npm - isolate-package - Versions diffs - 1.33.0-0 → 1.34.0 - Mend

isolate-package 1.33.0-0 → 1.34.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (67) hide show

package/dist/index.mjs +1 -1
package/dist/index.mjs.map +1 -1
package/dist/{isolate-DTwgcMAN.mjs → isolate-DI3eUTci.mjs} +576 -242
package/dist/isolate-DI3eUTci.mjs.map +1 -0
package/dist/isolate-bin.mjs +5 -6
package/dist/isolate-bin.mjs.map +1 -1
package/package.json +23 -19
package/src/get-internal-package-names.test.ts +1 -1
package/src/get-internal-package-names.ts +2 -2
package/src/isolate-bin.ts +5 -5
package/src/isolate.ts +20 -17
package/src/lib/config.test.ts +1 -1
package/src/lib/config.ts +3 -3
package/src/lib/lockfile/helpers/bun-lockfile.ts +21 -11
package/src/lib/lockfile/helpers/generate-bun-lockfile.test.ts +3 -3
package/src/lib/lockfile/helpers/generate-bun-lockfile.ts +7 -7
package/src/lib/lockfile/helpers/generate-npm-lockfile.integration.test.ts +1 -5
package/src/lib/lockfile/helpers/generate-npm-lockfile.test.ts +311 -16
package/src/lib/lockfile/helpers/generate-npm-lockfile.ts +193 -22
package/src/lib/lockfile/helpers/generate-pnpm-lockfile.test.ts +2 -2
package/src/lib/lockfile/helpers/generate-pnpm-lockfile.ts +6 -6
package/src/lib/lockfile/helpers/generate-yarn-lockfile.ts +5 -5
package/src/lib/lockfile/process-lockfile.test.ts +2 -2
package/src/lib/manifest/helpers/adapt-internal-package-manifests.test.ts +3 -3
package/src/lib/manifest/helpers/adapt-internal-package-manifests.ts +2 -2
package/src/lib/manifest/helpers/adapt-manifest-internal-deps.ts +1 -1
package/src/lib/manifest/helpers/adopt-pnpm-fields-from-root.test.ts +4 -4
package/src/lib/manifest/helpers/adopt-pnpm-fields-from-root.ts +7 -7
package/src/lib/manifest/helpers/resolve-catalog-dependencies.test.ts +410 -0
package/src/lib/manifest/helpers/resolve-catalog-dependencies.ts +115 -27
package/src/lib/manifest/io.ts +6 -2
package/src/lib/manifest/validate-manifest.ts +2 -2
package/src/lib/output/get-build-output-dir.ts +1 -1
package/src/lib/output/pack-dependencies.ts +1 -1
package/src/lib/output/process-build-output-files.ts +6 -17
package/src/lib/package-manager/helpers/infer-from-files.ts +5 -5
package/src/lib/package-manager/helpers/infer-from-manifest.ts +7 -8
package/src/lib/package-manager/index.ts +1 -1
package/src/lib/package-manager/names.ts +8 -10
package/src/lib/patches/collect-installed-names-bun.test.ts +2 -2
package/src/lib/patches/collect-installed-names-bun.ts +8 -8
package/src/lib/patches/collect-installed-names-pnpm.test.ts +1 -1
package/src/lib/patches/collect-installed-names-pnpm.ts +13 -12
package/src/lib/patches/copy-patches.test.ts +5 -13
package/src/lib/patches/copy-patches.ts +9 -9
package/src/lib/patches/write-isolate-pnpm-workspace.test.ts +83 -3
package/src/lib/patches/write-isolate-pnpm-workspace.ts +4 -4
package/src/lib/registry/collect-reachable-package-names.test.ts +1 -1
package/src/lib/registry/create-packages-registry.ts +34 -31
package/src/lib/registry/helpers/find-packages-globs.ts +23 -19
package/src/lib/registry/list-internal-packages.test.ts +2 -2
package/src/lib/types.ts +2 -2
package/src/lib/utils/filter-patched-dependencies.test.ts +1 -1
package/src/lib/utils/filter-patched-dependencies.ts +2 -2
package/src/lib/utils/get-dirname.ts +1 -1
package/src/lib/utils/index.ts +1 -1
package/src/lib/utils/json.ts +12 -14
package/src/lib/utils/pack.ts +32 -22
package/src/lib/utils/reset-isolate-dir.test.ts +165 -0
package/src/lib/utils/reset-isolate-dir.ts +147 -0
package/src/lib/utils/unpack.test.ts +76 -0
package/src/lib/utils/unpack.ts +16 -10
package/src/lib/utils/wait-for-complete-file.test.ts +105 -0
package/src/lib/utils/wait-for-complete-file.ts +44 -0
package/src/lib/utils/yaml.ts +8 -9
package/src/testing/setup.ts +1 -1
package/dist/isolate-DTwgcMAN.mjs.map +0 -1

package/dist/{isolate-DTwgcMAN.mjs → isolate-DI3eUTci.mjs} RENAMED Viewed

@@ -5,14 +5,15 @@ import path, { join } from "node:path";
 import { isEmpty, omit, pick, unique } from "remeda";
 import { exec, execFileSync, execSync } from "node:child_process";
 import { detectMonorepo } from "detect-monorepo";
-import { pathToFileURL } from "node:url";
+import { fileURLToPath, pathToFileURL } from "node:url";
 import { createConsola } from "consola";
-import { fileURLToPath } from "url";
 import { inspect } from "node:util";
-import fs$1 from "node:fs";
+import fs$1, { createReadStream } from "node:fs";
 import stripJsonComments from "strip-json-comments";
-import tar from "tar-fs";
-import { createGunzip } from "zlib";
+import { randomBytes } from "node:crypto";
+import { pipeline } from "node:stream/promises";
+import { createGunzip } from "node:zlib";
+import { extract } from "tar-fs";
 import yaml from "yaml";
 import Arborist from "@npmcli/arborist";
 import Config from "@npmcli/config";
@@ -21,7 +22,6 @@ import { getLockfileImporterId, readWantedLockfile, writeWantedLockfile } from "
 import { getLockfileImporterId as getLockfileImporterId$1, readWantedLockfile as readWantedLockfile$1, writeWantedLockfile as writeWantedLockfile$1 } from "pnpm_lockfile_file_v9";
 import { pruneLockfile } from "pnpm_prune_lockfile_v8";
 import { pruneLockfile as pruneLockfile$1 } from "pnpm_prune_lockfile_v9";
-import path$1 from "path";
 import { getTsconfig } from "get-tsconfig";
 import outdent$1 from "outdent";
 import { globSync } from "glob";
@@ -178,16 +178,16 @@ function readTypedJsonSync(filePath) {
 	try {
 		const rawContent = fs.readFileSync(filePath, "utf-8");
 		return JSON.parse(stripJsonComments(rawContent, { trailingCommas: true }));
-	} catch (err) {
-		throw new Error(`Failed to read JSON from ${filePath}: ${getErrorMessage(err)}`, { cause: err });
+	} catch (error) {
+		throw new Error(`Failed to read JSON from ${filePath}: ${getErrorMessage(error)}`, { cause: error });
 	}
 }
 async function readTypedJson(filePath) {
 	try {
 		const rawContent = await fs.readFile(filePath, "utf-8");
 		return JSON.parse(stripJsonComments(rawContent, { trailingCommas: true }));
-	} catch (err) {
-		throw new Error(`Failed to read JSON from ${filePath}: ${getErrorMessage(err)}`, { cause: err });
+	} catch (error) {
+		throw new Error(`Failed to read JSON from ${filePath}: ${getErrorMessage(error)}`, { cause: error });
 	}
 }
 //#endregion
@@ -199,162 +199,128 @@ function getIsolateRelativeLogPath(path, isolatePath) {
 	return join("(isolate)", path.replace(isolatePath, ""));
 }
 //#endregion
-//#region src/lib/utils/get-major-version.ts
-function getMajorVersion(version) {
-	return parseInt(version.split(".").at(0) ?? "0", 10);
-}
-//#endregion
-//#region src/lib/package-manager/names.ts
-const supportedPackageManagerNames = [
-	"pnpm",
-	"yarn",
-	"npm",
-	"bun"
-];
-function getLockfileFileName(name) {
-	switch (name) {
-		case "bun": return "bun.lock";
-		case "pnpm": return "pnpm-lock.yaml";
-		case "yarn": return "yarn.lock";
-		case "npm": return "package-lock.json";
-	}
-}
-//#endregion
-//#region src/lib/package-manager/helpers/infer-from-files.ts
-function inferFromFiles(workspaceRoot) {
-	for (const name of supportedPackageManagerNames) {
-		const lockfileName = getLockfileFileName(name);
-		if (fs.existsSync(path.join(workspaceRoot, lockfileName))) try {
-			const version = getVersion(name);
-			return {
-				name,
-				version,
-				majorVersion: getMajorVersion(version)
-			};
-		} catch (err) {
-			throw new Error(`Failed to find package manager version for ${name}: ${getErrorMessage(err)}`, { cause: err });
-		}
-	}
-	/** If no lockfile was found, it could be that there is an npm shrinkwrap file. */
-	if (fs.existsSync(path.join(workspaceRoot, "npm-shrinkwrap.json"))) {
-		const version = getVersion("npm");
-		return {
-			name: "npm",
-			version,
-			majorVersion: getMajorVersion(version)
-		};
-	}
-	throw new Error(`Failed to detect package manager`);
-}
-function getVersion(packageManagerName) {
-	return execSync(`${packageManagerName} --version`).toString().trim();
-}
-//#endregion
-//#region src/lib/package-manager/helpers/infer-from-manifest.ts
-function inferFromManifest(workspaceRoot) {
+//#region src/lib/utils/reset-isolate-dir.ts
+/**
+* Prefix used for trash directories created when resetting the isolate output
+* directory. The leading dot keeps it hidden in file explorers and `ls`
+* without `-a`, so users don't see a flash of two folders while the old
+* contents are being reaped in the background.
+*/
+const TRASH_PREFIX = ".";
+const TRASH_INFIX = ".trash-";
+/**
+* Reset the isolate output directory to a fresh empty directory, avoiding the
+* `ENOTEMPTY` race that occurs when another process (e.g. the Firebase
+* functions emulator, a file watcher) writes into the directory while it is
+* being recursively deleted.
+*
+* Strategy:
+*
+* 1. Sweep any leftover trash directories from previous runs that may have
+*    been killed mid-cleanup. Best-effort: ignore errors.
+* 2. If the isolate directory exists, atomically `rename` it to a hidden
+*    sibling on the same filesystem. The rename is atomic, so the moment it
+*    returns the original path is free for a fresh empty directory and
+*    nothing a concurrent writer does inside the old tree can affect the
+*    new one.
+* 3. Kick off the recursive delete of the trash directory in the background.
+*    We don't await it: it is the slowest part of an isolate run, and any
+*    failure (e.g. another process still holding files open) is harmless
+*    because the logical state is already correct. Stale trash dirs are
+*    reaped by the next run's sweep in step 1.
+* 4. Ensure the (now-vacant) isolate directory exists.
+*/
+async function resetIsolateDir(isolateDir, options = {}) {
 	const log = useLogger();
-	const { packageManager: packageManagerString } = readTypedJsonSync(path.join(workspaceRoot, "package.json"));
-	if (!packageManagerString) {
-		log.debug("No packageManager field found in root manifest");
-		return;
+	const trashParentDir = options.trashParentDir ?? path.dirname(isolateDir);
+	const trashGlobPrefix = `${TRASH_PREFIX}${buildTrashStem(trashParentDir, isolateDir)}${TRASH_INFIX}`;
+	/** Best-effort sweep of leftover trash from previously killed runs. */
+	await sweepStaleTrash(trashParentDir, trashGlobPrefix);
+	if (fs.existsSync(isolateDir)) {
+		const trashDir = path.join(trashParentDir, `${trashGlobPrefix}${process.pid}-${randomBytes(4).toString("hex")}`);
+		try {
+			await fs.ensureDir(trashParentDir);
+			await fs.rename(isolateDir, trashDir);
+			log.debug("Moved existing isolate output directory to trash for cleanup");
+			/**
+			* Fire-and-forget. A concurrent writer can cause `ENOTEMPTY` or
+			* `EBUSY` here, but the logical state is already correct: the real
+			* `isolateDir` is gone. Any debris left behind will be swept on the
+			* next run.
+			*/
+			fs.remove(trashDir).catch((error) => {
+				log.debug("Background cleanup of trashed isolate directory did not complete:", error instanceof Error ? error.message : String(error));
+			});
+		} catch (error) {
+			/**
+			* `rename` can fail with `EXDEV` if `trashParentDir` ends up on a
+			* different filesystem from `isolateDir`, or with `EPERM` on platforms
+			* that disallow renaming busy directories. Fall back to the original
+			* behaviour: a straight recursive delete. This preserves correctness
+			* at the cost of the race the rename was meant to avoid.
+			*/
+			log.debug("Could not rename existing isolate output directory, falling back to recursive delete:", error instanceof Error ? error.message : String(error));
+			await fs.remove(isolateDir);
+		}
 	}
-	const [name, version = "*"] = packageManagerString.split("@");
-	assert(supportedPackageManagerNames.includes(name), `Package manager "${name}" is not currently supported`);
-	const lockfileName = getLockfileFileName(name);
-	assert(fs.existsSync(path.join(workspaceRoot, lockfileName)), `Manifest declares ${name} to be the packageManager, but failed to find ${lockfileName} in workspace root`);
-	return {
-		name,
-		version,
-		majorVersion: getMajorVersion(version),
-		packageManagerString
-	};
-}
-//#endregion
-//#region src/lib/package-manager/index.ts
-let packageManager;
-function usePackageManager() {
-	if (!packageManager) throw Error("No package manager detected. Make sure to call detectPackageManager() before usePackageManager()");
-	return packageManager;
+	await fs.ensureDir(isolateDir);
 }
 /**
-* First we check if the package manager is declared in the manifest. If it is,
-* we get the name and version from there. Otherwise we'll search for the
-* different lockfiles and ask the OS to report the installed version.
+* Build a stable name stem for the trash directory. When `trashParentDir` is
+* the direct parent of `isolateDir` (the default), this is just the isolate
+* dir's basename. When it isn't (e.g. callers placing trash outside the
+* packed dir), include the relative path so multiple isolate dirs sharing
+* the same trash parent don't collide in the sweep filter.
 */
-function detectPackageManager(workspaceRootDir) {
-	if (isRushWorkspace(workspaceRootDir)) packageManager = inferFromFiles(path.join(workspaceRootDir, "common/config/rush"));
-	else
- /**
-	* Disable infer from manifest for now. I doubt it is useful after all but
-	* I'll keep the code as a reminder.
-	*/
-	packageManager = inferFromManifest(workspaceRootDir) ?? inferFromFiles(workspaceRootDir);
-	return packageManager;
-}
-function shouldUsePnpmPack() {
-	const { name, majorVersion } = usePackageManager();
-	return name === "pnpm" && majorVersion >= 8;
+function buildTrashStem(trashParentDir, isolateDir) {
+	const relative = path.relative(trashParentDir, isolateDir);
+	if (!relative || relative.startsWith("..") || path.isAbsolute(relative)) return path.basename(isolateDir);
+	return relative.split(path.sep).filter(Boolean).join("-");
 }
-//#endregion
-//#region src/lib/utils/pack.ts
-async function pack(srcDir, dstDir) {
-	const log = useLogger();
-	const execOptions = { maxBuffer: 10 * 1024 * 1024 };
-	const previousCwd = process.cwd();
-	process.chdir(srcDir);
-	/**
-	* PNPM pack seems to be a lot faster than NPM pack, so when PNPM is detected
-	* we use that instead.
-	*/
-	const stdout = shouldUsePnpmPack() ? await new Promise((resolve, reject) => {
-		exec(`pnpm pack --pack-destination "${dstDir}"`, execOptions, (err, stdout) => {
-			if (err) {
-				log.error(getErrorMessage(err));
-				return reject(err);
-			}
-			resolve(stdout);
-		});
-	}) : await new Promise((resolve, reject) => {
-		exec(`npm pack --pack-destination "${dstDir}"`, execOptions, (err, stdout) => {
-			if (err) return reject(err);
-			resolve(stdout);
+/**
+* Best-effort sweep of leftover trash directories matching this isolate dir's
+* stem. Failures are swallowed: stale trash is debris, not state, and a
+* subsequent run will get another chance to reap it.
+*/
+async function sweepStaleTrash(parentDir, trashGlobPrefix) {
+	let entries;
+	try {
+		entries = await fs.readdir(parentDir);
+	} catch {
+		/** Parent doesn't exist yet; nothing to sweep. */
+		return;
+	}
+	await Promise.all(entries.filter((entry) => entry.startsWith(trashGlobPrefix)).map(async (entry) => {
+		await fs.remove(path.join(parentDir, entry)).catch(() => {
+			/** Best-effort. */
 		});
-	});
-	const lastLine = stdout.trim().split("\n").at(-1);
-	assert(lastLine, `Failed to parse last line from stdout: ${stdout.trim()}`);
-	const fileName = path.basename(lastLine);
-	assert(fileName, `Failed to parse file name from: ${lastLine}`);
-	const filePath = path.join(dstDir, fileName);
-	if (!fs$1.existsSync(filePath)) log.error(`The response from pack could not be resolved to an existing file: ${filePath}`);
-	else log.debug(`Packed (temp)/${fileName}`);
-	process.chdir(previousCwd);
-	/**
-	* Return the path anyway even if it doesn't validate. A later stage will wait
-	* for the file to occur still. Not sure if this makes sense. Maybe we should
-	* stop at the validation error...
-	*/
-	return filePath;
+	}));
 }
 //#endregion
 //#region src/lib/utils/unpack.ts
+/**
+* Extract a gzipped tar archive into the given directory.
+*
+* Uses `stream/promises.pipeline` so that errors at any stage (file read,
+* gunzip, tar extract) propagate as a rejected promise rather than crashing
+* the process as unhandled stream errors.
+*/
 async function unpack(filePath, unpackDir) {
-	await new Promise((resolve, reject) => {
-		fs.createReadStream(filePath).pipe(createGunzip()).pipe(tar.extract(unpackDir)).on("finish", () => resolve()).on("error", (err) => reject(err));
-	});
+	await pipeline(createReadStream(filePath), createGunzip(), extract(unpackDir));
 }
 //#endregion
 //#region src/lib/utils/yaml.ts
+/** @todo Add some zod validation maybe */
 function readTypedYamlSync(filePath) {
 	try {
 		const rawContent = fs.readFileSync(filePath, "utf-8");
-		/** @todo Add some zod validation maybe */
 		return yaml.parse(rawContent);
-	} catch (err) {
-		throw new Error(`Failed to read YAML from ${filePath}: ${getErrorMessage(err)}`, { cause: err });
+	} catch (error) {
+		throw new Error(`Failed to read YAML from ${filePath}: ${getErrorMessage(error)}`, { cause: error });
 	}
 }
+/** @todo Add some zod validation maybe */
 function writeTypedYamlSync(filePath, content) {
-	/** @todo Add some zod validation maybe */
 	fs.writeFileSync(filePath, yaml.stringify(content), "utf-8");
 }
 //#endregion
@@ -486,6 +452,104 @@ function resolveConfig(initialConfig) {
 	return config;
 }
 //#endregion
+//#region src/lib/utils/get-major-version.ts
+function getMajorVersion(version) {
+	return parseInt(version.split(".").at(0) ?? "0", 10);
+}
+//#endregion
+//#region src/lib/package-manager/names.ts
+const supportedPackageManagerNames = [
+	"pnpm",
+	"yarn",
+	"npm",
+	"bun"
+];
+const lockfileFileNamesByPackageManager = {
+	bun: "bun.lock",
+	pnpm: "pnpm-lock.yaml",
+	yarn: "yarn.lock",
+	npm: "package-lock.json"
+};
+function getLockfileFileName(name) {
+	return lockfileFileNamesByPackageManager[name];
+}
+//#endregion
+//#region src/lib/package-manager/helpers/infer-from-files.ts
+function inferFromFiles(workspaceRoot) {
+	for (const name of supportedPackageManagerNames) {
+		const lockfileName = getLockfileFileName(name);
+		if (fs.existsSync(path.join(workspaceRoot, lockfileName))) try {
+			const version = getVersion(name);
+			return {
+				name,
+				version,
+				majorVersion: getMajorVersion(version)
+			};
+		} catch (error) {
+			throw new Error(`Failed to find package manager version for ${name}: ${getErrorMessage(error)}`, { cause: error });
+		}
+	}
+	/** If no lockfile was found, it could be that there is an npm shrinkwrap file. */
+	if (fs.existsSync(path.join(workspaceRoot, "npm-shrinkwrap.json"))) {
+		const version = getVersion("npm");
+		return {
+			name: "npm",
+			version,
+			majorVersion: getMajorVersion(version)
+		};
+	}
+	throw new Error(`Failed to detect package manager`);
+}
+function getVersion(packageManagerName) {
+	return execSync(`${packageManagerName} --version`).toString().trim();
+}
+//#endregion
+//#region src/lib/package-manager/helpers/infer-from-manifest.ts
+function inferFromManifest(workspaceRoot) {
+	const log = useLogger();
+	const { packageManager: packageManagerString } = readTypedJsonSync(path.join(workspaceRoot, "package.json"));
+	if (!packageManagerString) {
+		log.debug("No packageManager field found in root manifest");
+		return null;
+	}
+	const [name, version = "*"] = packageManagerString.split("@");
+	assert(supportedPackageManagerNames.includes(name), `Package manager "${name}" is not currently supported`);
+	const lockfileName = getLockfileFileName(name);
+	assert(fs.existsSync(path.join(workspaceRoot, lockfileName)), `Manifest declares ${name} to be the packageManager, but failed to find ${lockfileName} in workspace root`);
+	return {
+		name,
+		version,
+		majorVersion: getMajorVersion(version),
+		packageManagerString
+	};
+}
+//#endregion
+//#region src/lib/package-manager/index.ts
+let packageManager;
+function usePackageManager() {
+	if (!packageManager) throw new Error("No package manager detected. Make sure to call detectPackageManager() before usePackageManager()");
+	return packageManager;
+}
+/**
+* First we check if the package manager is declared in the manifest. If it is,
+* we get the name and version from there. Otherwise we'll search for the
+* different lockfiles and ask the OS to report the installed version.
+*/
+function detectPackageManager(workspaceRootDir) {
+	if (isRushWorkspace(workspaceRootDir)) packageManager = inferFromFiles(path.join(workspaceRootDir, "common/config/rush"));
+	else
+ /**
+	* Disable infer from manifest for now. I doubt it is useful after all but
+	* I'll keep the code as a reminder.
+	*/
+	packageManager = inferFromManifest(workspaceRootDir) ?? inferFromFiles(workspaceRootDir);
+	return packageManager;
+}
+function shouldUsePnpmPack() {
+	const { name, majorVersion } = usePackageManager();
+	return name === "pnpm" && majorVersion >= 8;
+}
+//#endregion
 //#region src/lib/lockfile/helpers/bun-lockfile.ts
 /** Extract dependency names from a workspace entry. */
 function collectDependencyNames(entry, includeDevDependencies) {
@@ -533,8 +597,8 @@ function getPackageInfoObject(entry) {
 function collectRequiredPackages(directDependencyNames, packages) {
 	const required = /* @__PURE__ */ new Set();
 	const queue = [...directDependencyNames];
-	while (queue.length > 0) {
-		const name = queue.pop();
+	let name;
+	while ((name = queue.pop()) !== void 0) {
 		if (required.has(name)) continue;
 		const entry = packages[name];
 		if (!entry) continue;
@@ -546,15 +610,19 @@ function collectRequiredPackages(directDependencyNames, packages) {
 			"dependencies",
 			"optionalDependencies",
 			"peerDependencies"
-		]) {
-			const deps = info[depField];
-			if (deps && typeof deps === "object") {
-				for (const depName of Object.keys(deps)) if (!required.has(depName)) queue.push(depName);
-			}
-		}
+		]) enqueueDeps(info[depField], required, queue);
 	}
 	return required;
 }
+/**
+* Push any names from a dependency map onto the BFS queue, skipping anything
+* already marked required so we don't revisit it. `deps` is typed as `unknown`
+* because it comes from a freshly-parsed lockfile entry with no schema.
+*/
+function enqueueDeps(deps, required, queue) {
+	if (!deps || typeof deps !== "object") return;
+	for (const depName of Object.keys(deps)) if (!required.has(depName)) queue.push(depName);
+}
 //#endregion
 //#region src/lib/lockfile/helpers/generate-bun-lockfile.ts
 /**
@@ -659,9 +727,9 @@ async function generateBunLockfile({ workspaceRootDir, targetPackageDir, isolate
 		/** Append trailing newline to match Bun's native output format */
 		await fs.writeFile(outputPath, serializeWithTrailingCommas(outputLockfile) + "\n");
 		log.debug("Created lockfile at", outputPath);
-	} catch (err) {
-		log.error(`Failed to generate lockfile: ${getErrorMessage(err)}`);
-		throw err;
+	} catch (error) {
+		log.error(`Failed to generate lockfile: ${getErrorMessage(error)}`);
+		throw error;
 	}
 }
 //#endregion
@@ -709,9 +777,9 @@ async function generateNpmLockfile({ workspaceRootDir, isolateDir, targetPackage
 			});
 		}
 		log.debug("Created lockfile at", path.join(isolateDir, "package-lock.json"));
-	} catch (err) {
-		log.error(`Failed to generate lockfile: ${getErrorMessage(err)}`);
-		throw err;
+	} catch (error) {
+		log.error(`Failed to generate lockfile: ${getErrorMessage(error)}`);
+		throw error;
 	}
 }
 async function generateFromRootLockfile({ workspaceRootDir, isolateDir, targetPackageName, targetPackageManifest, packagesRegistry, internalDepPackageNames }) {
@@ -727,7 +795,7 @@ async function generateFromRootLockfile({ workspaceRootDir, isolateDir, targetPa
 	const rootTree = await arborist.loadVirtual();
 	const targetImporterNode = arborist.workspaceNodes(rootTree, [targetPackageName])[0];
 	if (!targetImporterNode) throw new Error(`Target workspace "${targetPackageName}" not found in root package-lock.json`);
-	if (typeof targetImporterNode.location !== "string") throw new Error(`Target workspace "${targetPackageName}" resolved to a node without a location`);
+	if (typeof targetImporterNode.location !== "string") throw new TypeError(`Target workspace "${targetPackageName}" resolved to a node without a location`);
 	/**
 	* `workspaceDependencySet` walks `edgesOut` from each seed node. It does
 	* not add the seed node itself to the result, so ensure the target
@@ -766,6 +834,12 @@ async function generateFromRootLockfile({ workspaceRootDir, isolateDir, targetPa
 		srcData,
 		reachable,
 		targetImporterLoc: targetImporterNode.location,
+		/**
+		* npm's lockfile exposes each workspace as a Link at
+		* `node_modules/<name>`. This link is pointless in the isolate (the
+		* target becomes the root), so filter it out if it shows up in the
+		* reachable set.
+		*/
 		targetLinkLoc: `node_modules/${targetPackageName}`,
 		targetPackageManifest
 	});
@@ -795,10 +869,16 @@ function buildIsolatedLockfileJson({ srcData, reachable, targetImporterLoc, targ
 	const srcPackages = srcData.packages;
 	if (!srcPackages[targetImporterLoc]) throw new Error(`Source lockfile has no entry for target importer "${targetImporterLoc}"`);
 	const targetNestedNodeModulesPrefix = `${targetImporterLoc}/node_modules/`;
-	/** Track the source location each output entry came from, so we can
-	* produce a clear error if two source paths remap to the same target.
-	*/
+	const remapToOutputLoc = (origLoc) => {
+		if (origLoc === targetImporterLoc) return "";
+		if (origLoc.startsWith(targetNestedNodeModulesPrefix)) return origLoc.slice(targetImporterLoc.length + 1);
+		return origLoc;
+	};
+	const isTargetNested = (origLoc) => origLoc === targetImporterLoc || origLoc.startsWith(targetNestedNodeModulesPrefix);
+	/** Track the source location each output entry came from, used to identify
+	* the displaced entry when a collision occurs. */
 	const origLocByNewLoc = /* @__PURE__ */ new Map();
+	const collisions = [];
 	for (const node of reachable) {
 		const origLoc = node.location;
 		/** The target's self-link has no place in the isolate (root IS the target). */
@@ -814,20 +894,79 @@ function buildIsolatedLockfileJson({ srcData, reachable, targetImporterLoc, targ
 		* `packages/app/lib/core`) are preserved verbatim because their disk
 		* location in the isolate is unchanged.
 		*/
-		let newLoc;
-		if (origLoc === targetImporterLoc) newLoc = "";
-		else if (origLoc.startsWith(targetNestedNodeModulesPrefix)) newLoc = origLoc.slice(targetImporterLoc.length + 1);
-		else newLoc = origLoc;
+		const newLoc = remapToOutputLoc(origLoc);
 		const srcEntry = srcPackages[origLoc];
 		if (!srcEntry) throw new Error(`Reachable node "${origLoc}" has no entry in source lockfile packages`);
 		const existing = outPackages[newLoc];
 		if (existing && !entriesAreEquivalent(existing, srcEntry)) {
 			const previousOrigLoc = origLocByNewLoc.get(newLoc) ?? "<unknown>";
-			throw new Error(`Path collision at "${newLoc}": source locations "${previousOrigLoc}" and "${origLoc}" both map there with conflicting entries. This happens when the target pins a nested version override that collides with a hoisted version still needed by another reachable dependency. Please report a reproduction at https://github.com/0x80/isolate-package/issues.`);
+			const incomingIsTargetNested = isTargetNested(origLoc);
+			const previousIsTargetNested = isTargetNested(previousOrigLoc);
+			if (incomingIsTargetNested && !previousIsTargetNested) {
+				/** The target-nested entry wins. The previously-stored hoisted entry
+				* is displaced and must be re-nested under its consumers. */
+				collisions.push({
+					loserOrigLoc: previousOrigLoc,
+					loserEntry: existing
+				});
+				outPackages[newLoc] = { ...srcEntry };
+				origLocByNewLoc.set(newLoc, origLoc);
+				continue;
+			}
+			if (!incomingIsTargetNested && previousIsTargetNested) {
+				/** The previously-stored target-nested entry wins; the incoming
+				* hoisted entry is the loser. */
+				collisions.push({
+					loserOrigLoc: origLoc,
+					loserEntry: { ...srcEntry }
+				});
+				continue;
+			}
+			/** Neither side is the target's nested version, or both are — we have
+			* no rule to pick a winner. Bail loudly. */
+			throw new Error(`Path collision at "${newLoc}": source locations "${previousOrigLoc}" and "${origLoc}" both map there with conflicting entries and no rule applies to pick a winner (neither is a target-nested override, or both are). Please report a reproduction at https://github.com/0x80/isolate-package/issues.`);
 		}
 		outPackages[newLoc] = { ...srcEntry };
 		origLocByNewLoc.set(newLoc, origLoc);
 	}
+	/** Re-nest each displaced entry under the reachable consumers that
+	* originally resolved to it via node_modules walk-up. */
+	for (const collision of collisions) {
+		const loserName = extractPackageNameFromLockfileLoc(collision.loserOrigLoc);
+		if (!loserName) continue;
+		for (const consumer of reachable) {
+			const consumerSrcLoc = consumer.location;
+			if (consumerSrcLoc === collision.loserOrigLoc) continue;
+			if (consumerSrcLoc === targetLinkLoc) continue;
+			const consumerEntry = srcPackages[consumerSrcLoc];
+			if (!consumerEntry) continue;
+			/** Workspace links carry dependency metadata on the importer entry,
+			* not the link entry itself. Skip the link side. */
+			if (consumerEntry.link) continue;
+			if (!entryDependsOn(consumerEntry, loserName)) continue;
+			if (resolveDepInSrcLockfile(consumerSrcLoc, loserName, srcPackages) !== collision.loserOrigLoc) continue;
+			const consumerNewLoc = remapToOutputLoc(consumerSrcLoc);
+			/** Consumer maps to the isolate root (the target itself). The root
+			* slot is already taken by the winning version. The target's own
+			* dependencies use that version — we cannot serve a different one
+			* here without nesting under the target, which would be its own
+			* collision. Accept the resolution shift. */
+			if (consumerNewLoc === "") continue;
+			/** If the consumer was itself displaced by another collision (its
+			* src-side entry doesn't match the entry we actually placed at its
+			* new location), the consumer isn't really present in the isolate.
+			* Its original dep needs are irrelevant here. */
+			const consumerOutEntry = outPackages[consumerNewLoc];
+			if (!consumerOutEntry || !entriesAreEquivalent(consumerOutEntry, consumerEntry)) continue;
+			const nestedLoc = `${consumerNewLoc}/node_modules/${loserName}`;
+			const existingNested = outPackages[nestedLoc];
+			if (existingNested) {
+				if (entriesAreEquivalent(existingNested, collision.loserEntry)) continue;
+				throw new Error(`Cannot re-nest displaced "${loserName}" under "${consumerNewLoc}": the slot "${nestedLoc}" already contains a different entry. Please report a reproduction at https://github.com/0x80/isolate-package/issues.`);
+			}
+			outPackages[nestedLoc] = { ...collision.loserEntry };
+		}
+	}
 	/**
 	* If the target importer didn't make it into the reachable set for any
 	* reason (upstream Arborist bug, programmer error), bail loudly rather
@@ -835,8 +974,10 @@ function buildIsolatedLockfileJson({ srcData, reachable, targetImporterLoc, targ
 	*/
 	if (!outPackages[""]) throw new Error(`Target importer "${targetImporterLoc}" was not present in the reachable node set; cannot construct isolate root entry`);
 	/** Overlay the isolate root with the adapted target manifest. */
-	const rootEntry = { ...outPackages[""] };
-	rootEntry.name = targetPackageManifest.name;
+	const rootEntry = {
+		...outPackages[""],
+		name: targetPackageManifest.name
+	};
 	if (targetPackageManifest.version) rootEntry.version = targetPackageManifest.version;
 	overlayManifestDeps(rootEntry, targetPackageManifest);
 	/** The isolate is no longer a workspace root. */
@@ -874,6 +1015,55 @@ function buildIsolatedLockfileJson({ srcData, reachable, targetImporterLoc, targ
 function entriesAreEquivalent(a, b) {
 	return a.version === b.version && a.resolved === b.resolved && a.integrity === b.integrity && !!a.link === !!b.link;
 }
+/**
+* Extracts the package name from a lockfile install location. Handles scoped
+* packages, where the name is two segments after the last `node_modules/`.
+*
+*   "node_modules/foo"                          -> "foo"
+*   "node_modules/@scope/foo"                   -> "@scope/foo"
+*   "node_modules/a/node_modules/b"             -> "b"
+*   "node_modules/a/node_modules/@scope/b"      -> "@scope/b"
+*
+* Returns null for locations that don't contain `node_modules/`.
+*/
+function extractPackageNameFromLockfileLoc(loc) {
+	const lastIdx = loc.lastIndexOf("node_modules/");
+	if (lastIdx < 0) return null;
+	const tail = loc.slice(lastIdx + 13);
+	if (tail.startsWith("@")) {
+		const slashIdx = tail.indexOf("/");
+		if (slashIdx < 0) return tail;
+		/** Stop at the second `/` so we don't include any further nesting. */
+		const secondSlash = tail.indexOf("/", slashIdx + 1);
+		return secondSlash < 0 ? tail : tail.slice(0, secondSlash);
+	}
+	const slashIdx = tail.indexOf("/");
+	return slashIdx < 0 ? tail : tail.slice(0, slashIdx);
+}
+/**
+* Returns true if the lockfile entry lists `depName` in any of its dependency
+* fields. Includes peer/optional/dev because any of them may have been the
+* reason for the dep being installed at runtime.
+*/
+function entryDependsOn(entry, depName) {
+	return entry.dependencies?.[depName] !== void 0 || entry.devDependencies?.[depName] !== void 0 || entry.peerDependencies?.[depName] !== void 0 || entry.optionalDependencies?.[depName] !== void 0;
+}
+/**
+* Resolves `depName` against `srcPackages` from the perspective of a consumer
+* at `consumerLoc`, mirroring Node.js `node_modules` walk-up. Returns the
+* lockfile key of the entry the consumer would load at runtime, or null when
+* no candidate exists.
+*/
+function resolveDepInSrcLockfile(consumerLoc, depName, srcPackages) {
+	let scope = consumerLoc;
+	while (true) {
+		const candidate = scope === "" ? `node_modules/${depName}` : `${scope}/node_modules/${depName}`;
+		if (srcPackages[candidate]) return candidate;
+		if (scope === "") return null;
+		const idx = scope.lastIndexOf("/node_modules/");
+		scope = idx < 0 ? "" : scope.slice(0, idx);
+	}
+}
 function overlayManifestDeps(entry, manifest) {
 	for (const field of [
 		"dependencies",
@@ -995,9 +1185,9 @@ async function generatePnpmLockfile({ workspaceRootDir, targetPackageDir, isolat
 			patchedDependencies
 		});
 		log.debug("Created lockfile at", path.join(isolateDir, "pnpm-lock.yaml"));
-	} catch (err) {
-		log.error(`Failed to generate lockfile: ${getErrorMessage(err)}`);
-		throw err;
+	} catch (error) {
+		log.error(`Failed to generate lockfile: ${getErrorMessage(error)}`);
+		throw error;
 	}
 }
 //#endregion
@@ -1023,9 +1213,9 @@ async function generateYarnLockfile({ workspaceRootDir, isolateDir }) {
 		log.debug(`Running local install`);
 		execSync(`yarn install --cwd ${isolateDir}`);
 		log.debug("Generated lockfile at", newLockfilePath);
-	} catch (err) {
-		log.error(`Failed to generate lockfile: ${getErrorMessage(err)}`);
-		throw err;
+	} catch (error) {
+		log.error(`Failed to generate lockfile: ${getErrorMessage(error)}`);
+		throw error;
 	}
 }
 //#endregion
@@ -1102,7 +1292,7 @@ async function processLockfile({ workspaceRootDir, packagesRegistry, isolateDir,
 //#endregion
 //#region src/lib/manifest/io.ts
 async function readManifest(packageDir) {
-	return readTypedJson(path.join(packageDir, "package.json"));
+	return await readTypedJson(path.join(packageDir, "package.json"));
 }
 async function writeManifest(outputDir, manifest) {
 	await fs.writeFile(path.join(outputDir, "package.json"), JSON.stringify(manifest, null, 2));
@@ -1138,30 +1328,83 @@ function adaptManifestInternalDeps({ manifest, packagesRegistry, parentRootRelat
 }
 //#endregion
 //#region src/lib/manifest/helpers/resolve-catalog-dependencies.ts
+const catalogSourceCache = /* @__PURE__ */ new Map();
+/**
+* Loads catalog definitions by checking pnpm-workspace.yaml first (pnpm
+* format), then falling back to the root package.json (Bun format).
+*
+* Pnpm defines catalogs in pnpm-workspace.yaml:
+*
+* ```yaml
+* catalog:
+*   react: ^18.3.1
+* catalogs:
+*   react18:
+*     react: ^18.3.1
+* ```
+*
+* Bun defines catalogs in package.json (at root level or under workspaces).
+*/
+async function loadCatalogSource(workspaceRootDir) {
+	const cached = catalogSourceCache.get(workspaceRootDir);
+	if (cached) return cached;
+	/**
+	* Drop the cache entry if loading fails so a subsequent call can retry
+	* instead of immediately rethrowing the same rejection.
+	*/
+	const cachedLoadPromise = (async () => {
+		const log = useLogger();
+		/** Try pnpm-workspace.yaml first. */
+		const workspaceYamlPath = path.join(workspaceRootDir, "pnpm-workspace.yaml");
+		if (await fs.pathExists(workspaceYamlPath)) try {
+			const rawContent = await fs.readFile(workspaceYamlPath, "utf-8");
+			const yamlConfig = yaml.parse(rawContent);
+			if (yamlConfig?.catalog || yamlConfig?.catalogs) return {
+				catalog: yamlConfig.catalog,
+				catalogs: yamlConfig.catalogs
+			};
+		} catch (error) {
+			log.warn(`Failed to parse ${workspaceYamlPath}: ${error instanceof Error ? error.message : String(error)}. Falling back to package.json for catalog definitions.`);
+		}
+		const rootManifest = await readTypedJson(path.join(workspaceRootDir, "package.json"));
+		return {
+			catalog: rootManifest.catalog ?? rootManifest.workspaces?.catalog,
+			catalogs: rootManifest.catalogs ?? rootManifest.workspaces?.catalogs
+		};
+	})().catch((error) => {
+		catalogSourceCache.delete(workspaceRootDir);
+		throw error;
+	});
+	catalogSourceCache.set(workspaceRootDir, cachedLoadPromise);
+	return cachedLoadPromise;
+}
 /**
 * Resolves catalog dependencies by replacing "catalog:" specifiers with their
-* actual versions from the root package.json catalog field.
+* actual versions.
 *
 * Supports both pnpm and Bun catalog formats:
 *
-* - Pnpm: catalog at root level
-* - Bun: catalog or catalogs at root level, or workspaces.catalog
+* - Pnpm: catalog/catalogs defined in pnpm-workspace.yaml
+* - Bun: catalog or catalogs at root level, or workspaces.catalog in
+*   package.json
 */
 async function resolveCatalogDependencies(dependencies, workspaceRootDir) {
 	if (!dependencies) return;
 	const log = useLogger();
-	const rootManifest = await readTypedJson(path.join(workspaceRootDir, "package.json"));
-	const flatCatalog = rootManifest.catalog || rootManifest.workspaces?.catalog;
-	const nestedCatalogs = rootManifest.catalogs || rootManifest.workspaces?.catalogs;
+	const { catalog: flatCatalog, catalogs: nestedCatalogs } = await loadCatalogSource(workspaceRootDir);
 	if (!flatCatalog && !nestedCatalogs) return dependencies;
 	const resolved = { ...dependencies };
 	for (const [packageName, specifier] of Object.entries(dependencies)) if (specifier === "catalog:" || specifier.startsWith("catalog:")) {
 		let catalogVersion;
-		if (specifier === "catalog:") catalogVersion = flatCatalog?.[packageName];
-		else {
-			const groupName = specifier.slice(8);
-			catalogVersion = nestedCatalogs?.[groupName]?.[packageName];
-		}
+		const groupName = specifier === "catalog:" ? "default" : specifier.slice(8);
+		if (groupName === "default")
+ /**
+		* Per pnpm semantics, `catalog:` and `catalog:default` are
+		* equivalent: the default catalog can live under the top-level
+		* `catalog` field or under `catalogs.default`, so check both.
+		*/
+		catalogVersion = flatCatalog?.[packageName] ?? nestedCatalogs?.default?.[packageName];
+		else catalogVersion = nestedCatalogs?.[groupName]?.[packageName];
 		if (catalogVersion) {
 			log.debug(`Resolving catalog dependency ${packageName}: "${specifier}" -> "${catalogVersion}"`);
 			resolved[packageName] = catalogVersion;
@@ -1212,7 +1455,7 @@ async function adaptInternalPackageManifests({ internalPackageNames, packagesReg
 */
 async function adoptPnpmFieldsFromRoot(targetPackageManifest, workspaceRootDir) {
 	if (isRushWorkspace(workspaceRootDir)) return targetPackageManifest;
-	const rootPackageManifest = await readTypedJson(path$1.join(workspaceRootDir, "package.json"));
+	const rootPackageManifest = await readTypedJson(path.join(workspaceRootDir, "package.json"));
 	if (usePackageManager().name === "bun") return adoptBunFieldsFromRoot(targetPackageManifest, rootPackageManifest);
 	return adoptPnpmFieldsOnly(targetPackageManifest, rootPackageManifest);
 }
@@ -1232,7 +1475,7 @@ function adoptBunFieldsFromRoot(targetPackageManifest, rootPackageManifest) {
 }
 /** Adopt pnpm-specific fields from the root manifest */
 function adoptPnpmFieldsOnly(targetPackageManifest, rootPackageManifest) {
-	const { overrides, onlyBuiltDependencies, ignoredBuiltDependencies } = rootPackageManifest.pnpm || {};
+	const { overrides, onlyBuiltDependencies, ignoredBuiltDependencies } = rootPackageManifest.pnpm ?? {};
 	/** If no pnpm fields are present, return the original manifest */
 	if (!overrides && !onlyBuiltDependencies && !ignoredBuiltDependencies) return targetPackageManifest;
 	const pnpmConfig = {};
@@ -1268,7 +1511,16 @@ async function adaptTargetPackageManifest({ manifest, packagesRegistry, workspac
 			manifest: manifestWithResolvedCatalogs,
 			packagesRegistry
 		}),
+		/**
+		* Adopt the package manager definition from the root manifest if available.
+		* The option to omit is there because some platforms might not handle it
+		* properly (Cloud Run, April 24th 2024, does not handle pnpm v9)
+		*/
 		packageManager: omitPackageManager ? void 0 : packageManager.packageManagerString,
+		/**
+		* Scripts are removed by default if not explicitly picked or omitted via
+		* config.
+		*/
 		scripts: pickFromScripts ? pick(manifest.scripts ?? {}, pickFromScripts) : omitFromScripts ? omit(manifest.scripts ?? {}, omitFromScripts) : {}
 	};
 }
@@ -1299,8 +1551,8 @@ function validateManifestMandatoryFields(manifest, packagePath, requireFilesFiel
 	* packed
 	*/
 	if (requireFilesField && (!manifest.files || !Array.isArray(manifest.files) || manifest.files.length === 0)) missingFields.push("files");
-	if (missingFields.length > 0) {
-		const field = missingFields[0];
+	const [field] = missingFields;
+	if (field) {
 		const errorMessage = missingFields.length === 1 ? `Package at ${packagePath} is missing the "${field}" field in its package.json. See ${fieldDocUrls[field] ?? "https://isolate-package.codecompose.dev/getting-started#prerequisites"}` : `Package at ${packagePath} is missing mandatory fields in its package.json: ${missingFields.join(", ")}. See https://isolate-package.codecompose.dev/getting-started#prerequisites`;
 		log.error(errorMessage);
 		throw new Error(errorMessage);
@@ -1309,7 +1561,7 @@ function validateManifestMandatoryFields(manifest, packagePath, requireFilesFiel
 }
 //#endregion
 //#region src/lib/output/get-build-output-dir.ts
-async function getBuildOutputDir({ targetPackageDir, buildDirName, tsconfigPath }) {
+function getBuildOutputDir({ targetPackageDir, buildDirName, tsconfigPath }) {
 	const log = useLogger();
 	if (buildDirName) {
 		log.debug("Using buildDirName from config:", buildDirName);
@@ -1332,6 +1584,91 @@ async function getBuildOutputDir({ targetPackageDir, buildDirName, tsconfigPath
 	}
 }
 //#endregion
+//#region src/lib/utils/wait-for-complete-file.ts
+/**
+* Wait until the given file exists and its size has stopped changing across
+* two consecutive polls. Resolves once the file is considered fully written,
+* rejects with a timeout error otherwise.
+*
+* This is a cheap proxy for "the writer has finished flushing" without
+* inspecting file contents or relying on platform-specific signals. It is
+* intended for cases where an external process (e.g. `pnpm pack`) may report
+* completion before its output is fully visible on disk.
+*/
+async function waitForCompleteFile(filePath, { timeoutMs, pollMs }) {
+	const deadline = Date.now() + timeoutMs;
+	let lastSize = -1;
+	while (Date.now() < deadline) {
+		try {
+			const { size } = await fs$1.promises.stat(filePath);
+			if (size > 0 && size === lastSize) return;
+			lastSize = size;
+		} catch (error) {
+			if (error.code !== "ENOENT") throw error;
+		}
+		await new Promise((resolve) => {
+			setTimeout(resolve, pollMs);
+		});
+	}
+	throw new Error(`Timed out after ${timeoutMs}ms waiting for file to be written: ${filePath}`);
+}
+//#endregion
+//#region src/lib/utils/pack.ts
+/**
+* How long to wait for the packed tarball to appear and stop growing on disk
+* after `pnpm pack` / `npm pack` has exited.
+*/
+const PACK_FILE_READY_TIMEOUT_MS = 5e3;
+const PACK_FILE_READY_POLL_MS = 50;
+async function pack(srcDir, dstDir) {
+	const log = useLogger();
+	const execOptions = {
+		cwd: srcDir,
+		maxBuffer: 10 * 1024 * 1024
+	};
+	/**
+	* PNPM pack seems to be a lot faster than NPM pack, so when PNPM is detected
+	* we use that instead.
+	*/
+	const packStdout = shouldUsePnpmPack() ? await new Promise((resolve, reject) => {
+		exec(`pnpm pack --pack-destination "${dstDir}"`, execOptions, (err, stdout) => {
+			if (err) {
+				log.error(getErrorMessage(err));
+				reject(err);
+				return;
+			}
+			resolve(stdout);
+		});
+	}) : await new Promise((resolve, reject) => {
+		exec(`npm pack --pack-destination "${dstDir}"`, execOptions, (err, stdout) => {
+			if (err) {
+				reject(err);
+				return;
+			}
+			resolve(stdout);
+		});
+	});
+	const lastLine = packStdout.trim().split("\n").at(-1);
+	assert(lastLine, `Failed to parse last line from stdout: ${packStdout.trim()}`);
+	const fileName = path.basename(lastLine);
+	assert(fileName, `Failed to parse file name from: ${lastLine}`);
+	const filePath = path.join(dstDir, fileName);
+	/**
+	* `pnpm pack` (and occasionally `npm pack`) can return before the tarball is
+	* fully visible/flushed to disk. A naive `existsSync` check is not enough:
+	* the directory entry can appear before the file's data has been written,
+	* which causes downstream consumers (gunzip + tar) to fail with
+	* "unexpected end of file". Wait until the file exists and its size has
+	* stopped changing across two consecutive polls before returning.
+	*/
+	await waitForCompleteFile(filePath, {
+		timeoutMs: PACK_FILE_READY_TIMEOUT_MS,
+		pollMs: PACK_FILE_READY_POLL_MS
+	});
+	log.debug(`Packed (temp)/${fileName}`);
+	return filePath;
+}
+//#endregion
 //#region src/lib/output/pack-dependencies.ts
 /**
 * Pack dependencies so that we extract only the files that are supposed to be
@@ -1360,18 +1697,13 @@ async function packDependencies({ packagesRegistry, internalPackageNames, packDe
 }
 //#endregion
 //#region src/lib/output/process-build-output-files.ts
-const TIMEOUT_MS = 5e3;
 async function processBuildOutputFiles({ targetPackageDir, tmpDir, isolateDir }) {
-	const log = useLogger();
 	const packedFilePath = await pack(targetPackageDir, tmpDir);
 	const unpackDir = path.join(tmpDir, "target");
-	const now = Date.now();
-	let isWaitingYet = false;
-	while (!fs.existsSync(packedFilePath) && Date.now() - now < TIMEOUT_MS) {
-		if (!isWaitingYet) log.debug(`Waiting for ${packedFilePath} to become available...`);
-		isWaitingYet = true;
-		await new Promise((resolve) => setTimeout(resolve, 100));
-	}
+	/**
+	* `pack` already waits for the tarball to be fully written before returning,
+	* so it is safe to unpack immediately.
+	*/
 	await unpack(packedFilePath, unpackDir);
 	await fs.copy(path.join(unpackDir, "package"), isolateDir);
 }
@@ -1444,7 +1776,8 @@ function collectReachablePackageNames({ targetPackageManifest, packagesRegistry,
 */
 function findPackagesGlobs(workspaceRootDir) {
 	const log = useLogger();
-	switch (usePackageManager().name) {
+	const packageManager = usePackageManager();
+	switch (packageManager.name) {
 		case "pnpm": {
 			const workspaceConfig = readTypedYamlSync(path.join(workspaceRootDir, "pnpm-workspace.yaml"));
 			if (!workspaceConfig) throw new Error("pnpm-workspace.yaml file is empty. Please specify packages configuration.");
@@ -1460,17 +1793,16 @@ function findPackagesGlobs(workspaceRootDir) {
 			const { workspaces } = readTypedJsonSync(workspaceRootManifestPath);
 			if (!workspaces) throw new Error(`No workspaces field found in ${workspaceRootManifestPath}`);
 			if (Array.isArray(workspaces)) return workspaces;
-			else {
-				/**
-				* For Yarn, workspaces could be defined as an object with { packages:
-				* [], nohoist: [] }. See
-				* https://classic.yarnpkg.com/blog/2018/02/15/nohoist/
-				*/
-				const workspacesObject = workspaces;
-				assert(workspacesObject.packages, "workspaces.packages must be an array");
-				return workspacesObject.packages;
-			}
+			/**
+			* For Yarn, workspaces could be defined as an object with { packages: [],
+			* nohoist: [] }. See
+			* https://classic.yarnpkg.com/blog/2018/02/15/nohoist/
+			*/
+			const workspacesObject = workspaces;
+			assert(Array.isArray(workspacesObject.packages), "workspaces.packages must be an array");
+			return workspacesObject.packages;
 		}
+		default: throw new Error(`Unsupported package manager: ${packageManager.name}`);
 	}
 }
 //#endregion
@@ -1489,15 +1821,14 @@ async function createPackagesRegistry(workspaceRootDir, workspacePackagesOverrid
 		const manifestPath = path.join(absoluteDir, "package.json");
 		if (!fs.existsSync(manifestPath)) {
 			log.warn(`Ignoring directory ${rootRelativeDir} because it does not contain a package.json file`);
-			return;
-		} else {
-			log.debug(`Registering package ${rootRelativeDir}`);
-			return {
-				manifest: await readTypedJson(path.join(absoluteDir, "package.json")),
-				rootRelativeDir,
-				absoluteDir
-			};
+			return null;
 		}
+		log.debug(`Registering package ${rootRelativeDir}`);
+		return {
+			manifest: await readTypedJson(path.join(absoluteDir, "package.json")),
+			rootRelativeDir,
+			absoluteDir
+		};
 	}))).reduce((acc, info) => {
 		if (info) acc[info.manifest.name] = info;
 		return acc;
@@ -1577,7 +1908,7 @@ function collectInstalledNamesFromBunLockfile({ workspaceRootDir, targetPackageD
 			const pkg = packagesRegistry[name];
 			if (!pkg) return null;
 			return pkg.rootRelativeDir.split(path.sep).join(path.posix.sep);
-		}).filter((key) => Boolean(key));
+		}).filter(Boolean);
 		const directDependencyNames = /* @__PURE__ */ new Set();
 		const targetEntry = lockfile.workspaces[targetWorkspaceKey];
 		if (targetEntry) for (const name of collectDependencyNames(targetEntry, includeDevDependencies)) directDependencyNames.add(name);
@@ -1588,8 +1919,8 @@ function collectInstalledNamesFromBunLockfile({ workspaceRootDir, targetPackageD
 			for (const name of collectDependencyNames(entry, false)) directDependencyNames.add(name);
 		}
 		return collectRequiredPackages(directDependencyNames, lockfile.packages);
-	} catch (err) {
-		log.debug(`Failed to walk bun.lock for installed names: ${err instanceof Error ? err.message : String(err)}`);
+	} catch (error) {
+		log.debug(`Failed to walk bun.lock for installed names: ${error instanceof Error ? error.message : String(error)}`);
 		return /* @__PURE__ */ new Set();
 	}
 }
@@ -1626,7 +1957,7 @@ async function collectInstalledNamesFromPnpmLockfile({ workspaceRootDir, targetP
 		* normalized id used as the importers map key.
 		*/
 		const targetImporterId = toLockfileImporterKey(useVersion9 ? getLockfileImporterId$1(workspaceRootDir, targetPackageDir) : getLockfileImporterId(workspaceRootDir, targetPackageDir), isRush);
-		const importerIds = [targetImporterId, ...internalDepPackageNames.map((name) => packagesRegistry[name]?.rootRelativeDir).filter((dir) => Boolean(dir)).map((dir) => toLockfileImporterKey(dir, isRush))];
+		const importerIds = [targetImporterId, ...internalDepPackageNames.map((name) => packagesRegistry[name]?.rootRelativeDir).filter(Boolean).map((dir) => toLockfileImporterKey(dir, isRush))];
 		const packages = lockfile.packages;
 		if (!packages) {
 			log.debug("Lockfile has no packages section to walk");
@@ -1646,8 +1977,8 @@ async function collectInstalledNamesFromPnpmLockfile({ workspaceRootDir, targetP
 				includeDevDependencies: importerId === targetImporterId && includeDevDependencies
 			});
 		}
-		while (queue.length > 0) {
-			const depPath = queue.pop();
+		let depPath;
+		while ((depPath = queue.pop()) !== void 0) {
 			if (seen.has(depPath)) continue;
 			seen.add(depPath);
 			names.add(extractPackageName(depPath));
@@ -1664,8 +1995,8 @@ async function collectInstalledNamesFromPnpmLockfile({ workspaceRootDir, targetP
 			collectNames(pkg.peerDependencies, names);
 		}
 		return names;
-	} catch (err) {
-		log.debug(`Failed to walk pnpm lockfile for installed names: ${err instanceof Error ? err.message : String(err)}`);
+	} catch (error) {
+		log.debug(`Failed to walk pnpm lockfile for installed names: ${error instanceof Error ? error.message : String(error)}`);
 		return /* @__PURE__ */ new Set();
 	}
 }
@@ -1751,7 +2082,7 @@ function refToRelativeV8(reference, pkgName) {
 */
 function extractPackageName(depPath) {
 	const peerStart = indexOfPeersSuffix(depPath);
-	const trimmed = peerStart === -1 ? depPath : depPath.substring(0, peerStart);
+	const trimmed = peerStart === -1 ? depPath : depPath.slice(0, peerStart);
 	if (trimmed.startsWith("/")) {
 		/** v8 v5-style: `/<name>/<version>` */
 		const stripped = trimmed.slice(1);
@@ -1961,16 +2292,16 @@ function writeIsolatePnpmWorkspace({ workspaceRootDir, isolateDir, copiedPatches
 //#endregion
 //#region src/isolate.ts
 const __dirname = getDirname(import.meta.url);
-function createIsolator(config) {
-	const resolvedConfig = resolveConfig(config);
-	return async function isolate() {
+function createIsolator(initialConfig) {
+	const resolvedConfig = resolveConfig(initialConfig);
+	return async function runIsolate() {
 		const config = resolvedConfig;
 		setLogLevel(config.logLevel);
 		const log = useLogger();
 		const { version: libraryVersion } = await readTypedJson(path.join(path.join(__dirname, "..", "package.json")));
 		log.debug("Using isolate-package version", libraryVersion);
 		const { targetPackageDir, workspaceRootDir } = resolveWorkspacePaths(config);
-		const buildOutputDir = await getBuildOutputDir({
+		const buildOutputDir = getBuildOutputDir({
 			targetPackageDir,
 			buildDirName: config.buildDirName,
 			tsconfigPath: config.tsconfigPath
@@ -1980,11 +2311,14 @@ function createIsolator(config) {
 		log.debug("Isolate target package", getRootRelativeLogPath(targetPackageDir, workspaceRootDir));
 		const isolateDir = path.join(targetPackageDir, config.isolateDirName);
 		log.debug("Isolate output directory", getRootRelativeLogPath(isolateDir, workspaceRootDir));
-		if (fs.existsSync(isolateDir)) {
-			await fs.remove(isolateDir);
-			log.debug("Cleaned the existing isolate output directory");
-		}
-		await fs.ensureDir(isolateDir);
+		/**
+		* Place the trash sibling outside `targetPackageDir`, since that directory
+		* is later packed by `processBuildOutputFiles`. Keeping the trash next to
+		* the target package (still on the same filesystem) preserves the atomic
+		* rename without risking that the trash gets picked up by `npm pack` or
+		* races with that step.
+		*/
+		await resetIsolateDir(isolateDir, { trashParentDir: path.dirname(targetPackageDir) });
 		const tmpDir = path.join(isolateDir, "__tmp");
 		await fs.ensureDir(tmpDir);
 		const targetPackageManifest = await readTypedJson(path.join(targetPackageDir, "package.json"));
@@ -2089,7 +2423,7 @@ function createIsolator(config) {
 				const patchEntries = Object.fromEntries(Object.entries(copiedPatches).map(([spec, patchFile]) => [spec, patchFile.path]));
 				if (packageManager.name === "bun") manifest.patchedDependencies = patchEntries;
 				else {
-					if (!manifest.pnpm) manifest.pnpm = {};
+					manifest.pnpm ??= {};
 					manifest.pnpm.patchedDependencies = patchEntries;
 				}
 				log.debug(`Added ${Object.keys(copiedPatches).length} patches to isolated package.json`);
@@ -2156,6 +2490,6 @@ async function isolate(config) {
 	return createIsolator(config)();
 }
 //#endregion
-export { loadConfigFromFile as a, detectPackageManager as c, defineConfig as i, readTypedJson as l, listInternalPackages as n, resolveConfig as o, createPackagesRegistry as r, resolveWorkspacePaths as s, isolate as t, filterObjectUndefined as u };
+export { defineConfig as a, resolveWorkspacePaths as c, detectPackageManager as i, readTypedJson as l, listInternalPackages as n, loadConfigFromFile as o, createPackagesRegistry as r, resolveConfig as s, isolate as t, filterObjectUndefined as u };
-//# sourceMappingURL=isolate-DTwgcMAN.mjs.map
+//# sourceMappingURL=isolate-DI3eUTci.mjs.map