@npmcli/arborist 9.1.6 → 9.1.7

package/lib/arborist/build-ideal-tree.js

@@ -42,7 +42,6 @@ const _flagsSuspect = Symbol.for('flagsSuspect')
 const _setWorkspaces = Symbol.for('setWorkspaces')
 const _updateNames = Symbol.for('updateNames')
 const _resolvedAdd = Symbol.for('resolvedAdd')
-const _usePackageLock = Symbol.for('usePackageLock')
 const _rpcache = Symbol.for('realpathCache')
 const _stcache = Symbol.for('statCache')
 
@@ -101,39 +100,28 @@ module.exports = cls => class IdealTreeBuilder extends cls {
   constructor (options) {
     super(options)
 
-    // normalize trailing slash
-    const registry = options.registry || 'https://registry.npmjs.org'
-    options.registry = this.registry = registry.replace(/\/+$/, '') + '/'
-
     const {
       follow = false,
       installStrategy = 'hoisted',
-      idealTree = null,
-      installLinks = false,
-      legacyPeerDeps = false,
-      packageLock = true,
       strictPeerDeps = false,
-      workspaces,
       global,
     } = options
 
     this.#strictPeerDeps = !!strictPeerDeps
 
-    this.idealTree = idealTree
-    this.installLinks = installLinks
-    this.legacyPeerDeps = legacyPeerDeps
-
-    this[_usePackageLock] = packageLock
     this.#installStrategy = global ? 'shallow' : installStrategy
     this.#follow = !!follow
 
-    if (workspaces?.length && global) {
-      throw new Error('Cannot operate on workspaces in global mode')
-    }
-
     this[_updateAll] = false
     this[_updateNames] = []
     this[_resolvedAdd] = []
+
+    // caches for cached realpath calls
+    const cwd = process.cwd()
+    // assume that the cwd is real enough for our purposes
+    this[_rpcache] = new Map([[cwd, cwd]])
+    this[_stcache] = new Map()
+    this[_flagsSuspect] = false
   }
 
   get explicitRequests () {
@@ -298,7 +286,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
       .then(root => {
         if (this.options.global) {
           return root
-        } else if (!this[_usePackageLock] || this[_updateAll]) {
+        } else if (!this.options.usePackageLock || this[_updateAll]) {
           return Shrinkwrap.reset({
             path: this.path,
             lockfileVersion: this.options.lockfileVersion,
@@ -351,7 +339,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
           filter: node => node,
           visit: node => {
             for (const edge of node.edgesOut.values()) {
-              if (!edge.to || !edge.valid) {
+              if ((!edge.to && edge.type !== 'peerOptional') || !edge.valid) {
                 this.#depsQueue.push(node)
                 break // no need to continue the loop after the first hit
               }
@@ -754,6 +742,7 @@ This is a one-time fix-up, please be patient...
 
     // have to re-calc dep flags, because the nodes don't have edges
     // until their packages get assigned, so everything looks extraneous
+    resetDepFlags(this.idealTree)
     calcDepFlags(this.idealTree)
 
     // yes, yes, this isn't the "original" version, but now that it's been
@@ -1230,7 +1219,7 @@ This is a one-time fix-up, please be patient...
     }
   }
 
-  #nodeFromSpec (name, spec, parent, edge) {
+  async #nodeFromSpec (name, spec, parent, edge) {
     // pacote will slap integrity on its options, so we have to clone
     // the object so it doesn't get mutated.
     // Don't bother to load the manifest for link deps, because the target
@@ -1259,7 +1248,13 @@ This is a one-time fix-up, please be patient...
     // Decide whether to link or copy the dependency
     const shouldLink = (isWorkspace || isProjectInternalFileSpec || !installLinks) && !isTransitiveFileDep
     if (spec.type === 'directory' && shouldLink) {
-      return this.#linkFromSpec(name, spec, parent, edge)
+      const realpath = spec.fetchSpec
+      const { content: pkg } = await PackageJson.normalize(realpath).catch(() => {
+        return { content: {} }
+      })
+      const link = new Link({ name, parent, realpath, pkg, installLinks, legacyPeerDeps })
+      this.#linkNodes.add(link)
+      return link
     }
 
     // if the spec matches a workspace name, then see if the workspace node will satisfy the edge. if it does, we return the workspace node to make sure it takes priority.
@@ -1300,17 +1295,6 @@ This is a one-time fix-up, please be patient...
       })
   }
 
-  async #linkFromSpec (name, spec, parent) {
-    const realpath = spec.fetchSpec
-    const { installLinks, legacyPeerDeps } = this
-    const { content: pkg } = await PackageJson.normalize(realpath).catch(() => {
-      return { content: {} }
-    })
-    const link = new Link({ name, parent, realpath, pkg, installLinks, legacyPeerDeps })
-    this.#linkNodes.add(link)
-    return link
-  }
-
   // load all peer deps and meta-peer deps into the node's parent
   // At the end of this, the node's peer-type outward edges are all
   // resolved, and so are all of theirs, but other dep types are not.
@@ -1445,6 +1429,7 @@ This is a one-time fix-up, please be patient...
   //   and add it to the _depsQueue
   //
   // call buildDepStep if anything was added to the queue; otherwise, we're done
+  // XXX load-virtual also has a #resolveLinks, is there overlap?
   #resolveLinks () {
     for (const link of this.#linkNodes) {
       this.#linkNodes.delete(link)
@@ -1508,11 +1493,7 @@ This is a one-time fix-up, please be patient...
     } else {
       // otherwise just unset all the flags on the root node
       // since they will sometimes have the default value
-      this.idealTree.extraneous = false
-      this.idealTree.dev = false
-      this.idealTree.optional = false
-      this.idealTree.devOptional = false
-      this.idealTree.peer = false
+      this.idealTree.unsetDepFlags()
     }
 
     // at this point, any node marked as extraneous should be pruned.
@@ -1555,12 +1536,7 @@ This is a one-time fix-up, please be patient...
 
   #idealTreePrune () {
     for (const node of this.idealTree.inventory.values()) {
-      // optional peer dependencies are meant to be added to the tree
-      // through an explicit required dependency (most commonly in the
-      // root package.json), at which point they won't be optional so
-      // any dependencies still marked as both optional and peer at
-      // this point can be pruned as a special kind of extraneous
-      if (node.extraneous || (node.peer && node.optional)) {
+      if (node.extraneous) {
         node.parent = null
       }
     }

package/lib/arborist/index.js

@@ -68,6 +68,34 @@ class Arborist extends Base {
   constructor (options = {}) {
     const timeEnd = time.start('arborist:ctor')
     super(options)
+
+    // normalize trailing slash
+    const registry = options.registry || 'https://registry.npmjs.org'
+    options.registry = this.registry = registry.replace(/(?<!\/)\/+$/, '') + '/'
+
+    // TODO as we consolidate constructors it's more apparent that we are not parsing options and using this.options consistently
+    const {
+      actualTree,
+      global,
+      idealTree = null,
+      installLinks = false,
+      legacyPeerDeps = false,
+      virtualTree,
+      workspaces,
+    } = options
+
+    if (workspaces?.length && global) {
+      throw new Error('Cannot operate on workspaces in global mode')
+    }
+
+    // the tree of nodes on disk
+    this.actualTree = actualTree
+    this.idealTree = idealTree
+    this.installLinks = installLinks
+    this.legacyPeerDeps = legacyPeerDeps
+    // the virtual tree we load from a shrinkwrap
+    this.virtualTree = virtualTree
+
     this.options = {
       nodeVersion: process.version,
       ...options,
@@ -88,6 +116,7 @@ class Arborist extends Base {
       replaceRegistryHost: options.replaceRegistryHost,
       savePrefix: 'savePrefix' in options ? options.savePrefix : '^',
       scriptShell: options.scriptShell,
+      usePackageLock: 'packageLock' in options ? options.packageLock : true,
       workspaces: options.workspaces || [],
       workspacesEnabled: options.workspacesEnabled !== false,
     }
@@ -104,6 +133,7 @@ class Arborist extends Base {
     this.cache = resolve(this.options.cache)
     this.diff = null
     this.path = resolve(this.options.path)
+    this.scriptsRun = new Set()
     timeEnd()
   }
 

package/lib/arborist/isolated-reifier.js

@@ -1,6 +1,5 @@
 const _makeIdealGraph = Symbol('makeIdealGraph')
 const _createIsolatedTree = Symbol.for('createIsolatedTree')
-const _createBundledTree = Symbol('createBundledTree')
 const { mkdirSync } = require('node:fs')
 const pacote = require('pacote')
 const { join } = require('node:path')
@@ -162,7 +161,7 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.hasInstallScript = node.hasInstallScript
   }
 
-  async [_createBundledTree] () {
+  async #createBundledTree () {
     // TODO: make sure that idealTree object exists
     const idealTree = this.idealTree
     // TODO: test workspaces having bundled deps
@@ -217,7 +216,7 @@ module.exports = cls => class IsolatedReifier extends cls {
 
     const proxiedIdealTree = this.idealGraph
 
-    const bundledTree = await this[_createBundledTree]()
+    const bundledTree = await this.#createBundledTree()
 
     const treeHash = (startNode) => {
       // generate short hash based on the dependency tree

package/lib/arborist/load-actual.js

@@ -41,19 +41,6 @@ module.exports = cls => class ActualLoader extends cls {
   #topNodes = new Set()
   #transplantFilter
 
-  constructor (options) {
-    super(options)
-
-    // the tree of nodes on disk
-    this.actualTree = options.actualTree
-
-    // caches for cached realpath calls
-    const cwd = process.cwd()
-    // assume that the cwd is real enough for our purposes
-    this[_rpcache] = new Map([[cwd, cwd]])
-    this[_stcache] = new Map()
-  }
-
   // public method
   // TODO remove options param in next semver major
   async loadActual (options = {}) {

package/lib/arborist/load-virtual.js

@@ -18,14 +18,6 @@ const setWorkspaces = Symbol.for('setWorkspaces')
 module.exports = cls => class VirtualLoader extends cls {
   #rootOptionProvided
 
-  constructor (options) {
-    super(options)
-
-    // the virtual tree we load from a shrinkwrap
-    this.virtualTree = options.virtualTree
-    this[flagsSuspect] = false
-  }
-
   // public method
   async loadVirtual (options = {}) {
     if (this.virtualTree) {
@@ -69,11 +61,7 @@ module.exports = cls => class VirtualLoader extends cls {
     if (!this.#rootOptionProvided) {
       // root is never any of these things, but might be a brand new
       // baby Node object that never had its dep flags calculated.
-      root.extraneous = false
-      root.dev = false
-      root.optional = false
-      root.devOptional = false
-      root.peer = false
+      root.unsetDepFlags()
     } else {
       this[flagsSuspect] = true
     }
@@ -81,7 +69,21 @@ module.exports = cls => class VirtualLoader extends cls {
     this.#checkRootEdges(s, root)
     root.meta = s
     this.virtualTree = root
-    const { links, nodes } = this.#resolveNodes(s, root)
+    // separate out link metadata, and create Node objects for nodes
+    const links = new Map()
+    const nodes = new Map([['', root]])
+    for (const [location, meta] of Object.entries(s.data.packages)) {
+      // skip the root because we already got it
+      if (!location) {
+        continue
+      }
+
+      if (meta.link) {
+        links.set(location, meta)
+      } else {
+        nodes.set(location, this.#loadNode(location, meta))
+      }
+    }
     await this.#resolveLinks(links, nodes)
     if (!(s.originalLockfileVersion >= 2)) {
       this.#assignBundles(nodes)
@@ -93,11 +95,7 @@ module.exports = cls => class VirtualLoader extends cls {
         if (node.isRoot || node === this.#rootOptionProvided) {
           continue
         }
-        node.extraneous = true
-        node.dev = true
-        node.optional = true
-        node.devOptional = true
-        node.peer = true
+        node.resetDepFlags()
       }
       calcDepFlags(this.virtualTree, !this.#rootOptionProvided)
     }
@@ -168,27 +166,9 @@ module.exports = cls => class VirtualLoader extends cls {
     }
   }
 
-  // separate out link metadata, and create Node objects for nodes
-  #resolveNodes (s, root) {
-    const links = new Map()
-    const nodes = new Map([['', root]])
-    for (const [location, meta] of Object.entries(s.data.packages)) {
-      // skip the root because we already got it
-      if (!location) {
-        continue
-      }
-
-      if (meta.link) {
-        links.set(location, meta)
-      } else {
-        nodes.set(location, this.#loadNode(location, meta))
-      }
-    }
-    return { links, nodes }
-  }
-
   // links is the set of metadata, and nodes is the map of non-Link nodes
   // Set the targets to nodes in the set, if we have them (we might not)
+  // XXX build-ideal-tree also has a #resolveLinks, is there overlap?
   async #resolveLinks (links, nodes) {
     for (const [location, meta] of links.entries()) {
       const targetPath = resolve(this.path, meta.resolved)
@@ -255,11 +235,6 @@ To fix:
       sw.name = nameFromFolder(path)
     }
 
-    const dev = sw.dev
-    const optional = sw.optional
-    const devOptional = dev || optional || sw.devOptional
-    const peer = sw.peer
-
     const node = new Node({
       installLinks: this.installLinks,
       legacyPeerDeps: this.legacyPeerDeps,
@@ -270,18 +245,15 @@ To fix:
       resolved: consistentResolve(sw.resolved, this.path, path),
       pkg: sw,
       hasShrinkwrap: sw.hasShrinkwrap,
-      dev,
-      optional,
-      devOptional,
-      peer,
       loadOverrides,
+      // cast to boolean because they're undefined in the lock file when false
+      extraneous: !!sw.extraneous,
+      devOptional: !!(sw.devOptional || sw.dev || sw.optional),
+      peer: !!sw.peer,
+      optional: !!sw.optional,
+      dev: !!sw.dev,
     })
-    // cast to boolean because they're undefined in the lock file when false
-    node.extraneous = !!sw.extraneous
-    node.devOptional = !!(sw.devOptional || sw.dev || sw.optional)
-    node.peer = !!sw.peer
-    node.optional = !!sw.optional
-    node.dev = !!sw.dev
+
     return node
   }
 

package/lib/arborist/rebuild.js

@@ -24,13 +24,12 @@ const _trashList = Symbol.for('trashList')
 module.exports = cls => class Builder extends cls {
   #doHandleOptionalFailure
   #oldMeta = null
-  #queues
-
-  constructor (options) {
-    super(options)
-
-    this.scriptsRun = new Set()
-    this.#resetQueues()
+  #queues = {
+    preinstall: [],
+    install: [],
+    postinstall: [],
+    prepare: [],
+    bin: [],
   }
 
   async rebuild ({ nodes, handleOptionalFailure = false } = {}) {
@@ -62,7 +61,13 @@ module.exports = cls => class Builder extends cls {
 
     // build link deps
     if (linkNodes.size) {
-      this.#resetQueues()
+      this.#queues = {
+        preinstall: [],
+        install: [],
+        postinstall: [],
+        prepare: [],
+        bin: [],
+      }
       await this.#build(linkNodes, { type: 'links' })
     }
 
@@ -132,16 +137,6 @@ module.exports = cls => class Builder extends cls {
     }
   }
 
-  #resetQueues () {
-    this.#queues = {
-      preinstall: [],
-      install: [],
-      postinstall: [],
-      prepare: [],
-      bin: [],
-    }
-  }
-
   async #build (nodes, { type = 'deps' }) {
     const timeEnd = time.start(`build:${type}`)
 

package/lib/arborist/reify.js

@@ -57,11 +57,9 @@ const _rollbackRetireShallowNodes = Symbol.for('rollbackRetireShallowNodes')
 const _rollbackCreateSparseTree = Symbol.for('rollbackCreateSparseTree')
 const _rollbackMoveBackRetiredUnchanged = Symbol.for('rollbackMoveBackRetiredUnchanged')
 const _saveIdealTree = Symbol.for('saveIdealTree')
-const _reifyPackages = Symbol.for('reifyPackages')
 
 // defined by build-ideal-tree mixin
 const _resolvedAdd = Symbol.for('resolvedAdd')
-const _usePackageLock = Symbol.for('usePackageLock')
 // used by build-ideal-tree mixin
 const _addNodeToTrashList = Symbol.for('addNodeToTrashList')
 
@@ -70,12 +68,10 @@ const _createIsolatedTree = Symbol.for('createIsolatedTree')
 module.exports = cls => class Reifier extends cls {
   #bundleMissing = new Set() // child nodes we'd EXPECT to be included in a bundle, but aren't
   #bundleUnpacked = new Set() // the nodes we unpack to read their bundles
-  #dryRun
   #nmValidated = new Set()
   #omit
   #retiredPaths = {}
   #retiredUnchanged = {}
-  #savePrefix
   #shrinkwrapInflated = new Set()
   #sparseTreeDirs = new Set()
   #sparseTreeRoots = new Set()
@@ -122,7 +118,7 @@ module.exports = cls => class Reifier extends cls {
       this.idealTree = await this[_createIsolatedTree]()
     }
     await this[_diffTrees]()
-    await this[_reifyPackages]()
+    await this.#reifyPackages()
     if (linked) {
       // swap back in the idealTree
       // so that the lockfile is preserved
@@ -261,7 +257,7 @@ module.exports = cls => class Reifier extends cls {
     return treeCheck(this.actualTree)
   }
 
-  async [_reifyPackages] () {
+  async #reifyPackages () {
     // we don't submit the audit report or write to disk on dry runs
     if (this.options.dryRun) {
       return
@@ -817,9 +813,17 @@ module.exports = cls => class Reifier extends cls {
         // Make sure we don't double-include the path if it's already there
         const registryPath = registryURL.pathname.replace(/\/$/, '')
 
-        if (registryPath && registryPath !== '/' && !resolvedURL.pathname.startsWith(registryPath)) {
-          // Since hostname is changed, we need to ensure the registry path is included
-          resolvedURL.pathname = registryPath + resolvedURL.pathname
+        if (registryPath && registryPath !== '/') {
+          // Check if the resolved pathname already starts with the registry path
+          // We need to ensure it's a proper path prefix, not just a string prefix
+          // e.g., registry path '/npm' should not match '/npm-run-path'
+          const hasRegistryPath = resolvedURL.pathname === registryPath ||
+                                  resolvedURL.pathname.startsWith(registryPath + '/')
+
+          if (!hasRegistryPath) {
+            // Since hostname is changed, we need to ensure the registry path is included
+            resolvedURL.pathname = registryPath + resolvedURL.pathname
+          }
         }
 
         return resolvedURL.toString()
@@ -1496,7 +1500,7 @@ module.exports = cls => class Reifier extends cls {
 
     // before now edge specs could be changing, affecting the `requires` field
     // in the package lock, so we hold off saving to the very last action
-    if (this[_usePackageLock]) {
+    if (this.options.usePackageLock) {
       // preserve indentation, if possible
       let format = this.idealTree.package[Symbol.for('indent')]
       if (format === undefined) {

package/lib/calc-dep-flags.js

@@ -1,144 +1,102 @@
-const { depth } = require('treeverse')
-
+// Dep flag (dev, peer, etc.) calculation requires default or reset flags.
+// Flags are true by default and are unset to false as we walk deps.
+// We iterate outward edges looking for dep flags that can
+// be unset based on the current nodes flags and edge type.
+// Examples:
+// - a non-optional node with a non-optional edge out, the edge node should not be optional
+// - a non-peer node with a non-peer edge out, the edge node should not be peer
+// If a node is changed, we add to the queue and continue until no more changes.
+// Flags that remain after all this unsetting should be valid.
+// Examples:
+// - a node still flagged optional must only be reachable via optional edges
+// - a node still flagged peer must only be reachable via peer edges
 const calcDepFlags = (tree, resetRoot = true) => {
   if (resetRoot) {
-    tree.dev = false
-    tree.optional = false
-    tree.devOptional = false
-    tree.peer = false
+    tree.unsetDepFlags()
   }
-  const ret = depth({
-    tree,
-    visit: node => calcDepFlagsStep(node),
-    filter: node => node,
-    getChildren: (node, tree) =>
-      [...tree.edgesOut.values()].map(edge => edge.to),
-  })
-  return ret
-}
-
-const calcDepFlagsStep = (node) => {
-  // This rewalk is necessary to handle cases where devDep and optional
-  // or normal dependency graphs overlap deep in the dep graph.
-  // Since we're only walking through deps that are not already flagged
-  // as non-dev/non-optional, it's typically a very shallow traversal
-
-  node.extraneous = false
-  resetParents(node, 'extraneous')
-  resetParents(node, 'dev')
-  resetParents(node, 'peer')
-  resetParents(node, 'devOptional')
-  resetParents(node, 'optional')
-
-  // for links, map their hierarchy appropriately
-  if (node.isLink) {
-    // node.target can be null, we check to ensure it's not null before proceeding
-    if (node.target == null) {
-      return node
-    }
-    node.target.dev = node.dev
-    node.target.optional = node.optional
-    node.target.devOptional = node.devOptional
-    node.target.peer = node.peer
-    return calcDepFlagsStep(node.target)
-  }
-
-  node.edgesOut.forEach(({ peer, optional, dev, to }) => {
-    // if the dep is missing, then its flags are already maximally unset
-    if (!to) {
-      return
-    }
-    // everything with any kind of edge into it is not extraneous
-    to.extraneous = false
-
-    // If this is a peer edge, mark the target as peer
-    if (peer) {
-      to.peer = true
-    } else if (to.peer && !hasIncomingPeerEdge(to)) {
-      unsetFlag(to, 'peer')
-    }
 
-    // devOptional is the *overlap* of the dev and optional tree.
-    // however, for convenience and to save an extra rewalk, we leave
-    // it set when we are in *either* tree, and then omit it from the
-    // package-lock if either dev or optional are set.
-    const unsetDevOpt = !node.devOptional && !node.dev && !node.optional && !dev && !optional
+  const seen = new Set()
+  const queue = [tree]
 
-    // if we are not in the devOpt tree, then we're also not in
-    // either the dev or opt trees
-    const unsetDev = unsetDevOpt || !node.dev && !dev
-    const unsetOpt = unsetDevOpt || !node.optional && !optional
+  let node
+  while (node = queue.pop()) {
+    seen.add(node)
 
-    if (unsetDevOpt) {
-      unsetFlag(to, 'devOptional')
+    // Unset extraneous from all parents to avoid removal of children.
+    if (!node.extraneous) {
+      for (let n = node.resolveParent; n?.extraneous; n = n.resolveParent) {
+        n.extraneous = false
+      }
     }
 
-    if (unsetDev) {
-      unsetFlag(to, 'dev')
+    // for links, map their hierarchy appropriately
+    if (node.isLink) {
+      // node.target can be null, we check to ensure it's not null before proceeding
+      if (node.target == null) {
+        continue
+      }
+      node.target.dev = node.dev
+      node.target.optional = node.optional
+      node.target.devOptional = node.devOptional
+      node.target.peer = node.peer
+      node.target.extraneous = node.extraneous
+      queue.push(node.target)
+      continue
     }
 
-    if (unsetOpt) {
-      unsetFlag(to, 'optional')
-    }
-  })
-
-  return node
-}
-
-const hasIncomingPeerEdge = (node) => {
-  const target = node.isLink && node.target ? node.target : node
-  for (const edge of target.edgesIn) {
-    if (edge.type === 'peer') {
-      return true
+    for (const { peer, optional, dev, to } of node.edgesOut.values()) {
+      // if the dep is missing, then its flags are already maximally unset
+      if (!to) {
+        continue
+      }
+
+      let changed = false
+
+      // only optional peer dependencies should stay extraneous
+      if (to.extraneous && !node.extraneous && !(peer && optional)) {
+        to.extraneous = false
+        changed = true
+      }
+
+      if (to.dev && !node.dev && !dev) {
+        to.dev = false
+        changed = true
+      }
+
+      if (to.optional && !node.optional && !optional) {
+        to.optional = false
+        changed = true
+      }
+
+      // devOptional is the *overlap* of the dev and optional tree.
+      // A node may be depended on by separate dev and optional nodes.
+      // It SHOULD NOT be removed when pruning dev OR optional.
+      // It SHOULD be removed when pruning dev AND optional.
+      // We only unset here if a node is not dev AND not optional because
+      // if we did unset, it would prevent any overlap deeper in the tree.
+      // We correct this later by removing if dev OR optional is set.
+      if (to.devOptional && !node.devOptional && !node.dev && !node.optional && !dev && !optional) {
+        to.devOptional = false
+        changed = true
+      }
+
+      if (to.peer && !node.peer && !peer) {
+        to.peer = false
+        changed = true
+      }
+
+      if (changed) {
+        queue.push(to)
+      }
     }
   }
-  return false
-}
 
-const resetParents = (node, flag) => {
-  if (node[flag]) {
-    return
-  }
-
-  for (let p = node; p && (p === node || p[flag]); p = p.resolveParent) {
-    p[flag] = false
-  }
-}
-
-// typically a short walk, since it only traverses deps that have the flag set.
-const unsetFlag = (node, flag) => {
-  if (node[flag]) {
-    node[flag] = false
-    depth({
-      tree: node,
-      visit: node => {
-        node.extraneous = node[flag] = false
-        if (node.isLink && node.target) {
-          node.target.extraneous = node.target[flag] = false
-        }
-      },
-      getChildren: node => {
-        const children = []
-        const targetNode = node.isLink && node.target ? node.target : node
-        for (const edge of targetNode.edgesOut.values()) {
-          if (edge.to?.[flag]) {
-            // For the peer flag, only follow peer edges to unset the flag
-            // Don't propagate peer flag through prod/dev/optional edges
-            if (flag === 'peer') {
-              if (edge.type === 'peer') {
-                children.push(edge.to)
-              }
-            } else {
-              // For other flags, follow prod edges (and peer edges for non-peer flags)
-              if (edge.type === 'prod' || edge.type === 'peer') {
-                children.push(edge.to)
-              }
-            }
-          }
-        }
-        return children
-      },
-    })
+  // Remove incorrect devOptional flags now that we have walked all deps.
+  seen.delete(tree)
+  for (const node of seen.values()) {
+    if (node.devOptional && (node.dev || node.optional)) {
+      node.devOptional = false
+    }
   }
 }
 

package/lib/edge.js

@@ -276,9 +276,15 @@ class Edge {
       } else if (!this.satisfiedBy(this.#to)) {
         this.#error = 'INVALID'
       } else if (this.overrides && this.#to.edgesOut.size && OverrideSet.doOverrideSetsConflict(this.overrides, this.#to.overrides)) {
-        // Any inconsistency between the edge's override set and the target's override set is potentially problematic.
-        // But we only say the edge is in error if the override sets are plainly conflicting.
-        // Note that if the target doesn't have any dependencies of their own, then this inconsistency is irrelevant.
+        // Check for conflicts between the edge's override set and the target node's override set.
+        // This catches cases where different parts of the tree have genuinely incompatible
+        // version requirements for the same package.
+        // The improved conflict detection uses semantic comparison (checking for incompatible
+        // version ranges) rather than pure structural equality, avoiding false positives from:
+        // - Reference overrides ($syntax) that resolve to compatible versions
+        // - Peer dependencies with different but compatible override contexts
+        // Note: We only check if the target has dependencies (edgesOut.size > 0), since
+        // override conflicts are only relevant if the target has its own dependencies.
         this.#error = 'INVALID'
       } else {
         this.#error = 'OK'

package/lib/node.js

@@ -1613,6 +1613,22 @@ class Node {
   [util.inspect.custom] () {
     return this.toJSON()
   }
+
+  resetDepFlags () {
+    this.extraneous = true
+    this.dev = true
+    this.optional = true
+    this.devOptional = true
+    this.peer = true
+  }
+
+  unsetDepFlags () {
+    this.extraneous = false
+    this.dev = false
+    this.optional = false
+    this.devOptional = false
+    this.peer = false
+  }
 }
 
 module.exports = Node

package/lib/optional-set.js

@@ -10,10 +10,6 @@
 
 const gatherDepSet = require('./gather-dep-set.js')
 const optionalSet = node => {
-  if (!node.optional) {
-    return new Set()
-  }
-
   // start with the node, then walk up the dependency graph until we
   // get to the boundaries that define the optional set.  since the
   // node is optional, we know that all paths INTO this area of the

package/lib/override-set.js

@@ -201,8 +201,82 @@ class OverrideSet {
 
   static doOverrideSetsConflict (first, second) {
     // If override sets contain one another then we can try to use the more specific one.
-    // If neither one is more specific, then we consider them to be in conflict.
-    return (this.findSpecificOverrideSet(first, second) === undefined)
+    // If neither one is more specific, check for semantic conflicts.
+    const specificSet = this.findSpecificOverrideSet(first, second)
+    if (specificSet !== undefined) {
+      // One contains the other, so no conflict
+      return false
+    }
+
+    // The override sets are structurally incomparable, but this doesn't necessarily
+    // mean they conflict. We need to check if they have conflicting version requirements
+    // for any package that appears in both rulesets.
+    return this.haveConflictingRules(first, second)
+  }
+
+  static haveConflictingRules (first, second) {
+    // Get all rules from both override sets
+    const firstRules = first.ruleset
+    const secondRules = second.ruleset
+
+    // Check each package that appears in both rulesets
+    for (const [key, firstRule] of firstRules) {
+      const secondRule = secondRules.get(key)
+      if (!secondRule) {
+        // Package only appears in one ruleset, no conflict
+        continue
+      }
+
+      // Same rule object means no conflict
+      if (firstRule === secondRule || firstRule.isEqual(secondRule)) {
+        continue
+      }
+
+      // Both rulesets have rules for this package with different values.
+      // Check if the version requirements are actually incompatible.
+      const firstValue = firstRule.value
+      const secondValue = secondRule.value
+
+      // If either value is a reference (starts with $), we can't determine
+      // compatibility here - the reference might resolve to compatible versions.
+      // We defer to runtime resolution rather than failing early.
+      if (firstValue.startsWith('$') || secondValue.startsWith('$')) {
+        continue
+      }
+
+      // Check if the version ranges are compatible using semver
+      // If both specify version ranges, they conflict only if they have no overlap
+      try {
+        const firstSpec = npa(`${firstRule.name}@${firstValue}`)
+        const secondSpec = npa(`${secondRule.name}@${secondValue}`)
+
+        // For range/version types, check if they intersect
+        if ((firstSpec.type === 'range' || firstSpec.type === 'version') &&
+            (secondSpec.type === 'range' || secondSpec.type === 'version')) {
+          // Check if the ranges intersect
+          const firstRange = firstSpec.fetchSpec
+          const secondRange = secondSpec.fetchSpec
+
+          // If the ranges don't intersect, we have a real conflict
+          if (!semver.intersects(firstRange, secondRange)) {
+            log.silly('Found conflicting override rules', {
+              package: firstRule.name,
+              first: firstValue,
+              second: secondValue,
+            })
+            return true
+          }
+        }
+        // For other types (git, file, directory, tag), we can't easily determine
+        // compatibility, so we conservatively assume no conflict
+      } catch {
+        // If we can't parse the specs, conservatively assume no conflict
+        // Real conflicts will be caught during dependency resolution
+      }
+    }
+
+    // No conflicting rules found
+    return false
   }
 }
 

package/lib/reset-dep-flags.js

@@ -6,10 +6,6 @@
 // we can find the set that is actually extraneous.
 module.exports = tree => {
   for (const node of tree.inventory.values()) {
-    node.extraneous = true
-    node.dev = true
-    node.devOptional = true
-    node.peer = true
-    node.optional = true
+    node.resetDepFlags()
   }
 }

package/package.json

@@ -1,20 +1,20 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.1.6",
+  "version": "9.1.7",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
     "@npmcli/fs": "^4.0.0",
-    "@npmcli/installed-package-contents": "^3.0.0",
+    "@npmcli/installed-package-contents": "^4.0.0",
     "@npmcli/map-workspaces": "^5.0.0",
     "@npmcli/metavuln-calculator": "^9.0.2",
-    "@npmcli/name-from-folder": "^3.0.0",
-    "@npmcli/node-gyp": "^4.0.0",
+    "@npmcli/name-from-folder": "^4.0.0",
+    "@npmcli/node-gyp": "^5.0.0",
     "@npmcli/package-json": "^7.0.0",
     "@npmcli/query": "^4.0.0",
-    "@npmcli/redact": "^3.0.0",
+    "@npmcli/redact": "^4.0.0",
     "@npmcli/run-script": "^10.0.0",
-    "bin-links": "^5.0.0",
+    "bin-links": "^6.0.0",
     "cacache": "^20.0.1",
     "common-ancestor-path": "^1.0.1",
     "hosted-git-info": "^9.0.0",
@@ -22,18 +22,18 @@
     "lru-cache": "^11.2.1",
     "minimatch": "^10.0.3",
     "nopt": "^8.0.0",
-    "npm-install-checks": "^7.1.0",
+    "npm-install-checks": "^8.0.0",
     "npm-package-arg": "^13.0.0",
     "npm-pick-manifest": "^11.0.1",
     "npm-registry-fetch": "^19.0.0",
     "pacote": "^21.0.2",
-    "parse-conflict-json": "^4.0.0",
-    "proc-log": "^5.0.0",
+    "parse-conflict-json": "^5.0.1",
+    "proc-log": "^6.0.0",
     "proggy": "^3.0.0",
     "promise-all-reject-late": "^1.0.0",
     "promise-call-limit": "^3.0.1",
     "semver": "^7.3.7",
-    "ssri": "^12.0.0",
+    "ssri": "^13.0.0",
     "treeverse": "^3.0.0",
     "walk-up-path": "^4.0.0"
   },