@npmcli/arborist 9.7.0 → 9.8.0

package/lib/arborist/build-ideal-tree.js

@@ -24,6 +24,7 @@ const PlaceDep = require('../place-dep.js')
 const debug = require('../debug.js')
 const fromPath = require('../from-path.js')
 const calcDepFlags = require('../calc-dep-flags.js')
+const { isReleaseAgeExcluded, trustedSpecName } = require('../release-age-exclude.js')
 const Shrinkwrap = require('../shrinkwrap.js')
 const { defaultLockfileVersion } = Shrinkwrap
 const Node = require('../node.js')
@@ -533,7 +534,11 @@ module.exports = cls => class IdealTreeBuilder extends cls {
       // look up the names of file/directory/git specs
       if (!spec.name || isTag) {
         const _isRoot = tree.isProjectRoot || tree.isWorkspace
-        const mani = await pacote.manifest(spec, { ...this.options, _isRoot })
+        const mani = await pacote.manifest(spec, {
+          ...this.options,
+          _isRoot,
+          before: this.#releaseAgeBefore(spec),
+        })
         if (isTag) {
           // translate tag to a version
           spec = npa(`${mani.name}@${mani.version}`)
@@ -777,6 +782,7 @@ This is a one-time fix-up, please be patient...
             resolved: resolved,
             integrity: integrity,
             fullMetadata: false,
+            before: this.#releaseAgeBefore(spec),
           })
           node.package = { ...mani, _id: `${mani.name}@${mani.version}` }
         } catch (er) {
@@ -875,7 +881,7 @@ This is a one-time fix-up, please be patient...
 
         if (hasShrinkwrap) {
           await new Arborist({ ...this.options, path })
-            .loadVirtual({ root: node })
+            .loadVirtual({ root: node, subtreeOnly: true })
         }
 
         if (hasBundle) {
@@ -1279,6 +1285,19 @@ This is a one-time fix-up, please be patient...
     return problems
   }
 
+  // The effective `before` filter for a package, applying `min-release-age-exclude`.
+  // Returns null (no age filter) for an exempted package, otherwise the
+  // configured `before`. The exemption is keyed on the spec's trusted registry
+  // identity (alias targets are unwrapped) so an `npm:` alias key cannot disable
+  // the filter for the package it actually resolves to.
+  #releaseAgeBefore (spec) {
+    const { before, minReleaseAgeExclude } = this.options
+    if (!before) {
+      return before
+    }
+    return isReleaseAgeExcluded(trustedSpecName(spec), minReleaseAgeExclude) ? null : before
+  }
+
   async #fetchManifest (spec, parent, edge) {
     // Enforce allow-* gates before consulting the manifest cache so a cached entry from a different edge cannot bypass the policy.
     this.#checkAllow(spec, edge)
@@ -1286,6 +1305,7 @@ This is a one-time fix-up, please be patient...
       ...this.options,
       avoid: this.#avoidRange(spec.name),
       fullMetadata: true,
+      before: this.#releaseAgeBefore(spec),
       _isRoot: !!(edge?.from?.isProjectRoot || edge?.from?.isWorkspace),
     }
     // get the intended spec and stored metadata from yarn.lock file,

package/lib/arborist/isolated-reifier.js

@@ -4,6 +4,7 @@ const { join } = require('node:path')
 const { depth } = require('treeverse')
 const crypto = require('node:crypto')
 const { IsolatedNode, IsolatedLink } = require('../isolated-classes.js')
+const nameFromFolder = require('@npmcli/name-from-folder')
 
 // generate short hash key based on the dependency tree starting at this node
 const getKey = (startNode) => {
@@ -39,9 +40,12 @@ module.exports = cls => class IsolatedReifier extends cls {
   #processedEdges = new Set()
   #workspaceProxies = new Map()
 
-  #generateChild (node, location, pkg, isInStore, root) {
+  #generateChild (node, location, pkg, isInStore, root, inBundle = false) {
     const newChild = new IsolatedNode({
       isInStore,
+      inBundle,
+      isRegistryDependency: node.isRegistryDependency,
+      isRootDependency: node.isRootDependency,
       location,
       name: node.packageName || node.name,
       optional: node.optional,
@@ -151,11 +155,14 @@ module.exports = cls => class IsolatedReifier extends cls {
     this.#externalProxies.set(node, result)
     await this.#assignCommonProperties(node, result, !node.hasShrinkwrap)
     if (node.hasShrinkwrap) {
+      // strip any path traversal from package.json name fields before they hit path.join below
+      /* istanbul ignore next - packageName is always set for real packages */
+      const safeName = nameFromFolder(node.packageName || node.path)
       const dir = join(
         node.root.path,
         'node_modules',
         '.store',
-        `${node.packageName}@${node.version}`
+        `${safeName}@${node.version}`
       )
       mkdirSync(dir, { recursive: true })
       // TODO this approach feels wrong and shouldn't be necessary for shrinkwraps
@@ -189,6 +196,13 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.optional = node.optional
     result.resolved = node.resolved
     result.version = node.version
+    // Carry the source node's registry-dependency flag so the store node retains it.
+    // IsolatedNode has no edges to recompute it from, and reify's registry-tarball allow-remote exemption depends on it.
+    result.isRegistryDependency = node.isRegistryDependency
+    // Same reasoning for allow-remote=root: the store node has no edgesIn, so capture from the source node whether it satisfies a valid edge from the project root or a workspace.
+    result.isRootDependency = [...node.edgesIn].some(e =>
+      e.valid && (e.from?.isProjectRoot || e.from?.isWorkspace)
+    )
     return result
   }
 
@@ -198,7 +212,8 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.id = this.counter++
     /* istanbul ignore next - packageName is always set for real packages */
     result.name = result.isWorkspace ? (node.packageName || node.name) : node.name
-    result.packageName = node.packageName || node.name
+    // strip any path traversal from package.json name fields before they hit path.join below
+    result.packageName = nameFromFolder(node.packageName || node.path)
     result.package = { ...node.package }
     result.package.bundleDependencies = undefined
 
@@ -253,6 +268,22 @@ module.exports = cls => class IsolatedReifier extends cls {
     // local `file:` deps (non-workspace fsChildren) should be treated as local dependencies, not external, so they get symlinked directly instead of being extracted into the store.
     const isLocal = (n) => n.isWorkspace || node.fsChildren?.has(n)
     const optionalDeps = edges.filter(edge => edge.optional).map(edge => edge.to.target)
+
+    // Optional peers declared only in peerDependenciesMeta (e.g. `@types/react`) have no edge, so the materialization above misses them.
+    // Resolve each from the tree and link it; if nobody provides it, node.resolve finds nothing and it stays omitted.
+    const peerMeta = node.package.peerDependenciesMeta
+    if (peerMeta) {
+      const resolvedNames = new Set([...nonOptionalDeps, ...optionalDeps].map(n => n.name))
+      for (const peerName in peerMeta) {
+        if (!peerMeta[peerName]?.optional || resolvedNames.has(peerName)) {
+          continue
+        }
+        const resolved = node.resolve(peerName)?.target
+        if (resolved && resolved !== node && !resolved.inert && !isLocal(resolved)) {
+          optionalDeps.push(resolved)
+        }
+      }
+    }
     result.localDependencies = await Promise.all(nonOptionalDeps.filter(isLocal).map(n => this.#workspaceProxy(n)))
     result.externalDependencies = await Promise.all(nonOptionalDeps.filter(n => !isLocal(n) && !n.inert).map(n => this.#externalProxy(n)))
     result.externalOptionalDependencies = await Promise.all(optionalDeps.filter(n => !n.inert).map(n => this.#externalProxy(n)))
@@ -367,7 +398,7 @@ module.exports = cls => class IsolatedReifier extends cls {
     })
 
     bundledTree.nodes.forEach(node => {
-      this.#generateChild(node, node.location, node.pkg, false, root)
+      this.#generateChild(node, node.location, node.pkg, false, root, true)
     })
 
     bundledTree.edges.forEach(edge => {

package/lib/arborist/load-virtual.js

@@ -1,4 +1,4 @@
-const { resolve } = require('node:path')
+const { isAbsolute, resolve } = require('node:path')
 // mixin providing the loadVirtual method
 const mapWorkspaces = require('@npmcli/map-workspaces')
 const PackageJson = require('@npmcli/package-json')
@@ -17,6 +17,8 @@ const setWorkspaces = Symbol.for('setWorkspaces')
 
 module.exports = cls => class VirtualLoader extends cls {
   #rootOptionProvided
+  // when true, lockfile entries must stay inside `this.path`
+  #subtreeOnly = false
 
   // public method
   async loadVirtual (options = {}) {
@@ -28,6 +30,8 @@ module.exports = cls => class VirtualLoader extends cls {
     // XXX: deprecate separate reify() options object.
     options = { ...this.options, ...options }
 
+    this.#subtreeOnly = !!options.subtreeOnly
+
     if (options.root && options.root.meta) {
       await this.#loadFromShrinkwrap(options.root.meta, options.root)
       return treeCheck(this.virtualTree)
@@ -166,12 +170,40 @@ module.exports = cls => class VirtualLoader extends cls {
     }
   }
 
+  // throw if the resolved path is outside `base`, only in subtreeOnly mode
+  #assertContained (base, resolvedPath, location) {
+    if (!this.#subtreeOnly) {
+      return
+    }
+    if (isAbsolute(location)) {
+      throw Object.assign(
+        new Error(`invalid lockfile entry: "${location}" must be a relative location`),
+        { code: 'EINVALIDLOCATION', location, base }
+      )
+    }
+    const rel = relpath(base, resolvedPath)
+    if (
+      rel === '..' ||
+      rel.startsWith('../') ||
+      isAbsolute(rel) ||
+      // non-root key that collapses back to base (e.g. 'node_modules/..')
+      (rel === '' && location !== '')
+    ) {
+      throw Object.assign(
+        new Error(`invalid lockfile entry: "${location}" resolves outside of "${base}"`),
+        { code: 'EINVALIDLOCATION', location, base, resolvedPath }
+      )
+    }
+  }
+
   // links is the set of metadata, and nodes is the map of non-Link nodes
   // Set the targets to nodes in the set, if we have them (we might not)
   // XXX build-ideal-tree also has a #resolveLinks, is there overlap?
   async #resolveLinks (links, nodes) {
     for (const [location, meta] of links.entries()) {
       const targetPath = resolve(this.path, meta.resolved)
+      // check before nodes.get so we surface EINVALIDLOCATION instead of EMISSINGTARGET
+      this.#assertContained(this.path, targetPath, meta.resolved || location)
       const targetLoc = relpath(this.path, targetPath)
       const target = nodes.get(targetLoc)
 
@@ -230,6 +262,7 @@ To fix:
   #loadNode (location, sw, loadOverrides) {
     const p = this.virtualTree ? this.virtualTree.realpath : this.path
     const path = resolve(p, location)
+    this.#assertContained(p, path, location)
     // shrinkwrap doesn't include package name unless necessary
     if (!sw.name) {
       sw.name = nameFromFolder(path)
@@ -259,6 +292,7 @@ To fix:
 
   #loadLink (location, targetLoc, target) {
     const path = resolve(this.path, location)
+    this.#assertContained(this.path, path, location)
     const link = new Link({
       installLinks: this.installLinks,
       legacyPeerDeps: this.legacyPeerDeps,

package/lib/arborist/reify.js

@@ -642,7 +642,7 @@ module.exports = cls => class Reifier extends cls {
       .then(nodes => promiseAllRejectLate(nodes.map(node => new Arborist({
         ...this.options,
         path: node.path,
-      }).loadVirtual({ root: node }))))
+      }).loadVirtual({ root: node, subtreeOnly: true }))))
       // reload the diff and sparse tree because the ideal tree changed
       .then(() => this[_diffTrees]())
       .then(() => this[_createSparseTree]())
@@ -744,7 +744,8 @@ module.exports = cls => class Reifier extends cls {
         integrity: node.integrity,
         // A node counts as "root" for allow-* enforcement if it satisfies at least one valid dependency edge declared by the project root or a workspace.
         // node.parent is unsafe here: after hoisting, transitive packages can have the project root as their tree parent.
-        _isRoot: [...node.edgesIn].some(e =>
+        // In the linked strategy the store node has no edgesIn, so isolated-reifier precomputes isRootDependency from the source node's edges.
+        _isRoot: node.isRootDependency || [...node.edgesIn].some(e =>
           e.valid && (e.from?.isProjectRoot || e.from?.isWorkspace)
         ),
         // pacote's npa re-parses our `name@URL` spec as type=remote, so allowRemote would mis-fire on registry tarballs.
@@ -881,17 +882,18 @@ module.exports = cls => class Reifier extends cls {
 
   // When extracting a registry-resolved package, the spec we hand to pacote is name@URL.
   // pacote re-parses that with npa and gets spec.type === 'remote', so without an override the allow-remote gate would fire on every registry tarball (both =none and =root mis-fire).
-  // Returns true only when we are confident this is a registry-mediated install: the node's inbound edges must all be registry-typed (no exotic spec smuggled the URL in) AND the resolved URL's host must match the registry npm-registry-fetch selected for this spec, so a tampered lockfile pointing at an attacker host still hits the gate.
+  // Returns true only when we are confident this is a registry-mediated install.
   #isRegistryResolvedTarball (node) {
     if (!node.resolved || !node.isRegistryDependency) {
       return false
     }
     try {
-      // Hostnames are case-insensitive; lowercase both sides for safety even though WHATWG URL already normalizes.
-      const resolvedHost = new URL(node.resolved).hostname.toLowerCase()
+      const resolved = new URL(node.resolved)
       // pickRegistry only consults spec.scope, so a bare-name (tag) parse is sufficient and avoids a node.version dependency.
-      const registryHost = new URL(pickRegistry(npa(node.name), this.options)).hostname.toLowerCase()
-      return resolvedHost === registryHost
+      const registry = new URL(pickRegistry(npa(node.name), this.options))
+      const registryPath = registry.pathname.replace(/\/?$/, '/')
+      return resolved.origin === registry.origin &&
+        (registryPath === '/' || resolved.pathname.startsWith(registryPath))
     } catch {
       return false
     }
@@ -1362,9 +1364,27 @@ module.exports = cls => class Reifier extends cls {
     const nmDir = resolve(this.path, 'node_modules')
     const storeDir = resolve(nmDir, '.store')
 
+    // Enumerate on-disk store entries as full keys, descending one level into each @scope directory because scoped keys nest as .store/@scope/pkg@version-hash.
     let entries
     try {
-      entries = await readdir(storeDir)
+      const topLevel = await readdir(storeDir, { withFileTypes: true })
+      entries = []
+      for (const ent of topLevel) {
+        if (ent.name.startsWith('@')) {
+          let scoped
+          try {
+            scoped = await readdir(resolve(storeDir, ent.name))
+          } catch {
+            /* istanbul ignore next -- readdir of an entry we just listed should not fail */
+            continue
+          }
+          for (const name of scoped) {
+            entries.push(`${ent.name}/${name}`)
+          }
+        } else {
+          entries.push(ent.name)
+        }
+      }
     } catch {
       entries = null
     }
@@ -1380,7 +1400,10 @@ module.exports = cls => class Reifier extends cls {
     for (const child of this.idealTree.children.values()) {
       const loc = child.location.replace(/\\/g, '/')
       if (child.isInStore) {
-        const key = loc.split('/')[2]
+        // Store location is node_modules/.store/{key}/node_modules/{pkg}.
+        // For a scoped package the key is @scope/pkg@version-hash, which spans two path segments, so reconstruct both instead of taking only the scope.
+        const parts = loc.split('/')
+        const key = parts[2].startsWith('@') ? `${parts[2]}/${parts[3]}` : parts[2]
         validKeys.add(key)
         continue
       }
@@ -1462,6 +1485,23 @@ module.exports = cls => class Reifier extends cls {
                 er => log.warn('cleanup', `Failed to remove orphaned store entry ${e}`, er))
           )
         )
+        // Removing the last scoped orphan under a scope leaves an empty @scope directory behind, so prune any scope directory that is now empty.
+        const scopes = new Set(
+          orphaned.filter(e => e.startsWith('@')).map(e => e.split('/')[0])
+        )
+        await promiseAllRejectLate(
+          [...scopes].map(async scope => {
+            const scopeDir = resolve(storeDir, scope)
+            try {
+              const remaining = await readdir(scopeDir)
+              if (!remaining.length) {
+                await rm(scopeDir, { recursive: true, force: true })
+              }
+            } catch {
+              /* istanbul ignore next -- readdir of a scope dir we just listed should not fail */
+            }
+          })
+        )
       }
     }
 

package/lib/dep-valid.js

@@ -9,6 +9,27 @@ const npa = require('npm-package-arg')
 const { relative } = require('node:path')
 const fromPath = require('./from-path.js')
 
+// A named ref (tag or branch) resolves to a commit hash, so look up the
+// committish recorded for this edge in the lockfile to detect spec changes.
+const lockedGitCommittish = (child, requestor) => {
+  const lock = requestor.root?.meta?.data?.packages?.[requestor.location]
+  const spec = lock && (
+    lock.dependencies?.[child.name] ||
+    lock.optionalDependencies?.[child.name] ||
+    lock.devDependencies?.[child.name] ||
+    lock.peerDependencies?.[child.name]
+  )
+  if (!spec) {
+    return null
+  }
+  try {
+    const parsed = npa.resolve(child.name, spec, requestor.realpath)
+    return parsed.type === 'git' ? parsed.gitCommittish || '' : null
+  } catch {
+    return null
+  }
+}
+
 const depValid = (child, requested, requestor) => {
   // NB: we don't do much to verify 'tag' type requests.
   // Just verify that we got a remote resolution.  Presumably, it
@@ -94,6 +115,14 @@ const depValid = (child, requested, requestor) => {
         }
       }
       if (!requested.gitRange) {
+        // a named ref can't be verified against the resolved commit offline,
+        // so re-resolve if it differs from the committish in the lockfile
+        if (!reqCommit) {
+          const locked = lockedGitCommittish(child, requestor)
+          if (locked !== null && locked !== (requested.gitCommittish || '')) {
+            return false
+          }
+        }
         return true
       }
       return semver.satisfies(child.package.version, requested.gitRange, {

package/lib/install-scripts.js

@@ -1,4 +1,5 @@
 const { isNodeGypPackage } = require('@npmcli/node-gyp')
+const PackageJson = require('@npmcli/package-json')
 
 // Returns the install-relevant lifecycle scripts that would run for a
 // given arborist Node, or `{}` if there are none.
@@ -70,15 +71,40 @@ const getInstallScripts = async (node) => {
     collected.install = 'node-gyp rebuild'
   }
 
-  // Lockfile-only nodes (e.g. `npm ci` before reify) carry
-  // `hasInstallScript: true` but no enumerated scripts: the lockfile
-  // records the presence flag but never the script bodies. Without this
-  // fallback the strict-allow-scripts preflight would miss them entirely
-  // and let postinstall run. We can't recover the real script body
-  // without fetching the manifest, so emit a sentinel describing that
-  // install scripts are present.
+  // Lockfile-only nodes carry `hasInstallScript: true` but no enumerated
+  // scripts: the lockfile records the presence flag, not the script bodies,
+  // so `node.package.scripts` is empty on a lockfile-driven install (`npm ci`,
+  // a repeat `npm install`). Before giving up, read the installed
+  // package.json from disk to recover the real script bodies. Builder#addToBuildSet
+  // does the same disk read to decide what to run, but unlike that path this
+  // one is read-only: we never mutate `node.package`.
   if (Object.keys(collected).length === 0 && node.hasInstallScript === true) {
-    collected.install = '(install scripts present)'
+    const { content } = await PackageJson.normalize(node.path)
+      .catch(() => ({ content: {} }))
+    /* istanbul ignore next: normalize resolves to an object with a scripts
+       object, or our catch fallback returns {}; defensive guard only. */
+    const diskScripts = content?.scripts || {}
+
+    if (diskScripts.preinstall) {
+      collected.preinstall = diskScripts.preinstall
+    }
+    if (diskScripts.install) {
+      collected.install = diskScripts.install
+    }
+    if (diskScripts.postinstall) {
+      collected.postinstall = diskScripts.postinstall
+    }
+    if (diskScripts.prepare && hasNonRegistryShape(node)) {
+      collected.prepare = diskScripts.prepare
+    }
+
+    // Still nothing. The package isn't on disk yet (e.g. `npm ci` before
+    // reify) or its package.json is unreadable. Emit a sentinel so the
+    // advisory and the strict-allow-scripts preflight still surface that
+    // install scripts are present.
+    if (Object.keys(collected).length === 0) {
+      collected.install = '(install scripts present)'
+    }
   }
 
   return collected

package/lib/isolated-classes.js

@@ -20,6 +20,9 @@ class IsolatedNode {
   integrity = null
   inventory = new IsolatedInventory()
   isInStore = false
+  inBundle = false
+  isRegistryDependency = false
+  isRootDependency = false
   linksIn = new Set()
   meta = { loadedFromDisk: false }
   optional = false
@@ -47,6 +50,15 @@ class IsolatedNode {
     if (options.isInStore) {
       this.isInStore = true
     }
+    if (options.inBundle) {
+      this.inBundle = true
+    }
+    if (options.isRegistryDependency) {
+      this.isRegistryDependency = true
+    }
+    if (options.isRootDependency) {
+      this.isRootDependency = true
+    }
     if (options.optional) {
       this.optional = true
     }
@@ -104,6 +116,11 @@ class IsolatedNode {
     return !!(hasInstallScript || install || preinstall || postinstall)
   }
 
+  /* istanbul ignore next -- emulate lib/node.js */
+  get packageName () {
+    return this.package.name || null
+  }
+
   get version () {
     return this.package.version
   }

package/lib/query-selector-all.js

@@ -9,6 +9,7 @@ const npa = require('npm-package-arg')
 const pacote = require('pacote')
 const semver = require('semver')
 const npmFetch = require('npm-registry-fetch')
+const { isReleaseAgeExcluded } = require('./release-age-exclude.js')
 
 // handle results for parsed query asts, results are stored in a map that has a
 // key that points to each ast selector node and stores the resulting array of
@@ -889,8 +890,9 @@ const getPackageVersions = async (name, opts) => {
   let candidates = Object.keys(packument.versions).sort(semver.compare)
 
   // if the packument has a time property, and the user passed a before flag, then
-  // we filter this list down to only those versions that existed before the specified date
-  if (packument.time && opts.before) {
+  // we filter this list down to only those versions that existed before the specified date.
+  // packages matching `min-release-age-exclude` are exempt from this filter.
+  if (packument.time && opts.before && !isReleaseAgeExcluded(name, opts.minReleaseAgeExclude)) {
     candidates = candidates.filter((version) => {
       // this version isn't found in the times at all, drop it
       if (!packument.time[version]) {

package/lib/release-age-exclude.js

@@ -0,0 +1,45 @@
+// Determine whether a package name is exempt from the `min-release-age` /
+// `before` release-age filter, based on the `min-release-age-exclude` config.
+//
+// Patterns are exact package names or `minimatch` globs (e.g. `@myorg/*`), and
+// match against the package name only. This is a "named-only" exemption: a
+// matched package's own dependencies still follow the filter unless they match
+// a pattern too.
+//
+// Callers must match against the resolved registry identity of a package, not
+// the self-reported alias or dependency-edge name. For `npm:` aliases the
+// fetched package is the alias target, so run specs through `trustedSpecName`
+// first; otherwise an alias key could match an exclude pattern and turn the
+// filter off for the unrelated package it resolves to.
+const { minimatch } = require('minimatch')
+
+// This list only ever widens the exemption (turns the security filter off for a
+// package), so disable pattern features that could silently turn it into a
+// match-all: `nonegate` keeps a leading `!` literal (so a stray `!foo` exempts
+// nothing instead of everything-but-foo), `nocomment` keeps a leading `#`
+// literal, and `noext` disables extglobs.
+const minimatchOptions = { nonegate: true, nocomment: true, noext: true }
+
+const isReleaseAgeExcluded = (name, patterns) => {
+  if (!name || !Array.isArray(patterns) || patterns.length === 0) {
+    return false
+  }
+  return patterns.some(pattern =>
+    name === pattern || minimatch(name, pattern, minimatchOptions))
+}
+
+// Resolve the trusted registry name for an npa spec. For `npm:` aliases (e.g.
+// `"x": "npm:other@1"`) the installed/fetched package is the alias target
+// (`subSpec`), not the alias key, so the exemption must be keyed on the
+// underlying package name. Mirrors `nameFromEdges` in script-allowed.js.
+const trustedSpecName = (spec) => {
+  if (!spec) {
+    return undefined
+  }
+  if (spec.type === 'alias' && spec.subSpec && spec.subSpec.registry) {
+    return spec.subSpec.name
+  }
+  return spec.name
+}
+
+module.exports = { isReleaseAgeExcluded, trustedSpecName }

package/lib/script-allowed.js

@@ -24,13 +24,13 @@ const versionFromTgz = require('./version-from-tgz.js')
 //     resolved committish
 
 const isScriptAllowed = (node, policy) => {
-  // Bundled dependencies cannot be allowlisted in Phase 1. The RFC defers
-  // allowlisting them to a follow-up RFC because matching by name@version
-  // from the bundled tarball would reintroduce manifest confusion (a
-  // bundled tarball can claim any name and version). Returning null here
-  // marks bundled deps as unreviewed regardless of any policy entries, so
-  // their install scripts surface in the Phase 1 advisory warning and
-  // (eventually) get blocked at the install-time gate.
+  // Bundled dependencies never run their install scripts and cannot be
+  // allowlisted. Matching by name@version from the bundled tarball would
+  // reintroduce manifest confusion (a bundled tarball can claim any name
+  // and version). Returning null marks them as not-allowed regardless of
+  // any policy entry, so their install scripts are blocked by the
+  // install-time gate. A package that needs a bundled dep's script must
+  // forward it as one of its own lifecycle scripts.
   if (node.inBundle) {
     return null
   }
@@ -97,6 +97,41 @@ const matches = (node, key) => {
   }
 }
 
+const resolvedSourceSpecs = (node) => {
+  const specs = []
+  const seen = new Set()
+  const add = (spec) => {
+    if (typeof spec !== 'string' || spec === '' || seen.has(spec)) {
+      return
+    }
+    seen.add(spec)
+    specs.push(spec)
+  }
+
+  add(node?.resolved)
+
+  if (!node?.resolved && node?.linksIn && typeof node.linksIn[Symbol.iterator] === 'function') {
+    let hasIncomingLink = false
+    for (const link of node.linksIn) {
+      hasIncomingLink = true
+      add(link.resolved)
+    }
+
+    if (hasIncomingLink) {
+      // Link targets for local directory deps are separate inventory nodes
+      // whose own `resolved` is null. The incoming Link carries the saved spec
+      // (for example `file:../pkg`, relative to node_modules), while policy
+      // entries written by hand often use the dependency spec from package.json
+      // (for example `file:pkg`, resolved by npa to this target path). Include
+      // the real target paths so both forms can match the same local dep.
+      add(node.realpath)
+      add(node.path)
+    }
+  }
+
+  return specs
+}
+
 const matchRegistry = (node, parsed) => {
   // If this node is not a registry dep, refuse the match. A registry-style
   // key (`pkg`, `pkg@1`, `pkg@1 || 2`) must not match a tarball or git node
@@ -282,17 +317,13 @@ const matchGit = (node, parsed) => {
 }
 
 const matchFileOrDir = (node, parsed) => {
-  if (!node.resolved) {
-    return false
-  }
-  return node.resolved === parsed.saveSpec || node.resolved === parsed.fetchSpec
+  return resolvedSourceSpecs(node)
+    .some(resolved => resolved === parsed.saveSpec || resolved === parsed.fetchSpec)
 }
 
 const matchRemote = (node, parsed) => {
-  if (!node.resolved) {
-    return false
-  }
-  return node.resolved === parsed.fetchSpec || node.resolved === parsed.saveSpec
+  return resolvedSourceSpecs(node)
+    .some(resolved => resolved === parsed.fetchSpec || resolved === parsed.saveSpec)
 }
 
 const isRegistryNode = (node) => {
@@ -319,11 +350,11 @@ const isRegistryNode = (node) => {
   return /^https?:\/\/[^/]+\/.+\/-\/[^/]+-\d/.test(node.resolved)
 }
 
-// Trusted display identity for human-facing output (`npm install`
-// advisory, `npm approve-scripts --allow-scripts-pending`). Same idea as
-// getTrustedRegistryIdentity, but for DISPLAY only — version falls back
-// to node.version when the URL doesn't carry one. Must never be used
-// for policy matching.
+// Trusted display identity for human-facing output (the `npm install`
+// blocked-scripts summary and `npm approve-scripts --allow-scripts-pending`).
+// Same as getTrustedRegistryIdentity, but for display only: version
+// falls back to node.version when the URL doesn't carry one. Do not
+// use for policy matching.
 const trustedDisplay = (node) => {
   const trusted = getTrustedRegistryIdentity(node)
   /* istanbul ignore next: defensive fallbacks for nodes without name/version */
@@ -337,4 +368,5 @@ module.exports = isScriptAllowed
 module.exports.isScriptAllowed = isScriptAllowed
 module.exports.isExactVersionDisjunction = isExactVersionDisjunction
 module.exports.getTrustedRegistryIdentity = getTrustedRegistryIdentity
+module.exports.resolvedSourceSpecs = resolvedSourceSpecs
 module.exports.trustedDisplay = trustedDisplay

package/lib/shrinkwrap.js

@@ -929,8 +929,14 @@ class Shrinkwrap {
           continue
         }
         const loc = relpath(this.path, node.path)
-        // Drop lockfile entries for extraneous nodes outside node_modules. These are stale workspace entries: the workspace was removed from package.json or its directory was deleted, so it should not be tracked in package-lock.json.
-        if (node.extraneous && !/(^|\/)node_modules\//.test(loc) && loc !== 'node_modules') {
+        // Drop lockfile entries for extraneous nodes outside node_modules that
+        // are direct fsChildren of the root (or detached link targets). These
+        // are stale top-level entries: a workspace or file: dep removed from
+        // the root manifest, or whose directory was deleted. Extraneous
+        // fsChildren nested under another package (e.g. a file: dep of another
+        // file: dep) are kept so `npm ci` can resolve the parent's dependency.
+        if (node.extraneous && !/(^|\/)node_modules\//.test(loc) && loc !== 'node_modules' &&
+          (!node.fsParent || node.fsParent.isRoot)) {
           continue
         }
         const meta = Shrinkwrap.metaFromNode(

package/lib/unreviewed-scripts.js

@@ -0,0 +1,94 @@
+const isScriptAllowed = require('./script-allowed.js')
+const getInstallScripts = require('./install-scripts.js')
+
+// Shared allowScripts walk used by both the npm CLI
+// (lib/utils/check-allow-scripts.js, lib/utils/strict-allow-scripts-preflight.js)
+// and libnpmexec (npm exec / npx). It lives in arborist because that is the
+// only package both callers can import.
+//
+// Walks a tree's inventory and returns the dep nodes that have
+// install-relevant lifecycle scripts and are not yet covered (or explicitly
+// denied) by the allowScripts policy.
+//
+// Returns an array of `{ node, scripts }` entries. `scripts` is an object
+// describing the relevant lifecycle scripts that would run.
+const collectUnreviewedScripts = async ({
+  tree,
+  policy,
+  ignoreScripts = false,
+  dangerouslyAllowAllScripts = false,
+  includeWhenIgnored = false,
+} = {}) => {
+  // With ignore-scripts set, no scripts run, so execution callers bail out
+  // here. approve/deny pass includeWhenIgnored so they keep listing
+  // unreviewed packages, which is what you need to move from a blanket
+  // ignore-scripts to an allowlist. Listing never runs anything.
+  if ((ignoreScripts && !includeWhenIgnored) || dangerouslyAllowAllScripts) {
+    return []
+  }
+
+  if (!tree?.inventory) {
+    return []
+  }
+
+  const resolvedPolicy = policy || null
+
+  const unreviewed = []
+  for (const node of tree.inventory.values()) {
+    if (node.isProjectRoot || node.isWorkspace) {
+      continue
+    }
+    if (node.isLink) {
+      // Linked workspace dependencies are managed by the workspace owner.
+      continue
+    }
+    if (node.inBundle) {
+      // Bundled dependencies never run their install scripts and cannot be
+      // allowlisted, so they are never "pending". Skipping them keeps them
+      // out of the advisory warning and out of strict-allow-scripts. A
+      // package that needs a bundled dep's script must forward it as one of
+      // its own lifecycle scripts.
+      continue
+    }
+
+    const verdict = isScriptAllowed(node, resolvedPolicy)
+    if (verdict === true || verdict === false) {
+      continue
+    }
+
+    const scripts = await getInstallScripts(node)
+    if (Object.keys(scripts).length === 0) {
+      continue
+    }
+
+    unreviewed.push({ node, scripts })
+  }
+
+  return unreviewed
+}
+
+// Builds the `ESTRICTALLOWSCRIPTS` error thrown by the strict-mode preflight
+// from a list of `{ node, scripts }` entries. `remediation` is the
+// caller-specific guidance appended after the package list (npm install vs
+// npm exec have different remediation commands).
+const strictAllowScriptsError = (unreviewed, { remediation } = {}) => {
+  const lines = unreviewed.map(({ node, scripts }) => {
+    const events = Object.entries(scripts)
+      .map(([event, body]) => `${event}: ${body}`)
+      .join('; ')
+    const name = node.package?.name || node.name
+    const version = node.package?.version || ''
+    const label = version ? `${name}@${version}` : name
+    return `  ${label} (${events})`
+  }).join('\n')
+
+  return Object.assign(
+    new Error(
+      `--strict-allow-scripts: ${unreviewed.length} package(s) have install ` +
+      `scripts not covered by allowScripts:\n${lines}\n${remediation}`
+    ),
+    { code: 'ESTRICTALLOWSCRIPTS' }
+  )
+}
+
+module.exports = { collectUnreviewedScripts, strictAllowScriptsError }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@npmcli/arborist",
-  "version": "9.7.0",
+  "version": "9.8.0",
   "description": "Manage node_modules trees",
   "dependencies": {
     "@gar/promise-retry": "^1.0.0",