@npmcli/arborist 9.1.4 → 9.1.6

package/README.md

@@ -6,7 +6,7 @@
 
 Inspect and manage `node_modules` trees.
 
-![a tree with the word ARBORIST superimposed on it](https://raw.githubusercontent.com/npm/arborist/main/docs/logo.svg?sanitize=true)
+![a tree with the word ARBORIST superimposed on it](https://raw.githubusercontent.com/npm/cli/latest/workspaces/arborist/docs/logo.svg?sanitize=true)
 
 There's more documentation [in the docs
 folder](https://github.com/npm/cli/tree/latest/workspaces/arborist/docs).

package/bin/index.js

@@ -37,7 +37,7 @@ ${message && '\n' + message + '\n'}
 
   Additionally:
 
-  * --loglevel=warn|--quiet will supppress the printing of package trees
+  * --loglevel=warn|--quiet will suppress the printing of package trees
   * --logfile <file|bool> will output logs to a file
   * --timing will show timing information
   * Instead of 'npm install <pkg>', use 'arborist reify --add=<pkg>'.

package/lib/arborist/build-ideal-tree.js

@@ -1,6 +1,6 @@
 // mixin implementing the buildIdealTree method
 const localeCompare = require('@isaacs/string-locale-compare')('en')
-const rpj = require('read-package-json-fast')
+const PackageJson = require('@npmcli/package-json')
 const npa = require('npm-package-arg')
 const pacote = require('pacote')
 const cacache = require('cacache')
@@ -192,7 +192,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
   }
 
   async #checkEngineAndPlatform () {
-    const { engineStrict, npmVersion, nodeVersion, omit = [] } = this.options
+    const { engineStrict, npmVersion, nodeVersion, omit = [], cpu, os, libc } = this.options
     const omitSet = new Set(omit)
 
     for (const node of this.idealTree.inventory.values()) {
@@ -214,6 +214,19 @@ module.exports = cls => class IdealTreeBuilder extends cls {
         }
         checkPlatform(node.package, this.options.force)
       }
+      if (node.optional && !node.inert) {
+        // Mark any optional packages we can't install as inert.
+        // We ignore the --force and --engine-strict flags.
+        try {
+          checkEngine(node.package, npmVersion, nodeVersion, false)
+          checkPlatform(node.package, false, { cpu, os, libc })
+        } catch (error) {
+          const set = optionalSet(node)
+          for (const node of set) {
+            node.inert = true
+          }
+        }
+      }
     }
   }
 
@@ -268,7 +281,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
       root = await this.#globalRootNode()
     } else {
       try {
-        const pkg = await rpj(this.path + '/package.json')
+        const { content: pkg } = await PackageJson.normalize(this.path)
         root = await this.#rootNodeFromPackage(pkg)
       } catch (err) {
         if (err.code === 'EJSONPARSE') {
@@ -324,7 +337,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
       })
 
       .then(tree => {
-        // search the virtual tree for invalid edges, if any are found add their source to
+        // search the virtual tree for missing/invalid edges, if any are found add their source to
         // the depsQueue so that we'll fix it later
         depth({
           tree,
@@ -338,7 +351,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
           filter: node => node,
           visit: node => {
             for (const edge of node.edgesOut.values()) {
-              if (!edge.valid) {
+              if (!edge.to || !edge.valid) {
                 this.#depsQueue.push(node)
                 break // no need to continue the loop after the first hit
               }
@@ -448,7 +461,6 @@ module.exports = cls => class IdealTreeBuilder extends cls {
       const paths = await readdirScoped(nm).catch(() => [])
       for (const p of paths) {
         const name = p.replace(/\\/g, '/')
-        tree.package.dependencies = tree.package.dependencies || {}
         const updateName = this[_updateNames].includes(name)
         if (this[_updateAll] || updateName) {
           if (updateName) {
@@ -812,7 +824,7 @@ This is a one-time fix-up, please be patient...
       node !== this.idealTree &&
       node.resolved &&
       (hasBundle || hasShrinkwrap) &&
-      !node.ideallyInert
+      !node.inert
     if (crackOpen) {
       const Arborist = this.constructor
       const opt = { ...this.options }
@@ -1012,7 +1024,7 @@ This is a one-time fix-up, please be patient...
           }
 
           // pre-fetch any problem edges, since we'll need these soon
-          // if it fails at this point, though, dont' worry because it
+          // if it fails at this point, though, don't worry because it
           // may well be an optional dep that has gone missing.  it'll
           // fail later anyway.
           for (const e of this.#problemEdges(placed)) {
@@ -1068,7 +1080,7 @@ This is a one-time fix-up, please be patient...
       ? await this.#nodeFromSpec(edge.name, spec2, parent, secondEdge)
       : null
 
-    // pick the second one if they're both happy with that, otherwise first
+    // pick the second one if they're both happy with that; otherwise, first
     const node = second && edge.valid ? second : first
     // ensure the one we want is the one that's placed
     node.parent = parent
@@ -1275,7 +1287,7 @@ This is a one-time fix-up, please be patient...
 
         // failed to load the spec, either because of enotarget or
         // fetch failure of some other sort.  save it so we can verify
-        // later that it's optional, otherwise the error is fatal.
+        // later that it's optional; otherwise, the error is fatal.
         const n = new Node({
           name,
           parent,
@@ -1288,14 +1300,15 @@ This is a one-time fix-up, please be patient...
       })
   }
 
-  #linkFromSpec (name, spec, parent) {
+  async #linkFromSpec (name, spec, parent) {
     const realpath = spec.fetchSpec
     const { installLinks, legacyPeerDeps } = this
-    return rpj(realpath + '/package.json').catch(() => ({})).then(pkg => {
-      const link = new Link({ name, parent, realpath, pkg, installLinks, legacyPeerDeps })
-      this.#linkNodes.add(link)
-      return link
+    const { content: pkg } = await PackageJson.normalize(realpath).catch(() => {
+      return { content: {} }
     })
+    const link = new Link({ name, parent, realpath, pkg, installLinks, legacyPeerDeps })
+    this.#linkNodes.add(link)
+    return link
   }
 
   // load all peer deps and meta-peer deps into the node's parent
@@ -1431,7 +1444,7 @@ This is a one-time fix-up, please be patient...
   // - if a path under an existing node, then assign that as the fsParent,
   //   and add it to the _depsQueue
   //
-  // call buildDepStep if anything was added to the queue, otherwise we're done
+  // call buildDepStep if anything was added to the queue; otherwise, we're done
   #resolveLinks () {
     for (const link of this.#linkNodes) {
       this.#linkNodes.delete(link)
@@ -1561,7 +1574,7 @@ This is a one-time fix-up, please be patient...
 
       const set = optionalSet(node)
       for (const node of set) {
-        node.ideallyInert = true
+        node.inert = true
       }
     }
   }
@@ -1582,7 +1595,7 @@ This is a one-time fix-up, please be patient...
           node.parent !== null
           && !node.isProjectRoot
           && !excludeNodes.has(node)
-          && !node.ideallyInert
+          && !node.inert
         ) {
           this[_addNodeToTrashList](node)
         }

package/lib/arborist/isolated-reifier.js

@@ -81,7 +81,7 @@ module.exports = cls => class IsolatedReifier extends cls {
         }
         queue.push(e.to)
       })
-      if (!next.isProjectRoot && !next.isWorkspace && !next.ideallyInert) {
+      if (!next.isProjectRoot && !next.isWorkspace && !next.inert) {
         root.external.push(await this.externalProxyMemo(next))
       }
     }
@@ -140,15 +140,15 @@ module.exports = cls => class IsolatedReifier extends cls {
 
   async assignCommonProperties (node, result) {
     function validEdgesOut (node) {
-      return [...node.edgesOut.values()].filter(e => e.to && e.to.target && !(node.package.bundledDepenedencies || node.package.bundleDependencies || []).includes(e.to.name))
+      return [...node.edgesOut.values()].filter(e => e.to && e.to.target && !(node.package.bundledDependencies || node.package.bundleDependencies || []).includes(e.to.name))
     }
     const edges = validEdgesOut(node)
     const optionalDeps = edges.filter(e => e.optional).map(e => e.to.target)
     const nonOptionalDeps = edges.filter(e => !e.optional).map(e => e.to.target)
 
     result.localDependencies = await Promise.all(nonOptionalDeps.filter(n => n.isWorkspace).map(this.workspaceProxyMemo))
-    result.externalDependencies = await Promise.all(nonOptionalDeps.filter(n => !n.isWorkspace && !n.ideallyInert).map(this.externalProxyMemo))
-    result.externalOptionalDependencies = await Promise.all(optionalDeps.filter(n => !n.ideallyInert).map(this.externalProxyMemo))
+    result.externalDependencies = await Promise.all(nonOptionalDeps.filter(n => !n.isWorkspace && !n.inert).map(this.externalProxyMemo))
+    result.externalOptionalDependencies = await Promise.all(optionalDeps.filter(n => !n.inert).map(this.externalProxyMemo))
     result.dependencies = [
       ...result.externalDependencies,
       ...result.localDependencies,

package/lib/arborist/load-actual.js

@@ -1,8 +1,8 @@
 // mix-in implementing the loadActual method
 
-const { relative, dirname, resolve, join, normalize } = require('node:path')
+const { dirname, join, normalize, relative, resolve } = require('node:path')
 
-const rpj = require('read-package-json-fast')
+const PackageJson = require('@npmcli/package-json')
 const { readdirScoped } = require('@npmcli/fs')
 const { walkUp } = require('walk-up-path')
 const ancestorPath = require('common-ancestor-path')
@@ -36,7 +36,7 @@ module.exports = cls => class ActualLoader extends cls {
   // We don't do fsParent as a magic getter/setter, because it'd be too costly
   // to keep up to date along the walk.
   // And, we know that it can ONLY be relevant when the node is a target of a
-  // link, otherwise it'd be in a node_modules folder, so take advantage of
+  // link; otherwise, it'd be in a node_modules folder, so take advantage of
   // that to limit the scans later.
   #topNodes = new Set()
   #transplantFilter
@@ -279,12 +279,16 @@ module.exports = cls => class ActualLoader extends cls {
       }
 
       try {
-        const pkg = await rpj(join(real, 'package.json'))
+        const { content: pkg } = await PackageJson.normalize(real)
         params.pkg = pkg
         if (useRootOverrides && root.overrides) {
           params.overrides = root.overrides.getNodeRule({ name: pkg.name, version: pkg.version })
         }
       } catch (err) {
+        if (err.code === 'EJSONPARSE') {
+          // TODO @npmcli/package-json should be doing this
+          err.path = join(real, 'package.json')
+        }
         params.error = err
       }
 

package/lib/arborist/load-virtual.js

@@ -1,16 +1,15 @@
+const { resolve } = require('node:path')
 // mixin providing the loadVirtual method
 const mapWorkspaces = require('@npmcli/map-workspaces')
-
-const { resolve } = require('node:path')
-
+const PackageJson = require('@npmcli/package-json')
 const nameFromFolder = require('@npmcli/name-from-folder')
+
 const consistentResolve = require('../consistent-resolve.js')
 const Shrinkwrap = require('../shrinkwrap.js')
 const Node = require('../node.js')
 const Link = require('../link.js')
 const relpath = require('../relpath.js')
 const calcDepFlags = require('../calc-dep-flags.js')
-const rpj = require('read-package-json-fast')
 const treeCheck = require('../tree-check.js')
 
 const flagsSuspect = Symbol.for('flagsSuspect')
@@ -54,10 +53,11 @@ module.exports = cls => class VirtualLoader extends cls {
 
     // when building the ideal tree, we pass in a root node to this function
     // otherwise, load it from the root package json or the lockfile
+    const pkg = await PackageJson.normalize(this.path).then(p => p.content).catch(() => s.data.packages[''] || {})
+    // TODO clean this up
     const {
-      root = await this.#loadRoot(s),
+      root = await this[setWorkspaces](this.#loadNode('', pkg, true)),
     } = options
-
     this.#rootOptionProvided = options.root
 
     await this.#loadFromShrinkwrap(s, root)
@@ -65,12 +65,6 @@ module.exports = cls => class VirtualLoader extends cls {
     return treeCheck(this.virtualTree)
   }
 
-  async #loadRoot (s) {
-    const pj = this.path + '/package.json'
-    const pkg = await rpj(pj).catch(() => s.data.packages['']) || {}
-    return this[setWorkspaces](this.#loadNode('', pkg, true))
-  }
-
   async #loadFromShrinkwrap (s, root) {
     if (!this.#rootOptionProvided) {
       // root is never any of these things, but might be a brand new
@@ -174,7 +168,7 @@ module.exports = cls => class VirtualLoader extends cls {
     }
   }
 
-  // separate out link metadatas, and create Node objects for nodes
+  // separate out link metadata, and create Node objects for nodes
   #resolveNodes (s, root) {
     const links = new Map()
     const nodes = new Map([['', root]])
@@ -219,11 +213,7 @@ To fix:
       // we always need to read the package.json for link targets
       // outside node_modules because they can be changed by the local user
       if (!link.target.parent) {
-        const pj = link.realpath + '/package.json'
-        const pkg = await rpj(pj).catch(() => null)
-        if (pkg) {
-          link.target.package = pkg
-        }
+        await PackageJson.normalize(link.realpath).then(p => link.target.package = p.content).catch(() => null)
       }
     }
   }
@@ -279,7 +269,6 @@ To fix:
       integrity: sw.integrity,
       resolved: consistentResolve(sw.resolved, this.path, path),
       pkg: sw,
-      ideallyInert: sw.ideallyInert,
       hasShrinkwrap: sw.hasShrinkwrap,
       dev,
       optional,

package/lib/arborist/rebuild.js

@@ -1,20 +1,19 @@
 // Arborist.rebuild({path = this.path}) will do all the binlinks and
 // bundle building needed.  Called by reify, and by `npm rebuild`.
 
+const PackageJson = require('@npmcli/package-json')
+const binLinks = require('bin-links')
 const localeCompare = require('@isaacs/string-locale-compare')('en')
-const { depth: dfwalk } = require('treeverse')
 const promiseAllRejectLate = require('promise-all-reject-late')
-const rpj = require('read-package-json-fast')
-const binLinks = require('bin-links')
 const runScript = require('@npmcli/run-script')
 const { callLimit: promiseCallLimit } = require('promise-call-limit')
-const { resolve } = require('node:path')
+const { depth: dfwalk } = require('treeverse')
 const { isNodeGypPackage, defaultGypInstallScript } = require('@npmcli/node-gyp')
 const { log, time } = require('proc-log')
+const { resolve } = require('node:path')
 
 const boolEnv = b => b ? '1' : ''
-const sortNodes = (a, b) =>
-  (a.depth - b.depth) || localeCompare(a.path, b.path)
+const sortNodes = (a, b) => (a.depth - b.depth) || localeCompare(a.path, b.path)
 
 const _checkBins = Symbol.for('checkBins')
 
@@ -250,7 +249,9 @@ module.exports = cls => class Builder extends cls {
       // add to the set then remove while we're reading the pj, so we
       // don't accidentally hit it multiple times.
       set.add(node)
-      const pkg = await rpj(node.path + '/package.json').catch(() => ({}))
+      const { content: pkg } = await PackageJson.normalize(node.path).catch(() => {
+        return { content: {} }
+      })
       set.delete(node)
 
       const { scripts = {} } = pkg

package/lib/arborist/reify.js

@@ -1,48 +1,36 @@
 // mixin implementing the reify method
-const onExit = require('../signal-handling.js')
-const pacote = require('pacote')
-const AuditReport = require('../audit-report.js')
-const { subset, intersects } = require('semver')
-const npa = require('npm-package-arg')
-const semver = require('semver')
-const debug = require('../debug.js')
-const { walkUp } = require('walk-up-path')
-const { log, time } = require('proc-log')
-const rpj = require('read-package-json-fast')
-const hgi = require('hosted-git-info')
-
-const { dirname, resolve, relative, join } = require('node:path')
-const { depth: dfwalk } = require('treeverse')
-const {
-  lstat,
-  mkdir,
-  rm,
-  symlink,
-} = require('node:fs/promises')
-const { moveFile } = require('@npmcli/fs')
 const PackageJson = require('@npmcli/package-json')
+const hgi = require('hosted-git-info')
+const npa = require('npm-package-arg')
 const packageContents = require('@npmcli/installed-package-contents')
+const pacote = require('pacote')
+const promiseAllRejectLate = require('promise-all-reject-late')
 const runScript = require('@npmcli/run-script')
-const { checkEngine, checkPlatform } = require('npm-install-checks')
+const { callLimit: promiseCallLimit } = require('promise-call-limit')
+const { depth: dfwalk } = require('treeverse')
+const { dirname, resolve, relative, join } = require('node:path')
+const { log, time } = require('proc-log')
+const { lstat, mkdir, rm, symlink } = require('node:fs/promises')
+const { moveFile } = require('@npmcli/fs')
+const { subset, intersects } = require('semver')
+const { walkUp } = require('walk-up-path')
 
-const treeCheck = require('../tree-check.js')
-const relpath = require('../relpath.js')
+const AuditReport = require('../audit-report.js')
 const Diff = require('../diff.js')
-const retirePath = require('../retire-path.js')
-const promiseAllRejectLate = require('promise-all-reject-late')
-const { callLimit: promiseCallLimit } = require('promise-call-limit')
-const optionalSet = require('../optional-set.js')
 const calcDepFlags = require('../calc-dep-flags.js')
+const debug = require('../debug.js')
+const onExit = require('../signal-handling.js')
+const optionalSet = require('../optional-set.js')
+const relpath = require('../relpath.js')
+const retirePath = require('../retire-path.js')
+const treeCheck = require('../tree-check.js')
+const { defaultLockfileVersion } = require('../shrinkwrap.js')
 const { saveTypeMap, hasSubKey } = require('../add-rm-pkg-deps.js')
 
-const Shrinkwrap = require('../shrinkwrap.js')
-const { defaultLockfileVersion } = Shrinkwrap
-
 // Part of steps (steps need refactoring before we can do anything about these)
 const _retireShallowNodes = Symbol.for('retireShallowNodes')
 const _loadBundlesAndUpdateTrees = Symbol.for('loadBundlesAndUpdateTrees')
 const _submitQuickAudit = Symbol('submitQuickAudit')
-const _addOmitsToTrashList = Symbol('addOmitsToTrashList')
 const _unpackNewModules = Symbol.for('unpackNewModules')
 const _build = Symbol.for('build')
 
@@ -141,11 +129,17 @@ module.exports = cls => class Reifier extends cls {
       this.idealTree = oldTree
     }
     await this[_saveIdealTree](options)
+    // clean inert
+    for (const node of this.idealTree.inventory.values()) {
+      if (node.inert) {
+        node.parent = null
+      }
+    }
     // clean up any trash that is still in the tree
     for (const path of this[_trashList]) {
       const loc = relpath(this.idealTree.realpath, path)
       const node = this.idealTree.inventory.get(loc)
-      if (node && node.root === this.idealTree && !node.ideallyInert) {
+      if (node && node.root === this.idealTree) {
         node.parent = null
       }
     }
@@ -233,18 +227,6 @@ module.exports = cls => class Reifier extends cls {
     this.idealTree.meta.hiddenLockfile = true
     this.idealTree.meta.lockfileVersion = defaultLockfileVersion
 
-    // Preserve inertness for failed stuff.
-    if (this.actualTree) {
-      for (const [loc, actual] of this.actualTree.inventory.entries()) {
-        if (actual.ideallyInert) {
-          const ideal = this.idealTree.inventory.get(loc)
-          if (ideal) {
-            ideal.ideallyInert = true
-          }
-        }
-      }
-    }
-
     this.actualTree = this.idealTree
     this.idealTree = null
 
@@ -315,7 +297,6 @@ module.exports = cls => class Reifier extends cls {
       ]],
       [_rollbackCreateSparseTree, [
         _createSparseTree,
-        _addOmitsToTrashList,
         _loadShrinkwrapsAndUpdateTrees,
         _loadBundlesAndUpdateTrees,
         _submitQuickAudit,
@@ -470,6 +451,7 @@ module.exports = cls => class Reifier extends cls {
     // find all the nodes that need to change between the actual
     // and ideal trees.
     this.diff = Diff.calculate({
+      omit: this.#omit,
       shrinkwrapInflated: this.#shrinkwrapInflated,
       filterNodes,
       actual: this.actualTree,
@@ -554,37 +536,6 @@ module.exports = cls => class Reifier extends cls {
       })
   }
 
-  // adding to the trash list will skip reifying, and delete them
-  // if they are currently in the tree and otherwise untouched.
-  [_addOmitsToTrashList] () {
-    if (!this.#omit.size) {
-      return
-    }
-
-    const timeEnd = time.start('reify:trashOmits')
-    for (const node of this.idealTree.inventory.values()) {
-      const { top } = node
-
-      // if the top is not the root or workspace then we do not want to omit it
-      if (!top.isProjectRoot && !top.isWorkspace) {
-        continue
-      }
-
-      // if a diff filter has been created, then we do not omit the node if the
-      // top node is not in that set
-      if (this.diff?.filterSet?.size && !this.diff.filterSet.has(top)) {
-        continue
-      }
-
-      // omit node if the dep type matches any omit flags that were set
-      if (node.shouldOmit(this.#omit)) {
-        this[_addNodeToTrashList](node)
-      }
-    }
-
-    timeEnd()
-  }
-
   [_createSparseTree] () {
     const timeEnd = time.start('reify:createSparse')
     // if we call this fn again, we look for the previous list
@@ -601,9 +552,6 @@ module.exports = cls => class Reifier extends cls {
     // retire the same path at the same time.
     const dirsChecked = new Set()
     return promiseAllRejectLate(leaves.map(async node => {
-      if (node.ideallyInert) {
-        return
-      }
       for (const d of walkUp(node.path)) {
         if (d === node.top.path) {
           break
@@ -683,7 +631,6 @@ module.exports = cls => class Reifier extends cls {
       // reload the diff and sparse tree because the ideal tree changed
       .then(() => this[_diffTrees]())
       .then(() => this[_createSparseTree]())
-      .then(() => this[_addOmitsToTrashList]())
       .then(() => this[_loadShrinkwrapsAndUpdateTrees]())
       .then(timeEnd)
   }
@@ -691,30 +638,14 @@ module.exports = cls => class Reifier extends cls {
   // create a symlink for Links, extract for Nodes
   // return the node object, since we usually want that
   // handle optional dep failures here
-  // If node is in trash list, skip it
   // If reifying fails, and the node is optional, add it and its optionalSet
   // to the trash list
   // Always return the node.
   [_reifyNode] (node) {
-    if (this[_trashList].has(node.path)) {
-      return node
-    }
-
     const timeEnd = time.start(`reifyNode:${node.location}`)
     this.addTracker('reify', node.name, node.location)
 
-    const { npmVersion, nodeVersion, cpu, os, libc } = this.options
     const p = Promise.resolve().then(async () => {
-      // when we reify an optional node, check the engine and platform
-      // first. be sure to ignore the --force and --engine-strict flags,
-      // since we always want to skip any optional packages we can't install.
-      // these checks throwing will result in a rollback and removal
-      // of the mismatches
-      // eslint-disable-next-line promise/always-return
-      if (node.optional) {
-        checkEngine(node.package, npmVersion, nodeVersion, false)
-        checkPlatform(node.package, false, { cpu, os, libc })
-      }
       await this[_checkBins](node)
       await this.#extractOrLink(node)
       const { _id, deprecated } = node.package
@@ -748,10 +679,6 @@ module.exports = cls => class Reifier extends cls {
   }
 
   async #extractOrLink (node) {
-    if (node.ideallyInert) {
-      return
-    }
-
     const nm = resolve(node.parent.path, 'node_modules')
     await this.#validateNodeModules(nm)
 
@@ -803,7 +730,7 @@ module.exports = cls => class Reifier extends cls {
       })
       // store nodes don't use Node class so node.package doesn't get updated
       if (node.isInStore) {
-        const pkg = await rpj(join(node.path, 'package.json'))
+        const { content: pkg } = await PackageJson.normalize(node.path)
         node.package.scripts = pkg.scripts
       }
       return
@@ -832,9 +759,9 @@ module.exports = cls => class Reifier extends cls {
   [_handleOptionalFailure] (node, p) {
     return (node.optional ? p.catch(() => {
       const set = optionalSet(node)
-      for (node of set) {
+      for (const node of set) {
         log.verbose('reify', 'failed optional dependency', node.path)
-        node.ideallyInert = true
+        node.inert = true
         this[_addNodeToTrashList](node)
       }
     }) : p).then(() => node)
@@ -1206,9 +1133,6 @@ module.exports = cls => class Reifier extends cls {
 
       this.#retiredUnchanged[retireFolder] = []
       return promiseAllRejectLate(diff.unchanged.map(node => {
-        if (node.ideallyInert) {
-          return
-        }
         // no need to roll back links, since we'll just delete them anyway
         if (node.isLink) {
           return mkdir(dirname(node.path), { recursive: true, force: true })
@@ -1288,7 +1212,7 @@ module.exports = cls => class Reifier extends cls {
       // skip links that only live within node_modules as they are most
       // likely managed by packages we installed, we only want to rebuild
       // unchanged links we directly manage
-      const linkedFromRoot = (node.parent === tree && !node.ideallyInert) || node.target.fsTop === tree
+      const linkedFromRoot = (node.parent === tree && !node.inert) || node.target.fsTop === tree
       if (node.isLink && linkedFromRoot) {
         nodes.push(node)
       }
@@ -1399,7 +1323,7 @@ module.exports = cls => class Reifier extends cls {
           const alias = name !== pname
           newSpec = alias ? `npm:${pname}@${range}` : range
         } else if (req.hosted) {
-          // save the git+https url if it has auth, otherwise shortcut
+          // save the git+https url if it has auth; otherwise, shortcut
           const h = req.hosted
           const opt = { noCommittish: false }
           if (h.https && h.auth) {
@@ -1432,8 +1356,7 @@ module.exports = cls => class Reifier extends cls {
         if (options.saveType) {
           const depType = saveTypeMap.get(options.saveType)
           pkg[depType][name] = newSpec
-          // rpj will have moved it here if it was in both
-          // if it is empty it will be deleted later
+          // PackageJson.normalize will have moved it here if it was in both, if it is empty it will be deleted later
           if (options.saveType === 'prod' && pkg.optionalDependencies) {
             delete pkg.optionalDependencies[name]
           }
@@ -1469,12 +1392,12 @@ module.exports = cls => class Reifier extends cls {
 
     // Returns true if any of the edges from this node has a semver
     // range definition that is an exact match to the version installed
-    // e.g: should return true if for a given an installed version 1.0.0,
+    // e.g: should return true if for a given and installed version 1.0.0,
     // range is either =1.0.0 or 1.0.0
     const exactVersion = node => {
       for (const edge of node.edgesIn) {
         try {
-          if (semver.subset(edge.spec, node.version)) {
+          if (subset(edge.spec, node.version)) {
             return false
           }
         } catch {

package/lib/calc-dep-flags.js

@@ -22,6 +22,7 @@ const calcDepFlagsStep = (node) => {
   // or normal dependency graphs overlap deep in the dep graph.
   // Since we're only walking through deps that are not already flagged
   // as non-dev/non-optional, it's typically a very shallow traversal
+
   node.extraneous = false
   resetParents(node, 'extraneous')
   resetParents(node, 'dev')
@@ -47,10 +48,16 @@ const calcDepFlagsStep = (node) => {
     if (!to) {
       return
     }
-
     // everything with any kind of edge into it is not extraneous
     to.extraneous = false
 
+    // If this is a peer edge, mark the target as peer
+    if (peer) {
+      to.peer = true
+    } else if (to.peer && !hasIncomingPeerEdge(to)) {
+      unsetFlag(to, 'peer')
+    }
+
     // devOptional is the *overlap* of the dev and optional tree.
     // however, for convenience and to save an extra rewalk, we leave
     // it set when we are in *either* tree, and then omit it from the
@@ -61,11 +68,6 @@ const calcDepFlagsStep = (node) => {
     // either the dev or opt trees
     const unsetDev = unsetDevOpt || !node.dev && !dev
     const unsetOpt = unsetDevOpt || !node.optional && !optional
-    const unsetPeer = !node.peer && !peer
-
-    if (unsetPeer) {
-      unsetFlag(to, 'peer')
-    }
 
     if (unsetDevOpt) {
       unsetFlag(to, 'devOptional')
@@ -83,6 +85,16 @@ const calcDepFlagsStep = (node) => {
   return node
 }
 
+const hasIncomingPeerEdge = (node) => {
+  const target = node.isLink && node.target ? node.target : node
+  for (const edge of target.edgesIn) {
+    if (edge.type === 'peer') {
+      return true
+    }
+  }
+  return false
+}
+
 const resetParents = (node, flag) => {
   if (node[flag]) {
     return
@@ -109,12 +121,19 @@ const unsetFlag = (node, flag) => {
         const children = []
         const targetNode = node.isLink && node.target ? node.target : node
         for (const edge of targetNode.edgesOut.values()) {
-          if (
-            edge.to &&
-            edge.to[flag] &&
-            ((flag !== 'peer' && edge.type === 'peer') || edge.type === 'prod')
-          ) {
-            children.push(edge.to)
+          if (edge.to?.[flag]) {
+            // For the peer flag, only follow peer edges to unset the flag
+            // Don't propagate peer flag through prod/dev/optional edges
+            if (flag === 'peer') {
+              if (edge.type === 'peer') {
+                children.push(edge.to)
+              }
+            } else {
+              // For other flags, follow prod edges (and peer edges for non-peer flags)
+              if (edge.type === 'prod' || edge.type === 'peer') {
+                children.push(edge.to)
+              }
+            }
           }
         }
         return children

package/lib/diff.js

@@ -11,7 +11,8 @@ const { existsSync } = require('node:fs')
 const ssri = require('ssri')
 
 class Diff {
-  constructor ({ actual, ideal, filterSet, shrinkwrapInflated }) {
+  constructor ({ actual, ideal, filterSet, shrinkwrapInflated, omit }) {
+    this.omit = omit
     this.filterSet = filterSet
     this.shrinkwrapInflated = shrinkwrapInflated
     this.children = []
@@ -36,6 +37,7 @@ class Diff {
     ideal,
     filterNodes = [],
     shrinkwrapInflated = new Set(),
+    omit = new Set(),
   }) {
     // if there's a filterNode, then:
     // - get the path from the root to the filterNode.  The root or
@@ -94,7 +96,7 @@ class Diff {
     }
 
     return depth({
-      tree: new Diff({ actual, ideal, filterSet, shrinkwrapInflated }),
+      tree: new Diff({ actual, ideal, filterSet, shrinkwrapInflated, omit }),
       getChildren,
       leave,
     })
@@ -184,6 +186,7 @@ const getChildren = diff => {
     removed,
     filterSet,
     shrinkwrapInflated,
+    omit,
   } = diff
 
   // Note: we DON'T diff fsChildren themselves, because they are either
@@ -214,6 +217,7 @@ const getChildren = diff => {
       removed,
       filterSet,
       shrinkwrapInflated,
+      omit,
     })
   }
 
@@ -232,11 +236,24 @@ const diffNode = ({
   removed,
   filterSet,
   shrinkwrapInflated,
+  omit,
 }) => {
   if (filterSet.size && !(filterSet.has(ideal) || filterSet.has(actual))) {
     return
   }
 
+  if (ideal?.shouldOmit?.(omit)) {
+    ideal.inert = true
+  }
+
+  // Treat inert nodes as undefined for the purposes of diffing.
+  if (ideal?.inert) {
+    ideal = undefined
+  }
+  if (!actual && !ideal) {
+    return
+  }
+
   const action = getAction({ actual, ideal })
 
   // if it's a match, then get its children
@@ -245,7 +262,7 @@ const diffNode = ({
     if (action === 'REMOVE') {
       removed.push(actual)
     }
-    children.push(new Diff({ actual, ideal, filterSet, shrinkwrapInflated }))
+    children.push(new Diff({ actual, ideal, filterSet, shrinkwrapInflated, omit }))
   } else {
     unchanged.push(ideal)
     // !*! Weird dirty hack warning !*!
@@ -285,6 +302,7 @@ const diffNode = ({
       removed,
       filterSet,
       shrinkwrapInflated,
+      omit,
     }))
   }
 }

package/lib/gather-dep-set.js

@@ -20,7 +20,7 @@ const gatherDepSet = (set, edgeFilter) => {
     }
   }
 
-  // now remove all nodes in the set that have a dependant outside the set
+  // now remove all nodes in the set that have a dependent outside the set
   // if any change is made, then re-check
   // continue until no changes made, or deps set evaporates fully.
   let changed = true

package/lib/node.js

@@ -28,22 +28,28 @@
 // where we need to quickly find all instances of a given package name within a
 // tree.
 
-const semver = require('semver')
+const PackageJson = require('@npmcli/package-json')
 const nameFromFolder = require('@npmcli/name-from-folder')
+const npa = require('npm-package-arg')
+const semver = require('semver')
+const util = require('node:util')
+const { getPaths: getBinPaths } = require('bin-links')
+const { log } = require('proc-log')
+const { resolve, relative, dirname, basename } = require('node:path')
+const { walkUp } = require('walk-up-path')
+
+const CaseInsensitiveMap = require('./case-insensitive-map.js')
 const Edge = require('./edge.js')
 const Inventory = require('./inventory.js')
 const OverrideSet = require('./override-set.js')
-const { normalize } = require('read-package-json-fast')
-const { getPaths: getBinPaths } = require('bin-links')
-const npa = require('npm-package-arg')
+const consistentResolve = require('./consistent-resolve.js')
 const debug = require('./debug.js')
 const gatherDepSet = require('./gather-dep-set.js')
+const printableTree = require('./printable.js')
+const querySelectorAll = require('./query-selector-all.js')
+const relpath = require('./relpath.js')
 const treeCheck = require('./tree-check.js')
-const { walkUp } = require('walk-up-path')
-const { log } = require('proc-log')
 
-const { resolve, relative, dirname, basename } = require('node:path')
-const util = require('node:util')
 const _package = Symbol('_package')
 const _parent = Symbol('_parent')
 const _target = Symbol.for('_target')
@@ -58,14 +64,6 @@ const _delistFromMeta = Symbol.for('_delistFromMeta')
 const _explain = Symbol('_explain')
 const _explanation = Symbol('_explanation')
 
-const relpath = require('./relpath.js')
-const consistentResolve = require('./consistent-resolve.js')
-
-const printableTree = require('./printable.js')
-const CaseInsensitiveMap = require('./case-insensitive-map.js')
-
-const querySelectorAll = require('./query-selector-all.js')
-
 class Node {
   #global
   #meta
@@ -103,7 +101,7 @@ class Node {
       global = false,
       dummy = false,
       sourceReference = null,
-      ideallyInert = false,
+      inert = false,
     } = options
     // this object gives querySelectorAll somewhere to stash context about a node
     // while processing a query
@@ -121,14 +119,25 @@ class Node {
     // package's dependencies in a virtual root.
     this.sourceReference = sourceReference
 
-    // TODO if this came from pacote.manifest we don't have to do this,
-    // we can be told to skip this step
-    const pkg = sourceReference ? sourceReference.package
-      : normalize(options.pkg || {})
+    // have to set the internal package ref before assigning the parent, because this.package is read when adding to inventory
+    if (sourceReference) {
+      this[_package] = sourceReference.package
+    } else {
+      // TODO if this came from pacote.manifest we don't have to do this, we can be told to skip this step
+      const pkg = new PackageJson()
+      let content = {}
+      // TODO this is overly guarded.  If pkg is not an object we should not allow it at all.
+      if (options.pkg && typeof options.pkg === 'object') {
+        content = options.pkg
+      }
+      pkg.fromContent(content)
+      pkg.syncNormalize()
+      this[_package] = pkg.content
+    }
 
     this.name = name ||
-      nameFromFolder(path || pkg.name || realpath) ||
-      pkg.name ||
+      nameFromFolder(path || this.package.name || realpath) ||
+      this.package.name ||
       null
 
     // should be equal if not a link
@@ -156,13 +165,13 @@ class Node {
       // probably what we're getting from pacote, which IS trustworthy.
       //
       // Otherwise, hopefully a shrinkwrap will help us out.
-      const resolved = consistentResolve(pkg._resolved)
-      if (resolved && !(/^file:/.test(resolved) && pkg._where)) {
+      const resolved = consistentResolve(this.package._resolved)
+      if (resolved && !(/^file:/.test(resolved) && this.package._where)) {
         this.resolved = resolved
       }
     }
-    this.integrity = integrity || pkg._integrity || null
-    this.hasShrinkwrap = hasShrinkwrap || pkg._hasShrinkwrap || false
+    this.integrity = integrity || this.package._integrity || null
+    this.hasShrinkwrap = hasShrinkwrap || this.package._hasShrinkwrap || false
     this.installLinks = installLinks
     this.legacyPeerDeps = legacyPeerDeps
 
@@ -198,22 +207,18 @@ class Node {
       this.extraneous = false
     }
 
-    this.ideallyInert = ideallyInert
+    this.inert = inert
 
     this.edgesIn = new Set()
     this.edgesOut = new CaseInsensitiveMap()
 
-    // have to set the internal package ref before assigning the parent,
-    // because this.package is read when adding to inventory
-    this[_package] = pkg && typeof pkg === 'object' ? pkg : {}
-
     if (overrides) {
       this.overrides = overrides
     } else if (loadOverrides) {
-      const overrides = this[_package].overrides || {}
+      const overrides = this.package.overrides || {}
       if (Object.keys(overrides).length > 0) {
         this.overrides = new OverrideSet({
-          overrides: this[_package].overrides,
+          overrides: this.package.overrides,
         })
       }
     }
@@ -243,7 +248,7 @@ class Node {
     this.fsParent = fsParent || null
 
     // see parent/root setters below.
-    // root is set to parent's root if we have a parent, otherwise if it's
+    // root is set to parent's root if we have a parent; otherwise, if it's
     // null, then it's set to the node itself.
     if (!parent && !fsParent) {
       this.root = root || null
@@ -314,7 +319,7 @@ class Node {
     }
 
     return getBinPaths({
-      pkg: this[_package],
+      pkg: this.package,
       path: this.path,
       global: this.global,
       top: this.globalTop,
@@ -328,11 +333,11 @@ class Node {
   }
 
   get version () {
-    return this[_package].version || ''
+    return this.package.version || ''
   }
 
   get packageName () {
-    return this[_package].name || null
+    return this.package.name || null
   }
 
   get pkgid () {
@@ -490,6 +495,18 @@ class Node {
   }
 
   shouldOmit (omitSet) {
+    if (!omitSet.size) {
+      return false
+    }
+
+    const { top } = this
+
+    // if the top is not the root or workspace then we do not want to omit it
+    if (!top.isProjectRoot && !top.isWorkspace) {
+      return false
+    }
+
+    // omit node if the dep type matches any omit flags that were set
     return (
       this.peer && omitSet.has('peer') ||
       this.dev && omitSet.has('dev') ||
@@ -815,7 +832,7 @@ class Node {
         edge.reload()
       }
     }
-    // reload all edgesOut where root doens't match, or is missing, since
+    // reload all edgesOut where root doesn't match, or is missing, since
     // it might not be missing in the new tree
     for (const edge of this.edgesOut.values()) {
       if (!edge.to || edge.to.root !== root) {
@@ -1251,7 +1268,7 @@ class Node {
   // with another by the same name (eg, to update or dedupe).
   // This does a couple of walks out on the node_modules tree, recursing
   // into child nodes.  However, as setting the parent is typically done
-  // with nodes that don't have have many children, and (deduped) package
+  // with nodes that don't have many children, and (deduped) package
   // trees tend to be broad rather than deep, it's not that bad.
   // The only walk that starts from the parent rather than this node is
   // limited by edge name.
@@ -1395,7 +1412,7 @@ class Node {
   }
 
   recalculateOutEdgesOverrides () {
-    // For each edge out propogate the new overrides through.
+    // For each edge out propagate the new overrides through.
     for (const edge of this.edgesOut.values()) {
       edge.reload(true)
       if (edge.to) {

package/lib/optional-set.js

@@ -29,10 +29,8 @@ const optionalSet = node => {
   }
 
   // now that we've hit the boundary, gather the rest of the nodes in
-  // the optional section.  that's the set of dependencies that are only
-  // depended upon by other nodes within the set, or optional dependencies
-  // from outside the set.
-  return gatherDepSet(set, edge => !edge.optional)
+  // the optional section that don't have dependents outside the set.
+  return gatherDepSet(set, edge => !set.has(edge.to))
 }
 
 module.exports = optionalSet

package/lib/packument-cache.js

@@ -30,7 +30,7 @@ class PackumentCache extends LRUCache {
       maxSize,
       maxEntrySize,
       sizeCalculation: (p) => {
-        // Don't cache if we dont know the size
+        // Don't cache if we don't know the size
         // Some versions of pacote set this to `0`, newer versions set it to `null`
         if (!p[sizeKey]) {
           return maxEntrySize + 1

package/lib/place-dep.js

@@ -203,7 +203,7 @@ class PlaceDep {
         this.warnPeerConflict()
       }
 
-      // if we get a KEEP in a update scenario, then we MAY have something
+      // if we get a KEEP in an update scenario, then we MAY have something
       // already duplicating this unnecessarily!  For example:
       // ```
       // root (dep: y@1)
@@ -317,7 +317,7 @@ class PlaceDep {
         force: this.force,
         installLinks: this.installLinks,
         installStrategy: this.installStrategy,
-        legacyPeerDeps: this.legaycPeerDeps,
+        legacyPeerDeps: this.legacyPeerDeps,
         preferDedupe: this.preferDedupe,
         strictPeerDeps: this.strictPeerDeps,
         updateNames: this.updateName,
@@ -421,7 +421,7 @@ class PlaceDep {
   // prune all the nodes in a branch of the tree that can be safely removed
   // This is only the most basic duplication detection; it finds if there
   // is another satisfying node further up the tree, and if so, dedupes.
-  // Even in installStategy is nested, we do this amount of deduplication.
+  // Even if installStrategy is nested, we do this amount of deduplication.
   pruneDedupable (node, descend = true) {
     if (node.canDedupe(this.preferDedupe, this.explicitRequest)) {
       // gather up all deps that have no valid edges in from outside

package/lib/query-selector-all.js

@@ -785,7 +785,7 @@ const hasParent = (node, compareNodes) => {
       compareNode = compareNode.target
     }
 
-    // follows logical parent for link anscestors
+    // follows logical parent for link ancestors
     if (node.isTop && (node.resolveParent === compareNode)) {
       return true
     }

package/lib/shrinkwrap.js

@@ -109,7 +109,6 @@ const nodeMetaKeys = [
   'inBundle',
   'hasShrinkwrap',
   'hasInstallScript',
-  'ideallyInert',
 ]
 
 const metaFieldFromPkg = (pkg, key) => {
@@ -136,10 +135,6 @@ const assertNoNewer = async (path, data, lockTime, dir, seen) => {
 
   const parent = isParent ? dir : resolve(dir, 'node_modules')
   const rel = relpath(path, dir)
-  const inert = data.packages[rel]?.ideallyInert
-  if (inert) {
-    return
-  }
   seen.add(rel)
   let entries
   if (dir === path) {
@@ -178,7 +173,7 @@ const assertNoNewer = async (path, data, lockTime, dir, seen) => {
 
   // assert that all the entries in the lockfile were seen
   for (const loc in data.packages) {
-    if (!seen.has(loc) && !data.packages[loc].ideallyInert) {
+    if (!seen.has(loc)) {
       throw new Error(`missing from node_modules: ${loc}`)
     }
   }
@@ -436,7 +431,7 @@ class Shrinkwrap {
       const [sw, lock, yarn] = await this.loadFiles
       data = sw || lock || '{}'
 
-      // use shrinkwrap only for deps, otherwise prefer package-lock
+      // use shrinkwrap only for deps; otherwise, prefer package-lock
       // and ignore npm-shrinkwrap if both are present.
       // TODO: emit a warning here or something if both are present.
       if (this.hiddenLockfile) {
@@ -788,10 +783,6 @@ class Shrinkwrap {
       // ok, I did my best!  good luck!
     }
 
-    if (lock.ideallyInert) {
-      meta.ideallyInert = true
-    }
-
     if (lock.bundled) {
       meta.inBundle = true
     }
@@ -962,12 +953,6 @@ class Shrinkwrap {
       this.#buildLegacyLockfile(this.tree, this.data)
     }
 
-    if (!this.hiddenLockfile) {
-      for (const node of Object.values(this.data.packages)) {
-        delete node.ideallyInert
-      }
-    }
-
     // lf version 1 = dependencies only
     // lf version 2 = dependencies and packages
     // lf version 3 = packages only
@@ -993,7 +978,7 @@ class Shrinkwrap {
 
     // npm v6 and before tracked 'from', meaning "the request that led
     // to this package being installed".  However, that's inherently
-    // racey and non-deterministic in a world where deps are deduped
+    // racy and non-deterministic in a world where deps are deduped
     // ahead of fetch time.  In order to maintain backwards compatibility
     // with v6 in the lockfile, we do this trick where we pick a valid
     // dep link out of the edgesIn set.  Choose the edge with the fewest

package/package.json

@@ -1,38 +1,37 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.1.4",
+  "version": "9.1.6",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
     "@npmcli/fs": "^4.0.0",
     "@npmcli/installed-package-contents": "^3.0.0",
-    "@npmcli/map-workspaces": "^4.0.1",
-    "@npmcli/metavuln-calculator": "^9.0.0",
+    "@npmcli/map-workspaces": "^5.0.0",
+    "@npmcli/metavuln-calculator": "^9.0.2",
     "@npmcli/name-from-folder": "^3.0.0",
     "@npmcli/node-gyp": "^4.0.0",
-    "@npmcli/package-json": "^6.0.1",
+    "@npmcli/package-json": "^7.0.0",
     "@npmcli/query": "^4.0.0",
     "@npmcli/redact": "^3.0.0",
-    "@npmcli/run-script": "^9.0.1",
+    "@npmcli/run-script": "^10.0.0",
     "bin-links": "^5.0.0",
-    "cacache": "^19.0.1",
+    "cacache": "^20.0.1",
     "common-ancestor-path": "^1.0.1",
-    "hosted-git-info": "^8.0.0",
+    "hosted-git-info": "^9.0.0",
     "json-stringify-nice": "^1.1.4",
-    "lru-cache": "^10.2.2",
-    "minimatch": "^9.0.4",
+    "lru-cache": "^11.2.1",
+    "minimatch": "^10.0.3",
     "nopt": "^8.0.0",
     "npm-install-checks": "^7.1.0",
-    "npm-package-arg": "^12.0.0",
-    "npm-pick-manifest": "^10.0.0",
-    "npm-registry-fetch": "^18.0.1",
-    "pacote": "^21.0.0",
+    "npm-package-arg": "^13.0.0",
+    "npm-pick-manifest": "^11.0.1",
+    "npm-registry-fetch": "^19.0.0",
+    "pacote": "^21.0.2",
     "parse-conflict-json": "^4.0.0",
     "proc-log": "^5.0.0",
     "proggy": "^3.0.0",
     "promise-all-reject-late": "^1.0.0",
     "promise-call-limit": "^3.0.1",
-    "read-package-json-fast": "^4.0.0",
     "semver": "^7.3.7",
     "ssri": "^12.0.0",
     "treeverse": "^3.0.0",
@@ -41,7 +40,7 @@
   "devDependencies": {
     "@npmcli/eslint-config": "^5.0.1",
     "@npmcli/mock-registry": "^1.0.0",
-    "@npmcli/template-oss": "4.24.4",
+    "@npmcli/template-oss": "4.25.1",
     "benchmark": "^2.1.4",
     "minify-registry-metadata": "^4.0.0",
     "nock": "^13.3.3",
@@ -93,7 +92,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.24.4",
+    "version": "4.25.1",
     "content": "../../scripts/template-oss/index.js"
   }
 }