isolate-package 1.30.0 → 1.32.0

package/dist/{isolate-CJy3YyKG.mjs → isolate-BRD2AgVJ.mjs}

@@ -4,6 +4,7 @@ import assert from "node:assert";
 import path, { join } from "node:path";
 import { isEmpty, omit, pick, unique } from "remeda";
 import { exec, execFileSync, execSync } from "node:child_process";
+import { detectMonorepo } from "detect-monorepo";
 import { pathToFileURL } from "node:url";
 import { createConsola } from "consola";
 import { fileURLToPath } from "url";
@@ -74,10 +75,12 @@ function getPackageName(packageSpec) {
 //#endregion
 //#region src/lib/utils/filter-patched-dependencies.ts
 /**
-* Filters patched dependencies to only include patches for packages that are
-* present in the target package's dependencies based on dependency type.
+* Filters patched dependencies to only include patches for packages that will
+* be present in the isolated output, either as a direct dependency of the
+* target or as a transitive dependency reachable through internal workspace
+* packages.
 */
-function filterPatchedDependencies({ patchedDependencies, targetPackageManifest, includeDevDependencies }) {
+function filterPatchedDependencies({ patchedDependencies, targetPackageManifest, includeDevDependencies, reachableDependencyNames }) {
 	const log = useLogger();
 	if (!patchedDependencies || typeof patchedDependencies !== "object") return;
 	const filteredPatches = {};
@@ -85,27 +88,35 @@ function filterPatchedDependencies({ patchedDependencies, targetPackageManifest,
 	let excludedCount = 0;
 	for (const [packageSpec, patchInfo] of Object.entries(patchedDependencies)) {
 		const packageName = getPackageName(packageSpec);
-		/** Check if it's a production dependency */
+		/** Direct production dependency */
 		if (targetPackageManifest.dependencies?.[packageName]) {
 			filteredPatches[packageSpec] = patchInfo;
 			includedCount++;
 			log.debug(`Including production dependency patch: ${packageSpec}`);
 			continue;
 		}
-		/** Check if it's a dev dependency and we should include dev dependencies */
-		if (targetPackageManifest.devDependencies?.[packageName]) {
-			if (includeDevDependencies) {
-				filteredPatches[packageSpec] = patchInfo;
-				includedCount++;
-				log.debug(`Including dev dependency patch: ${packageSpec}`);
-			} else {
-				excludedCount++;
-				log.debug(`Excluding dev dependency patch: ${packageSpec}`);
-			}
+		/** Direct dev dependency (respects the dev-deps flag) */
+		if (includeDevDependencies && targetPackageManifest.devDependencies?.[packageName]) {
+			filteredPatches[packageSpec] = patchInfo;
+			includedCount++;
+			log.debug(`Including dev dependency patch: ${packageSpec}`);
+			continue;
+		}
+		/**
+		* Reachable via an internal workspace package. This fires even when the
+		* package is also listed in the target's devDependencies with
+		* `includeDevDependencies=false`, because the package is still installed
+		* in the isolate as a prod transitive.
+		*/
+		if (reachableDependencyNames?.has(packageName)) {
+			filteredPatches[packageSpec] = patchInfo;
+			includedCount++;
+			log.debug(`Including transitive dependency patch: ${packageSpec}`);
 			continue;
 		}
-		/** Package not found in dependencies or devDependencies */
-		log.debug(`Excluding patch: ${packageSpec} (package "${packageName}" not in target dependencies)`);
+		/** Package won't be installed in the isolate */
+		if (targetPackageManifest.devDependencies?.[packageName]) log.debug(`Excluding dev dependency patch: ${packageSpec}`);
+		else log.debug(`Excluding patch: ${packageSpec} (package "${packageName}" not reachable from target)`);
 		excludedCount++;
 	}
 	log.debug(`Filtered patches: ${includedCount} included, ${excludedCount} excluded`);
@@ -150,6 +161,12 @@ function inspectValue(value) {
 /**
 * Detect if this is a Rush monorepo. They use a very different structure so
 * there are multiple places where we need to make exceptions based on this.
+*
+* This intentionally only checks the passed-in directory. Using the upward
+* walk of `detectMonorepo` here would break callers that pass a subdirectory
+* of the actual Rush root, because downstream code builds paths (like
+* `common/config/rush`) and lockfile importer ids relative to the same
+* directory it gets.
 */
 function isRushWorkspace(workspaceRootDir) {
 	return fs$1.existsSync(path.join(workspaceRootDir, "rush.json"));
@@ -350,7 +367,7 @@ const configDefaults = {
 	targetPackagePath: void 0,
 	tsconfigPath: "./tsconfig.json",
 	workspacePackages: void 0,
-	workspaceRoot: "../..",
+	workspaceRoot: void 0,
 	forceNpm: false,
 	pickFromScripts: void 0,
 	omitFromScripts: void 0,
@@ -432,12 +449,25 @@ function validateConfig(config) {
 * Resolve the target package directory and workspace root directory from the
 * configuration. When targetPackagePath is set, the config is assumed to live
 * at the workspace root. Otherwise it lives in the target package directory.
+*
+* When `workspaceRoot` is not explicitly set, auto-detect the monorepo root by
+* walking upward from the target package directory.
 */
 function resolveWorkspacePaths(config) {
 	const targetPackageDir = config.targetPackagePath ? path.join(process.cwd(), config.targetPackagePath) : process.cwd();
+	if (config.targetPackagePath) return {
+		targetPackageDir,
+		workspaceRootDir: process.cwd()
+	};
+	if (config.workspaceRoot !== void 0) return {
+		targetPackageDir,
+		workspaceRootDir: path.join(targetPackageDir, config.workspaceRoot)
+	};
+	const detected = detectMonorepo(targetPackageDir);
+	if (!detected) throw new Error(`Failed to auto-detect monorepo workspace root from ${targetPackageDir}. Set the 'workspaceRoot' config option explicitly.`);
 	return {
 		targetPackageDir,
-		workspaceRootDir: config.targetPackagePath ? process.cwd() : path.join(targetPackageDir, config.workspaceRoot)
+		workspaceRootDir: detected.rootDir
 	};
 }
 function resolveConfig(initialConfig) {
@@ -650,29 +680,227 @@ async function loadNpmConfig({ npmPath }) {
 //#endregion
 //#region src/lib/lockfile/helpers/generate-npm-lockfile.ts
 /**
-* Generate an isolated / pruned lockfile, based on the contents of installed
-* node_modules from the monorepo root plus the adapted package manifest in the
-* isolate directory.
+* Generate an isolated NPM lockfile for the target package.
+*
+* When a root `package-lock.json` exists we preserve original resolved
+* versions and integrity by copying entries verbatim from the source
+* lockfile. When it doesn't (forceNpm from pnpm/bun/yarn or modern-Yarn
+* fallback), we fall back to Arborist's `buildIdealTree` against the
+* isolate directory, which matches the prior behaviour.
 */
-async function generateNpmLockfile({ workspaceRootDir, isolateDir }) {
+async function generateNpmLockfile({ workspaceRootDir, isolateDir, targetPackageName, targetPackageManifest, packagesRegistry, internalDepPackageNames }) {
 	const log = useLogger();
-	log.debug("Generating NPM lockfile...");
-	const nodeModulesPath = path.join(workspaceRootDir, "node_modules");
 	try {
-		if (!fs.existsSync(nodeModulesPath)) throw new Error(`Failed to find node_modules at ${nodeModulesPath}`);
-		const { meta } = await new Arborist({
-			path: isolateDir,
-			...(await loadNpmConfig({ npmPath: workspaceRootDir })).flat
-		}).buildIdealTree();
-		meta?.commit();
-		const lockfilePath = path.join(isolateDir, "package-lock.json");
-		await fs.writeFile(lockfilePath, String(meta));
-		log.debug("Created lockfile at", lockfilePath);
+		const rootLockfilePath = path.join(workspaceRootDir, "package-lock.json");
+		if (fs.existsSync(rootLockfilePath)) {
+			log.debug("Generating NPM lockfile from root package-lock.json...");
+			await generateFromRootLockfile({
+				workspaceRootDir,
+				isolateDir,
+				targetPackageName,
+				targetPackageManifest,
+				packagesRegistry,
+				internalDepPackageNames
+			});
+		} else {
+			log.debug("No root package-lock.json found; falling back to buildIdealTree generation");
+			await generateViaBuildIdealTree({
+				workspaceRootDir,
+				isolateDir
+			});
+		}
+		log.debug("Created lockfile at", path.join(isolateDir, "package-lock.json"));
 	} catch (err) {
 		log.error(`Failed to generate lockfile: ${getErrorMessage(err)}`);
 		throw err;
 	}
 }
+async function generateFromRootLockfile({ workspaceRootDir, isolateDir, targetPackageName, targetPackageManifest, packagesRegistry, internalDepPackageNames }) {
+	const log = useLogger();
+	const arborist = new Arborist({
+		path: workspaceRootDir,
+		...(await loadNpmConfig({ npmPath: workspaceRootDir })).flat
+	});
+	/**
+	* `loadVirtual` hydrates every Node with `resolved` and `integrity` taken
+	* directly from the lockfile entries. It performs no registry calls.
+	*/
+	const rootTree = await arborist.loadVirtual();
+	const targetImporterNode = arborist.workspaceNodes(rootTree, [targetPackageName])[0];
+	if (!targetImporterNode) throw new Error(`Target workspace "${targetPackageName}" not found in root package-lock.json`);
+	if (typeof targetImporterNode.location !== "string") throw new Error(`Target workspace "${targetPackageName}" resolved to a node without a location`);
+	/**
+	* `workspaceDependencySet` walks `edgesOut` from each seed node. It does
+	* not add the seed node itself to the result, so ensure the target
+	* importer is included.
+	*/
+	const reachableNodes = arborist.workspaceDependencySet(rootTree, [targetPackageName], false);
+	reachableNodes.add(targetImporterNode);
+	const srcData = rootTree.meta?.data;
+	if (!srcData || !srcData.packages || Object.keys(srcData.packages).length === 0) {
+		/**
+		* Arborist normalises v1 lockfiles to v3 in `loadVirtual`, but fall
+		* back defensively if the virtual tree still has no `packages` map
+		* (e.g. an unusual lockfile shape). The fallback generator reads
+		* node_modules and won't preserve original versions, but it will
+		* produce a valid lockfile rather than failing.
+		*/
+		useLogger().debug("Source lockfile has no `packages` map; falling back to buildIdealTree");
+		await generateViaBuildIdealTree({
+			workspaceRootDir,
+			isolateDir
+		});
+		return;
+	}
+	const reachable = [...reachableNodes].map((node) => ({
+		location: node.location,
+		isLink: node.isLink,
+		target: node.target ? { location: node.target.location } : void 0
+	}));
+	const internalDepLocs = /* @__PURE__ */ new Map();
+	for (const depName of internalDepPackageNames) {
+		const pkg = packagesRegistry[depName];
+		if (!pkg) throw new Error(`Package ${depName} not found in packages registry`);
+		internalDepLocs.set(depName, toPosix(pkg.rootRelativeDir));
+	}
+	const out = buildIsolatedLockfileJson({
+		srcData,
+		reachable,
+		targetImporterLoc: targetImporterNode.location,
+		targetLinkLoc: `node_modules/${targetPackageName}`,
+		targetPackageManifest
+	});
+	/**
+	* Overlay each internal dep's adapted manifest onto its lockfile entry
+	* so cross-internal-dep references use `file:` instead of `workspace:*`.
+	*/
+	for (const [, depLoc] of internalDepLocs) {
+		if (!out.packages[depLoc]) continue;
+		const adaptedManifestPath = path.join(isolateDir, depLoc, "package.json");
+		if (!fs.existsSync(adaptedManifestPath)) {
+			log.debug(`Adapted internal dep manifest missing at ${adaptedManifestPath}; leaving lockfile entry unchanged`);
+			continue;
+		}
+		const adapted = await fs.readJson(adaptedManifestPath);
+		overlayManifestDeps(out.packages[depLoc], adapted);
+	}
+	const outPath = path.join(isolateDir, "package-lock.json");
+	await fs.writeFile(outPath, JSON.stringify(out, null, 2) + "\n");
+}
+/**
+* Pure JSON rewrite of the source lockfile into an isolated lockfile.
+* Extracted so it can be unit tested without mocking Arborist.
+*/
+function buildIsolatedLockfileJson({ srcData, reachable, targetImporterLoc, targetLinkLoc, targetPackageManifest }) {
+	const outPackages = {};
+	const srcPackages = srcData.packages;
+	if (!srcPackages[targetImporterLoc]) throw new Error(`Source lockfile has no entry for target importer "${targetImporterLoc}"`);
+	const targetNestedNodeModulesPrefix = `${targetImporterLoc}/node_modules/`;
+	/** Track the source location each output entry came from, so we can
+	* produce a clear error if two source paths remap to the same target.
+	*/
+	const origLocByNewLoc = /* @__PURE__ */ new Map();
+	for (const node of reachable) {
+		const origLoc = node.location;
+		/** The target's self-link has no place in the isolate (root IS the target). */
+		if (origLoc === targetLinkLoc) continue;
+		/**
+		* The target workspace becomes the isolate root, so:
+		*   "packages/app"                         -> ""
+		*   "packages/app/node_modules/<name>"     -> "node_modules/<name>"
+		*   "packages/app/node_modules/a/node_modules/b" -> "node_modules/a/node_modules/b"
+		*
+		* Only `node_modules` subpaths under the target are remapped — other
+		* paths (e.g. a nested workspace importer like
+		* `packages/app/lib/core`) are preserved verbatim because their disk
+		* location in the isolate is unchanged.
+		*/
+		let newLoc;
+		if (origLoc === targetImporterLoc) newLoc = "";
+		else if (origLoc.startsWith(targetNestedNodeModulesPrefix)) newLoc = origLoc.slice(targetImporterLoc.length + 1);
+		else newLoc = origLoc;
+		const srcEntry = srcPackages[origLoc];
+		if (!srcEntry) throw new Error(`Reachable node "${origLoc}" has no entry in source lockfile packages`);
+		const existing = outPackages[newLoc];
+		if (existing && !entriesAreEquivalent(existing, srcEntry)) {
+			const previousOrigLoc = origLocByNewLoc.get(newLoc) ?? "<unknown>";
+			throw new Error(`Path collision at "${newLoc}": source locations "${previousOrigLoc}" and "${origLoc}" both map there with conflicting entries. This happens when the target pins a nested version override that collides with a hoisted version still needed by another reachable dependency. Please report a reproduction at https://github.com/0x80/isolate-package/issues.`);
+		}
+		outPackages[newLoc] = { ...srcEntry };
+		origLocByNewLoc.set(newLoc, origLoc);
+	}
+	/**
+	* If the target importer didn't make it into the reachable set for any
+	* reason (upstream Arborist bug, programmer error), bail loudly rather
+	* than emit a synthesised root entry with no source metadata.
+	*/
+	if (!outPackages[""]) throw new Error(`Target importer "${targetImporterLoc}" was not present in the reachable node set; cannot construct isolate root entry`);
+	/** Overlay the isolate root with the adapted target manifest. */
+	const rootEntry = { ...outPackages[""] };
+	rootEntry.name = targetPackageManifest.name;
+	if (targetPackageManifest.version) rootEntry.version = targetPackageManifest.version;
+	overlayManifestDeps(rootEntry, targetPackageManifest);
+	/** The isolate is no longer a workspace root. */
+	delete rootEntry.workspaces;
+	outPackages[""] = rootEntry;
+	/**
+	* Spread unknown top-level fields from the source lockfile so future
+	* npm-introduced metadata survives isolation. Then override identity
+	* fields and the recomputed `packages`, and drop the legacy
+	* `dependencies` tree which would be stale now that `packages` has
+	* been subsetted.
+	*/
+	const out = {
+		...srcData,
+		name: targetPackageManifest.name,
+		version: targetPackageManifest.version,
+		lockfileVersion: srcData.lockfileVersion ?? 3,
+		packages: outPackages
+	};
+	/**
+	* `requires` is propagated via the `...srcData` spread when the source
+	* has it. Don't invent one when the source omitted it — that would be
+	* an unnecessary diff from the original lockfile shape.
+	*/
+	if (srcData.requires === void 0) delete out.requires;
+	delete out.dependencies;
+	return out;
+}
+/**
+* Two source entries that map to the same output location are only
+* "equivalent" if they install identical content. We compare the fields
+* that actually determine what npm fetches and stores — version, resolved
+* URL, integrity, and the link flag for workspace links.
+*/
+function entriesAreEquivalent(a, b) {
+	return a.version === b.version && a.resolved === b.resolved && a.integrity === b.integrity && !!a.link === !!b.link;
+}
+function overlayManifestDeps(entry, manifest) {
+	for (const field of [
+		"dependencies",
+		"devDependencies",
+		"optionalDependencies",
+		"peerDependencies"
+	]) {
+		const value = manifest[field];
+		if (value) entry[field] = value;
+		else delete entry[field];
+	}
+}
+function toPosix(p) {
+	return p.split(path.sep).join(path.posix.sep);
+}
+async function generateViaBuildIdealTree({ workspaceRootDir, isolateDir }) {
+	const nodeModulesPath = path.join(workspaceRootDir, "node_modules");
+	if (!fs.existsSync(nodeModulesPath)) throw new Error(`Failed to find node_modules at ${nodeModulesPath}`);
+	const { meta } = await new Arborist({
+		path: isolateDir,
+		...(await loadNpmConfig({ npmPath: workspaceRootDir })).flat
+	}).buildIdealTree();
+	meta?.commit();
+	const lockfilePath = path.join(isolateDir, "package-lock.json");
+	await fs.writeFile(lockfilePath, String(meta));
+}
 //#endregion
 //#region src/lib/lockfile/helpers/pnpm-map-importer.ts
 /** Convert dependency links */
@@ -810,24 +1038,26 @@ async function generateYarnLockfile({ workspaceRootDir, isolateDir }) {
 * be done is to remove the root dependencies and devDependencies, and rename
 * the path to the target package to act as the new root.
 */
-async function processLockfile({ workspaceRootDir, packagesRegistry, isolateDir, internalDepPackageNames, targetPackageDir, targetPackageManifest, patchedDependencies, config }) {
+async function processLockfile({ workspaceRootDir, packagesRegistry, isolateDir, internalDepPackageNames, targetPackageDir, targetPackageName, targetPackageManifest, patchedDependencies, config }) {
 	const log = useLogger();
+	const npmGeneratorParams = {
+		workspaceRootDir,
+		isolateDir,
+		targetPackageName,
+		targetPackageManifest,
+		packagesRegistry,
+		internalDepPackageNames
+	};
 	if (config.forceNpm) {
 		log.debug("Forcing to use NPM for isolate output");
-		await generateNpmLockfile({
-			workspaceRootDir,
-			isolateDir
-		});
+		await generateNpmLockfile(npmGeneratorParams);
 		return true;
 	}
 	const { name, majorVersion } = usePackageManager();
 	let usedFallbackToNpm = false;
 	switch (name) {
 		case "npm":
-			await generateNpmLockfile({
-				workspaceRootDir,
-				isolateDir
-			});
+			await generateNpmLockfile(npmGeneratorParams);
 			break;
 		case "yarn":
 			if (majorVersion === 1) await generateYarnLockfile({
@@ -836,10 +1066,7 @@ async function processLockfile({ workspaceRootDir, packagesRegistry, isolateDir,
 			});
 			else {
 				log.warn("Detected modern version of Yarn. Using NPM lockfile fallback.");
-				await generateNpmLockfile({
-					workspaceRootDir,
-					isolateDir
-				});
+				await generateNpmLockfile(npmGeneratorParams);
 				usedFallbackToNpm = true;
 			}
 			break;
@@ -868,10 +1095,7 @@ async function processLockfile({ workspaceRootDir, packagesRegistry, isolateDir,
 			break;
 		default:
 			log.warn(`Unexpected package manager ${name}. Using NPM for output`);
-			await generateNpmLockfile({
-				workspaceRootDir,
-				isolateDir
-			});
+			await generateNpmLockfile(npmGeneratorParams);
 			usedFallbackToNpm = true;
 	}
 	return usedFallbackToNpm;
@@ -1168,82 +1392,48 @@ async function unpackDependencies(packedFilesByName, packagesRegistry, tmpDir, i
 	}));
 }
 //#endregion
-//#region src/lib/patches/copy-patches.ts
-async function copyPatches({ workspaceRootDir, targetPackageManifest, isolateDir, includeDevDependencies }) {
-	const log = useLogger();
-	const { name: packageManagerName } = usePackageManager();
-	let patchedDependencies;
-	/**
-	* Only try reading pnpm-workspace.yaml for pnpm workspaces. Bun workspaces
-	* don't have this file and the warning would be noisy.
-	*/
-	if (packageManagerName === "pnpm") try {
-		patchedDependencies = readTypedYamlSync(path.join(workspaceRootDir, "pnpm-workspace.yaml"))?.patchedDependencies;
-	} catch (error) {
-		log.warn(`Could not read pnpm-workspace.yaml: ${error instanceof Error ? error.message : String(error)}`);
-	}
-	if (!patchedDependencies || Object.keys(patchedDependencies).length === 0) {
-		if (packageManagerName === "pnpm") log.debug("No patched dependencies found in pnpm-workspace.yaml; Falling back to workspace root package.json");
-		else log.debug("Reading patched dependencies from workspace root package.json");
-		try {
-			const workspaceRootManifest = await readTypedJson(path.join(workspaceRootDir, "package.json"));
-			/** PNPM stores patches under pnpm.patchedDependencies, Bun at the top level */
-			patchedDependencies = workspaceRootManifest?.pnpm?.patchedDependencies ?? workspaceRootManifest?.patchedDependencies;
-		} catch (error) {
-			log.warn(`Could not read workspace root package.json: ${error instanceof Error ? error.message : String(error)}`);
-		}
-	}
-	if (!patchedDependencies || Object.keys(patchedDependencies).length === 0) {
-		log.debug("No patched dependencies found in workspace root package.json");
-		return {};
-	}
-	log.debug(`Found ${Object.keys(patchedDependencies).length} patched dependencies in workspace`);
-	const filteredPatches = filterPatchedDependencies({
-		patchedDependencies,
-		targetPackageManifest,
-		includeDevDependencies
-	});
-	if (!filteredPatches) return {};
-	/**
-	* Read the pnpm lockfile to get patch hashes. Bun doesn't store hashes in
-	* its lockfile so we skip this for Bun.
-	*/
-	const lockfilePatchedDependencies = packageManagerName === "pnpm" ? await readLockfilePatchedDependencies(workspaceRootDir) : void 0;
-	const copiedPatches = {};
-	for (const [packageSpec, patchPath] of Object.entries(filteredPatches)) {
-		const sourcePatchPath = path.resolve(workspaceRootDir, patchPath);
-		if (!fs.existsSync(sourcePatchPath)) {
-			log.warn(`Patch file not found: ${getRootRelativeLogPath(sourcePatchPath, workspaceRootDir)}`);
-			continue;
-		}
-		/** Preserve original folder structure */
-		const targetPatchPath = path.join(isolateDir, patchPath);
-		await fs.ensureDir(path.dirname(targetPatchPath));
-		await fs.copy(sourcePatchPath, targetPatchPath);
-		log.debug(`Copied patch for ${packageSpec}: ${patchPath}`);
-		const hash = (lockfilePatchedDependencies?.[packageSpec])?.hash ?? "";
-		if (packageManagerName === "pnpm" && !hash) log.warn(`No hash found for patch ${packageSpec} in lockfile`);
-		copiedPatches[packageSpec] = {
-			path: patchPath,
-			hash
-		};
-	}
-	if (Object.keys(copiedPatches).length > 0) log.debug(`Copied ${Object.keys(copiedPatches).length} patch files`);
-	return copiedPatches;
-}
+//#region src/lib/registry/collect-reachable-package-names.ts
 /**
-* Read the patchedDependencies from the original lockfile to get the hashes.
-* Since the file content is the same after copying, the hash remains valid.
+* Walk the target manifest and the manifests of any internal (workspace)
+* packages reachable from it, collecting every dependency name encountered
+* (both internal and external).
+*
+* The resulting set is a superset of the target's direct dependencies: it also
+* includes dependencies of internal workspace packages that will end up in the
+* isolated output. This is used to filter workspace-level
+* `patchedDependencies` so that patches for deps introduced via internal
+* packages aren't dropped.
+*
+* `dependencies`, `optionalDependencies`, and `peerDependencies` are all
+* walked — any of them can lead to a package being installed in the isolate
+* (pnpm installs peers by default via `autoInstallPeers`). devDependencies of
+* internal packages are never followed, and devDependencies of the *target*
+* are followed only when `includeDevDependencies` is true.
+*
+* Note: only recurses through internal packages — manifests of external deps
+* aren't available here. Deep external→external transitives therefore won't
+* appear in the set.
 */
-async function readLockfilePatchedDependencies(workspaceRootDir) {
-	try {
-		const { majorVersion } = usePackageManager();
-		const useVersion9 = majorVersion >= 9;
-		const lockfileDir = isRushWorkspace(workspaceRootDir) ? path.join(workspaceRootDir, "common/config/rush") : workspaceRootDir;
-		return (useVersion9 ? await readWantedLockfile$1(lockfileDir, { ignoreIncompatible: false }) : await readWantedLockfile(lockfileDir, { ignoreIncompatible: false }))?.patchedDependencies;
-	} catch {
-		/** Package manager not detected or lockfile not readable */
-		return;
+function collectReachablePackageNames({ targetPackageManifest, packagesRegistry, includeDevDependencies }) {
+	const names = /* @__PURE__ */ new Set();
+	const visitedInternal = /* @__PURE__ */ new Set();
+	walk(targetPackageManifest, true);
+	return names;
+	function walk(manifest, isTarget) {
+		const depNames = [
+			...Object.keys(manifest.dependencies ?? {}),
+			...Object.keys(manifest.optionalDependencies ?? {}),
+			...Object.keys(manifest.peerDependencies ?? {}),
+			...isTarget && includeDevDependencies ? Object.keys(manifest.devDependencies ?? {}) : []
+		];
+		for (const name of depNames) {
+			names.add(name);
+			const internalPkg = packagesRegistry[name];
+			if (internalPkg && !visitedInternal.has(name)) {
+				visitedInternal.add(name);
+				walk(internalPkg.manifest, false);
+			}
+		}
 	}
 }
 //#endregion
@@ -1363,6 +1553,97 @@ function listInternalPackages(manifest, packagesRegistry, { includeDevDependenci
 	return [...new Set(result)];
 }
 //#endregion
+//#region src/lib/patches/copy-patches.ts
+async function copyPatches({ workspaceRootDir, targetPackageManifest, packagesRegistry, isolateDir, includeDevDependencies }) {
+	const log = useLogger();
+	const { name: packageManagerName } = usePackageManager();
+	let patchedDependencies;
+	/**
+	* Only try reading pnpm-workspace.yaml for pnpm workspaces. Bun workspaces
+	* don't have this file and the warning would be noisy.
+	*/
+	if (packageManagerName === "pnpm") try {
+		patchedDependencies = readTypedYamlSync(path.join(workspaceRootDir, "pnpm-workspace.yaml"))?.patchedDependencies;
+	} catch (error) {
+		log.warn(`Could not read pnpm-workspace.yaml: ${error instanceof Error ? error.message : String(error)}`);
+	}
+	if (!patchedDependencies || Object.keys(patchedDependencies).length === 0) {
+		if (packageManagerName === "pnpm") log.debug("No patched dependencies found in pnpm-workspace.yaml; Falling back to workspace root package.json");
+		else log.debug("Reading patched dependencies from workspace root package.json");
+		try {
+			const workspaceRootManifest = await readTypedJson(path.join(workspaceRootDir, "package.json"));
+			/** PNPM stores patches under pnpm.patchedDependencies, Bun at the top level */
+			patchedDependencies = workspaceRootManifest?.pnpm?.patchedDependencies ?? workspaceRootManifest?.patchedDependencies;
+		} catch (error) {
+			log.warn(`Could not read workspace root package.json: ${error instanceof Error ? error.message : String(error)}`);
+		}
+	}
+	if (!patchedDependencies || Object.keys(patchedDependencies).length === 0) {
+		log.debug("No patched dependencies found in workspace root package.json");
+		return {};
+	}
+	log.debug(`Found ${Object.keys(patchedDependencies).length} patched dependencies in workspace`);
+	/**
+	* Collect the set of dependency names reachable from the target (direct deps
+	* plus deps introduced by internal workspace packages). Patches for names in
+	* this set are preserved even when the target doesn't list them directly —
+	* see issue #167.
+	*/
+	const reachableDependencyNames = collectReachablePackageNames({
+		targetPackageManifest,
+		packagesRegistry,
+		includeDevDependencies
+	});
+	const filteredPatches = filterPatchedDependencies({
+		patchedDependencies,
+		targetPackageManifest,
+		includeDevDependencies,
+		reachableDependencyNames
+	});
+	if (!filteredPatches) return {};
+	/**
+	* Read the pnpm lockfile to get patch hashes. Bun doesn't store hashes in
+	* its lockfile so we skip this for Bun.
+	*/
+	const lockfilePatchedDependencies = packageManagerName === "pnpm" ? await readLockfilePatchedDependencies(workspaceRootDir) : void 0;
+	const copiedPatches = {};
+	for (const [packageSpec, patchPath] of Object.entries(filteredPatches)) {
+		const sourcePatchPath = path.resolve(workspaceRootDir, patchPath);
+		if (!fs.existsSync(sourcePatchPath)) {
+			log.warn(`Patch file not found: ${getRootRelativeLogPath(sourcePatchPath, workspaceRootDir)}`);
+			continue;
+		}
+		/** Preserve original folder structure */
+		const targetPatchPath = path.join(isolateDir, patchPath);
+		await fs.ensureDir(path.dirname(targetPatchPath));
+		await fs.copy(sourcePatchPath, targetPatchPath);
+		log.debug(`Copied patch for ${packageSpec}: ${patchPath}`);
+		const hash = (lockfilePatchedDependencies?.[packageSpec])?.hash ?? "";
+		if (packageManagerName === "pnpm" && !hash) log.warn(`No hash found for patch ${packageSpec} in lockfile`);
+		copiedPatches[packageSpec] = {
+			path: patchPath,
+			hash
+		};
+	}
+	if (Object.keys(copiedPatches).length > 0) log.debug(`Copied ${Object.keys(copiedPatches).length} patch files`);
+	return copiedPatches;
+}
+/**
+* Read the patchedDependencies from the original lockfile to get the hashes.
+* Since the file content is the same after copying, the hash remains valid.
+*/
+async function readLockfilePatchedDependencies(workspaceRootDir) {
+	try {
+		const { majorVersion } = usePackageManager();
+		const useVersion9 = majorVersion >= 9;
+		const lockfileDir = isRushWorkspace(workspaceRootDir) ? path.join(workspaceRootDir, "common/config/rush") : workspaceRootDir;
+		return (useVersion9 ? await readWantedLockfile$1(lockfileDir, { ignoreIncompatible: false }) : await readWantedLockfile(lockfileDir, { ignoreIncompatible: false }))?.patchedDependencies;
+	} catch {
+		/** Package manager not detected or lockfile not readable */
+		return;
+	}
+}
+//#endregion
 //#region src/isolate.ts
 const __dirname = getDirname(import.meta.url);
 function createIsolator(config) {
@@ -1414,6 +1695,21 @@ function createIsolator(config) {
 			const isProductionDependency = productionInternalPackageNames.includes(packageName);
 			validateManifestMandatoryFields(packageDef.manifest, getRootRelativeLogPath(packageDef.absoluteDir, workspaceRootDir), isProductionDependency);
 		}
+		/**
+		* Validate that workspace dev dependencies of all packages being packed
+		* have a version field. Even when dev dependencies are not included in the
+		* isolation output, pnpm pack resolves workspace:* specifiers and requires
+		* the version field to be present.
+		*/
+		const validatedPackageNames = new Set(internalPackageNames);
+		const manifestsToPack = [targetPackageManifest, ...internalPackageNames.map((name) => got(packagesRegistry, name).manifest)];
+		for (const manifest of manifestsToPack) for (const depName of Object.keys(manifest.devDependencies ?? {})) {
+			if (validatedPackageNames.has(depName)) continue;
+			const packageDef = packagesRegistry[depName];
+			if (!packageDef) continue;
+			validateManifestMandatoryFields(packageDef.manifest, getRootRelativeLogPath(packageDef.absoluteDir, workspaceRootDir), false);
+			validatedPackageNames.add(depName);
+		}
 		await unpackDependencies(await packDependencies({
 			internalPackageNames,
 			packagesRegistry,
@@ -1447,6 +1743,7 @@ function createIsolator(config) {
 		const copiedPatches = (packageManager.name === "pnpm" || packageManager.name === "bun") && !config.forceNpm ? await copyPatches({
 			workspaceRootDir,
 			targetPackageManifest: outputManifest,
+			packagesRegistry,
 			isolateDir,
 			includeDevDependencies: config.includeDevDependencies
 		}) : {};
@@ -1540,4 +1837,4 @@ async function isolate(config) {
 //#endregion
 export { loadConfigFromFile as a, detectPackageManager as c, defineConfig as i, readTypedJson as l, listInternalPackages as n, resolveConfig as o, createPackagesRegistry as r, resolveWorkspacePaths as s, isolate as t, filterObjectUndefined as u };
 
-//# sourceMappingURL=isolate-CJy3YyKG.mjs.map
+//# sourceMappingURL=isolate-BRD2AgVJ.mjs.map