@npmcli/arborist 9.5.0 → 10.0.0-pre.0.0

package/README.md

@@ -60,7 +60,7 @@ arb.loadActual().then(tree => {
   // tree is also stored at arb.virtualTree
 })
 
-// read just what the package-lock.json/npm-shrinkwrap says
+// read just what the package-lock.json says
 // This *also* loads the yarn.lock file, but that's only relevant
 // when building the ideal tree.
 arb.loadVirtual().then(tree => {
@@ -301,7 +301,7 @@ pruning nodes from the tree.
   that the dep is brought in by a peer dep at some point, rather than a
   normal non-peer dependency.
 
-Note: `devOptional` is only set in the shrinkwrap/package-lock file if
+Note: `devOptional` is only set in the package-lock file if
 _neither_ `dev` nor `optional` are set, as it would be redundant.
 
 ## BIN

package/bin/index.js

@@ -20,8 +20,7 @@ ${message && '\n' + message + '\n'}
   * prune: prune the ideal tree and reify (like npm prune)
   * ideal: generate and print the ideal tree
   * actual: read and print the actual tree in node_modules
-  * virtual: read and print the virtual tree in the local shrinkwrap file
-  * shrinkwrap: load a local shrinkwrap and print its data
+  * virtual: read and print the virtual tree in the local package-lock.json
   * audit: perform a security audit on project dependencies
   * funding: query funding information in the local package tree.  A second
     positional argument after the path name can limit to a package name.

package/lib/arborist/build-ideal-tree.js

@@ -28,6 +28,15 @@ const Shrinkwrap = require('../shrinkwrap.js')
 const { defaultLockfileVersion } = Shrinkwrap
 const Node = require('../node.js')
 const Link = require('../link.js')
+
+// Maps a parsed spec.type to the corresponding allow-* arborist option name.
+// Hoisted to module scope so #checkAllow doesn't re-allocate it per call.
+const ALLOW_OPTION_FOR_TYPE = {
+  git: 'allowGit',
+  remote: 'allowRemote',
+  file: 'allowFile',
+  directory: 'allowDirectory',
+}
 const addRmPkgDeps = require('../add-rm-pkg-deps.js')
 const optionalSet = require('../optional-set.js')
 const { checkEngine, checkPlatform } = require('npm-install-checks')
@@ -649,6 +658,45 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     return vuln.range
   }
 
+  // Enforces the allow-git / allow-file / allow-directory / allow-remote configs at the arborist resolution layer, before any branching into the symlink (Link) path or the manifest-fetch path.
+  // Pacote also enforces these inside FetcherBase.get() as defense-in-depth, but the symlink branch never reaches pacote, and the manifest cache here would bypass pacote on a cached hit.
+  // Throws the same { code: EALLOW${TYPE} } shape pacote uses, so callers and downstream consumers stay consistent.
+  #checkAllow (spec, edge) {
+    const optName = ALLOW_OPTION_FOR_TYPE[spec.type]
+    if (!optName) {
+      return
+    }
+    const allow = this.options[optName] ?? 'all'
+    if (allow === 'all') {
+      return
+    }
+    const isRoot = !!(edge?.from?.isProjectRoot || edge?.from?.isWorkspace)
+    if (allow !== 'none' && isRoot) {
+      return
+    }
+    throw Object.assign(
+      new Error(`Fetching${allow === 'root' ? ' non-root' : ''} packages of type "${spec.type}" have been disabled`),
+      {
+        code: `EALLOW${spec.type.toUpperCase()}`,
+        package: spec.toString(),
+      }
+    )
+  }
+
+  // Builds a Node representing a spec we failed to load (allow-* gate, network failure, ENOTARGET, etc.) and records it in #loadFailures so #pruneFailedOptional can later decide whether the failure is fatal or silently dropped for optional deps.
+  #failureNode (name, parent, error, edge) {
+    error.requiredBy = edge?.from?.location || '.'
+    const n = new Node({
+      name,
+      parent,
+      error,
+      installLinks: this.installLinks,
+      legacyPeerDeps: this.legacyPeerDeps,
+    })
+    this.#loadFailures.add(n)
+    return n
+  }
+
   #queueNamedUpdates () {
     // ignore top nodes, since they are not loaded the same way, and
     // probably have their own project associated with them.
@@ -663,7 +711,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     for (const node of this.idealTree.inventory.values()) {
       // XXX add any invalid edgesOut to the queue
       if (this[_updateNames].includes(node.name) &&
-        !node.isTop && !node.inDepBundle && !node.inShrinkwrap) {
+        !node.isTop && !node.inDepBundle) {
         for (const edge of node.edgesIn) {
           this.addTracker('idealTree', edge.from.name, edge.from.location)
           this.#depsQueue.push(edge.from)
@@ -786,15 +834,11 @@ This is a one-time fix-up, please be patient...
     const node = this.#depsQueue.pop()
     const bd = node.package.bundleDependencies
     const hasBundle = bd && Array.isArray(bd) && bd.length
-    const { hasShrinkwrap } = node
 
     // if the node was already visited, or has since been removed from the
-    // tree, skip over it and process the rest of the queue.  If a node has
-    // a shrinkwrap, also skip it, because it's going to get its deps
-    // satisfied by whatever's in that file anyway.
+    // tree, skip over it and process the rest of the queue.
     if (this.#depsSeen.has(node) ||
-        node.root !== this.idealTree ||
-        hasShrinkwrap && !this.#complete) {
+        node.root !== this.idealTree) {
       return this.#buildDepStep()
     }
 
@@ -804,15 +848,15 @@ This is a one-time fix-up, please be patient...
 
     // if we're loading a _complete_ ideal tree, for a --package-lock-only
     // installation for example, we have to crack open the tarball and
-    // look inside if it has bundle deps or shrinkwraps.  note that this is
+    // look inside if it has bundle deps.  note that this is
     // not necessary during a reification, because we just update the
-    // ideal tree by reading bundles/shrinkwraps in place.
+    // ideal tree by reading bundles in place.
     // Don't bother if the node is from the actual tree and hasn't
     // been resolved, because we can't fetch it anyway, could be anything!
     const crackOpen = this.#complete &&
       node !== this.idealTree &&
       node.resolved &&
-      (hasBundle || hasShrinkwrap) &&
+      hasBundle &&
       !node.inert
     if (crackOpen) {
       const Arborist = this.constructor
@@ -825,15 +869,8 @@ This is a one-time fix-up, please be patient...
           integrity: node.integrity,
         })
 
-        if (hasShrinkwrap) {
-          await new Arborist({ ...this.options, path })
-            .loadVirtual({ root: node })
-        }
-
-        if (hasBundle) {
-          await new Arborist({ ...this.options, path })
-            .loadActual({ root: node, ignoreMissing: true })
-        }
+        await new Arborist({ ...this.options, path })
+          .loadActual({ root: node, ignoreMissing: true })
       })
     }
 
@@ -1040,7 +1077,7 @@ This is a one-time fix-up, please be patient...
             // This can't be changed or removed till we figure out why
             // The test is named "tarball deps with transitive tarball deps"
             promises.push(() =>
-              this.#fetchManifest(npa.resolve(e.name, e.spec, fromPath(placed, e)), parent)
+              this.#fetchManifest(npa.resolve(e.name, e.spec, fromPath(placed, e)), parent, e)
                 .catch(() => null)
             )
           }
@@ -1180,11 +1217,6 @@ This is a one-time fix-up, please be patient...
         continue
       }
 
-      // If it's shrinkwrapped, we use what the shrinkwap wants.
-      if (edge.to && edge.to.inShrinkwrap) {
-        continue
-      }
-
       // If the edge has no destination, that's a problem, unless
       // if it's peerOptional and not explicitly requested.
       if (!edge.to) {
@@ -1231,12 +1263,14 @@ This is a one-time fix-up, please be patient...
     return problems
   }
 
-  async #fetchManifest (spec, parent) {
+  async #fetchManifest (spec, parent, edge) {
+    // Enforce allow-* gates before consulting the manifest cache so a cached entry from a different edge cannot bypass the policy.
+    this.#checkAllow(spec, edge)
     const options = {
       ...this.options,
       avoid: this.#avoidRange(spec.name),
       fullMetadata: true,
-      _isRoot: parent?.isProjectRoot || parent?.isWorkspace,
+      _isRoot: !!(edge?.from?.isProjectRoot || edge?.from?.isWorkspace),
     }
     // get the intended spec and stored metadata from yarn.lock file,
     // if available and valid.
@@ -1253,6 +1287,14 @@ This is a one-time fix-up, please be patient...
   }
 
   async #nodeFromSpec (name, spec, parent, edge) {
+    // Enforce allow-git / allow-file / allow-directory / allow-remote before any branching, so the symlink (Link) path is enforced as well as the manifest-fetch path.
+    // Route the failure through #loadFailures so optional-dep semantics apply (e.g. a transitive optionalDependencies entry that resolves to a disallowed git URL is silently dropped rather than failing the install).
+    try {
+      this.#checkAllow(spec, edge)
+    } catch (error) {
+      return this.#failureNode(name, parent, error, edge)
+    }
+
     // pacote will slap integrity on its options, so we have to clone the object so it doesn't get mutated.
     // Don't bother to load the manifest for link deps, because the target might be within another package that doesn't exist yet.
     const { installLinks, legacyPeerDeps } = this
@@ -1307,23 +1349,26 @@ This is a one-time fix-up, please be patient...
 
     // spec isn't a directory, and either isn't a workspace or the workspace we have
     // doesn't satisfy the edge. try to fetch a manifest and build a node from that.
-    return this.#fetchManifest(spec, parent)
-      .then(pkg => new Node({ name, pkg, parent, installLinks, legacyPeerDeps }), error => {
-        error.requiredBy = edge.from.location || '.'
-
-        // failed to load the spec, either because of enotarget or
-        // fetch failure of some other sort.  save it so we can verify
-        // later that it's optional; otherwise, the error is fatal.
-        const n = new Node({
-          name,
-          parent,
-          error,
-          installLinks,
-          legacyPeerDeps,
-        })
-        this.#loadFailures.add(n)
-        return n
-      })
+    return this.#fetchManifest(spec, parent, edge)
+      .then(
+        pkg => {
+          // When a proxy/upstream registry returns an incomplete manifest
+          // (e.g. missing version field for platform-specific packages it
+          // hasn't cached), treat it as a load failure so that optional deps
+          // are properly pruned instead of written to the lockfile without
+          // version metadata.  Only apply to registry specs — file: deps
+          // legitimately omit version.
+          if (!pkg.version && spec.registry) {
+            const error = Object.assign(
+              new Error(`incomplete manifest for ${name}, missing version`),
+              { code: 'EINCOMPLETEMANIFEST' }
+            )
+            return this.#failureNode(name, parent, error, edge)
+          }
+          return new Node({ name, pkg, parent, installLinks, legacyPeerDeps })
+        },
+        error => this.#failureNode(name, parent, error, edge)
+      )
   }
 
   // load all peer deps and meta-peer deps into the node's parent

package/lib/arborist/isolated-reifier.js

@@ -1,5 +1,3 @@
-const { mkdirSync } = require('node:fs')
-const pacote = require('pacote')
 const { join } = require('node:path')
 const { depth } = require('treeverse')
 const crypto = require('node:crypto')
@@ -97,7 +95,9 @@ module.exports = cls => class IsolatedReifier extends cls {
     }
     this.counter = 0
 
-    this.idealGraph.workspaces = await Promise.all(Array.from(idealTree.fsChildren.values(), w => this.#workspaceProxy(w)))
+    // Skip extraneous fsChildren: workspaces removed from the root manifest can linger in fsChildren via the lockfile, and re-materializing them here would re-create a directory the user just deleted.
+    const fsChildren = Array.from(idealTree.fsChildren.values()).filter(w => !w.extraneous)
+    this.idealGraph.workspaces = await Promise.all(fsChildren.map(w => this.#workspaceProxy(w)))
     const processed = new Set()
     const queue = [idealTree, ...idealTree.fsChildren]
     while (queue.length !== 0) {
@@ -147,50 +147,14 @@ module.exports = cls => class IsolatedReifier extends cls {
     const result = {}
     // XXX this goes recursive if we don't set here because assignCommonProperties also calls this.#externalProxy
     this.#externalProxies.set(node, result)
-    await this.#assignCommonProperties(node, result, !node.hasShrinkwrap)
-    if (node.hasShrinkwrap) {
-      const dir = join(
-        node.root.path,
-        'node_modules',
-        '.store',
-        `${node.packageName}@${node.version}`
-      )
-      mkdirSync(dir, { recursive: true })
-      // TODO this approach feels wrong and shouldn't be necessary for shrinkwraps
-      await pacote.extract(node.resolved, dir, {
-        ...this.options,
-        resolved: node.resolved,
-        integrity: node.integrity,
-        // TODO _isRoot
-      })
-      const Arborist = this.constructor
-      const arb = new Arborist({ ...this.options, path: dir })
-      // Make sure that the ideal tree is build as the rest of the algorithm depends on it.
-      await arb.buildIdealTree({
-        complete: false,
-        dev: false,
-      })
-      await arb.makeIdealGraph()
-      this.idealGraph.external.push(...arb.idealGraph.external)
-      for (const edge of arb.idealGraph.external) {
-        edge.root = this.idealGraph
-        edge.id = `${node.id}=>${edge.id}`
-      }
-      result.localDependencies = []
-      result.externalDependencies = arb.idealGraph.externalDependencies
-      result.externalOptionalDependencies = arb.idealGraph.externalOptionalDependencies
-      result.dependencies = [
-        ...result.externalDependencies,
-        ...result.externalOptionalDependencies,
-      ]
-    }
+    await this.#assignCommonProperties(node, result)
     result.optional = node.optional
     result.resolved = node.resolved
     result.version = node.version
     return result
   }
 
-  async #assignCommonProperties (node, result, populateDeps = true) {
+  async #assignCommonProperties (node, result) {
     result.root = this.idealGraph
     // XXX does anything need this?
     result.id = this.counter++
@@ -200,10 +164,6 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.package = { ...node.package }
     result.package.bundleDependencies = undefined
 
-    if (!populateDeps) {
-      return
-    }
-
     let edges = [...node.edgesOut.values()].filter(edge =>
       edge.to?.target &&
       !(node.package.bundledDependencies || node.package.bundleDependencies)?.includes(edge.to.name)

package/lib/arborist/load-virtual.js

@@ -39,7 +39,7 @@ module.exports = cls => class VirtualLoader extends cls {
       resolveOptions: this.options,
     })
     if (!s.loadedFromDisk && !options.root) {
-      const er = new Error('loadVirtual requires existing shrinkwrap file')
+      const er = new Error('loadVirtual requires existing package-lock.json file')
       throw Object.assign(er, { code: 'ENOLOCK' })
     }
 
@@ -244,7 +244,6 @@ To fix:
       integrity: sw.integrity,
       resolved: consistentResolve(sw.resolved, this.path, path),
       pkg: sw,
-      hasShrinkwrap: sw.hasShrinkwrap,
       loadOverrides,
       // cast to boolean because they're undefined in the lock file when false
       extraneous: !!sw.extraneous,

package/lib/arborist/reify.js

@@ -4,6 +4,7 @@ const hgi = require('hosted-git-info')
 const npa = require('npm-package-arg')
 const packageContents = require('@npmcli/installed-package-contents')
 const pacote = require('pacote')
+const { pickRegistry } = require('npm-registry-fetch')
 const promiseAllRejectLate = require('promise-all-reject-late')
 const runScript = require('@npmcli/run-script')
 const { callLimit: promiseCallLimit } = require('promise-call-limit')
@@ -47,7 +48,6 @@ const _checkBins = Symbol.for('checkBins')
 // TODO tests should not be this deep into internals
 const _diffTrees = Symbol.for('diffTrees')
 const _createSparseTree = Symbol.for('createSparseTree')
-const _loadShrinkwrapsAndUpdateTrees = Symbol.for('loadShrinkwrapsAndUpdateTrees')
 const _reifyNode = Symbol.for('reifyNode')
 const _updateAll = Symbol.for('updateAll')
 const _updateNames = Symbol.for('updateNames')
@@ -72,7 +72,6 @@ module.exports = cls => class Reifier extends cls {
   #omit
   #retiredPaths = {}
   #retiredUnchanged = {}
-  #shrinkwrapInflated = new Set()
   #sparseTreeDirs = new Set()
   #sparseTreeRoots = new Set()
   #linkedActualForDiff = null
@@ -305,7 +304,6 @@ module.exports = cls => class Reifier extends cls {
       ]],
       [_rollbackCreateSparseTree, [
         _createSparseTree,
-        _loadShrinkwrapsAndUpdateTrees,
         _loadBundlesAndUpdateTrees,
         _submitQuickAudit,
         _unpackNewModules,
@@ -465,7 +463,6 @@ module.exports = cls => class Reifier extends cls {
     // and ideal trees.
     this.diff = Diff.calculate({
       omit: this.#omit,
-      shrinkwrapInflated: this.#shrinkwrapInflated,
       filterNodes,
       actual: this.#linkedActualForDiff || this.actualTree,
       ideal: this.idealTree,
@@ -616,39 +613,6 @@ module.exports = cls => class Reifier extends cls {
       .then(() => this[_rollbackRetireShallowNodes](er))
   }
 
-  // shrinkwrap nodes define their dependency branches with a file, so
-  // we need to unpack them, read that shrinkwrap file, and then update
-  // the tree by calling loadVirtual with the node as the root.
-  [_loadShrinkwrapsAndUpdateTrees] () {
-    const seen = this.#shrinkwrapInflated
-    const shrinkwraps = this.diff.leaves
-      .filter(d => (d.action === 'CHANGE' || d.action === 'ADD' || !d.action) &&
-        d.ideal.hasShrinkwrap && !seen.has(d.ideal) &&
-        !this[_trashList].has(d.ideal.path))
-
-    if (!shrinkwraps.length) {
-      return
-    }
-
-    const timeEnd = time.start('reify:loadShrinkwraps')
-
-    const Arborist = this.constructor
-    return promiseAllRejectLate(shrinkwraps.map(diff => {
-      const node = diff.ideal
-      seen.add(node)
-      return diff.action ? this[_reifyNode](node) : node
-    }))
-      .then(nodes => promiseAllRejectLate(nodes.map(node => new Arborist({
-        ...this.options,
-        path: node.path,
-      }).loadVirtual({ root: node }))))
-      // reload the diff and sparse tree because the ideal tree changed
-      .then(() => this[_diffTrees]())
-      .then(() => this[_createSparseTree]())
-      .then(() => this[_loadShrinkwrapsAndUpdateTrees]())
-      .then(timeEnd)
-  }
-
   // create a symlink for Links, extract for Nodes
   // return the node object, since we usually want that
   // handle optional dep failures here
@@ -741,7 +705,14 @@ module.exports = cls => class Reifier extends cls {
         ...this.options,
         resolved: node.resolved,
         integrity: node.integrity,
-        _isRoot: node.parent?.isProjectRoot || node.parent?.isWorkspace,
+        // A node counts as "root" for allow-* enforcement if it satisfies at least one valid dependency edge declared by the project root or a workspace.
+        // node.parent is unsafe here: after hoisting, transitive packages can have the project root as their tree parent.
+        _isRoot: [...node.edgesIn].some(e =>
+          e.valid && (e.from?.isProjectRoot || e.from?.isWorkspace)
+        ),
+        // pacote's npa re-parses our `name@URL` spec as type=remote, so allowRemote would mis-fire on registry tarballs.
+        // Override only when we can prove the URL is registry-mediated; see #isRegistryResolvedTarball.
+        ...(this.#isRegistryResolvedTarball(node) ? { allowRemote: 'all' } : {}),
       })
       // store nodes don't use Node class so node.package doesn't get updated
       if (node.isInStore) {
@@ -865,6 +836,24 @@ module.exports = cls => class Reifier extends cls {
     return wrapper
   }
 
+  // When extracting a registry-resolved package, the spec we hand to pacote is name@URL.
+  // pacote re-parses that with npa and gets spec.type === 'remote', so without an override the allow-remote gate would fire on every registry tarball (both =none and =root mis-fire).
+  // Returns true only when we are confident this is a registry-mediated install: the node's inbound edges must all be registry-typed (no exotic spec smuggled the URL in) AND the resolved URL's host must match the registry npm-registry-fetch selected for this spec, so a tampered lockfile pointing at an attacker host still hits the gate.
+  #isRegistryResolvedTarball (node) {
+    if (!node.resolved || !node.isRegistryDependency) {
+      return false
+    }
+    try {
+      // Hostnames are case-insensitive; lowercase both sides for safety even though WHATWG URL already normalizes.
+      const resolvedHost = new URL(node.resolved).hostname.toLowerCase()
+      // pickRegistry only consults spec.scope, so a bare-name (tag) parse is sufficient and avoids a node.version dependency.
+      const registryHost = new URL(pickRegistry(npa(node.name), this.options)).hostname.toLowerCase()
+      return resolvedHost === registryHost
+    } catch {
+      return false
+    }
+  }
+
   #registryResolved (resolved) {
     // the default registry url is a magic value meaning "the currently
     // configured registry".
@@ -1150,7 +1139,6 @@ module.exports = cls => class Reifier extends cls {
 
         const node = diff.ideal
         const bd = this.#bundleUnpacked.has(node)
-        const sw = this.#shrinkwrapInflated.has(node)
         const bundleMissing = this.#bundleMissing.has(node)
 
         // check whether we still need to unpack this one.
@@ -1160,8 +1148,6 @@ module.exports = cls => class Reifier extends cls {
           !node.isRoot &&
           // already unpacked to read bundle
           !bd &&
-          // already unpacked to read sw
-          !sw &&
           // already unpacked by another dep's bundle
           (bundleMissing || !node.inDepBundle)
 

package/lib/diff.js

@@ -11,10 +11,9 @@ const { existsSync } = require('node:fs')
 const ssri = require('ssri')
 
 class Diff {
-  constructor ({ actual, ideal, filterSet, shrinkwrapInflated, omit }) {
+  constructor ({ actual, ideal, filterSet, omit }) {
     this.omit = omit
     this.filterSet = filterSet
-    this.shrinkwrapInflated = shrinkwrapInflated
     this.children = []
     this.actual = actual
     this.ideal = ideal
@@ -36,7 +35,6 @@ class Diff {
     actual,
     ideal,
     filterNodes = [],
-    shrinkwrapInflated = new Set(),
     omit = new Set(),
   }) {
     // if there's a filterNode, then:
@@ -102,7 +100,7 @@ class Diff {
     }
 
     return depth({
-      tree: new Diff({ actual, ideal, filterSet, shrinkwrapInflated, omit }),
+      tree: new Diff({ actual, ideal, filterSet, omit }),
       getChildren,
       leave,
     })
@@ -191,26 +189,16 @@ const getChildren = diff => {
     unchanged,
     removed,
     filterSet,
-    shrinkwrapInflated,
     omit,
   } = diff
 
   // Note: we DON'T diff fsChildren themselves, because they are either
-  // included in the package contents, or part of some other project, and
-  // will never appear in legacy shrinkwraps anyway.  but we _do_ include the
-  // child nodes of fsChildren, because those are nodes that we are typically
-  // responsible for installing.
+  // included in the package contents, or part of some other project.
+  // But we _do_ include the child nodes of fsChildren, because those are
+  // nodes that we are typically responsible for installing.
   const actualKids = allChildren(actual)
   const idealKids = allChildren(ideal)
 
-  if (ideal && ideal.hasShrinkwrap && !shrinkwrapInflated.has(ideal)) {
-    // Guaranteed to get a diff.leaves here, because we always
-    // be called with a proper Diff object when ideal has a shrinkwrap
-    // that has not been inflated.
-    diff.leaves.push(diff)
-    return children
-  }
-
   const paths = new Set([...actualKids.keys(), ...idealKids.keys()])
   for (const path of paths) {
     const actual = actualKids.get(path)
@@ -222,7 +210,6 @@ const getChildren = diff => {
       unchanged,
       removed,
       filterSet,
-      shrinkwrapInflated,
       omit,
     })
   }
@@ -241,7 +228,6 @@ const diffNode = ({
   unchanged,
   removed,
   filterSet,
-  shrinkwrapInflated,
   omit,
 }) => {
   if (filterSet.size && !(filterSet.has(ideal) || filterSet.has(actual))) {
@@ -264,11 +250,11 @@ const diffNode = ({
 
   // if it's a match, then get its children
   // otherwise, this is the child diff node
-  if (action || (!shrinkwrapInflated.has(ideal) && ideal.hasShrinkwrap)) {
+  if (action) {
     if (action === 'REMOVE') {
       removed.push(actual)
     }
-    children.push(new Diff({ actual, ideal, filterSet, shrinkwrapInflated, omit }))
+    children.push(new Diff({ actual, ideal, filterSet, omit }))
   } else {
     unchanged.push(ideal)
     // !*! Weird dirty hack warning !*!
@@ -307,7 +293,6 @@ const diffNode = ({
       unchanged,
       removed,
       filterSet,
-      shrinkwrapInflated,
       omit,
     }))
   }

package/lib/edge.js

@@ -109,8 +109,8 @@ class Edge {
     }
 
     // NOTE: this condition means we explicitly do not support overriding
-    // bundled or shrinkwrapped dependencies
-    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
+    // bundled dependencies
+    if (node.inDepBundle) {
       return depValid(node, this.rawSpec, this.#accept, this.#from)
     }
 

package/lib/isolated-classes.js

@@ -16,7 +16,6 @@ class IsolatedNode {
   edgesIn = new Set()
   edgesOut = new CaseInsensitiveMap()
   fsChildren = new Set()
-  hasShrinkwrap = false
   integrity = null
   inventory = new IsolatedInventory()
   isInStore = false

package/lib/link.js

@@ -109,12 +109,24 @@ class Link extends Node {
   // so this is a no-op
   [_loadDeps] () {}
 
-  // When a Link receives overrides (via edgesIn), forward them to the target node which holds the actual edgesOut.
-  // Without this, overrides stop at the Link and never reach the target's dependency edges.
+  // When a Link receives overrides (via edgesIn), forward them to the target node which holds the actual edgesOut — but only when the OverrideSet has at least one rule that names a dep the target actually depends on.
+  // Without this scope, the link forwards a generic ancestor OverrideSet that has no real effect on the target's edges, but still flips the target to "has overrides", which changes downstream `canReplaceWith` / placement decisions and causes `npm ci` to re-resolve lockfile-pinned edges from the registry.
+  // See npm/cli#9357.
   recalculateOutEdgesOverrides () {
-    if (this.target) {
-      this.target.updateOverridesEdgeInAdded(this.overrides)
+    if (!this.target || !this.overrides) {
+      return
+    }
+    let hasMatchingRule = false
+    for (const rule of this.overrides.ruleset.values()) {
+      if (this.target.edgesOut.has(rule.name)) {
+        hasMatchingRule = true
+        break
+      }
+    }
+    if (!hasMatchingRule) {
+      return
     }
+    this.target.updateOverridesEdgeInAdded(this.overrides)
   }
 
   // links can't have children, only their targets can

package/lib/node.js

@@ -82,7 +82,6 @@ class Node {
       fsChildren,
       fsParent,
       global = false,
-      hasShrinkwrap,
       inert = false,
       installLinks = false,
       integrity,
@@ -170,7 +169,6 @@ class Node {
       }
     }
     this.integrity = integrity || this.package._integrity || null
-    this.hasShrinkwrap = hasShrinkwrap || this.package._hasShrinkwrap || false
     this.installLinks = installLinks
     this.legacyPeerDeps = legacyPeerDeps
 
@@ -1101,8 +1099,8 @@ class Node {
   // is depending on it would be fine with the thing that they would resolve
   // to if it was removed, or nothing is depending on it in the first place.
   canDedupe (preferDedupe = false, explicitRequest = false) {
-    // not allowed to mess with shrinkwraps or bundles
-    if (this.inDepBundle || this.inShrinkwrap) {
+    // not allowed to mess with bundles
+    if (this.inDepBundle) {
       return false
     }
 
@@ -1249,11 +1247,6 @@ class Node {
     treeCheck(this)
   }
 
-  get inShrinkwrap () {
-    return this.parent &&
-      (this.parent.hasShrinkwrap || this.parent.inShrinkwrap)
-  }
-
   get parent () {
     // setter prevents _parent from being this
     return this[_parent]

package/lib/printable.js

@@ -52,11 +52,6 @@ class ArboristNode {
     if (bd && bd.length) {
       this.bundleDependencies = bd
     }
-    if (tree.inShrinkwrap) {
-      this.inShrinkwrap = true
-    } else if (tree.hasShrinkwrap) {
-      this.hasShrinkwrap = true
-    }
     if (tree.error) {
       this.error = treeError(tree.error)
     }

package/lib/shrinkwrap.js

@@ -1,5 +1,4 @@
-// a module that manages a shrinkwrap file (npm-shrinkwrap.json or
-// package-lock.json).
+// a module that manages a lockfile (package-lock.json).
 
 // Increment whenever the lockfile version updates
 // v1 - npm <=6
@@ -98,7 +97,6 @@ const pkgMetaKeys = [
   'libc',
   '_integrity',
   'license',
-  '_hasShrinkwrap',
   'hasInstallScript',
   'bin',
   'deprecated',
@@ -108,7 +106,6 @@ const pkgMetaKeys = [
 const nodeMetaKeys = [
   'integrity',
   'inBundle',
-  'hasShrinkwrap',
   'hasInstallScript',
 ]
 
@@ -199,17 +196,14 @@ class Shrinkwrap {
     const s = new Shrinkwrap(options)
     s.reset()
 
-    const [sw, lock] = await s.resetFiles
+    const [lock] = await s.resetFiles
 
-    // XXX this is duplicated in this.load(), but using loadFiles instead of resetFiles
     if (s.hiddenLockfile) {
       s.filename = resolve(s.path, 'node_modules/.package-lock.json')
-    } else if (s.shrinkwrapOnly || sw) {
-      s.filename = resolve(s.path, 'npm-shrinkwrap.json')
     } else {
       s.filename = resolve(s.path, 'package-lock.json')
     }
-    s.loadedFromDisk = !!(sw || lock)
+    s.loadedFromDisk = !!lock
     // TODO what uses this?
     s.type = basename(s.filename)
 
@@ -286,7 +280,6 @@ class Shrinkwrap {
       path,
       indent = 2,
       newline = '\n',
-      shrinkwrapOnly = false,
       hiddenLockfile = false,
       lockfileVersion,
       resolveOptions = {},
@@ -312,8 +305,6 @@ class Shrinkwrap {
     this.hiddenLockfile = hiddenLockfile
     this.loadingError = null
     this.resolveOptions = resolveOptions
-    // only load npm-shrinkwrap.json in dep trees, not package-lock
-    this.shrinkwrapOnly = shrinkwrapOnly
   }
 
   // check to see if a spec is present in the yarn.lock file, and if so,
@@ -369,14 +360,10 @@ class Shrinkwrap {
 
   // files to potentially read from and write to, in order of priority
   get #filenameSet () {
-    if (this.shrinkwrapOnly) {
-      return [`${this.path}/npm-shrinkwrap.json`]
-    }
     if (this.hiddenLockfile) {
       return [`${this.path}/node_modules/.package-lock.json`]
     }
     return [
-      `${this.path}/npm-shrinkwrap.json`,
       `${this.path}/package-lock.json`,
       `${this.path}/yarn.lock`,
     ]
@@ -396,9 +383,9 @@ class Shrinkwrap {
   }
 
   get resetFiles () {
-    // slice out yarn, we only care about lock or shrinkwrap when checking
+    // slice out yarn, we only care about the package-lock when checking
     // this way, since we're not actually loading the full lock metadata
-    return Promise.all(this.#filenameSet.slice(0, 2)
+    return Promise.all(this.#filenameSet.slice(0, 1)
       .map(file => file && stat(file).then(st => st.isFile(), er => {
         /* istanbul ignore else - can't test without breaking module itself */
         if (er.code === 'ENOENT') {
@@ -425,25 +412,18 @@ class Shrinkwrap {
   }
 
   async load () {
-    // we don't need to load package-lock.json except for top of tree nodes,
-    // only npm-shrinkwrap.json.
     let data
     try {
-      const [sw, lock, yarn] = await this.loadFiles
-      data = sw || lock || '{}'
+      const [lock, yarn] = await this.loadFiles
+      data = lock || '{}'
 
-      // use shrinkwrap only for deps; otherwise, prefer package-lock
-      // and ignore npm-shrinkwrap if both are present.
-      // TODO: emit a warning here or something if both are present.
       if (this.hiddenLockfile) {
         this.filename = resolve(this.path, 'node_modules/.package-lock.json')
-      } else if (this.shrinkwrapOnly || sw) {
-        this.filename = resolve(this.path, 'npm-shrinkwrap.json')
       } else {
         this.filename = resolve(this.path, 'package-lock.json')
       }
       this.type = basename(this.filename)
-      this.loadedFromDisk = Boolean(sw || lock)
+      this.loadedFromDisk = Boolean(lock)
 
       if (yarn) {
         this.yarnLock = new YarnLock()
@@ -809,7 +789,6 @@ class Shrinkwrap {
       const {
         resolved,
         integrity,
-        hasShrinkwrap,
         version,
       } = this.get(node.path)
 
@@ -836,17 +815,14 @@ class Shrinkwrap {
       if (allOk) {
         node.resolved = node.resolved || pathFixed || null
         node.integrity = node.integrity || integrity || null
-        node.hasShrinkwrap = node.hasShrinkwrap || hasShrinkwrap || false
       } else {
         // try to read off the package or node itself
         const {
           resolved,
           integrity,
-          hasShrinkwrap,
         } = Shrinkwrap.metaFromNode(node, this.path, this.resolveOptions)
         node.resolved = node.resolved || resolved || null
         node.integrity = node.integrity || integrity || null
-        node.hasShrinkwrap = node.hasShrinkwrap || hasShrinkwrap || false
       }
     }
     this.#awaitingUpdate.set(loc, node)
@@ -929,10 +905,24 @@ class Shrinkwrap {
           continue
         }
         const loc = relpath(this.path, node.path)
-        this.data.packages[loc] = Shrinkwrap.metaFromNode(
+        // Drop lockfile entries for extraneous nodes outside node_modules. These are stale workspace entries: the workspace was removed from package.json or its directory was deleted, so it should not be tracked in package-lock.json.
+        if (node.extraneous && !/(^|\/)node_modules\//.test(loc) && loc !== 'node_modules') {
+          continue
+        }
+        const meta = Shrinkwrap.metaFromNode(
           node,
           this.path,
           this.resolveOptions)
+        // Skip inert nodes — these are optional deps that failed to load
+        // (e.g. 404 from a proxy registry that hasn't cached the package,
+        // or incomplete manifest missing version field).
+        // #pruneFailedOptional marks them inert so they won't be reified;
+        // writing them to the lockfile produces invalid entries like
+        // {"optional": true} that cause "Invalid Version:" errors.
+        if (node.inert && !node.package.version) {
+          continue
+        }
+        this.data.packages[loc] = meta
       }
     } else if (this.#awaitingUpdate.size > 0) {
       for (const loc of this.#awaitingUpdate.keys()) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.5.0",
+  "version": "10.0.0-pre.0.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",

package/bin/shrinkwrap.js

@@ -1,7 +0,0 @@
-const Shrinkwrap = require('../lib/shrinkwrap.js')
-
-module.exports = (options, time) => Shrinkwrap
-  .load(options)
-  .then((s) => s.commit())
-  .then(time)
-  .then(({ result: s }) => JSON.stringify(s, 0, 2))