@npmcli/arborist 9.1.5 → 9.1.7

package/lib/optional-set.js

@@ -10,10 +10,6 @@
 
 const gatherDepSet = require('./gather-dep-set.js')
 const optionalSet = node => {
-  if (!node.optional) {
-    return new Set()
-  }
-
   // start with the node, then walk up the dependency graph until we
   // get to the boundaries that define the optional set.  since the
   // node is optional, we know that all paths INTO this area of the
@@ -29,10 +25,8 @@ const optionalSet = node => {
   }
 
   // now that we've hit the boundary, gather the rest of the nodes in
-  // the optional section.  that's the set of dependencies that are only
-  // depended upon by other nodes within the set, or optional dependencies
-  // from outside the set.
-  return gatherDepSet(set, edge => !edge.optional)
+  // the optional section that don't have dependents outside the set.
+  return gatherDepSet(set, edge => !set.has(edge.to))
 }
 
 module.exports = optionalSet

package/lib/override-set.js

@@ -201,8 +201,82 @@ class OverrideSet {
 
   static doOverrideSetsConflict (first, second) {
     // If override sets contain one another then we can try to use the more specific one.
-    // If neither one is more specific, then we consider them to be in conflict.
-    return (this.findSpecificOverrideSet(first, second) === undefined)
+    // If neither one is more specific, check for semantic conflicts.
+    const specificSet = this.findSpecificOverrideSet(first, second)
+    if (specificSet !== undefined) {
+      // One contains the other, so no conflict
+      return false
+    }
+
+    // The override sets are structurally incomparable, but this doesn't necessarily
+    // mean they conflict. We need to check if they have conflicting version requirements
+    // for any package that appears in both rulesets.
+    return this.haveConflictingRules(first, second)
+  }
+
+  static haveConflictingRules (first, second) {
+    // Get all rules from both override sets
+    const firstRules = first.ruleset
+    const secondRules = second.ruleset
+
+    // Check each package that appears in both rulesets
+    for (const [key, firstRule] of firstRules) {
+      const secondRule = secondRules.get(key)
+      if (!secondRule) {
+        // Package only appears in one ruleset, no conflict
+        continue
+      }
+
+      // Same rule object means no conflict
+      if (firstRule === secondRule || firstRule.isEqual(secondRule)) {
+        continue
+      }
+
+      // Both rulesets have rules for this package with different values.
+      // Check if the version requirements are actually incompatible.
+      const firstValue = firstRule.value
+      const secondValue = secondRule.value
+
+      // If either value is a reference (starts with $), we can't determine
+      // compatibility here - the reference might resolve to compatible versions.
+      // We defer to runtime resolution rather than failing early.
+      if (firstValue.startsWith('$') || secondValue.startsWith('$')) {
+        continue
+      }
+
+      // Check if the version ranges are compatible using semver
+      // If both specify version ranges, they conflict only if they have no overlap
+      try {
+        const firstSpec = npa(`${firstRule.name}@${firstValue}`)
+        const secondSpec = npa(`${secondRule.name}@${secondValue}`)
+
+        // For range/version types, check if they intersect
+        if ((firstSpec.type === 'range' || firstSpec.type === 'version') &&
+            (secondSpec.type === 'range' || secondSpec.type === 'version')) {
+          // Check if the ranges intersect
+          const firstRange = firstSpec.fetchSpec
+          const secondRange = secondSpec.fetchSpec
+
+          // If the ranges don't intersect, we have a real conflict
+          if (!semver.intersects(firstRange, secondRange)) {
+            log.silly('Found conflicting override rules', {
+              package: firstRule.name,
+              first: firstValue,
+              second: secondValue,
+            })
+            return true
+          }
+        }
+        // For other types (git, file, directory, tag), we can't easily determine
+        // compatibility, so we conservatively assume no conflict
+      } catch {
+        // If we can't parse the specs, conservatively assume no conflict
+        // Real conflicts will be caught during dependency resolution
+      }
+    }
+
+    // No conflicting rules found
+    return false
   }
 }
 

package/lib/packument-cache.js

@@ -30,7 +30,7 @@ class PackumentCache extends LRUCache {
       maxSize,
       maxEntrySize,
       sizeCalculation: (p) => {
-        // Don't cache if we dont know the size
+        // Don't cache if we don't know the size
         // Some versions of pacote set this to `0`, newer versions set it to `null`
         if (!p[sizeKey]) {
           return maxEntrySize + 1

package/lib/place-dep.js

@@ -203,7 +203,7 @@ class PlaceDep {
         this.warnPeerConflict()
       }
 
-      // if we get a KEEP in a update scenario, then we MAY have something
+      // if we get a KEEP in an update scenario, then we MAY have something
       // already duplicating this unnecessarily!  For example:
       // ```
       // root (dep: y@1)
@@ -317,7 +317,7 @@ class PlaceDep {
         force: this.force,
         installLinks: this.installLinks,
         installStrategy: this.installStrategy,
-        legacyPeerDeps: this.legaycPeerDeps,
+        legacyPeerDeps: this.legacyPeerDeps,
         preferDedupe: this.preferDedupe,
         strictPeerDeps: this.strictPeerDeps,
         updateNames: this.updateName,
@@ -421,7 +421,7 @@ class PlaceDep {
   // prune all the nodes in a branch of the tree that can be safely removed
   // This is only the most basic duplication detection; it finds if there
   // is another satisfying node further up the tree, and if so, dedupes.
-  // Even in installStategy is nested, we do this amount of deduplication.
+  // Even if installStrategy is nested, we do this amount of deduplication.
   pruneDedupable (node, descend = true) {
     if (node.canDedupe(this.preferDedupe, this.explicitRequest)) {
       // gather up all deps that have no valid edges in from outside

package/lib/query-selector-all.js

@@ -785,7 +785,7 @@ const hasParent = (node, compareNodes) => {
       compareNode = compareNode.target
     }
 
-    // follows logical parent for link anscestors
+    // follows logical parent for link ancestors
     if (node.isTop && (node.resolveParent === compareNode)) {
       return true
     }

package/lib/reset-dep-flags.js

@@ -6,10 +6,6 @@
 // we can find the set that is actually extraneous.
 module.exports = tree => {
   for (const node of tree.inventory.values()) {
-    node.extraneous = true
-    node.dev = true
-    node.devOptional = true
-    node.peer = true
-    node.optional = true
+    node.resetDepFlags()
   }
 }

package/lib/shrinkwrap.js

@@ -109,7 +109,6 @@ const nodeMetaKeys = [
   'inBundle',
   'hasShrinkwrap',
   'hasInstallScript',
-  'ideallyInert',
 ]
 
 const metaFieldFromPkg = (pkg, key) => {
@@ -136,10 +135,6 @@ const assertNoNewer = async (path, data, lockTime, dir, seen) => {
 
   const parent = isParent ? dir : resolve(dir, 'node_modules')
   const rel = relpath(path, dir)
-  const inert = data.packages[rel]?.ideallyInert
-  if (inert) {
-    return
-  }
   seen.add(rel)
   let entries
   if (dir === path) {
@@ -178,7 +173,7 @@ const assertNoNewer = async (path, data, lockTime, dir, seen) => {
 
   // assert that all the entries in the lockfile were seen
   for (const loc in data.packages) {
-    if (!seen.has(loc) && !data.packages[loc].ideallyInert) {
+    if (!seen.has(loc)) {
       throw new Error(`missing from node_modules: ${loc}`)
     }
   }
@@ -436,7 +431,7 @@ class Shrinkwrap {
       const [sw, lock, yarn] = await this.loadFiles
       data = sw || lock || '{}'
 
-      // use shrinkwrap only for deps, otherwise prefer package-lock
+      // use shrinkwrap only for deps; otherwise, prefer package-lock
       // and ignore npm-shrinkwrap if both are present.
       // TODO: emit a warning here or something if both are present.
       if (this.hiddenLockfile) {
@@ -788,10 +783,6 @@ class Shrinkwrap {
       // ok, I did my best!  good luck!
     }
 
-    if (lock.ideallyInert) {
-      meta.ideallyInert = true
-    }
-
     if (lock.bundled) {
       meta.inBundle = true
     }
@@ -962,12 +953,6 @@ class Shrinkwrap {
       this.#buildLegacyLockfile(this.tree, this.data)
     }
 
-    if (!this.hiddenLockfile) {
-      for (const node of Object.values(this.data.packages)) {
-        delete node.ideallyInert
-      }
-    }
-
     // lf version 1 = dependencies only
     // lf version 2 = dependencies and packages
     // lf version 3 = packages only
@@ -993,7 +978,7 @@ class Shrinkwrap {
 
     // npm v6 and before tracked 'from', meaning "the request that led
     // to this package being installed".  However, that's inherently
-    // racey and non-deterministic in a world where deps are deduped
+    // racy and non-deterministic in a world where deps are deduped
     // ahead of fetch time.  In order to maintain backwards compatibility
     // with v6 in the lockfile, we do this trick where we pick a valid
     // dep link out of the edgesIn set.  Choose the edge with the fewest

package/package.json

@@ -1,20 +1,20 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.1.5",
+  "version": "9.1.7",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
     "@npmcli/fs": "^4.0.0",
-    "@npmcli/installed-package-contents": "^3.0.0",
+    "@npmcli/installed-package-contents": "^4.0.0",
     "@npmcli/map-workspaces": "^5.0.0",
     "@npmcli/metavuln-calculator": "^9.0.2",
-    "@npmcli/name-from-folder": "^3.0.0",
-    "@npmcli/node-gyp": "^4.0.0",
+    "@npmcli/name-from-folder": "^4.0.0",
+    "@npmcli/node-gyp": "^5.0.0",
     "@npmcli/package-json": "^7.0.0",
     "@npmcli/query": "^4.0.0",
-    "@npmcli/redact": "^3.0.0",
+    "@npmcli/redact": "^4.0.0",
     "@npmcli/run-script": "^10.0.0",
-    "bin-links": "^5.0.0",
+    "bin-links": "^6.0.0",
     "cacache": "^20.0.1",
     "common-ancestor-path": "^1.0.1",
     "hosted-git-info": "^9.0.0",
@@ -22,18 +22,18 @@
     "lru-cache": "^11.2.1",
     "minimatch": "^10.0.3",
     "nopt": "^8.0.0",
-    "npm-install-checks": "^7.1.0",
+    "npm-install-checks": "^8.0.0",
     "npm-package-arg": "^13.0.0",
     "npm-pick-manifest": "^11.0.1",
     "npm-registry-fetch": "^19.0.0",
     "pacote": "^21.0.2",
-    "parse-conflict-json": "^4.0.0",
-    "proc-log": "^5.0.0",
+    "parse-conflict-json": "^5.0.1",
+    "proc-log": "^6.0.0",
     "proggy": "^3.0.0",
     "promise-all-reject-late": "^1.0.0",
     "promise-call-limit": "^3.0.1",
     "semver": "^7.3.7",
-    "ssri": "^12.0.0",
+    "ssri": "^13.0.0",
     "treeverse": "^3.0.0",
     "walk-up-path": "^4.0.0"
   },