@pnpm/installing.deps-resolver 1100.2.5 → 1100.2.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -8,6 +8,7 @@ import { nameVerFromPkgSnapshot, pkgSnapshotToResolution, } from '@pnpm/lockfile
8
8
  import { logger } from '@pnpm/logger';
9
9
  import { getPatchInfo } from '@pnpm/patching.config';
10
10
  import { convertEnginesRuntimeToDependencies } from '@pnpm/pkg-manifest.utils';
11
+ import { parseBareSpecifier } from '@pnpm/resolving.npm-resolver';
11
12
  import { DIRECT_DEP_SELECTOR_WEIGHT, } from '@pnpm/resolving.resolver-base';
12
13
  import { lexCompare } from '@pnpm/util.lex-comparator';
13
14
  import normalizePath from 'normalize-path';
@@ -39,7 +40,8 @@ export async function resolveRootDependencies(ctx, importers) {
39
40
  ctx.allPreferredVersions = getPreferredVersionsFromLockfileAndManifests(ctx.wantedLockfile.packages, []);
40
41
  }
41
42
  else if (ctx.hoistPeers) {
42
- ctx.allPreferredVersions = {};
43
+ // Null-prototype: keyed by package names from resolved manifests.
44
+ ctx.allPreferredVersions = Object.create(null);
43
45
  }
44
46
  const { pkgAddressesByImportersWithoutPeers, publishedBy, time } = await resolveDependenciesOfImporters(ctx, importers);
45
47
  if (!ctx.hoistPeers) {
@@ -434,8 +436,14 @@ async function resolveDependenciesOfDependency(ctx, preferredVersions, options,
434
436
  const updateShouldContinue = options.currentDepth <= updateDepth;
435
437
  const updateRequested = updateShouldContinue &&
436
438
  ((options.updateMatching == null) ||
437
- (extendedWantedDep.infoFromLockfile?.name != null &&
438
- options.updateMatching(extendedWantedDep.infoFromLockfile.name, extendedWantedDep.infoFromLockfile.version)));
439
+ (extendedWantedDep.infoFromLockfile?.name != null
440
+ ? options.updateMatching(extendedWantedDep.infoFromLockfile.name, extendedWantedDep.infoFromLockfile.version)
441
+ // A changed specifier forgets the edge's lockfile reference before
442
+ // resolution (e.g. `pnpm audit --fix` widening a vulnerable pin), so
443
+ // the target would otherwise lose its updateRequested status — and
444
+ // keep its seeded lockfile pins — at the very moment it is being
445
+ // updated. Fall back to matching by the wanted dependency itself.
446
+ : wantedDependencyMatchesUpdateTarget(ctx, options.updateMatching, extendedWantedDep.wantedDependency)));
439
447
  const update = updateRequested ||
440
448
  ((extendedWantedDep.infoFromLockfile?.dependencyLockfile) == null) || Boolean((ctx.workspacePackages != null) &&
441
449
  ctx.linkWorkspacePackagesDepth !== -1 &&
@@ -557,6 +565,21 @@ async function resolveDependenciesOfDependency(ctx, preferredVersions, options,
557
565
  },
558
566
  };
559
567
  }
568
+ /**
569
+ * Whether a wanted dependency without a lockfile reference matches the
570
+ * update target by package name. The name is parsed from the bare
571
+ * specifier, so an `npm:` alias matches by the real package name it
572
+ * installs — `foo@npm:bar@^4` matches an update target of `bar`, not
573
+ * `foo`. Exotic specifiers the npm parser rejects fall back to the alias.
574
+ */
575
+ function wantedDependencyMatchesUpdateTarget(ctx, updateMatching, wantedDependency) {
576
+ const { alias, bareSpecifier } = wantedDependency;
577
+ const spec = alias && bareSpecifier
578
+ ? parseBareSpecifier(bareSpecifier, alias, ctx.defaultTag ?? 'latest', ctx.registries.default)
579
+ : null;
580
+ const name = spec?.name ?? alias;
581
+ return name != null && updateMatching(name, undefined);
582
+ }
560
583
  export function createNodeIdForLinkedLocalPkg(lockfileDir, pkgDir) {
561
584
  return `link:${normalizePath(path.relative(lockfileDir, pkgDir))}`;
562
585
  }
@@ -1102,6 +1125,7 @@ async function resolveDependency(wantedDependency, ctx, options) {
1102
1125
  trustPolicyExclude: ctx.trustPolicyExclude,
1103
1126
  trustPolicyIgnoreAfter: ctx.trustPolicyIgnoreAfter,
1104
1127
  update: options.update,
1128
+ updateRequested: options.updateRequested,
1105
1129
  updateChecksums: options.updateChecksums,
1106
1130
  workspacePackages: ctx.workspacePackages,
1107
1131
  supportedArchitectures: options.supportedArchitectures,
@@ -1163,7 +1187,8 @@ async function resolveDependency(wantedDependency, ctx, options) {
1163
1187
  }
1164
1188
  if (ctx.allPreferredVersions && pkgResponse.body.manifest?.version) {
1165
1189
  if (!ctx.allPreferredVersions[pkgResponse.body.manifest.name]) {
1166
- ctx.allPreferredVersions[pkgResponse.body.manifest.name] = {};
1190
+ // Null-prototype: keyed by versions from the resolved manifest.
1191
+ ctx.allPreferredVersions[pkgResponse.body.manifest.name] = Object.create(null);
1167
1192
  }
1168
1193
  ctx.allPreferredVersions[pkgResponse.body.manifest.name][pkgResponse.body.manifest.version] = 'version';
1169
1194
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pnpm/installing.deps-resolver",
3
- "version": "1100.2.5",
3
+ "version": "1100.2.6",
4
4
  "description": "Resolves dependency graph of a package",
5
5
  "keywords": [
6
6
  "pnpm",
@@ -44,28 +44,28 @@
44
44
  "validate-npm-package-name": "7.0.2",
45
45
  "version-selector-type": "^3.0.0",
46
46
  "@pnpm/catalogs.resolver": "1100.0.0",
47
- "@pnpm/catalogs.types": "1100.0.0",
48
47
  "@pnpm/config.version-policy": "1100.1.6",
48
+ "@pnpm/catalogs.types": "1100.0.0",
49
49
  "@pnpm/constants": "1100.0.0",
50
50
  "@pnpm/core-loggers": "1100.2.1",
51
- "@pnpm/deps.path": "1100.0.8",
52
- "@pnpm/deps.graph-hasher": "1100.2.6",
51
+ "@pnpm/deps.graph-hasher": "1100.2.7",
53
52
  "@pnpm/deps.peer-range": "1100.0.2",
53
+ "@pnpm/deps.path": "1100.0.8",
54
54
  "@pnpm/error": "1100.0.1",
55
- "@pnpm/fetching.pick-fetcher": "1100.0.13",
56
- "@pnpm/hooks.types": "1100.1.0",
57
- "@pnpm/lockfile.preferred-versions": "1100.0.17",
58
- "@pnpm/lockfile.pruner": "1100.0.12",
59
- "@pnpm/lockfile.types": "1100.0.12",
60
- "@pnpm/lockfile.utils": "1100.1.0",
55
+ "@pnpm/hooks.types": "1100.1.1",
56
+ "@pnpm/fetching.pick-fetcher": "1100.0.14",
57
+ "@pnpm/lockfile.preferred-versions": "1100.0.18",
58
+ "@pnpm/lockfile.pruner": "1100.0.13",
59
+ "@pnpm/lockfile.types": "1100.0.13",
60
+ "@pnpm/lockfile.utils": "1100.1.1",
61
61
  "@pnpm/patching.config": "1100.0.9",
62
62
  "@pnpm/patching.types": "1100.0.0",
63
+ "@pnpm/resolving.npm-resolver": "1102.1.1",
63
64
  "@pnpm/pkg-manifest.reader": "1100.0.9",
65
+ "@pnpm/resolving.resolver-base": "1100.5.1",
64
66
  "@pnpm/pkg-manifest.utils": "1100.2.6",
65
- "@pnpm/resolving.resolver-base": "1100.5.0",
66
- "@pnpm/store.controller-types": "1100.1.6",
67
- "@pnpm/resolving.npm-resolver": "1102.1.0",
68
67
  "@pnpm/types": "1101.3.2",
68
+ "@pnpm/store.controller-types": "1100.1.7",
69
69
  "@pnpm/workspace.spec-parser": "1100.0.0"
70
70
  },
71
71
  "peerDependencies": {
@@ -77,8 +77,8 @@
77
77
  "@types/ramda": "0.31.1",
78
78
  "@types/semver": "7.7.1",
79
79
  "@types/validate-npm-package-name": "^4.0.2",
80
- "@pnpm/installing.deps-resolver": "1100.2.5",
81
- "@pnpm/logger": "1100.0.0"
80
+ "@pnpm/logger": "1100.0.0",
81
+ "@pnpm/installing.deps-resolver": "1100.2.6"
82
82
  },
83
83
  "engines": {
84
84
  "node": ">=22.13"