from that.
     return this.#fetchManifest(spec)
@@ -1292,6 +1319,12 @@ This is a one-time fix-up, please be patient...
       .sort(({ name: a }, { name: b }) => localeCompare(a, b))
 
     for (const edge of peerEdges) {
+      // node.parent gets mutated during loop execution due to recursive #nodeFromEdge calls.
+      // When a compatible peer is found (e.g. a@1.1.0 replaces a@1.2.0), the original node loses its parent.
+      // if node is detached/removed from the tree, or has no parent, so no need to check remaining edgesOut for that node.
+      if (!node.parent) {
+        break
+      }
       // already placed this one, and we're happy with it.
       if (edge.valid && edge.to) {
         continue
@@ -1476,11 +1509,6 @@ This is a one-time fix-up, please be patient...
     const needPrune = metaFromDisk && (mutateTree || flagsSuspect)
     if (this.#prune && needPrune) {
       this.#idealTreePrune()
-      for (const node of this.idealTree.inventory.values()) {
-        if (node.extraneous) {
-          node.parent = null
-        }
-      }
     }
 
     timeEnd()
@@ -1514,7 +1542,12 @@ This is a one-time fix-up, please be patient...
 
   #idealTreePrune () {
     for (const node of this.idealTree.inventory.values()) {
-      if (node.extraneous) {
+      // optional peer dependencies are meant to be added to the tree
+      // through an explicit required dependency (most commonly in the
+      // root package.json), at which point they won't be optional so
+      // any dependencies still marked as both optional and peer at
+      // this point can be pruned as a special kind of extraneous
+      if (node.extraneous || (node.peer && node.optional)) {
         node.parent = null
       }
     }

package/lib/arborist/reify.js

@@ -84,9 +84,7 @@ module.exports = cls => class Reifier extends cls {
   #bundleUnpacked = new Set() // the nodes we unpack to read their bundles
   #dryRun
   #nmValidated = new Set()
-  #omitDev
-  #omitPeer
-  #omitOptional
+  #omit
   #retiredPaths = {}
   #retiredUnchanged = {}
   #savePrefix
@@ -110,10 +108,7 @@ module.exports = cls => class Reifier extends cls {
       throw er
     }
 
-    const omit = new Set(options.omit || [])
-    this.#omitDev = omit.has('dev')
-    this.#omitOptional = omit.has('optional')
-    this.#omitPeer = omit.has('peer')
+    this.#omit = new Set(options.omit)
 
     // start tracker block
     this.addTracker('reify')
@@ -562,12 +557,11 @@ module.exports = cls => class Reifier extends cls {
   // adding to the trash list will skip reifying, and delete them
   // if they are currently in the tree and otherwise untouched.
   [_addOmitsToTrashList] () {
-    if (!this.#omitDev && !this.#omitOptional && !this.#omitPeer) {
+    if (!this.#omit.size) {
       return
     }
 
     const timeEnd = time.start('reify:trashOmits')
-
     for (const node of this.idealTree.inventory.values()) {
       const { top } = node
 
@@ -583,12 +577,7 @@ module.exports = cls => class Reifier extends cls {
       }
 
       // omit node if the dep type matches any omit flags that were set
-      if (
-        node.peer && this.#omitPeer ||
-        node.dev && this.#omitDev ||
-        node.optional && this.#omitOptional ||
-        node.devOptional && this.#omitOptional && this.#omitDev
-      ) {
+      if (node.shouldOmit(this.#omit)) {
         this[_addNodeToTrashList](node)
       }
     }
@@ -896,6 +885,7 @@ module.exports = cls => class Reifier extends cls {
         // Replace the host with the registry host while keeping the path intact
         resolvedURL.hostname = registryURL.hostname
         resolvedURL.port = registryURL.port
+        resolvedURL.protocol = registryURL.protocol
 
         // Make sure we don't double-include the path if it's already there
         const registryPath = registryURL.pathname.replace(/\/$/, '')

package/lib/audit-report.js

@@ -1,5 +1,4 @@
 // an object representing the set of vulnerabilities in a tree
-/* eslint camelcase: "off" */
 
 const localeCompare = require('@isaacs/string-locale-compare')('en')
 const npa = require('npm-package-arg')
@@ -8,16 +7,15 @@ const pickManifest = require('npm-pick-manifest')
 const Vuln = require('./vuln.js')
 const Calculator = require('@npmcli/metavuln-calculator')
 
-const _getReport = Symbol('getReport')
-const _fixAvailable = Symbol('fixAvailable')
-const _checkTopNode = Symbol('checkTopNode')
-const _init = Symbol('init')
-const _omit = Symbol('omit')
 const { log, time } = require('proc-log')
 
 const npmFetch = require('npm-registry-fetch')
 
 class AuditReport extends Map {
+  #omit
+  error = null
+  topVulns = new Map()
+
   static load (tree, opts) {
     return new AuditReport(tree, opts).run()
   }
@@ -91,22 +89,18 @@ class AuditReport extends Map {
 
   constructor (tree, opts = {}) {
     super()
-    const { omit } = opts
-    this[_omit] = new Set(omit || [])
-    this.topVulns = new Map()
-
+    this.#omit = new Set(opts.omit || [])
     this.calculator = new Calculator(opts)
-    this.error = null
     this.options = opts
     this.tree = tree
     this.filterSet = opts.filterSet
   }
 
   async run () {
-    this.report = await this[_getReport]()
+    this.report = await this.#getReport()
     log.silly('audit report', this.report)
     if (this.report) {
-      await this[_init]()
+      await this.#init()
     }
     return this
   }
@@ -116,7 +110,7 @@ class AuditReport extends Map {
     return !!(vuln && vuln.isVulnerable(node))
   }
 
-  async [_init] () {
+  async #init () {
     const timeEnd = time.start('auditReport:init')
 
     const promises = []
@@ -148,7 +142,7 @@ class AuditReport extends Map {
       if (!seen.has(k)) {
         const p = []
         for (const node of this.tree.inventory.query('packageName', name)) {
-          if (!shouldAudit(node, this[_omit], this.filterSet)) {
+          if (!this.shouldAudit(node)) {
             continue
           }
 
@@ -171,7 +165,15 @@ class AuditReport extends Map {
           vuln.nodes.add(node)
           for (const { from: dep, spec } of node.edgesIn) {
             if (dep.isTop && !vuln.topNodes.has(dep)) {
-              this[_checkTopNode](dep, vuln, spec)
+              vuln.fixAvailable = this.#fixAvailable(vuln, spec)
+              if (vuln.fixAvailable !== true) {
+                // now we know the top node is vulnerable, and cannot be
+                // upgraded out of the bad place without --force.  But, there's
+                // no need to add it to the actual vulns list, because nothing
+                // depends on root.
+                this.topVulns.set(vuln.name, vuln)
+                vuln.topNodes.add(dep)
+              }
             } else {
             // calculate a metavuln, if necessary
               const calc = this.calculator.calculate(dep.packageName, advisory)
@@ -214,33 +216,14 @@ class AuditReport extends Map {
     timeEnd()
   }
 
-  [_checkTopNode] (topNode, vuln, spec) {
-    vuln.fixAvailable = this[_fixAvailable](topNode, vuln, spec)
-
-    if (vuln.fixAvailable !== true) {
-      // now we know the top node is vulnerable, and cannot be
-      // upgraded out of the bad place without --force.  But, there's
-      // no need to add it to the actual vulns list, because nothing
-      // depends on root.
-      this.topVulns.set(vuln.name, vuln)
-      vuln.topNodes.add(topNode)
-    }
-  }
-
-  // check whether the top node is vulnerable.
-  // check whether we can get out of the bad place with --force, and if
-  // so, whether that update is SemVer Major
-  [_fixAvailable] (topNode, vuln, spec) {
-    // this will always be set to at least {name, versions:{}}
-    const paku = vuln.packument
-
+  // given the spec, see if there is a fix available at all, and note whether or not it's a semver major fix or not (i.e. will need --force)
+  #fixAvailable (vuln, spec) {
+    // TODO we return true, false, OR an object here. this is probably a bad pattern.
     if (!vuln.testSpec(spec)) {
       return true
     }
 
-    // similarly, even if we HAVE a packument, but we're looking for it
-    // somewhere other than the registry, and we got something vulnerable,
-    // then we're stuck with it.
+    // even if we HAVE a packument, if we're looking for it somewhere other than the registry and we have something vulnerable then we're stuck with it.
     const specObj = npa(spec)
     if (!specObj.registry) {
       return false
@@ -250,15 +233,13 @@ class AuditReport extends Map {
       spec = specObj.subSpec.rawSpec
     }
 
-    // We don't provide fixes for top nodes other than root, but we
-    // still check to see if the node is fixable with a different version,
-    // and if that is a semver major bump.
+    // we don't provide fixes for top nodes other than root, but we still check to see if the node is fixable with a different version, and note if that is a semver major bump.
     try {
       const {
         _isSemVerMajor: isSemVerMajor,
         version,
         name,
-      } = pickManifest(paku, spec, {
+      } = pickManifest(vuln.packument, spec, {
         ...this.options,
         before: null,
         avoid: vuln.range,
@@ -274,7 +255,7 @@ class AuditReport extends Map {
     throw new Error('do not call AuditReport.set() directly')
   }
 
-  async [_getReport] () {
+  async #getReport () {
     // if we're not auditing, just return false
     if (this.options.audit === false || this.options.offline === true || this.tree.inventory.size === 1) {
       return null
@@ -282,7 +263,7 @@ class AuditReport extends Map {
 
     const timeEnd = time.start('auditReport:getReport')
     try {
-      const body = prepareBulkData(this.tree, this[_omit], this.filterSet)
+      const body = this.prepareBulkData()
       log.silly('audit', 'bulk request', body)
 
       // no sense asking if we don't have anything to audit,
@@ -309,37 +290,39 @@ class AuditReport extends Map {
       timeEnd()
     }
   }
-}
-
-// return true if we should audit this one
-const shouldAudit = (node, omit, filterSet) =>
-  !node.version ? false
-  : node.isRoot ? false
-  : filterSet && filterSet.size !== 0 && !filterSet.has(node) ? false
-  : omit.size === 0 ? true
-  : !( // otherwise, just ensure we're not omitting this one
-    node.dev && omit.has('dev') ||
-    node.optional && omit.has('optional') ||
-    node.devOptional && omit.has('dev') && omit.has('optional') ||
-    node.peer && omit.has('peer')
-  )
-
-const prepareBulkData = (tree, omit, filterSet) => {
-  const payload = {}
-  for (const name of tree.inventory.query('packageName')) {
-    const set = new Set()
-    for (const node of tree.inventory.query('packageName', name)) {
-      if (!shouldAudit(node, omit, filterSet)) {
-        continue
-      }
 
-      set.add(node.version)
+  // return true if we should audit this one
+  shouldAudit (node) {
+    if (
+      !node.version ||
+      node.isRoot ||
+      (this.filterSet && this.filterSet?.size !== 0 && !this.filterSet?.has(node))
+    ) {
+      return false
     }
-    if (set.size) {
-      payload[name] = [...set]
+    if (this.#omit.size === 0) {
+      return true
+    }
+    return !node.shouldOmit(this.#omit)
+  }
+
+  prepareBulkData () {
+    const payload = {}
+    for (const name of this.tree.inventory.query('packageName')) {
+      const set = new Set()
+      for (const node of this.tree.inventory.query('packageName', name)) {
+        if (!this.shouldAudit(node)) {
+          continue
+        }
+
+        set.add(node.version)
+      }
+      if (set.size) {
+        payload[name] = [...set]
+      }
     }
+    return payload
   }
-  return payload
 }
 
 module.exports = AuditReport

package/lib/node.js

@@ -489,6 +489,15 @@ class Node {
     return false
   }
 
+  shouldOmit (omitSet) {
+    return (
+      this.peer && omitSet.has('peer') ||
+      this.dev && omitSet.has('dev') ||
+      this.optional && omitSet.has('optional') ||
+      this.devOptional && omitSet.has('optional') && omitSet.has('dev')
+    )
+  }
+
   getBundler (path = []) {
     // made a cycle, definitely not bundled!
     if (path.includes(this)) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.1.2",
+  "version": "9.1.4",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
@@ -41,7 +41,7 @@
   "devDependencies": {
     "@npmcli/eslint-config": "^5.0.1",
     "@npmcli/mock-registry": "^1.0.0",
-    "@npmcli/template-oss": "4.23.6",
+    "@npmcli/template-oss": "4.24.4",
     "benchmark": "^2.1.4",
     "minify-registry-metadata": "^4.0.0",
     "nock": "^13.3.3",
@@ -93,7 +93,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.23.6",
+    "version": "4.24.4",
     "content": "../../scripts/template-oss/index.js"
   }
 }