@npmcli/arborist 9.5.0 → 9.7.0

package/lib/arborist/build-ideal-tree.js

@@ -28,6 +28,15 @@ const Shrinkwrap = require('../shrinkwrap.js')
 const { defaultLockfileVersion } = Shrinkwrap
 const Node = require('../node.js')
 const Link = require('../link.js')
+
+// Maps a parsed spec.type to the corresponding allow-* arborist option name.
+// Hoisted to module scope so #checkAllow doesn't re-allocate it per call.
+const ALLOW_OPTION_FOR_TYPE = {
+  git: 'allowGit',
+  remote: 'allowRemote',
+  file: 'allowFile',
+  directory: 'allowDirectory',
+}
 const addRmPkgDeps = require('../add-rm-pkg-deps.js')
 const optionalSet = require('../optional-set.js')
 const { checkEngine, checkPlatform } = require('npm-install-checks')
@@ -649,6 +658,45 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     return vuln.range
   }
 
+  // Enforces the allow-git / allow-file / allow-directory / allow-remote configs at the arborist resolution layer, before any branching into the symlink (Link) path or the manifest-fetch path.
+  // Pacote also enforces these inside FetcherBase.get() as defense-in-depth, but the symlink branch never reaches pacote, and the manifest cache here would bypass pacote on a cached hit.
+  // Throws the same { code: EALLOW${TYPE} } shape pacote uses, so callers and downstream consumers stay consistent.
+  #checkAllow (spec, edge) {
+    const optName = ALLOW_OPTION_FOR_TYPE[spec.type]
+    if (!optName) {
+      return
+    }
+    const allow = this.options[optName] ?? 'all'
+    if (allow === 'all') {
+      return
+    }
+    const isRoot = !!(edge?.from?.isProjectRoot || edge?.from?.isWorkspace)
+    if (allow !== 'none' && isRoot) {
+      return
+    }
+    throw Object.assign(
+      new Error(`Fetching${allow === 'root' ? ' non-root' : ''} packages of type "${spec.type}" have been disabled`),
+      {
+        code: `EALLOW${spec.type.toUpperCase()}`,
+        package: spec.toString(),
+      }
+    )
+  }
+
+  // Builds a Node representing a spec we failed to load (allow-* gate, network failure, ENOTARGET, etc.) and records it in #loadFailures so #pruneFailedOptional can later decide whether the failure is fatal or silently dropped for optional deps.
+  #failureNode (name, parent, error, edge) {
+    error.requiredBy = edge?.from?.location || '.'
+    const n = new Node({
+      name,
+      parent,
+      error,
+      installLinks: this.installLinks,
+      legacyPeerDeps: this.legacyPeerDeps,
+    })
+    this.#loadFailures.add(n)
+    return n
+  }
+
   #queueNamedUpdates () {
     // ignore top nodes, since they are not loaded the same way, and
     // probably have their own project associated with them.
@@ -1040,7 +1088,7 @@ This is a one-time fix-up, please be patient...
             // This can't be changed or removed till we figure out why
             // The test is named "tarball deps with transitive tarball deps"
             promises.push(() =>
-              this.#fetchManifest(npa.resolve(e.name, e.spec, fromPath(placed, e)), parent)
+              this.#fetchManifest(npa.resolve(e.name, e.spec, fromPath(placed, e)), parent, e)
                 .catch(() => null)
             )
           }
@@ -1231,12 +1279,14 @@ This is a one-time fix-up, please be patient...
     return problems
   }
 
-  async #fetchManifest (spec, parent) {
+  async #fetchManifest (spec, parent, edge) {
+    // Enforce allow-* gates before consulting the manifest cache so a cached entry from a different edge cannot bypass the policy.
+    this.#checkAllow(spec, edge)
     const options = {
       ...this.options,
       avoid: this.#avoidRange(spec.name),
       fullMetadata: true,
-      _isRoot: parent?.isProjectRoot || parent?.isWorkspace,
+      _isRoot: !!(edge?.from?.isProjectRoot || edge?.from?.isWorkspace),
     }
     // get the intended spec and stored metadata from yarn.lock file,
     // if available and valid.
@@ -1253,6 +1303,14 @@ This is a one-time fix-up, please be patient...
   }
 
   async #nodeFromSpec (name, spec, parent, edge) {
+    // Enforce allow-git / allow-file / allow-directory / allow-remote before any branching, so the symlink (Link) path is enforced as well as the manifest-fetch path.
+    // Route the failure through #loadFailures so optional-dep semantics apply (e.g. a transitive optionalDependencies entry that resolves to a disallowed git URL is silently dropped rather than failing the install).
+    try {
+      this.#checkAllow(spec, edge)
+    } catch (error) {
+      return this.#failureNode(name, parent, error, edge)
+    }
+
     // pacote will slap integrity on its options, so we have to clone the object so it doesn't get mutated.
     // Don't bother to load the manifest for link deps, because the target might be within another package that doesn't exist yet.
     const { installLinks, legacyPeerDeps } = this
@@ -1307,23 +1365,26 @@ This is a one-time fix-up, please be patient...
 
     // spec isn't a directory, and either isn't a workspace or the workspace we have
     // doesn't satisfy the edge. try to fetch a manifest and build a node from that.
-    return this.#fetchManifest(spec, parent)
-      .then(pkg => new Node({ name, pkg, parent, installLinks, legacyPeerDeps }), error => {
-        error.requiredBy = edge.from.location || '.'
-
-        // failed to load the spec, either because of enotarget or
-        // fetch failure of some other sort.  save it so we can verify
-        // later that it's optional; otherwise, the error is fatal.
-        const n = new Node({
-          name,
-          parent,
-          error,
-          installLinks,
-          legacyPeerDeps,
-        })
-        this.#loadFailures.add(n)
-        return n
-      })
+    return this.#fetchManifest(spec, parent, edge)
+      .then(
+        pkg => {
+          // When a proxy/upstream registry returns an incomplete manifest
+          // (e.g. missing version field for platform-specific packages it
+          // hasn't cached), treat it as a load failure so that optional deps
+          // are properly pruned instead of written to the lockfile without
+          // version metadata.  Only apply to registry specs — file: deps
+          // legitimately omit version.
+          if (!pkg.version && spec.registry) {
+            const error = Object.assign(
+              new Error(`incomplete manifest for ${name}, missing version`),
+              { code: 'EINCOMPLETEMANIFEST' }
+            )
+            return this.#failureNode(name, parent, error, edge)
+          }
+          return new Node({ name, pkg, parent, installLinks, legacyPeerDeps })
+        },
+        error => this.#failureNode(name, parent, error, edge)
+      )
   }
 
   // load all peer deps and meta-peer deps into the node's parent

package/lib/arborist/index.js

@@ -100,8 +100,10 @@ class Arborist extends Base {
       nodeVersion: process.version,
       ...options,
       Arborist: this.constructor,
+      allowScripts: options.allowScripts ?? null,
       binLinks: 'binLinks' in options ? !!options.binLinks : true,
       cache: options.cache || `${homedir()}/.npm/_cacache`,
+      dangerouslyAllowAllScripts: !!options.dangerouslyAllowAllScripts,
       dryRun: !!options.dryRun,
       formatPackageLock: 'formatPackageLock' in options ? !!options.formatPackageLock : true,
       force: !!options.force,

package/lib/arborist/isolated-reifier.js

@@ -97,7 +97,9 @@ module.exports = cls => class IsolatedReifier extends cls {
     }
     this.counter = 0
 
-    this.idealGraph.workspaces = await Promise.all(Array.from(idealTree.fsChildren.values(), w => this.#workspaceProxy(w)))
+    // Skip extraneous fsChildren: workspaces removed from the root manifest can linger in fsChildren via the lockfile, and re-materializing them here would re-create a directory the user just deleted.
+    const fsChildren = Array.from(idealTree.fsChildren.values()).filter(w => !w.extraneous)
+    this.idealGraph.workspaces = await Promise.all(fsChildren.map(w => this.#workspaceProxy(w)))
     const processed = new Set()
     const queue = [idealTree, ...idealTree.fsChildren]
     while (queue.length !== 0) {
@@ -333,7 +335,8 @@ module.exports = cls => class IsolatedReifier extends cls {
       root.inventory.set(workspace.location, workspace)
       root.workspaces.set(wsName, workspace.path)
 
-      // Create workspace Link. For root declared deps, link at root node_modules/. For undeclared deps, link at the workspace's own node_modules/ (self-link).
+      // Declared workspaces are symlinked at root node_modules/.
+      // Undeclared workspaces get a tree-only Link kept for diff/filter participation but not materialized on disk.
       const isDeclared = this.#rootDeclaredDeps.has(wsName)
       const wsLink = new IsolatedLink({
         location: isDeclared ? join('node_modules', wsName) : join(c.localLocation, 'node_modules', wsName),
@@ -346,7 +349,7 @@ module.exports = cls => class IsolatedReifier extends cls {
         target: workspace,
       })
       if (!isDeclared) {
-        workspace.children.set(wsName, wsLink)
+        wsLink.isUndeclaredWorkspaceLink = true
       }
       root.children.set(wsName, wsLink)
       root.inventory.set(wsLink.location, wsLink)

package/lib/arborist/rebuild.js

@@ -12,6 +12,7 @@ const { isNodeGypPackage, defaultGypInstallScript } = require('@npmcli/node-gyp'
 const { promiseRetry } = require('@gar/promise-retry')
 const { log, time } = require('proc-log')
 const { resolve } = require('node:path')
+const { isScriptAllowed } = require('../script-allowed.js')
 
 const boolEnv = b => b ? '1' : ''
 const sortNodes = (a, b) => (a.depth - b.depth) || localeCompare(a.path, b.path)
@@ -225,6 +226,18 @@ module.exports = cls => class Builder extends cls {
       return
     }
 
+    // Phase 1 allowScripts gate: a `false` verdict from the policy matcher
+    // means the user explicitly denied install scripts for this node, so skip
+    // it. `true` and `null` (unreviewed) both fall through to the existing
+    // detection logic — unreviewed nodes still run their scripts in Phase 1
+    // and are surfaced via the post-reify advisory warning. The global
+    // --ignore-scripts kill switch in #build() still takes precedence, and
+    // --dangerously-allow-all-scripts bypasses this gate entirely.
+    if (!this.options.dangerouslyAllowAllScripts &&
+        isScriptAllowed(node, this.options.allowScripts) === false) {
+      return
+    }
+
     if (this.#oldMeta === null) {
       const { root: { meta } } = node
       this.#oldMeta = meta && meta.loadedFromDisk &&

package/lib/arborist/reify.js

@@ -4,6 +4,7 @@ const hgi = require('hosted-git-info')
 const npa = require('npm-package-arg')
 const packageContents = require('@npmcli/installed-package-contents')
 const pacote = require('pacote')
+const { pickRegistry } = require('npm-registry-fetch')
 const promiseAllRejectLate = require('promise-all-reject-late')
 const runScript = require('@npmcli/run-script')
 const { callLimit: promiseCallLimit } = require('promise-call-limit')
@@ -238,7 +239,7 @@ module.exports = cls => class Reifier extends cls {
     this.actualTree = this.idealTree
     this.idealTree = null
 
-    if (!this.options.global) {
+    if (!this.options.global && !this.options.dryRun) {
       await this.actualTree.meta.save()
       const ignoreScripts = !!this.options.ignoreScripts
       // if we aren't doing a dry run or ignoring scripts and we actually made changes to the dep
@@ -741,7 +742,14 @@ module.exports = cls => class Reifier extends cls {
         ...this.options,
         resolved: node.resolved,
         integrity: node.integrity,
-        _isRoot: node.parent?.isProjectRoot || node.parent?.isWorkspace,
+        // A node counts as "root" for allow-* enforcement if it satisfies at least one valid dependency edge declared by the project root or a workspace.
+        // node.parent is unsafe here: after hoisting, transitive packages can have the project root as their tree parent.
+        _isRoot: [...node.edgesIn].some(e =>
+          e.valid && (e.from?.isProjectRoot || e.from?.isWorkspace)
+        ),
+        // pacote's npa re-parses our `name@URL` spec as type=remote, so allowRemote would mis-fire on registry tarballs.
+        // Override only when we can prove the URL is registry-mediated; see #isRegistryResolvedTarball.
+        ...(this.#isRegistryResolvedTarball(node) ? { allowRemote: 'all' } : {}),
       })
       // store nodes don't use Node class so node.package doesn't get updated
       if (node.isInStore) {
@@ -752,6 +760,12 @@ module.exports = cls => class Reifier extends cls {
     }
 
     // node.isLink
+
+    // Tree-only Link: present in the tree for diff/filter participation, never materialized on disk.
+    if (node.isUndeclaredWorkspaceLink) {
+      return
+    }
+
     await rm(node.path, { recursive: true, force: true })
 
     // symlink
@@ -865,6 +879,24 @@ module.exports = cls => class Reifier extends cls {
     return wrapper
   }
 
+  // When extracting a registry-resolved package, the spec we hand to pacote is name@URL.
+  // pacote re-parses that with npa and gets spec.type === 'remote', so without an override the allow-remote gate would fire on every registry tarball (both =none and =root mis-fire).
+  // Returns true only when we are confident this is a registry-mediated install: the node's inbound edges must all be registry-typed (no exotic spec smuggled the URL in) AND the resolved URL's host must match the registry npm-registry-fetch selected for this spec, so a tampered lockfile pointing at an attacker host still hits the gate.
+  #isRegistryResolvedTarball (node) {
+    if (!node.resolved || !node.isRegistryDependency) {
+      return false
+    }
+    try {
+      // Hostnames are case-insensitive; lowercase both sides for safety even though WHATWG URL already normalizes.
+      const resolvedHost = new URL(node.resolved).hostname.toLowerCase()
+      // pickRegistry only consults spec.scope, so a bare-name (tag) parse is sufficient and avoids a node.version dependency.
+      const registryHost = new URL(pickRegistry(npa(node.name), this.options)).hostname.toLowerCase()
+      return resolvedHost === registryHost
+    } catch {
+      return false
+    }
+  }
+
   #registryResolved (resolved) {
     // the default registry url is a magic value meaning "the currently
     // configured registry".
@@ -1355,6 +1387,10 @@ module.exports = cls => class Reifier extends cls {
       if (!child.isLink) {
         continue
       }
+      // Tree-only Links never exist on disk; skipping them lets the sweep remove any stale self-link left by an older npm version.
+      if (child.isUndeclaredWorkspaceLink) {
+        continue
+      }
       const nmIdx = loc.lastIndexOf(NM_PREFIX)
       if (nmIdx === -1 || loc.includes(STORE_MARKER)) {
         continue

package/lib/install-scripts.js

@@ -0,0 +1,88 @@
+const { isNodeGypPackage } = require('@npmcli/node-gyp')
+
+// Returns the install-relevant lifecycle scripts that would run for a
+// given arborist Node, or `{}` if there are none.
+//
+// Includes:
+//   - explicit preinstall/install/postinstall
+//   - prepare, but only for non-registry sources (git, file, link, remote)
+//   - synthetic `node-gyp rebuild`, when `binding.gyp` is present on disk
+//     and the package does not opt out via `gypfile: false` or define its
+//     own install / preinstall script
+
+// Lifecycle-script enumeration boundary.
+//
+// IMPORTANT: this helper decides whether `prepare` should be included
+// in the enumerated install scripts (true for non-registry sources only).
+// It is NOT a policy-matching predicate. The policy matcher in
+// script-allowed.js uses `isRegistryNode`, which is strictly tied to
+// versionFromTgz(node.resolved). The two helpers exist separately on
+// purpose:
+//
+//   - `hasNonRegistryShape` (here): "should we consider running prepare
+//     on this node?" — a yes/no for what to enumerate.
+//   - `isRegistryNode` (script-allowed.js): "do we trust this node's
+//     identity enough to apply a policy entry?" — a security check.
+//
+// The looser fallback here (treating unknown-resolved nodes as registry,
+// thus skipping `prepare`) is the safer default for enumeration: we'd
+// rather omit a script we should have run than synthesise one for a
+// non-registry source we couldn't confirm. The policy matcher's stricter
+// behaviour is correct for its boundary; the two helpers must not be
+// merged.
+const hasNonRegistryShape = (node) => {
+  if (typeof node.isRegistryDependency === 'boolean') {
+    return !node.isRegistryDependency
+  }
+  if (!node.resolved) {
+    return false
+  }
+  return !/^https?:\/\/[^/]+\/.+\/-\/[^/]+-\d/.test(node.resolved)
+}
+
+const getInstallScripts = async (node) => {
+  /* istanbul ignore next: arborist Nodes always carry a `package` object;
+     defensive fallbacks for non-arborist callers. */
+  const pkg = node.package || {}
+  /* istanbul ignore next */
+  const scripts = pkg.scripts || {}
+  const collected = {}
+
+  if (scripts.preinstall) {
+    collected.preinstall = scripts.preinstall
+  }
+  if (scripts.install) {
+    collected.install = scripts.install
+  }
+  if (scripts.postinstall) {
+    collected.postinstall = scripts.postinstall
+  }
+  if (scripts.prepare && hasNonRegistryShape(node)) {
+    collected.prepare = scripts.prepare
+  }
+
+  const hasExplicitGypGate = !!(collected.preinstall || collected.install)
+  if (
+    !hasExplicitGypGate &&
+    pkg.gypfile !== false &&
+    await isNodeGypPackage(node.path).catch(() => false)
+  ) {
+    collected.install = 'node-gyp rebuild'
+  }
+
+  // Lockfile-only nodes (e.g. `npm ci` before reify) carry
+  // `hasInstallScript: true` but no enumerated scripts: the lockfile
+  // records the presence flag but never the script bodies. Without this
+  // fallback the strict-allow-scripts preflight would miss them entirely
+  // and let postinstall run. We can't recover the real script body
+  // without fetching the manifest, so emit a sentinel describing that
+  // install scripts are present.
+  if (Object.keys(collected).length === 0 && node.hasInstallScript === true) {
+    collected.install = '(install scripts present)'
+  }
+
+  return collected
+}
+
+module.exports = getInstallScripts
+module.exports.getInstallScripts = getInstallScripts

package/lib/link.js

@@ -109,12 +109,24 @@ class Link extends Node {
   // so this is a no-op
   [_loadDeps] () {}
 
-  // When a Link receives overrides (via edgesIn), forward them to the target node which holds the actual edgesOut.
-  // Without this, overrides stop at the Link and never reach the target's dependency edges.
+  // When a Link receives overrides (via edgesIn), forward them to the target node which holds the actual edgesOut — but only when the OverrideSet has at least one rule that names a dep the target actually depends on.
+  // Without this scope, the link forwards a generic ancestor OverrideSet that has no real effect on the target's edges, but still flips the target to "has overrides", which changes downstream `canReplaceWith` / placement decisions and causes `npm ci` to re-resolve lockfile-pinned edges from the registry.
+  // See npm/cli#9357.
   recalculateOutEdgesOverrides () {
-    if (this.target) {
-      this.target.updateOverridesEdgeInAdded(this.overrides)
+    if (!this.target || !this.overrides) {
+      return
+    }
+    let hasMatchingRule = false
+    for (const rule of this.overrides.ruleset.values()) {
+      if (this.target.edgesOut.has(rule.name)) {
+        hasMatchingRule = true
+        break
+      }
+    }
+    if (!hasMatchingRule) {
+      return
     }
+    this.target.updateOverridesEdgeInAdded(this.overrides)
   }
 
   // links can't have children, only their targets can

package/lib/script-allowed.js

@@ -0,0 +1,340 @@
+const npa = require('npm-package-arg')
+const semver = require('semver')
+const versionFromTgz = require('./version-from-tgz.js')
+
+// Identity matcher for the allowScripts policy.
+//
+// Returns:
+//   - true: at least one allow entry matches and no deny entry matches
+//   - false: at least one deny entry matches (deny wins on conflict)
+//   - null: no entry matches (unreviewed)
+//
+// `policy` is a flat object of `spec-key -> boolean`, where spec-key is
+// anything `npm-package-arg` can parse. `node` is an arborist Node.
+//
+// Identity rules (see RFC npm/rfcs#868):
+//   - registry deps match by the name+version parsed from the lockfile's
+//     resolved URL, NOT by `node.packageName` / `node.version`. Those two
+//     getters return `node.package.name` / `node.package.version`, which
+//     come from the tarball's own package.json and are therefore
+//     attacker-controlled. A package can publish a tarball claiming any
+//     name; the only trusted name is the one baked into the registry URL.
+//   - tarball / file / link / remote: exact match on node.resolved
+//   - git: match on hosted.ssh() plus a short-SHA prefix of the
+//     resolved committish
+
+const isScriptAllowed = (node, policy) => {
+  // Bundled dependencies cannot be allowlisted in Phase 1. The RFC defers
+  // allowlisting them to a follow-up RFC because matching by name@version
+  // from the bundled tarball would reintroduce manifest confusion (a
+  // bundled tarball can claim any name and version). Returning null here
+  // marks bundled deps as unreviewed regardless of any policy entries, so
+  // their install scripts surface in the Phase 1 advisory warning and
+  // (eventually) get blocked at the install-time gate.
+  if (node.inBundle) {
+    return null
+  }
+
+  if (!policy || typeof policy !== 'object') {
+    return null
+  }
+
+  let anyAllow = false
+  let anyDeny = false
+
+  for (const [key, value] of Object.entries(policy)) {
+    if (!matches(node, key)) {
+      continue
+    }
+    if (value === false) {
+      anyDeny = true
+      continue
+    }
+    /* istanbul ignore else: policy values are strictly true/false;
+       defensive guard against unexpected coercions. */
+    if (value === true) {
+      anyAllow = true
+    }
+  }
+
+  if (anyDeny) {
+    return false
+  }
+  if (anyAllow) {
+    return true
+  }
+  return null
+}
+
+const matches = (node, key) => {
+  let parsed
+  try {
+    parsed = npa(key)
+  } catch {
+    return false
+  }
+
+  switch (parsed.type) {
+    case 'tag':
+    case 'range':
+    case 'version':
+      return matchRegistry(node, parsed)
+    case 'git':
+      return matchGit(node, parsed)
+    case 'file':
+    case 'directory':
+      return matchFileOrDir(node, parsed)
+    case 'remote':
+      return matchRemote(node, parsed)
+    case 'alias':
+      // Disallowed: aliases as policy keys do not match anything.
+      // The user has to address the real package name.
+      return false
+    /* istanbul ignore next: switch above covers every npa type we expect;
+       defensive fallback for future npa types. */
+    default:
+      return false
+  }
+}
+
+const matchRegistry = (node, parsed) => {
+  // If this node is not a registry dep, refuse the match. A registry-style
+  // key (`pkg`, `pkg@1`, `pkg@1 || 2`) must not match a tarball or git node
+  // even if their names happen to coincide.
+  if (!isRegistryNode(node)) {
+    return false
+  }
+
+  // Derive the trusted name+version from the lockfile's resolved URL.
+  // Never use `node.packageName` / `node.version` here: those read from
+  // the tarball's own package.json and can be forged by a malicious
+  // publisher to bypass an allowScripts entry.
+  const trusted = getTrustedRegistryIdentity(node)
+  if (!trusted || trusted.name !== parsed.name) {
+    return false
+  }
+
+  // `tag` covers `pkg@latest`. Rejected up front by validatePolicy in
+  // resolve-allow-scripts.js because tags look like a pin but can't be
+  // verified at install time. Defense-in-depth: if one slips through
+  // (e.g. arborist invoked directly without the resolver), don't match.
+  if (parsed.type === 'tag') {
+    /* istanbul ignore next: validatePolicy filters this; defensive */
+    return false
+  }
+
+  // `range` includes `pkg@^1`, `pkg@1 || 2`, `pkg@*`, `pkg@>=0`, and bare
+  // names like `pkg` (npa parses these as range with fetchSpec='*'). The
+  // RFC permits bare names (name-only allow) and exact versions joined by
+  // `||`; ranges like ^/~/>=/< are rejected because they would silently
+  // allow versions the user has never reviewed.
+  if (parsed.type === 'range') {
+    // Bare name or `pkg@*`: treat as name-only allow.
+    if (parsed.fetchSpec === '*' || parsed.rawSpec === '' || parsed.rawSpec === '*') {
+      return true
+    }
+    if (!trusted.version || !isExactVersionDisjunction(parsed.fetchSpec)) {
+      return false
+    }
+    return semver.satisfies(trusted.version, parsed.fetchSpec, { loose: true })
+  }
+
+  // `version` is an exact pin like `pkg@1.2.3`.
+  /* istanbul ignore else: parsed.type at this point is always 'version';
+     the istanbul-ignored fallback below handles the impossible case. */
+  if (parsed.type === 'version') {
+    return trusted.version === parsed.fetchSpec
+  }
+
+  /* istanbul ignore next: parsed.type is constrained to tag/range/version
+     by the caller; this final fallback is defensive. */
+  return false
+}
+
+// Derive a registry node's trusted name+version.
+//
+// Preferred source: the lockfile's resolved URL parsed via
+// versionFromTgz. arborist records the URL when it first adds the dep,
+// before any tarball is unpacked, so the URL cannot be forged by the
+// package's own package.json.
+//
+// Fallback for lockfiles produced with omit-lockfile-registry-resolved
+// (where the URL is absent): take the dep name from an incoming
+// dependency edge. The edge's spec was written by the consumer (or by an
+// upstream package.json), not by the installed tarball. For aliases like
+// `"trusted": "npm:naughty@1.0.0"`, the underlying registered package
+// name is parsed out of the alias `subSpec`. The install location
+// (`node_modules/trusted`) is deliberately not consulted because for
+// aliases it carries only the alias name, which would let a malicious
+// publisher bypass an allowScripts entry written for the real package.
+//
+// Version is left null in the fallback case because the only remaining
+// source for it (`node.version`) reads from the tarball.
+//
+// Returns `{ name, version }` or `null` if no trusted identity exists.
+const getTrustedRegistryIdentity = (node) => {
+  if (node.resolved && typeof node.resolved === 'string') {
+    const parsed = versionFromTgz('', node.resolved)
+    /* istanbul ignore else: versionFromTgz returns either a complete
+       { name, version } or null; partial objects are not produced. */
+    if (parsed && parsed.name && parsed.version) {
+      return parsed
+    }
+  }
+  const name = nameFromEdges(node)
+  if (name) {
+    return { name, version: null }
+  }
+  return null
+}
+
+const nameFromEdges = (node) => {
+  if (!node.edgesIn || typeof node.edgesIn[Symbol.iterator] !== 'function') {
+    return null
+  }
+  for (const edge of node.edgesIn) {
+    let parsed
+    try {
+      parsed = npa.resolve(edge.name, edge.spec)
+    } catch {
+      continue
+    }
+    // Aliases: trust the underlying registered package, not the alias.
+    if (parsed.type === 'alias' && parsed.subSpec && parsed.subSpec.registry) {
+      return parsed.subSpec.name
+    }
+    // Non-aliased registry edge: the edge name is the package name as
+    // written by the consumer / upstream, which is trusted (it is not
+    // read from the installed tarball).
+    if (parsed.registry) {
+      return parsed.name
+    }
+  }
+  return null
+}
+
+// True if `rangeSpec` is one or more exact versions joined by `||`. Anything
+// containing comparator operators (^, ~, >=, <, *) returns false.
+const isExactVersionDisjunction = (rangeSpec) => {
+  /* istanbul ignore next: caller always passes parsed.fetchSpec, which
+     npa guarantees to be a non-empty string for range specs. */
+  if (typeof rangeSpec !== 'string' || rangeSpec.trim() === '') {
+    return false
+  }
+  const parts = rangeSpec.split('||').map(p => p.trim())
+  /* istanbul ignore next: String.prototype.split always returns at least
+     one element; defensive guard only. */
+  if (parts.length === 0) {
+    return false
+  }
+  return parts.every(p => p !== '' && semver.valid(p) !== null)
+}
+
+const matchGit = (node, parsed) => {
+  if (!node.resolved || !node.resolved.startsWith('git')) {
+    return false
+  }
+
+  let nodeParsed
+  try {
+    nodeParsed = npa(node.resolved)
+  } catch {
+    /* istanbul ignore next: npa parsing a git URL we already validated
+       starts with `git` should not throw; defensive guard only. */
+    return false
+  }
+
+  // Compare the host/repo. Both sides should resolve to the same canonical
+  // ssh URL.
+  const noCommittish = { noCommittish: true }
+  const keyHost = parsed.hosted?.ssh(noCommittish)
+  const nodeHost = nodeParsed.hosted?.ssh(noCommittish)
+  if (keyHost && nodeHost) {
+    if (keyHost !== nodeHost) {
+      return false
+    }
+  } else if (parsed.fetchSpec && nodeParsed.fetchSpec) {
+    // Non-hosted git URLs: fall back to fetch spec.
+    if (parsed.fetchSpec !== nodeParsed.fetchSpec) {
+      return false
+    }
+  } else {
+    return false
+  }
+
+  // If the policy key has no committish, name-only match.
+  const keyCommittish = parsed.gitCommittish || parsed.hosted?.committish
+  if (!keyCommittish) {
+    return true
+  }
+
+  // Match the resolved full SHA against the key's committish. Users
+  // typically write short SHAs in the policy; the lockfile stores 40-char
+  // SHAs. Direction matters: the lockfile's full SHA must START WITH the
+  // key's short SHA, never the reverse. A longer key matching a shorter
+  // resolved committish would let a malformed lockfile or a divergent
+  // resolver allow scripts the user never approved.
+  const nodeCommittish = nodeParsed.gitCommittish || nodeParsed.hosted?.committish || ''
+  if (!nodeCommittish) {
+    return false
+  }
+  return nodeCommittish.startsWith(keyCommittish)
+}
+
+const matchFileOrDir = (node, parsed) => {
+  if (!node.resolved) {
+    return false
+  }
+  return node.resolved === parsed.saveSpec || node.resolved === parsed.fetchSpec
+}
+
+const matchRemote = (node, parsed) => {
+  if (!node.resolved) {
+    return false
+  }
+  return node.resolved === parsed.fetchSpec || node.resolved === parsed.saveSpec
+}
+
+const isRegistryNode = (node) => {
+  // Prefer arborist's edge-based check when available (real Node objects).
+  // It inspects the incoming edges' specs and only returns true if every
+  // edge resolves to a registry spec, which is much harder to spoof than
+  // the URL.
+  if (typeof node.isRegistryDependency === 'boolean') {
+    return node.isRegistryDependency
+  }
+  // Fall back to URL parsing for nodes without the arborist getter
+  // (e.g. test fixtures, lockfiles with omit-lockfile-registry-resolved).
+  // Treat the node as a registry dep when:
+  //   - resolved is missing entirely (omitLockfileRegistryResolved),
+  //   - resolved is an https/http URL pointing at a registry tarball, or
+  //   - resolved is undefined and the node has a version (defensive).
+  if (!node.resolved) {
+    return !!node.version
+  }
+  // Registry tarballs live at `<host>/<pkg-name>/-/<pkg-name>-<version>.tgz`.
+  // Require a path segment before `/-/` so an attacker can't lift a
+  // registry-style allow entry to a hostile URL like
+  // `https://evil.com/-/trusted-1.0.0.tgz`.
+  return /^https?:\/\/[^/]+\/.+\/-\/[^/]+-\d/.test(node.resolved)
+}
+
+// Trusted display identity for human-facing output (`npm install`
+// advisory, `npm approve-scripts --allow-scripts-pending`). Same idea as
+// getTrustedRegistryIdentity, but for DISPLAY only — version falls back
+// to node.version when the URL doesn't carry one. Must never be used
+// for policy matching.
+const trustedDisplay = (node) => {
+  const trusted = getTrustedRegistryIdentity(node)
+  /* istanbul ignore next: defensive fallbacks for nodes without name/version */
+  return {
+    name: (trusted && trusted.name) || node.name || null,
+    version: (trusted && trusted.version) || node.version || null,
+  }
+}
+
+module.exports = isScriptAllowed
+module.exports.isScriptAllowed = isScriptAllowed
+module.exports.isExactVersionDisjunction = isExactVersionDisjunction
+module.exports.getTrustedRegistryIdentity = getTrustedRegistryIdentity
+module.exports.trustedDisplay = trustedDisplay

package/lib/shrinkwrap.js

@@ -929,10 +929,24 @@ class Shrinkwrap {
           continue
         }
         const loc = relpath(this.path, node.path)
-        this.data.packages[loc] = Shrinkwrap.metaFromNode(
+        // Drop lockfile entries for extraneous nodes outside node_modules. These are stale workspace entries: the workspace was removed from package.json or its directory was deleted, so it should not be tracked in package-lock.json.
+        if (node.extraneous && !/(^|\/)node_modules\//.test(loc) && loc !== 'node_modules') {
+          continue
+        }
+        const meta = Shrinkwrap.metaFromNode(
           node,
           this.path,
           this.resolveOptions)
+        // Skip inert nodes — these are optional deps that failed to load
+        // (e.g. 404 from a proxy registry that hasn't cached the package,
+        // or incomplete manifest missing version field).
+        // #pruneFailedOptional marks them inert so they won't be reified;
+        // writing them to the lockfile produces invalid entries like
+        // {"optional": true} that cause "Invalid Version:" errors.
+        if (node.inert && !node.package.version) {
+          continue
+        }
+        this.data.packages[loc] = meta
       }
     } else if (this.#awaitingUpdate.size > 0) {
       for (const loc of this.#awaitingUpdate.keys()) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.5.0",
+  "version": "9.7.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",