@npmcli/arborist 9.6.0 → 10.0.0-pre.0.0

package/README.md

@@ -60,7 +60,7 @@ arb.loadActual().then(tree => {
   // tree is also stored at arb.virtualTree
 })
 
-// read just what the package-lock.json/npm-shrinkwrap says
+// read just what the package-lock.json says
 // This *also* loads the yarn.lock file, but that's only relevant
 // when building the ideal tree.
 arb.loadVirtual().then(tree => {
@@ -301,7 +301,7 @@ pruning nodes from the tree.
   that the dep is brought in by a peer dep at some point, rather than a
   normal non-peer dependency.
 
-Note: `devOptional` is only set in the shrinkwrap/package-lock file if
+Note: `devOptional` is only set in the package-lock file if
 _neither_ `dev` nor `optional` are set, as it would be redundant.
 
 ## BIN

package/bin/index.js

@@ -20,8 +20,7 @@ ${message && '\n' + message + '\n'}
   * prune: prune the ideal tree and reify (like npm prune)
   * ideal: generate and print the ideal tree
   * actual: read and print the actual tree in node_modules
-  * virtual: read and print the virtual tree in the local shrinkwrap file
-  * shrinkwrap: load a local shrinkwrap and print its data
+  * virtual: read and print the virtual tree in the local package-lock.json
   * audit: perform a security audit on project dependencies
   * funding: query funding information in the local package tree.  A second
     positional argument after the path name can limit to a package name.

package/lib/arborist/build-ideal-tree.js

@@ -711,7 +711,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
     for (const node of this.idealTree.inventory.values()) {
       // XXX add any invalid edgesOut to the queue
       if (this[_updateNames].includes(node.name) &&
-        !node.isTop && !node.inDepBundle && !node.inShrinkwrap) {
+        !node.isTop && !node.inDepBundle) {
         for (const edge of node.edgesIn) {
           this.addTracker('idealTree', edge.from.name, edge.from.location)
           this.#depsQueue.push(edge.from)
@@ -834,15 +834,11 @@ This is a one-time fix-up, please be patient...
     const node = this.#depsQueue.pop()
     const bd = node.package.bundleDependencies
     const hasBundle = bd && Array.isArray(bd) && bd.length
-    const { hasShrinkwrap } = node
 
     // if the node was already visited, or has since been removed from the
-    // tree, skip over it and process the rest of the queue.  If a node has
-    // a shrinkwrap, also skip it, because it's going to get its deps
-    // satisfied by whatever's in that file anyway.
+    // tree, skip over it and process the rest of the queue.
     if (this.#depsSeen.has(node) ||
-        node.root !== this.idealTree ||
-        hasShrinkwrap && !this.#complete) {
+        node.root !== this.idealTree) {
       return this.#buildDepStep()
     }
 
@@ -852,15 +848,15 @@ This is a one-time fix-up, please be patient...
 
     // if we're loading a _complete_ ideal tree, for a --package-lock-only
     // installation for example, we have to crack open the tarball and
-    // look inside if it has bundle deps or shrinkwraps.  note that this is
+    // look inside if it has bundle deps.  note that this is
     // not necessary during a reification, because we just update the
-    // ideal tree by reading bundles/shrinkwraps in place.
+    // ideal tree by reading bundles in place.
     // Don't bother if the node is from the actual tree and hasn't
     // been resolved, because we can't fetch it anyway, could be anything!
     const crackOpen = this.#complete &&
       node !== this.idealTree &&
       node.resolved &&
-      (hasBundle || hasShrinkwrap) &&
+      hasBundle &&
       !node.inert
     if (crackOpen) {
       const Arborist = this.constructor
@@ -873,15 +869,8 @@ This is a one-time fix-up, please be patient...
           integrity: node.integrity,
         })
 
-        if (hasShrinkwrap) {
-          await new Arborist({ ...this.options, path })
-            .loadVirtual({ root: node })
-        }
-
-        if (hasBundle) {
-          await new Arborist({ ...this.options, path })
-            .loadActual({ root: node, ignoreMissing: true })
-        }
+        await new Arborist({ ...this.options, path })
+          .loadActual({ root: node, ignoreMissing: true })
       })
     }
 
@@ -1228,11 +1217,6 @@ This is a one-time fix-up, please be patient...
         continue
       }
 
-      // If it's shrinkwrapped, we use what the shrinkwap wants.
-      if (edge.to && edge.to.inShrinkwrap) {
-        continue
-      }
-
       // If the edge has no destination, that's a problem, unless
       // if it's peerOptional and not explicitly requested.
       if (!edge.to) {

package/lib/arborist/isolated-reifier.js

@@ -1,5 +1,3 @@
-const { mkdirSync } = require('node:fs')
-const pacote = require('pacote')
 const { join } = require('node:path')
 const { depth } = require('treeverse')
 const crypto = require('node:crypto')
@@ -149,50 +147,14 @@ module.exports = cls => class IsolatedReifier extends cls {
     const result = {}
     // XXX this goes recursive if we don't set here because assignCommonProperties also calls this.#externalProxy
     this.#externalProxies.set(node, result)
-    await this.#assignCommonProperties(node, result, !node.hasShrinkwrap)
-    if (node.hasShrinkwrap) {
-      const dir = join(
-        node.root.path,
-        'node_modules',
-        '.store',
-        `${node.packageName}@${node.version}`
-      )
-      mkdirSync(dir, { recursive: true })
-      // TODO this approach feels wrong and shouldn't be necessary for shrinkwraps
-      await pacote.extract(node.resolved, dir, {
-        ...this.options,
-        resolved: node.resolved,
-        integrity: node.integrity,
-        // TODO _isRoot
-      })
-      const Arborist = this.constructor
-      const arb = new Arborist({ ...this.options, path: dir })
-      // Make sure that the ideal tree is build as the rest of the algorithm depends on it.
-      await arb.buildIdealTree({
-        complete: false,
-        dev: false,
-      })
-      await arb.makeIdealGraph()
-      this.idealGraph.external.push(...arb.idealGraph.external)
-      for (const edge of arb.idealGraph.external) {
-        edge.root = this.idealGraph
-        edge.id = `${node.id}=>${edge.id}`
-      }
-      result.localDependencies = []
-      result.externalDependencies = arb.idealGraph.externalDependencies
-      result.externalOptionalDependencies = arb.idealGraph.externalOptionalDependencies
-      result.dependencies = [
-        ...result.externalDependencies,
-        ...result.externalOptionalDependencies,
-      ]
-    }
+    await this.#assignCommonProperties(node, result)
     result.optional = node.optional
     result.resolved = node.resolved
     result.version = node.version
     return result
   }
 
-  async #assignCommonProperties (node, result, populateDeps = true) {
+  async #assignCommonProperties (node, result) {
     result.root = this.idealGraph
     // XXX does anything need this?
     result.id = this.counter++
@@ -202,10 +164,6 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.package = { ...node.package }
     result.package.bundleDependencies = undefined
 
-    if (!populateDeps) {
-      return
-    }
-
     let edges = [...node.edgesOut.values()].filter(edge =>
       edge.to?.target &&
       !(node.package.bundledDependencies || node.package.bundleDependencies)?.includes(edge.to.name)

package/lib/arborist/load-virtual.js

@@ -39,7 +39,7 @@ module.exports = cls => class VirtualLoader extends cls {
       resolveOptions: this.options,
     })
     if (!s.loadedFromDisk && !options.root) {
-      const er = new Error('loadVirtual requires existing shrinkwrap file')
+      const er = new Error('loadVirtual requires existing package-lock.json file')
       throw Object.assign(er, { code: 'ENOLOCK' })
     }
 
@@ -244,7 +244,6 @@ To fix:
       integrity: sw.integrity,
       resolved: consistentResolve(sw.resolved, this.path, path),
       pkg: sw,
-      hasShrinkwrap: sw.hasShrinkwrap,
       loadOverrides,
       // cast to boolean because they're undefined in the lock file when false
       extraneous: !!sw.extraneous,

package/lib/arborist/reify.js

@@ -48,7 +48,6 @@ const _checkBins = Symbol.for('checkBins')
 // TODO tests should not be this deep into internals
 const _diffTrees = Symbol.for('diffTrees')
 const _createSparseTree = Symbol.for('createSparseTree')
-const _loadShrinkwrapsAndUpdateTrees = Symbol.for('loadShrinkwrapsAndUpdateTrees')
 const _reifyNode = Symbol.for('reifyNode')
 const _updateAll = Symbol.for('updateAll')
 const _updateNames = Symbol.for('updateNames')
@@ -73,7 +72,6 @@ module.exports = cls => class Reifier extends cls {
   #omit
   #retiredPaths = {}
   #retiredUnchanged = {}
-  #shrinkwrapInflated = new Set()
   #sparseTreeDirs = new Set()
   #sparseTreeRoots = new Set()
   #linkedActualForDiff = null
@@ -306,7 +304,6 @@ module.exports = cls => class Reifier extends cls {
       ]],
       [_rollbackCreateSparseTree, [
         _createSparseTree,
-        _loadShrinkwrapsAndUpdateTrees,
         _loadBundlesAndUpdateTrees,
         _submitQuickAudit,
         _unpackNewModules,
@@ -466,7 +463,6 @@ module.exports = cls => class Reifier extends cls {
     // and ideal trees.
     this.diff = Diff.calculate({
       omit: this.#omit,
-      shrinkwrapInflated: this.#shrinkwrapInflated,
       filterNodes,
       actual: this.#linkedActualForDiff || this.actualTree,
       ideal: this.idealTree,
@@ -617,39 +613,6 @@ module.exports = cls => class Reifier extends cls {
       .then(() => this[_rollbackRetireShallowNodes](er))
   }
 
-  // shrinkwrap nodes define their dependency branches with a file, so
-  // we need to unpack them, read that shrinkwrap file, and then update
-  // the tree by calling loadVirtual with the node as the root.
-  [_loadShrinkwrapsAndUpdateTrees] () {
-    const seen = this.#shrinkwrapInflated
-    const shrinkwraps = this.diff.leaves
-      .filter(d => (d.action === 'CHANGE' || d.action === 'ADD' || !d.action) &&
-        d.ideal.hasShrinkwrap && !seen.has(d.ideal) &&
-        !this[_trashList].has(d.ideal.path))
-
-    if (!shrinkwraps.length) {
-      return
-    }
-
-    const timeEnd = time.start('reify:loadShrinkwraps')
-
-    const Arborist = this.constructor
-    return promiseAllRejectLate(shrinkwraps.map(diff => {
-      const node = diff.ideal
-      seen.add(node)
-      return diff.action ? this[_reifyNode](node) : node
-    }))
-      .then(nodes => promiseAllRejectLate(nodes.map(node => new Arborist({
-        ...this.options,
-        path: node.path,
-      }).loadVirtual({ root: node }))))
-      // reload the diff and sparse tree because the ideal tree changed
-      .then(() => this[_diffTrees]())
-      .then(() => this[_createSparseTree]())
-      .then(() => this[_loadShrinkwrapsAndUpdateTrees]())
-      .then(timeEnd)
-  }
-
   // create a symlink for Links, extract for Nodes
   // return the node object, since we usually want that
   // handle optional dep failures here
@@ -1176,7 +1139,6 @@ module.exports = cls => class Reifier extends cls {
 
         const node = diff.ideal
         const bd = this.#bundleUnpacked.has(node)
-        const sw = this.#shrinkwrapInflated.has(node)
         const bundleMissing = this.#bundleMissing.has(node)
 
         // check whether we still need to unpack this one.
@@ -1186,8 +1148,6 @@ module.exports = cls => class Reifier extends cls {
           !node.isRoot &&
           // already unpacked to read bundle
           !bd &&
-          // already unpacked to read sw
-          !sw &&
           // already unpacked by another dep's bundle
           (bundleMissing || !node.inDepBundle)
 

package/lib/diff.js

@@ -11,10 +11,9 @@ const { existsSync } = require('node:fs')
 const ssri = require('ssri')
 
 class Diff {
-  constructor ({ actual, ideal, filterSet, shrinkwrapInflated, omit }) {
+  constructor ({ actual, ideal, filterSet, omit }) {
     this.omit = omit
     this.filterSet = filterSet
-    this.shrinkwrapInflated = shrinkwrapInflated
     this.children = []
     this.actual = actual
     this.ideal = ideal
@@ -36,7 +35,6 @@ class Diff {
     actual,
     ideal,
     filterNodes = [],
-    shrinkwrapInflated = new Set(),
     omit = new Set(),
   }) {
     // if there's a filterNode, then:
@@ -102,7 +100,7 @@ class Diff {
     }
 
     return depth({
-      tree: new Diff({ actual, ideal, filterSet, shrinkwrapInflated, omit }),
+      tree: new Diff({ actual, ideal, filterSet, omit }),
       getChildren,
       leave,
     })
@@ -191,26 +189,16 @@ const getChildren = diff => {
     unchanged,
     removed,
     filterSet,
-    shrinkwrapInflated,
     omit,
   } = diff
 
   // Note: we DON'T diff fsChildren themselves, because they are either
-  // included in the package contents, or part of some other project, and
-  // will never appear in legacy shrinkwraps anyway.  but we _do_ include the
-  // child nodes of fsChildren, because those are nodes that we are typically
-  // responsible for installing.
+  // included in the package contents, or part of some other project.
+  // But we _do_ include the child nodes of fsChildren, because those are
+  // nodes that we are typically responsible for installing.
   const actualKids = allChildren(actual)
   const idealKids = allChildren(ideal)
 
-  if (ideal && ideal.hasShrinkwrap && !shrinkwrapInflated.has(ideal)) {
-    // Guaranteed to get a diff.leaves here, because we always
-    // be called with a proper Diff object when ideal has a shrinkwrap
-    // that has not been inflated.
-    diff.leaves.push(diff)
-    return children
-  }
-
   const paths = new Set([...actualKids.keys(), ...idealKids.keys()])
   for (const path of paths) {
     const actual = actualKids.get(path)
@@ -222,7 +210,6 @@ const getChildren = diff => {
       unchanged,
       removed,
       filterSet,
-      shrinkwrapInflated,
       omit,
     })
   }
@@ -241,7 +228,6 @@ const diffNode = ({
   unchanged,
   removed,
   filterSet,
-  shrinkwrapInflated,
   omit,
 }) => {
   if (filterSet.size && !(filterSet.has(ideal) || filterSet.has(actual))) {
@@ -264,11 +250,11 @@ const diffNode = ({
 
   // if it's a match, then get its children
   // otherwise, this is the child diff node
-  if (action || (!shrinkwrapInflated.has(ideal) && ideal.hasShrinkwrap)) {
+  if (action) {
     if (action === 'REMOVE') {
       removed.push(actual)
     }
-    children.push(new Diff({ actual, ideal, filterSet, shrinkwrapInflated, omit }))
+    children.push(new Diff({ actual, ideal, filterSet, omit }))
   } else {
     unchanged.push(ideal)
     // !*! Weird dirty hack warning !*!
@@ -307,7 +293,6 @@ const diffNode = ({
       unchanged,
       removed,
       filterSet,
-      shrinkwrapInflated,
       omit,
     }))
   }

package/lib/edge.js

@@ -109,8 +109,8 @@ class Edge {
     }
 
     // NOTE: this condition means we explicitly do not support overriding
-    // bundled or shrinkwrapped dependencies
-    if (node.hasShrinkwrap || node.inShrinkwrap || node.inBundle) {
+    // bundled dependencies
+    if (node.inDepBundle) {
       return depValid(node, this.rawSpec, this.#accept, this.#from)
     }
 

package/lib/isolated-classes.js

@@ -16,7 +16,6 @@ class IsolatedNode {
   edgesIn = new Set()
   edgesOut = new CaseInsensitiveMap()
   fsChildren = new Set()
-  hasShrinkwrap = false
   integrity = null
   inventory = new IsolatedInventory()
   isInStore = false

package/lib/node.js

@@ -82,7 +82,6 @@ class Node {
       fsChildren,
       fsParent,
       global = false,
-      hasShrinkwrap,
       inert = false,
       installLinks = false,
       integrity,
@@ -170,7 +169,6 @@ class Node {
       }
     }
     this.integrity = integrity || this.package._integrity || null
-    this.hasShrinkwrap = hasShrinkwrap || this.package._hasShrinkwrap || false
     this.installLinks = installLinks
     this.legacyPeerDeps = legacyPeerDeps
 
@@ -1101,8 +1099,8 @@ class Node {
   // is depending on it would be fine with the thing that they would resolve
   // to if it was removed, or nothing is depending on it in the first place.
   canDedupe (preferDedupe = false, explicitRequest = false) {
-    // not allowed to mess with shrinkwraps or bundles
-    if (this.inDepBundle || this.inShrinkwrap) {
+    // not allowed to mess with bundles
+    if (this.inDepBundle) {
       return false
     }
 
@@ -1249,11 +1247,6 @@ class Node {
     treeCheck(this)
   }
 
-  get inShrinkwrap () {
-    return this.parent &&
-      (this.parent.hasShrinkwrap || this.parent.inShrinkwrap)
-  }
-
   get parent () {
     // setter prevents _parent from being this
     return this[_parent]

package/lib/printable.js

@@ -52,11 +52,6 @@ class ArboristNode {
     if (bd && bd.length) {
       this.bundleDependencies = bd
     }
-    if (tree.inShrinkwrap) {
-      this.inShrinkwrap = true
-    } else if (tree.hasShrinkwrap) {
-      this.hasShrinkwrap = true
-    }
     if (tree.error) {
       this.error = treeError(tree.error)
     }

package/lib/shrinkwrap.js

@@ -1,5 +1,4 @@
-// a module that manages a shrinkwrap file (npm-shrinkwrap.json or
-// package-lock.json).
+// a module that manages a lockfile (package-lock.json).
 
 // Increment whenever the lockfile version updates
 // v1 - npm <=6
@@ -98,7 +97,6 @@ const pkgMetaKeys = [
   'libc',
   '_integrity',
   'license',
-  '_hasShrinkwrap',
   'hasInstallScript',
   'bin',
   'deprecated',
@@ -108,7 +106,6 @@ const pkgMetaKeys = [
 const nodeMetaKeys = [
   'integrity',
   'inBundle',
-  'hasShrinkwrap',
   'hasInstallScript',
 ]
 
@@ -199,17 +196,14 @@ class Shrinkwrap {
     const s = new Shrinkwrap(options)
     s.reset()
 
-    const [sw, lock] = await s.resetFiles
+    const [lock] = await s.resetFiles
 
-    // XXX this is duplicated in this.load(), but using loadFiles instead of resetFiles
     if (s.hiddenLockfile) {
       s.filename = resolve(s.path, 'node_modules/.package-lock.json')
-    } else if (s.shrinkwrapOnly || sw) {
-      s.filename = resolve(s.path, 'npm-shrinkwrap.json')
     } else {
       s.filename = resolve(s.path, 'package-lock.json')
     }
-    s.loadedFromDisk = !!(sw || lock)
+    s.loadedFromDisk = !!lock
     // TODO what uses this?
     s.type = basename(s.filename)
 
@@ -286,7 +280,6 @@ class Shrinkwrap {
       path,
       indent = 2,
       newline = '\n',
-      shrinkwrapOnly = false,
       hiddenLockfile = false,
       lockfileVersion,
       resolveOptions = {},
@@ -312,8 +305,6 @@ class Shrinkwrap {
     this.hiddenLockfile = hiddenLockfile
     this.loadingError = null
     this.resolveOptions = resolveOptions
-    // only load npm-shrinkwrap.json in dep trees, not package-lock
-    this.shrinkwrapOnly = shrinkwrapOnly
   }
 
   // check to see if a spec is present in the yarn.lock file, and if so,
@@ -369,14 +360,10 @@ class Shrinkwrap {
 
   // files to potentially read from and write to, in order of priority
   get #filenameSet () {
-    if (this.shrinkwrapOnly) {
-      return [`${this.path}/npm-shrinkwrap.json`]
-    }
     if (this.hiddenLockfile) {
       return [`${this.path}/node_modules/.package-lock.json`]
     }
     return [
-      `${this.path}/npm-shrinkwrap.json`,
       `${this.path}/package-lock.json`,
       `${this.path}/yarn.lock`,
     ]
@@ -396,9 +383,9 @@ class Shrinkwrap {
   }
 
   get resetFiles () {
-    // slice out yarn, we only care about lock or shrinkwrap when checking
+    // slice out yarn, we only care about the package-lock when checking
     // this way, since we're not actually loading the full lock metadata
-    return Promise.all(this.#filenameSet.slice(0, 2)
+    return Promise.all(this.#filenameSet.slice(0, 1)
       .map(file => file && stat(file).then(st => st.isFile(), er => {
         /* istanbul ignore else - can't test without breaking module itself */
         if (er.code === 'ENOENT') {
@@ -425,25 +412,18 @@ class Shrinkwrap {
   }
 
   async load () {
-    // we don't need to load package-lock.json except for top of tree nodes,
-    // only npm-shrinkwrap.json.
     let data
     try {
-      const [sw, lock, yarn] = await this.loadFiles
-      data = sw || lock || '{}'
+      const [lock, yarn] = await this.loadFiles
+      data = lock || '{}'
 
-      // use shrinkwrap only for deps; otherwise, prefer package-lock
-      // and ignore npm-shrinkwrap if both are present.
-      // TODO: emit a warning here or something if both are present.
       if (this.hiddenLockfile) {
         this.filename = resolve(this.path, 'node_modules/.package-lock.json')
-      } else if (this.shrinkwrapOnly || sw) {
-        this.filename = resolve(this.path, 'npm-shrinkwrap.json')
       } else {
         this.filename = resolve(this.path, 'package-lock.json')
       }
       this.type = basename(this.filename)
-      this.loadedFromDisk = Boolean(sw || lock)
+      this.loadedFromDisk = Boolean(lock)
 
       if (yarn) {
         this.yarnLock = new YarnLock()
@@ -809,7 +789,6 @@ class Shrinkwrap {
       const {
         resolved,
         integrity,
-        hasShrinkwrap,
         version,
       } = this.get(node.path)
 
@@ -836,17 +815,14 @@ class Shrinkwrap {
       if (allOk) {
         node.resolved = node.resolved || pathFixed || null
         node.integrity = node.integrity || integrity || null
-        node.hasShrinkwrap = node.hasShrinkwrap || hasShrinkwrap || false
       } else {
         // try to read off the package or node itself
         const {
           resolved,
           integrity,
-          hasShrinkwrap,
         } = Shrinkwrap.metaFromNode(node, this.path, this.resolveOptions)
         node.resolved = node.resolved || resolved || null
         node.integrity = node.integrity || integrity || null
-        node.hasShrinkwrap = node.hasShrinkwrap || hasShrinkwrap || false
       }
     }
     this.#awaitingUpdate.set(loc, node)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.6.0",
+  "version": "10.0.0-pre.0.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",

package/bin/shrinkwrap.js

@@ -1,7 +0,0 @@
-const Shrinkwrap = require('../lib/shrinkwrap.js')
-
-module.exports = (options, time) => Shrinkwrap
-  .load(options)
-  .then((s) => s.commit())
-  .then(time)
-  .then(({ result: s }) => JSON.stringify(s, 0, 2))