@npmcli/arborist 9.2.0 → 9.3.1

package/lib/arborist/build-ideal-tree.js

@@ -339,7 +339,8 @@ module.exports = cls => class IdealTreeBuilder extends cls {
           filter: node => node,
           visit: node => {
             for (const edge of node.edgesOut.values()) {
-              if ((!edge.to && edge.type !== 'peerOptional') || !edge.valid) {
+              const skipPeerOptional = edge.type === 'peerOptional' && this.options.save === false
+              if (!skipPeerOptional && (!edge.to || !edge.valid)) {
                 this.#depsQueue.push(node)
                 break // no need to continue the loop after the first hit
               }
@@ -966,9 +967,17 @@ This is a one-time fix-up, please be patient...
                 continue
               }
               const { from, valid, peerConflicted } = edgeIn
-              if (!peerConflicted && !valid && !this.#depsSeen.has(from)) {
-                this.addTracker('idealTree', from.name, from.location)
-                this.#depsQueue.push(edgeIn.from)
+              if (!peerConflicted && !valid) {
+                if (this.#depsSeen.has(from) && this.options.save) {
+                  // Re-queue already-processed nodes when a newly placed dep creates an invalid edge during npm install (save=true).
+                  // This handles the case where a peerOptional dep was valid (missing) when the node was first processed, but becomes invalid when the dep is later placed by another path with a version that doesn't satisfy the peer spec.
+                  // See npm/cli#8726.
+                  this.#depsSeen.delete(from)
+                  this.#depsQueue.push(from)
+                } else if (!this.#depsSeen.has(from)) {
+                  this.addTracker('idealTree', from.name, from.location)
+                  this.#depsQueue.push(from)
+                }
               }
             }
           } else {
@@ -1165,9 +1174,13 @@ This is a one-time fix-up, please be patient...
         continue
       }
 
-      // If the edge has an error, there's a problem.
+      // If the edge has an error, there's a problem, unless it's peerOptional and we're not saving (e.g. npm ci), in which case we trust the lockfile and skip re-resolution.
+      // When saving (npm install), peerOptional invalid edges ARE treated as problems so the lockfile gets fixed.
+      // See npm/cli#8726.
       if (!edge.valid) {
-        problems.push(edge)
+        if (edge.type !== 'peerOptional' || this.options.save !== false) {
+          problems.push(edge)
+        }
         continue
       }
 

package/lib/dep-valid.js

@@ -82,7 +82,7 @@ const depValid = (child, requested, requestor) => {
       const resRepo = npa(child.resolved || '')
       const resHost = resRepo.hosted
       const reqHost = requested.hosted
-      const reqCommit = /^[a-fA-F0-9]{40}$/.test(requested.gitCommittish || '')
+      const reqCommit = /^[a-fA-F0-9]{40,64}$/.test(requested.gitCommittish || '')
       const nc = { noCommittish: !reqCommit }
       if (!resHost) {
         if (resRepo.fetchSpec !== requested.fetchSpec) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.2.0",
+  "version": "9.3.1",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@isaacs/string-locale-compare": "^1.1.0",
@@ -40,7 +40,7 @@
   "devDependencies": {
     "@npmcli/eslint-config": "^5.0.1",
     "@npmcli/mock-registry": "^1.0.0",
-    "@npmcli/template-oss": "4.25.1",
+    "@npmcli/template-oss": "4.29.0",
     "benchmark": "^2.1.4",
     "minify-registry-metadata": "^4.0.0",
     "nock": "^13.3.3",
@@ -92,7 +92,7 @@
   },
   "templateOSS": {
     "//@npmcli/template-oss": "This file is partially managed by @npmcli/template-oss. Edits may be overwritten.",
-    "version": "4.25.1",
+    "version": "4.29.0",
     "content": "../../scripts/template-oss/index.js"
   }
 }