isolate-package 1.33.0 → 1.35.0

package/dist/{isolate-DyRD5Zd_.mjs → isolate-ts-Igq7C.mjs}

@@ -5,14 +5,15 @@ import path, { join } from "node:path";
 import { isEmpty, omit, pick, unique } from "remeda";
 import { exec, execFileSync, execSync } from "node:child_process";
 import { detectMonorepo } from "detect-monorepo";
-import { pathToFileURL } from "node:url";
+import { fileURLToPath, pathToFileURL } from "node:url";
 import { createConsola } from "consola";
-import { fileURLToPath } from "url";
 import { inspect } from "node:util";
-import fs$1 from "node:fs";
+import fs$1, { createReadStream } from "node:fs";
 import stripJsonComments from "strip-json-comments";
-import tar from "tar-fs";
-import { createGunzip } from "zlib";
+import { randomBytes } from "node:crypto";
+import { pipeline } from "node:stream/promises";
+import { createGunzip } from "node:zlib";
+import { extract } from "tar-fs";
 import yaml from "yaml";
 import Arborist from "@npmcli/arborist";
 import Config from "@npmcli/config";
@@ -21,7 +22,6 @@ import { getLockfileImporterId, readWantedLockfile, writeWantedLockfile } from "
 import { getLockfileImporterId as getLockfileImporterId$1, readWantedLockfile as readWantedLockfile$1, writeWantedLockfile as writeWantedLockfile$1 } from "pnpm_lockfile_file_v9";
 import { pruneLockfile } from "pnpm_prune_lockfile_v8";
 import { pruneLockfile as pruneLockfile$1 } from "pnpm_prune_lockfile_v9";
-import path$1 from "path";
 import { getTsconfig } from "get-tsconfig";
 import outdent$1 from "outdent";
 import { globSync } from "glob";
@@ -178,16 +178,16 @@ function readTypedJsonSync(filePath) {
 	try {
 		const rawContent = fs.readFileSync(filePath, "utf-8");
 		return JSON.parse(stripJsonComments(rawContent, { trailingCommas: true }));
-	} catch (err) {
-		throw new Error(`Failed to read JSON from ${filePath}: ${getErrorMessage(err)}`, { cause: err });
+	} catch (error) {
+		throw new Error(`Failed to read JSON from ${filePath}: ${getErrorMessage(error)}`, { cause: error });
 	}
 }
 async function readTypedJson(filePath) {
 	try {
 		const rawContent = await fs.readFile(filePath, "utf-8");
 		return JSON.parse(stripJsonComments(rawContent, { trailingCommas: true }));
-	} catch (err) {
-		throw new Error(`Failed to read JSON from ${filePath}: ${getErrorMessage(err)}`, { cause: err });
+	} catch (error) {
+		throw new Error(`Failed to read JSON from ${filePath}: ${getErrorMessage(error)}`, { cause: error });
 	}
 }
 //#endregion
@@ -199,162 +199,128 @@ function getIsolateRelativeLogPath(path, isolatePath) {
 	return join("(isolate)", path.replace(isolatePath, ""));
 }
 //#endregion
-//#region src/lib/utils/get-major-version.ts
-function getMajorVersion(version) {
-	return parseInt(version.split(".").at(0) ?? "0", 10);
-}
-//#endregion
-//#region src/lib/package-manager/names.ts
-const supportedPackageManagerNames = [
-	"pnpm",
-	"yarn",
-	"npm",
-	"bun"
-];
-function getLockfileFileName(name) {
-	switch (name) {
-		case "bun": return "bun.lock";
-		case "pnpm": return "pnpm-lock.yaml";
-		case "yarn": return "yarn.lock";
-		case "npm": return "package-lock.json";
-	}
-}
-//#endregion
-//#region src/lib/package-manager/helpers/infer-from-files.ts
-function inferFromFiles(workspaceRoot) {
-	for (const name of supportedPackageManagerNames) {
-		const lockfileName = getLockfileFileName(name);
-		if (fs.existsSync(path.join(workspaceRoot, lockfileName))) try {
-			const version = getVersion(name);
-			return {
-				name,
-				version,
-				majorVersion: getMajorVersion(version)
-			};
-		} catch (err) {
-			throw new Error(`Failed to find package manager version for ${name}: ${getErrorMessage(err)}`, { cause: err });
-		}
-	}
-	/** If no lockfile was found, it could be that there is an npm shrinkwrap file. */
-	if (fs.existsSync(path.join(workspaceRoot, "npm-shrinkwrap.json"))) {
-		const version = getVersion("npm");
-		return {
-			name: "npm",
-			version,
-			majorVersion: getMajorVersion(version)
-		};
-	}
-	throw new Error(`Failed to detect package manager`);
-}
-function getVersion(packageManagerName) {
-	return execSync(`${packageManagerName} --version`).toString().trim();
-}
-//#endregion
-//#region src/lib/package-manager/helpers/infer-from-manifest.ts
-function inferFromManifest(workspaceRoot) {
+//#region src/lib/utils/reset-isolate-dir.ts
+/**
+* Prefix used for trash directories created when resetting the isolate output
+* directory. The leading dot keeps it hidden in file explorers and `ls`
+* without `-a`, so users don't see a flash of two folders while the old
+* contents are being reaped in the background.
+*/
+const TRASH_PREFIX = ".";
+const TRASH_INFIX = ".trash-";
+/**
+* Reset the isolate output directory to a fresh empty directory, avoiding the
+* `ENOTEMPTY` race that occurs when another process (e.g. the Firebase
+* functions emulator, a file watcher) writes into the directory while it is
+* being recursively deleted.
+*
+* Strategy:
+*
+* 1. Sweep any leftover trash directories from previous runs that may have
+*    been killed mid-cleanup. Best-effort: ignore errors.
+* 2. If the isolate directory exists, atomically `rename` it to a hidden
+*    sibling on the same filesystem. The rename is atomic, so the moment it
+*    returns the original path is free for a fresh empty directory and
+*    nothing a concurrent writer does inside the old tree can affect the
+*    new one.
+* 3. Kick off the recursive delete of the trash directory in the background.
+*    We don't await it: it is the slowest part of an isolate run, and any
+*    failure (e.g. another process still holding files open) is harmless
+*    because the logical state is already correct. Stale trash dirs are
+*    reaped by the next run's sweep in step 1.
+* 4. Ensure the (now-vacant) isolate directory exists.
+*/
+async function resetIsolateDir(isolateDir, options = {}) {
 	const log = useLogger();
-	const { packageManager: packageManagerString } = readTypedJsonSync(path.join(workspaceRoot, "package.json"));
-	if (!packageManagerString) {
-		log.debug("No packageManager field found in root manifest");
-		return;
+	const trashParentDir = options.trashParentDir ?? path.dirname(isolateDir);
+	const trashGlobPrefix = `${TRASH_PREFIX}${buildTrashStem(trashParentDir, isolateDir)}${TRASH_INFIX}`;
+	/** Best-effort sweep of leftover trash from previously killed runs. */
+	await sweepStaleTrash(trashParentDir, trashGlobPrefix);
+	if (fs.existsSync(isolateDir)) {
+		const trashDir = path.join(trashParentDir, `${trashGlobPrefix}${process.pid}-${randomBytes(4).toString("hex")}`);
+		try {
+			await fs.ensureDir(trashParentDir);
+			await fs.rename(isolateDir, trashDir);
+			log.debug("Moved existing isolate output directory to trash for cleanup");
+			/**
+			* Fire-and-forget. A concurrent writer can cause `ENOTEMPTY` or
+			* `EBUSY` here, but the logical state is already correct: the real
+			* `isolateDir` is gone. Any debris left behind will be swept on the
+			* next run.
+			*/
+			fs.remove(trashDir).catch((error) => {
+				log.debug("Background cleanup of trashed isolate directory did not complete:", error instanceof Error ? error.message : String(error));
+			});
+		} catch (error) {
+			/**
+			* `rename` can fail with `EXDEV` if `trashParentDir` ends up on a
+			* different filesystem from `isolateDir`, or with `EPERM` on platforms
+			* that disallow renaming busy directories. Fall back to the original
+			* behaviour: a straight recursive delete. This preserves correctness
+			* at the cost of the race the rename was meant to avoid.
+			*/
+			log.debug("Could not rename existing isolate output directory, falling back to recursive delete:", error instanceof Error ? error.message : String(error));
+			await fs.remove(isolateDir);
+		}
 	}
-	const [name, version = "*"] = packageManagerString.split("@");
-	assert(supportedPackageManagerNames.includes(name), `Package manager "${name}" is not currently supported`);
-	const lockfileName = getLockfileFileName(name);
-	assert(fs.existsSync(path.join(workspaceRoot, lockfileName)), `Manifest declares ${name} to be the packageManager, but failed to find ${lockfileName} in workspace root`);
-	return {
-		name,
-		version,
-		majorVersion: getMajorVersion(version),
-		packageManagerString
-	};
-}
-//#endregion
-//#region src/lib/package-manager/index.ts
-let packageManager;
-function usePackageManager() {
-	if (!packageManager) throw Error("No package manager detected. Make sure to call detectPackageManager() before usePackageManager()");
-	return packageManager;
+	await fs.ensureDir(isolateDir);
 }
 /**
-* First we check if the package manager is declared in the manifest. If it is,
-* we get the name and version from there. Otherwise we'll search for the
-* different lockfiles and ask the OS to report the installed version.
+* Build a stable name stem for the trash directory. When `trashParentDir` is
+* the direct parent of `isolateDir` (the default), this is just the isolate
+* dir's basename. When it isn't (e.g. callers placing trash outside the
+* packed dir), include the relative path so multiple isolate dirs sharing
+* the same trash parent don't collide in the sweep filter.
 */
-function detectPackageManager(workspaceRootDir) {
-	if (isRushWorkspace(workspaceRootDir)) packageManager = inferFromFiles(path.join(workspaceRootDir, "common/config/rush"));
-	else
- /**
-	* Disable infer from manifest for now. I doubt it is useful after all but
-	* I'll keep the code as a reminder.
-	*/
-	packageManager = inferFromManifest(workspaceRootDir) ?? inferFromFiles(workspaceRootDir);
-	return packageManager;
+function buildTrashStem(trashParentDir, isolateDir) {
+	const relative = path.relative(trashParentDir, isolateDir);
+	if (!relative || relative.startsWith("..") || path.isAbsolute(relative)) return path.basename(isolateDir);
+	return relative.split(path.sep).filter(Boolean).join("-");
 }
-function shouldUsePnpmPack() {
-	const { name, majorVersion } = usePackageManager();
-	return name === "pnpm" && majorVersion >= 8;
-}
-//#endregion
-//#region src/lib/utils/pack.ts
-async function pack(srcDir, dstDir) {
-	const log = useLogger();
-	const execOptions = { maxBuffer: 10 * 1024 * 1024 };
-	const previousCwd = process.cwd();
-	process.chdir(srcDir);
-	/**
-	* PNPM pack seems to be a lot faster than NPM pack, so when PNPM is detected
-	* we use that instead.
-	*/
-	const stdout = shouldUsePnpmPack() ? await new Promise((resolve, reject) => {
-		exec(`pnpm pack --pack-destination "${dstDir}"`, execOptions, (err, stdout) => {
-			if (err) {
-				log.error(getErrorMessage(err));
-				return reject(err);
-			}
-			resolve(stdout);
-		});
-	}) : await new Promise((resolve, reject) => {
-		exec(`npm pack --pack-destination "${dstDir}"`, execOptions, (err, stdout) => {
-			if (err) return reject(err);
-			resolve(stdout);
+/**
+* Best-effort sweep of leftover trash directories matching this isolate dir's
+* stem. Failures are swallowed: stale trash is debris, not state, and a
+* subsequent run will get another chance to reap it.
+*/
+async function sweepStaleTrash(parentDir, trashGlobPrefix) {
+	let entries;
+	try {
+		entries = await fs.readdir(parentDir);
+	} catch {
+		/** Parent doesn't exist yet; nothing to sweep. */
+		return;
+	}
+	await Promise.all(entries.filter((entry) => entry.startsWith(trashGlobPrefix)).map(async (entry) => {
+		await fs.remove(path.join(parentDir, entry)).catch(() => {
+			/** Best-effort. */
 		});
-	});
-	const lastLine = stdout.trim().split("\n").at(-1);
-	assert(lastLine, `Failed to parse last line from stdout: ${stdout.trim()}`);
-	const fileName = path.basename(lastLine);
-	assert(fileName, `Failed to parse file name from: ${lastLine}`);
-	const filePath = path.join(dstDir, fileName);
-	if (!fs$1.existsSync(filePath)) log.error(`The response from pack could not be resolved to an existing file: ${filePath}`);
-	else log.debug(`Packed (temp)/${fileName}`);
-	process.chdir(previousCwd);
-	/**
-	* Return the path anyway even if it doesn't validate. A later stage will wait
-	* for the file to occur still. Not sure if this makes sense. Maybe we should
-	* stop at the validation error...
-	*/
-	return filePath;
+	}));
 }
 //#endregion
 //#region src/lib/utils/unpack.ts
+/**
+* Extract a gzipped tar archive into the given directory.
+*
+* Uses `stream/promises.pipeline` so that errors at any stage (file read,
+* gunzip, tar extract) propagate as a rejected promise rather than crashing
+* the process as unhandled stream errors.
+*/
 async function unpack(filePath, unpackDir) {
-	await new Promise((resolve, reject) => {
-		fs.createReadStream(filePath).pipe(createGunzip()).pipe(tar.extract(unpackDir)).on("finish", () => resolve()).on("error", (err) => reject(err));
-	});
+	await pipeline(createReadStream(filePath), createGunzip(), extract(unpackDir));
 }
 //#endregion
 //#region src/lib/utils/yaml.ts
+/** @todo Add some zod validation maybe */
 function readTypedYamlSync(filePath) {
 	try {
 		const rawContent = fs.readFileSync(filePath, "utf-8");
-		/** @todo Add some zod validation maybe */
 		return yaml.parse(rawContent);
-	} catch (err) {
-		throw new Error(`Failed to read YAML from ${filePath}: ${getErrorMessage(err)}`, { cause: err });
+	} catch (error) {
+		throw new Error(`Failed to read YAML from ${filePath}: ${getErrorMessage(error)}`, { cause: error });
 	}
 }
+/** @todo Add some zod validation maybe */
 function writeTypedYamlSync(filePath, content) {
-	/** @todo Add some zod validation maybe */
 	fs.writeFileSync(filePath, yaml.stringify(content), "utf-8");
 }
 //#endregion
@@ -486,30 +452,106 @@ function resolveConfig(initialConfig) {
 	return config;
 }
 //#endregion
-//#region src/lib/lockfile/helpers/generate-bun-lockfile.ts
+//#region src/lib/utils/get-major-version.ts
+function getMajorVersion(version) {
+	return parseInt(version.split(".").at(0) ?? "0", 10);
+}
+//#endregion
+//#region src/lib/package-manager/names.ts
+const supportedPackageManagerNames = [
+	"pnpm",
+	"yarn",
+	"npm",
+	"bun"
+];
+const lockfileFileNamesByPackageManager = {
+	bun: "bun.lock",
+	pnpm: "pnpm-lock.yaml",
+	yarn: "yarn.lock",
+	npm: "package-lock.json"
+};
+function getLockfileFileName(name) {
+	return lockfileFileNamesByPackageManager[name];
+}
+//#endregion
+//#region src/lib/package-manager/helpers/infer-from-files.ts
+function inferFromFiles(workspaceRoot) {
+	for (const name of supportedPackageManagerNames) {
+		const lockfileName = getLockfileFileName(name);
+		if (fs.existsSync(path.join(workspaceRoot, lockfileName))) try {
+			const version = getVersion(name);
+			return {
+				name,
+				version,
+				majorVersion: getMajorVersion(version)
+			};
+		} catch (error) {
+			throw new Error(`Failed to find package manager version for ${name}: ${getErrorMessage(error)}`, { cause: error });
+		}
+	}
+	/** If no lockfile was found, it could be that there is an npm shrinkwrap file. */
+	if (fs.existsSync(path.join(workspaceRoot, "npm-shrinkwrap.json"))) {
+		const version = getVersion("npm");
+		return {
+			name: "npm",
+			version,
+			majorVersion: getMajorVersion(version)
+		};
+	}
+	throw new Error(`Failed to detect package manager`);
+}
+function getVersion(packageManagerName) {
+	return execSync(`${packageManagerName} --version`).toString().trim();
+}
+//#endregion
+//#region src/lib/package-manager/helpers/infer-from-manifest.ts
+function inferFromManifest(workspaceRoot) {
+	const log = useLogger();
+	const { packageManager: packageManagerString } = readTypedJsonSync(path.join(workspaceRoot, "package.json"));
+	if (!packageManagerString) {
+		log.debug("No packageManager field found in root manifest");
+		return null;
+	}
+	const [name, version = "*"] = packageManagerString.split("@");
+	assert(supportedPackageManagerNames.includes(name), `Package manager "${name}" is not currently supported`);
+	const lockfileName = getLockfileFileName(name);
+	assert(fs.existsSync(path.join(workspaceRoot, lockfileName)), `Manifest declares ${name} to be the packageManager, but failed to find ${lockfileName} in workspace root`);
+	return {
+		name,
+		version,
+		majorVersion: getMajorVersion(version),
+		packageManagerString
+	};
+}
+//#endregion
+//#region src/lib/package-manager/index.ts
+let packageManager;
+function usePackageManager() {
+	if (!packageManager) throw new Error("No package manager detected. Make sure to call detectPackageManager() before usePackageManager()");
+	return packageManager;
+}
 /**
-* Serialize a value to JSON with trailing commas after every array element and
-* object property, matching Bun's native bun.lock output format.
+* First we check if the package manager is declared in the manifest. If it is,
+* we get the name and version from there. Otherwise we'll search for the
+* different lockfiles and ask the OS to report the installed version.
 */
-function serializeWithTrailingCommas(value, indent = 2) {
-	/**
-	* Add trailing commas after values that precede a closing bracket/brace.
-	* Apply repeatedly because consecutive closing brackets (e.g. ]\n}) need
-	* multiple passes — the first pass adds a comma after the inner value, and
-	* subsequent passes handle the outer brackets.
+function detectPackageManager(workspaceRootDir) {
+	if (isRushWorkspace(workspaceRootDir)) packageManager = inferFromFiles(path.join(workspaceRootDir, "common/config/rush"));
+	else
+ /**
+	* Disable infer from manifest for now. I doubt it is useful after all but
+	* I'll keep the code as a reminder.
 	*/
-	let result = JSON.stringify(value, null, indent);
-	let previous;
-	do {
-		previous = result;
-		result = result.replace(/(["\d\w\]}-])\n(\s*[\]}])/g, "$1,\n$2");
-	} while (result !== previous);
-	return result;
+	packageManager = inferFromManifest(workspaceRootDir) ?? inferFromFiles(workspaceRootDir);
+	return packageManager;
 }
-/**
-* Extract dependency names from a workspace entry, optionally including
-* devDependencies.
-*/
+function shouldUsePnpmPack() {
+	const { name, majorVersion } = usePackageManager();
+	return name === "pnpm" && majorVersion >= 8;
+}
+//#endregion
+//#region src/lib/lockfile/helpers/bun-lockfile.ts
+/** Extract dependency names from a workspace entry. */
 function collectDependencyNames(entry, includeDevDependencies) {
 	const names = /* @__PURE__ */ new Set();
 	for (const name of Object.keys(entry.dependencies ?? {})) names.add(name);
@@ -519,8 +561,8 @@ function collectDependencyNames(entry, includeDevDependencies) {
 	return [...names];
 }
 /**
-* Check whether a package entry represents a workspace package by examining its
-* identifier string (first element in the entry array).
+* Check whether a package entry represents a workspace package by examining
+* its identifier string (first element in the entry array).
 */
 function isWorkspacePackageEntry(entry) {
 	const ident = entry[0];
@@ -532,16 +574,16 @@ function isWorkspacePackageEntry(entry) {
 * - workspace packages: [ident, info] -> index 1
 * - git/github packages: [ident, info, checksum] -> index 1
 *
-* Detection: if the second element is a string (registry URL or checksum), the
-* info object is deeper. Workspace entries have only 2 elements.
+* Detection: if the second element is a string (registry URL or checksum),
+* the info object is deeper. Workspace entries have only 2 elements.
 */
 function getPackageInfoObject(entry) {
 	if (entry.length <= 1) return void 0;
 	/** Workspace entries: [ident, info] */
 	if (isWorkspacePackageEntry(entry)) return typeof entry[1] === "object" ? entry[1] : void 0;
 	/**
-	* npm entries with registry URL: [ident, registryUrl, info, checksum].
-	* The second element is a string (the registry URL).
+	* npm entries with registry URL: [ident, registryUrl, info, checksum]. The
+	* second element is a string (the registry URL).
 	*/
 	if (typeof entry[1] === "string") return typeof entry[2] === "object" ? entry[2] : void 0;
 	/** git/tarball entries: [ident, info, checksum] */
@@ -549,14 +591,14 @@ function getPackageInfoObject(entry) {
 }
 /**
 * Recursively collect all package keys that are required, starting from a set
-* of direct dependency names and walking through their transitive dependencies
-* in the packages section.
+* of direct dependency names and walking through their transitive
+* dependencies in the packages section.
 */
 function collectRequiredPackages(directDependencyNames, packages) {
 	const required = /* @__PURE__ */ new Set();
 	const queue = [...directDependencyNames];
-	while (queue.length > 0) {
-		const name = queue.pop();
+	let name;
+	while ((name = queue.pop()) !== void 0) {
 		if (required.has(name)) continue;
 		const entry = packages[name];
 		if (!entry) continue;
@@ -568,15 +610,40 @@ function collectRequiredPackages(directDependencyNames, packages) {
 			"dependencies",
 			"optionalDependencies",
 			"peerDependencies"
-		]) {
-			const deps = info[depField];
-			if (deps && typeof deps === "object") {
-				for (const depName of Object.keys(deps)) if (!required.has(depName)) queue.push(depName);
-			}
-		}
+		]) enqueueDeps(info[depField], required, queue);
 	}
 	return required;
 }
+/**
+* Push any names from a dependency map onto the BFS queue, skipping anything
+* already marked required so we don't revisit it. `deps` is typed as `unknown`
+* because it comes from a freshly-parsed lockfile entry with no schema.
+*/
+function enqueueDeps(deps, required, queue) {
+	if (!deps || typeof deps !== "object") return;
+	for (const depName of Object.keys(deps)) if (!required.has(depName)) queue.push(depName);
+}
+//#endregion
+//#region src/lib/lockfile/helpers/generate-bun-lockfile.ts
+/**
+* Serialize a value to JSON with trailing commas after every array element and
+* object property, matching Bun's native bun.lock output format.
+*/
+function serializeWithTrailingCommas(value, indent = 2) {
+	/**
+	* Add trailing commas after values that precede a closing bracket/brace.
+	* Apply repeatedly because consecutive closing brackets (e.g. ]\n}) need
+	* multiple passes — the first pass adds a comma after the inner value, and
+	* subsequent passes handle the outer brackets.
+	*/
+	let result = JSON.stringify(value, null, indent);
+	let previous;
+	do {
+		previous = result;
+		result = result.replace(/(["\d\w\]}-])\n(\s*[\]}])/g, "$1,\n$2");
+	} while (result !== previous);
+	return result;
+}
 async function generateBunLockfile({ workspaceRootDir, targetPackageDir, isolateDir, internalDepPackageNames, packagesRegistry, includeDevDependencies }) {
 	const log = useLogger();
 	log.debug("Generating Bun lockfile...");
@@ -660,9 +727,9 @@ async function generateBunLockfile({ workspaceRootDir, targetPackageDir, isolate
 		/** Append trailing newline to match Bun's native output format */
 		await fs.writeFile(outputPath, serializeWithTrailingCommas(outputLockfile) + "\n");
 		log.debug("Created lockfile at", outputPath);
-	} catch (err) {
-		log.error(`Failed to generate lockfile: ${getErrorMessage(err)}`);
-		throw err;
+	} catch (error) {
+		log.error(`Failed to generate lockfile: ${getErrorMessage(error)}`);
+		throw error;
 	}
 }
 //#endregion
@@ -710,9 +777,9 @@ async function generateNpmLockfile({ workspaceRootDir, isolateDir, targetPackage
 			});
 		}
 		log.debug("Created lockfile at", path.join(isolateDir, "package-lock.json"));
-	} catch (err) {
-		log.error(`Failed to generate lockfile: ${getErrorMessage(err)}`);
-		throw err;
+	} catch (error) {
+		log.error(`Failed to generate lockfile: ${getErrorMessage(error)}`);
+		throw error;
 	}
 }
 async function generateFromRootLockfile({ workspaceRootDir, isolateDir, targetPackageName, targetPackageManifest, packagesRegistry, internalDepPackageNames }) {
@@ -728,7 +795,7 @@ async function generateFromRootLockfile({ workspaceRootDir, isolateDir, targetPa
 	const rootTree = await arborist.loadVirtual();
 	const targetImporterNode = arborist.workspaceNodes(rootTree, [targetPackageName])[0];
 	if (!targetImporterNode) throw new Error(`Target workspace "${targetPackageName}" not found in root package-lock.json`);
-	if (typeof targetImporterNode.location !== "string") throw new Error(`Target workspace "${targetPackageName}" resolved to a node without a location`);
+	if (typeof targetImporterNode.location !== "string") throw new TypeError(`Target workspace "${targetPackageName}" resolved to a node without a location`);
 	/**
 	* `workspaceDependencySet` walks `edgesOut` from each seed node. It does
 	* not add the seed node itself to the result, so ensure the target
@@ -767,6 +834,12 @@ async function generateFromRootLockfile({ workspaceRootDir, isolateDir, targetPa
 		srcData,
 		reachable,
 		targetImporterLoc: targetImporterNode.location,
+		/**
+		* npm's lockfile exposes each workspace as a Link at
+		* `node_modules/<name>`. This link is pointless in the isolate (the
+		* target becomes the root), so filter it out if it shows up in the
+		* reachable set.
+		*/
 		targetLinkLoc: `node_modules/${targetPackageName}`,
 		targetPackageManifest
 	});
@@ -796,10 +869,16 @@ function buildIsolatedLockfileJson({ srcData, reachable, targetImporterLoc, targ
 	const srcPackages = srcData.packages;
 	if (!srcPackages[targetImporterLoc]) throw new Error(`Source lockfile has no entry for target importer "${targetImporterLoc}"`);
 	const targetNestedNodeModulesPrefix = `${targetImporterLoc}/node_modules/`;
-	/** Track the source location each output entry came from, so we can
-	* produce a clear error if two source paths remap to the same target.
-	*/
+	const remapToOutputLoc = (origLoc) => {
+		if (origLoc === targetImporterLoc) return "";
+		if (origLoc.startsWith(targetNestedNodeModulesPrefix)) return origLoc.slice(targetImporterLoc.length + 1);
+		return origLoc;
+	};
+	const isTargetNested = (origLoc) => origLoc === targetImporterLoc || origLoc.startsWith(targetNestedNodeModulesPrefix);
+	/** Track the source location each output entry came from, used to identify
+	* the displaced entry when a collision occurs. */
 	const origLocByNewLoc = /* @__PURE__ */ new Map();
+	const collisions = [];
 	for (const node of reachable) {
 		const origLoc = node.location;
 		/** The target's self-link has no place in the isolate (root IS the target). */
@@ -815,20 +894,79 @@ function buildIsolatedLockfileJson({ srcData, reachable, targetImporterLoc, targ
 		* `packages/app/lib/core`) are preserved verbatim because their disk
 		* location in the isolate is unchanged.
 		*/
-		let newLoc;
-		if (origLoc === targetImporterLoc) newLoc = "";
-		else if (origLoc.startsWith(targetNestedNodeModulesPrefix)) newLoc = origLoc.slice(targetImporterLoc.length + 1);
-		else newLoc = origLoc;
+		const newLoc = remapToOutputLoc(origLoc);
 		const srcEntry = srcPackages[origLoc];
 		if (!srcEntry) throw new Error(`Reachable node "${origLoc}" has no entry in source lockfile packages`);
 		const existing = outPackages[newLoc];
 		if (existing && !entriesAreEquivalent(existing, srcEntry)) {
 			const previousOrigLoc = origLocByNewLoc.get(newLoc) ?? "<unknown>";
-			throw new Error(`Path collision at "${newLoc}": source locations "${previousOrigLoc}" and "${origLoc}" both map there with conflicting entries. This happens when the target pins a nested version override that collides with a hoisted version still needed by another reachable dependency. Please report a reproduction at https://github.com/0x80/isolate-package/issues.`);
+			const incomingIsTargetNested = isTargetNested(origLoc);
+			const previousIsTargetNested = isTargetNested(previousOrigLoc);
+			if (incomingIsTargetNested && !previousIsTargetNested) {
+				/** The target-nested entry wins. The previously-stored hoisted entry
+				* is displaced and must be re-nested under its consumers. */
+				collisions.push({
+					loserOrigLoc: previousOrigLoc,
+					loserEntry: existing
+				});
+				outPackages[newLoc] = { ...srcEntry };
+				origLocByNewLoc.set(newLoc, origLoc);
+				continue;
+			}
+			if (!incomingIsTargetNested && previousIsTargetNested) {
+				/** The previously-stored target-nested entry wins; the incoming
+				* hoisted entry is the loser. */
+				collisions.push({
+					loserOrigLoc: origLoc,
+					loserEntry: { ...srcEntry }
+				});
+				continue;
+			}
+			/** Neither side is the target's nested version, or both are — we have
+			* no rule to pick a winner. Bail loudly. */
+			throw new Error(`Path collision at "${newLoc}": source locations "${previousOrigLoc}" and "${origLoc}" both map there with conflicting entries and no rule applies to pick a winner (neither is a target-nested override, or both are). Please report a reproduction at https://github.com/0x80/isolate-package/issues.`);
 		}
 		outPackages[newLoc] = { ...srcEntry };
 		origLocByNewLoc.set(newLoc, origLoc);
 	}
+	/** Re-nest each displaced entry under the reachable consumers that
+	* originally resolved to it via node_modules walk-up. */
+	for (const collision of collisions) {
+		const loserName = extractPackageNameFromLockfileLoc(collision.loserOrigLoc);
+		if (!loserName) continue;
+		for (const consumer of reachable) {
+			const consumerSrcLoc = consumer.location;
+			if (consumerSrcLoc === collision.loserOrigLoc) continue;
+			if (consumerSrcLoc === targetLinkLoc) continue;
+			const consumerEntry = srcPackages[consumerSrcLoc];
+			if (!consumerEntry) continue;
+			/** Workspace links carry dependency metadata on the importer entry,
+			* not the link entry itself. Skip the link side. */
+			if (consumerEntry.link) continue;
+			if (!entryDependsOn(consumerEntry, loserName)) continue;
+			if (resolveDepInSrcLockfile(consumerSrcLoc, loserName, srcPackages) !== collision.loserOrigLoc) continue;
+			const consumerNewLoc = remapToOutputLoc(consumerSrcLoc);
+			/** Consumer maps to the isolate root (the target itself). The root
+			* slot is already taken by the winning version. The target's own
+			* dependencies use that version — we cannot serve a different one
+			* here without nesting under the target, which would be its own
+			* collision. Accept the resolution shift. */
+			if (consumerNewLoc === "") continue;
+			/** If the consumer was itself displaced by another collision (its
+			* src-side entry doesn't match the entry we actually placed at its
+			* new location), the consumer isn't really present in the isolate.
+			* Its original dep needs are irrelevant here. */
+			const consumerOutEntry = outPackages[consumerNewLoc];
+			if (!consumerOutEntry || !entriesAreEquivalent(consumerOutEntry, consumerEntry)) continue;
+			const nestedLoc = `${consumerNewLoc}/node_modules/${loserName}`;
+			const existingNested = outPackages[nestedLoc];
+			if (existingNested) {
+				if (entriesAreEquivalent(existingNested, collision.loserEntry)) continue;
+				throw new Error(`Cannot re-nest displaced "${loserName}" under "${consumerNewLoc}": the slot "${nestedLoc}" already contains a different entry. Please report a reproduction at https://github.com/0x80/isolate-package/issues.`);
+			}
+			outPackages[nestedLoc] = { ...collision.loserEntry };
+		}
+	}
 	/**
 	* If the target importer didn't make it into the reachable set for any
 	* reason (upstream Arborist bug, programmer error), bail loudly rather
@@ -836,8 +974,10 @@ function buildIsolatedLockfileJson({ srcData, reachable, targetImporterLoc, targ
 	*/
 	if (!outPackages[""]) throw new Error(`Target importer "${targetImporterLoc}" was not present in the reachable node set; cannot construct isolate root entry`);
 	/** Overlay the isolate root with the adapted target manifest. */
-	const rootEntry = { ...outPackages[""] };
-	rootEntry.name = targetPackageManifest.name;
+	const rootEntry = {
+		...outPackages[""],
+		name: targetPackageManifest.name
+	};
 	if (targetPackageManifest.version) rootEntry.version = targetPackageManifest.version;
 	overlayManifestDeps(rootEntry, targetPackageManifest);
 	/** The isolate is no longer a workspace root. */
@@ -875,6 +1015,55 @@ function buildIsolatedLockfileJson({ srcData, reachable, targetImporterLoc, targ
 function entriesAreEquivalent(a, b) {
 	return a.version === b.version && a.resolved === b.resolved && a.integrity === b.integrity && !!a.link === !!b.link;
 }
+/**
+* Extracts the package name from a lockfile install location. Handles scoped
+* packages, where the name is two segments after the last `node_modules/`.
+*
+*   "node_modules/foo"                          -> "foo"
+*   "node_modules/@scope/foo"                   -> "@scope/foo"
+*   "node_modules/a/node_modules/b"             -> "b"
+*   "node_modules/a/node_modules/@scope/b"      -> "@scope/b"
+*
+* Returns null for locations that don't contain `node_modules/`.
+*/
+function extractPackageNameFromLockfileLoc(loc) {
+	const lastIdx = loc.lastIndexOf("node_modules/");
+	if (lastIdx < 0) return null;
+	const tail = loc.slice(lastIdx + 13);
+	if (tail.startsWith("@")) {
+		const slashIdx = tail.indexOf("/");
+		if (slashIdx < 0) return tail;
+		/** Stop at the second `/` so we don't include any further nesting. */
+		const secondSlash = tail.indexOf("/", slashIdx + 1);
+		return secondSlash < 0 ? tail : tail.slice(0, secondSlash);
+	}
+	const slashIdx = tail.indexOf("/");
+	return slashIdx < 0 ? tail : tail.slice(0, slashIdx);
+}
+/**
+* Returns true if the lockfile entry lists `depName` in any of its dependency
+* fields. Includes peer/optional/dev because any of them may have been the
+* reason for the dep being installed at runtime.
+*/
+function entryDependsOn(entry, depName) {
+	return entry.dependencies?.[depName] !== void 0 || entry.devDependencies?.[depName] !== void 0 || entry.peerDependencies?.[depName] !== void 0 || entry.optionalDependencies?.[depName] !== void 0;
+}
+/**
+* Resolves `depName` against `srcPackages` from the perspective of a consumer
+* at `consumerLoc`, mirroring Node.js `node_modules` walk-up. Returns the
+* lockfile key of the entry the consumer would load at runtime, or null when
+* no candidate exists.
+*/
+function resolveDepInSrcLockfile(consumerLoc, depName, srcPackages) {
+	let scope = consumerLoc;
+	while (true) {
+		const candidate = scope === "" ? `node_modules/${depName}` : `${scope}/node_modules/${depName}`;
+		if (srcPackages[candidate]) return candidate;
+		if (scope === "") return null;
+		const idx = scope.lastIndexOf("/node_modules/");
+		scope = idx < 0 ? "" : scope.slice(0, idx);
+	}
+}
 function overlayManifestDeps(entry, manifest) {
 	for (const field of [
 		"dependencies",
@@ -983,6 +1172,18 @@ async function generatePnpmLockfile({ workspaceRootDir, targetPackageDir, isolat
 		/** Add packageExtensionsChecksum back to the pruned lockfile if present */
 		if (lockfile.packageExtensionsChecksum) prunedLockfile.packageExtensionsChecksum = lockfile.packageExtensionsChecksum;
 		/**
+		* Pruning drops the catalogs snapshot, but the isolated importers keep
+		* their "catalog:" specifiers (for pnpm we don't resolve catalog deps in
+		* the manifest, since the output is itself a workspace). Restore it
+		* verbatim — like overrides above — so it stays in sync with the importer
+		* specifiers and the preserved pnpm-workspace.yaml catalog definitions,
+		* which are themselves copied verbatim (see issue #198). pnpm tolerates
+		* catalog entries that no retained importer references, so there is no need
+		* to narrow the snapshot.
+		*/
+		const catalogs = lockfile.catalogs;
+		if (catalogs) prunedLockfile.catalogs = catalogs;
+		/**
 		* Use pre-computed patched dependencies with transformed paths. The paths
 		* are already adapted by copyPatches to match the isolated directory
 		* structure, preserving the original folder structure (not flattened).
@@ -996,9 +1197,9 @@ async function generatePnpmLockfile({ workspaceRootDir, targetPackageDir, isolat
 			patchedDependencies
 		});
 		log.debug("Created lockfile at", path.join(isolateDir, "pnpm-lock.yaml"));
-	} catch (err) {
-		log.error(`Failed to generate lockfile: ${getErrorMessage(err)}`);
-		throw err;
+	} catch (error) {
+		log.error(`Failed to generate lockfile: ${getErrorMessage(error)}`);
+		throw error;
 	}
 }
 //#endregion
@@ -1024,9 +1225,9 @@ async function generateYarnLockfile({ workspaceRootDir, isolateDir }) {
 		log.debug(`Running local install`);
 		execSync(`yarn install --cwd ${isolateDir}`);
 		log.debug("Generated lockfile at", newLockfilePath);
-	} catch (err) {
-		log.error(`Failed to generate lockfile: ${getErrorMessage(err)}`);
-		throw err;
+	} catch (error) {
+		log.error(`Failed to generate lockfile: ${getErrorMessage(error)}`);
+		throw error;
 	}
 }
 //#endregion
@@ -1103,7 +1304,7 @@ async function processLockfile({ workspaceRootDir, packagesRegistry, isolateDir,
 //#endregion
 //#region src/lib/manifest/io.ts
 async function readManifest(packageDir) {
-	return readTypedJson(path.join(packageDir, "package.json"));
+	return await readTypedJson(path.join(packageDir, "package.json"));
 }
 async function writeManifest(outputDir, manifest) {
 	await fs.writeFile(path.join(outputDir, "package.json"), JSON.stringify(manifest, null, 2));
@@ -1139,30 +1340,83 @@ function adaptManifestInternalDeps({ manifest, packagesRegistry, parentRootRelat
 }
 //#endregion
 //#region src/lib/manifest/helpers/resolve-catalog-dependencies.ts
+const catalogSourceCache = /* @__PURE__ */ new Map();
+/**
+* Loads catalog definitions by checking pnpm-workspace.yaml first (pnpm
+* format), then falling back to the root package.json (Bun format).
+*
+* Pnpm defines catalogs in pnpm-workspace.yaml:
+*
+* ```yaml
+* catalog:
+*   react: ^18.3.1
+* catalogs:
+*   react18:
+*     react: ^18.3.1
+* ```
+*
+* Bun defines catalogs in package.json (at root level or under workspaces).
+*/
+async function loadCatalogSource(workspaceRootDir) {
+	const cached = catalogSourceCache.get(workspaceRootDir);
+	if (cached) return cached;
+	/**
+	* Drop the cache entry if loading fails so a subsequent call can retry
+	* instead of immediately rethrowing the same rejection.
+	*/
+	const cachedLoadPromise = (async () => {
+		const log = useLogger();
+		/** Try pnpm-workspace.yaml first. */
+		const workspaceYamlPath = path.join(workspaceRootDir, "pnpm-workspace.yaml");
+		if (await fs.pathExists(workspaceYamlPath)) try {
+			const rawContent = await fs.readFile(workspaceYamlPath, "utf-8");
+			const yamlConfig = yaml.parse(rawContent);
+			if (yamlConfig?.catalog || yamlConfig?.catalogs) return {
+				catalog: yamlConfig.catalog,
+				catalogs: yamlConfig.catalogs
+			};
+		} catch (error) {
+			log.warn(`Failed to parse ${workspaceYamlPath}: ${error instanceof Error ? error.message : String(error)}. Falling back to package.json for catalog definitions.`);
+		}
+		const rootManifest = await readTypedJson(path.join(workspaceRootDir, "package.json"));
+		return {
+			catalog: rootManifest.catalog ?? rootManifest.workspaces?.catalog,
+			catalogs: rootManifest.catalogs ?? rootManifest.workspaces?.catalogs
+		};
+	})().catch((error) => {
+		catalogSourceCache.delete(workspaceRootDir);
+		throw error;
+	});
+	catalogSourceCache.set(workspaceRootDir, cachedLoadPromise);
+	return cachedLoadPromise;
+}
 /**
 * Resolves catalog dependencies by replacing "catalog:" specifiers with their
-* actual versions from the root package.json catalog field.
+* actual versions.
 *
 * Supports both pnpm and Bun catalog formats:
 *
-* - Pnpm: catalog at root level
-* - Bun: catalog or catalogs at root level, or workspaces.catalog
+* - Pnpm: catalog/catalogs defined in pnpm-workspace.yaml
+* - Bun: catalog or catalogs at root level, or workspaces.catalog in
+*   package.json
 */
 async function resolveCatalogDependencies(dependencies, workspaceRootDir) {
 	if (!dependencies) return;
 	const log = useLogger();
-	const rootManifest = await readTypedJson(path.join(workspaceRootDir, "package.json"));
-	const flatCatalog = rootManifest.catalog || rootManifest.workspaces?.catalog;
-	const nestedCatalogs = rootManifest.catalogs || rootManifest.workspaces?.catalogs;
+	const { catalog: flatCatalog, catalogs: nestedCatalogs } = await loadCatalogSource(workspaceRootDir);
 	if (!flatCatalog && !nestedCatalogs) return dependencies;
 	const resolved = { ...dependencies };
 	for (const [packageName, specifier] of Object.entries(dependencies)) if (specifier === "catalog:" || specifier.startsWith("catalog:")) {
 		let catalogVersion;
-		if (specifier === "catalog:") catalogVersion = flatCatalog?.[packageName];
-		else {
-			const groupName = specifier.slice(8);
-			catalogVersion = nestedCatalogs?.[groupName]?.[packageName];
-		}
+		const groupName = specifier === "catalog:" ? "default" : specifier.slice(8);
+		if (groupName === "default")
+ /**
+		* Per pnpm semantics, `catalog:` and `catalog:default` are
+		* equivalent: the default catalog can live under the top-level
+		* `catalog` field or under `catalogs.default`, so check both.
+		*/
+		catalogVersion = flatCatalog?.[packageName] ?? nestedCatalogs?.default?.[packageName];
+		else catalogVersion = nestedCatalogs?.[groupName]?.[packageName];
 		if (catalogVersion) {
 			log.debug(`Resolving catalog dependency ${packageName}: "${specifier}" -> "${catalogVersion}"`);
 			resolved[packageName] = catalogVersion;
@@ -1179,6 +1433,14 @@ async function resolveCatalogDependencies(dependencies, workspaceRootDir) {
 */
 async function adaptInternalPackageManifests({ internalPackageNames, packagesRegistry, isolateDir, forceNpm, workspaceRootDir }) {
 	const packageManager = usePackageManager();
+	/**
+	* For PNPM (non-forceNpm) the isolated output is itself a pnpm workspace with
+	* its `pnpm-workspace.yaml` catalog definitions preserved, so "catalog:"
+	* specifiers are kept verbatim to stay in sync with the lockfile importers
+	* (see issue #198). For other package managers the catalog is not available
+	* in the output, so we resolve the specifiers to versions.
+	*/
+	const isPnpmWorkspaceOutput = packageManager.name === "pnpm" && !forceNpm;
 	await Promise.all(internalPackageNames.map(async (packageName) => {
 		const { manifest, rootRelativeDir } = got(packagesRegistry, packageName);
 		/** Dev dependencies are never included for internal deps */
@@ -1191,13 +1453,12 @@ async function adaptInternalPackageManifests({ internalPackageNames, packagesReg
 		* setup (e.g. Prisma client generation).
 		*/
 		if (strippedManifest.scripts) strippedManifest.scripts = omit(strippedManifest.scripts, ["prepare"]);
-		/** Resolve catalog dependencies before adapting internal deps */
-		const manifestWithResolvedCatalogs = {
+		const preparedManifest = isPnpmWorkspaceOutput ? strippedManifest : {
 			...strippedManifest,
 			dependencies: await resolveCatalogDependencies(strippedManifest.dependencies, workspaceRootDir)
 		};
-		const outputManifest = (packageManager.name === "pnpm" || packageManager.name === "bun") && !forceNpm ? manifestWithResolvedCatalogs : adaptManifestInternalDeps({
-			manifest: manifestWithResolvedCatalogs,
+		const outputManifest = (packageManager.name === "pnpm" || packageManager.name === "bun") && !forceNpm ? preparedManifest : adaptManifestInternalDeps({
+			manifest: preparedManifest,
 			packagesRegistry,
 			parentRootRelativeDir: rootRelativeDir
 		});
@@ -1213,7 +1474,7 @@ async function adaptInternalPackageManifests({ internalPackageNames, packagesReg
 */
 async function adoptPnpmFieldsFromRoot(targetPackageManifest, workspaceRootDir) {
 	if (isRushWorkspace(workspaceRootDir)) return targetPackageManifest;
-	const rootPackageManifest = await readTypedJson(path$1.join(workspaceRootDir, "package.json"));
+	const rootPackageManifest = await readTypedJson(path.join(workspaceRootDir, "package.json"));
 	if (usePackageManager().name === "bun") return adoptBunFieldsFromRoot(targetPackageManifest, rootPackageManifest);
 	return adoptPnpmFieldsOnly(targetPackageManifest, rootPackageManifest);
 }
@@ -1233,7 +1494,7 @@ function adoptBunFieldsFromRoot(targetPackageManifest, rootPackageManifest) {
 }
 /** Adopt pnpm-specific fields from the root manifest */
 function adoptPnpmFieldsOnly(targetPackageManifest, rootPackageManifest) {
-	const { overrides, onlyBuiltDependencies, ignoredBuiltDependencies } = rootPackageManifest.pnpm || {};
+	const { overrides, onlyBuiltDependencies, ignoredBuiltDependencies } = rootPackageManifest.pnpm ?? {};
 	/** If no pnpm fields are present, return the original manifest */
 	if (!overrides && !onlyBuiltDependencies && !ignoredBuiltDependencies) return targetPackageManifest;
 	const pnpmConfig = {};
@@ -1259,17 +1520,25 @@ async function adaptTargetPackageManifest({ manifest, packagesRegistry, workspac
 	const { includeDevDependencies, pickFromScripts, omitFromScripts, omitPackageManager, forceNpm } = config;
 	/** Dev dependencies are omitted by default */
 	const inputManifest = includeDevDependencies ? manifest : omit(manifest, ["devDependencies"]);
-	/** Resolve catalog dependencies before adapting internal deps */
-	const manifestWithResolvedCatalogs = {
+	const preparedManifest = packageManager.name === "pnpm" && !forceNpm ? inputManifest : {
 		...inputManifest,
 		dependencies: await resolveCatalogDependencies(inputManifest.dependencies, workspaceRootDir)
 	};
 	return {
-		...(packageManager.name === "pnpm" || packageManager.name === "bun") && !forceNpm ? await adoptPnpmFieldsFromRoot(manifestWithResolvedCatalogs, workspaceRootDir) : adaptManifestInternalDeps({
-			manifest: manifestWithResolvedCatalogs,
+		...(packageManager.name === "pnpm" || packageManager.name === "bun") && !forceNpm ? await adoptPnpmFieldsFromRoot(preparedManifest, workspaceRootDir) : adaptManifestInternalDeps({
+			manifest: preparedManifest,
 			packagesRegistry
 		}),
+		/**
+		* Adopt the package manager definition from the root manifest if available.
+		* The option to omit is there because some platforms might not handle it
+		* properly (Cloud Run, April 24th 2024, does not handle pnpm v9)
+		*/
 		packageManager: omitPackageManager ? void 0 : packageManager.packageManagerString,
+		/**
+		* Scripts are removed by default if not explicitly picked or omitted via
+		* config.
+		*/
 		scripts: pickFromScripts ? pick(manifest.scripts ?? {}, pickFromScripts) : omitFromScripts ? omit(manifest.scripts ?? {}, omitFromScripts) : {}
 	};
 }
@@ -1300,8 +1569,8 @@ function validateManifestMandatoryFields(manifest, packagePath, requireFilesFiel
 	* packed
 	*/
 	if (requireFilesField && (!manifest.files || !Array.isArray(manifest.files) || manifest.files.length === 0)) missingFields.push("files");
-	if (missingFields.length > 0) {
-		const field = missingFields[0];
+	const [field] = missingFields;
+	if (field) {
 		const errorMessage = missingFields.length === 1 ? `Package at ${packagePath} is missing the "${field}" field in its package.json. See ${fieldDocUrls[field] ?? "https://isolate-package.codecompose.dev/getting-started#prerequisites"}` : `Package at ${packagePath} is missing mandatory fields in its package.json: ${missingFields.join(", ")}. See https://isolate-package.codecompose.dev/getting-started#prerequisites`;
 		log.error(errorMessage);
 		throw new Error(errorMessage);
@@ -1310,7 +1579,7 @@ function validateManifestMandatoryFields(manifest, packagePath, requireFilesFiel
 }
 //#endregion
 //#region src/lib/output/get-build-output-dir.ts
-async function getBuildOutputDir({ targetPackageDir, buildDirName, tsconfigPath }) {
+function getBuildOutputDir({ targetPackageDir, buildDirName, tsconfigPath }) {
 	const log = useLogger();
 	if (buildDirName) {
 		log.debug("Using buildDirName from config:", buildDirName);
@@ -1333,6 +1602,91 @@ async function getBuildOutputDir({ targetPackageDir, buildDirName, tsconfigPath
 	}
 }
 //#endregion
+//#region src/lib/utils/wait-for-complete-file.ts
+/**
+* Wait until the given file exists and its size has stopped changing across
+* two consecutive polls. Resolves once the file is considered fully written,
+* rejects with a timeout error otherwise.
+*
+* This is a cheap proxy for "the writer has finished flushing" without
+* inspecting file contents or relying on platform-specific signals. It is
+* intended for cases where an external process (e.g. `pnpm pack`) may report
+* completion before its output is fully visible on disk.
+*/
+async function waitForCompleteFile(filePath, { timeoutMs, pollMs }) {
+	const deadline = Date.now() + timeoutMs;
+	let lastSize = -1;
+	while (Date.now() < deadline) {
+		try {
+			const { size } = await fs$1.promises.stat(filePath);
+			if (size > 0 && size === lastSize) return;
+			lastSize = size;
+		} catch (error) {
+			if (error.code !== "ENOENT") throw error;
+		}
+		await new Promise((resolve) => {
+			setTimeout(resolve, pollMs);
+		});
+	}
+	throw new Error(`Timed out after ${timeoutMs}ms waiting for file to be written: ${filePath}`);
+}
+//#endregion
+//#region src/lib/utils/pack.ts
+/**
+* How long to wait for the packed tarball to appear and stop growing on disk
+* after `pnpm pack` / `npm pack` has exited.
+*/
+const PACK_FILE_READY_TIMEOUT_MS = 5e3;
+const PACK_FILE_READY_POLL_MS = 50;
+async function pack(srcDir, dstDir) {
+	const log = useLogger();
+	const execOptions = {
+		cwd: srcDir,
+		maxBuffer: 10 * 1024 * 1024
+	};
+	/**
+	* PNPM pack seems to be a lot faster than NPM pack, so when PNPM is detected
+	* we use that instead.
+	*/
+	const packStdout = shouldUsePnpmPack() ? await new Promise((resolve, reject) => {
+		exec(`pnpm pack --pack-destination "${dstDir}"`, execOptions, (err, stdout) => {
+			if (err) {
+				log.error(getErrorMessage(err));
+				reject(err);
+				return;
+			}
+			resolve(stdout);
+		});
+	}) : await new Promise((resolve, reject) => {
+		exec(`npm pack --pack-destination "${dstDir}"`, execOptions, (err, stdout) => {
+			if (err) {
+				reject(err);
+				return;
+			}
+			resolve(stdout);
+		});
+	});
+	const lastLine = packStdout.trim().split("\n").at(-1);
+	assert(lastLine, `Failed to parse last line from stdout: ${packStdout.trim()}`);
+	const fileName = path.basename(lastLine);
+	assert(fileName, `Failed to parse file name from: ${lastLine}`);
+	const filePath = path.join(dstDir, fileName);
+	/**
+	* `pnpm pack` (and occasionally `npm pack`) can return before the tarball is
+	* fully visible/flushed to disk. A naive `existsSync` check is not enough:
+	* the directory entry can appear before the file's data has been written,
+	* which causes downstream consumers (gunzip + tar) to fail with
+	* "unexpected end of file". Wait until the file exists and its size has
+	* stopped changing across two consecutive polls before returning.
+	*/
+	await waitForCompleteFile(filePath, {
+		timeoutMs: PACK_FILE_READY_TIMEOUT_MS,
+		pollMs: PACK_FILE_READY_POLL_MS
+	});
+	log.debug(`Packed (temp)/${fileName}`);
+	return filePath;
+}
+//#endregion
 //#region src/lib/output/pack-dependencies.ts
 /**
 * Pack dependencies so that we extract only the files that are supposed to be
@@ -1361,18 +1715,13 @@ async function packDependencies({ packagesRegistry, internalPackageNames, packDe
 }
 //#endregion
 //#region src/lib/output/process-build-output-files.ts
-const TIMEOUT_MS = 5e3;
 async function processBuildOutputFiles({ targetPackageDir, tmpDir, isolateDir }) {
-	const log = useLogger();
 	const packedFilePath = await pack(targetPackageDir, tmpDir);
 	const unpackDir = path.join(tmpDir, "target");
-	const now = Date.now();
-	let isWaitingYet = false;
-	while (!fs.existsSync(packedFilePath) && Date.now() - now < TIMEOUT_MS) {
-		if (!isWaitingYet) log.debug(`Waiting for ${packedFilePath} to become available...`);
-		isWaitingYet = true;
-		await new Promise((resolve) => setTimeout(resolve, 100));
-	}
+	/**
+	* `pack` already waits for the tarball to be fully written before returning,
+	* so it is safe to unpack immediately.
+	*/
 	await unpack(packedFilePath, unpackDir);
 	await fs.copy(path.join(unpackDir, "package"), isolateDir);
 }
@@ -1445,7 +1794,8 @@ function collectReachablePackageNames({ targetPackageManifest, packagesRegistry,
 */
 function findPackagesGlobs(workspaceRootDir) {
 	const log = useLogger();
-	switch (usePackageManager().name) {
+	const packageManager = usePackageManager();
+	switch (packageManager.name) {
 		case "pnpm": {
 			const workspaceConfig = readTypedYamlSync(path.join(workspaceRootDir, "pnpm-workspace.yaml"));
 			if (!workspaceConfig) throw new Error("pnpm-workspace.yaml file is empty. Please specify packages configuration.");
@@ -1461,17 +1811,16 @@ function findPackagesGlobs(workspaceRootDir) {
 			const { workspaces } = readTypedJsonSync(workspaceRootManifestPath);
 			if (!workspaces) throw new Error(`No workspaces field found in ${workspaceRootManifestPath}`);
 			if (Array.isArray(workspaces)) return workspaces;
-			else {
-				/**
-				* For Yarn, workspaces could be defined as an object with { packages:
-				* [], nohoist: [] }. See
-				* https://classic.yarnpkg.com/blog/2018/02/15/nohoist/
-				*/
-				const workspacesObject = workspaces;
-				assert(workspacesObject.packages, "workspaces.packages must be an array");
-				return workspacesObject.packages;
-			}
+			/**
+			* For Yarn, workspaces could be defined as an object with { packages: [],
+			* nohoist: [] }. See
+			* https://classic.yarnpkg.com/blog/2018/02/15/nohoist/
+			*/
+			const workspacesObject = workspaces;
+			assert(Array.isArray(workspacesObject.packages), "workspaces.packages must be an array");
+			return workspacesObject.packages;
 		}
+		default: throw new Error(`Unsupported package manager: ${packageManager.name}`);
 	}
 }
 //#endregion
@@ -1490,15 +1839,14 @@ async function createPackagesRegistry(workspaceRootDir, workspacePackagesOverrid
 		const manifestPath = path.join(absoluteDir, "package.json");
 		if (!fs.existsSync(manifestPath)) {
 			log.warn(`Ignoring directory ${rootRelativeDir} because it does not contain a package.json file`);
-			return;
-		} else {
-			log.debug(`Registering package ${rootRelativeDir}`);
-			return {
-				manifest: await readTypedJson(path.join(absoluteDir, "package.json")),
-				rootRelativeDir,
-				absoluteDir
-			};
+			return null;
 		}
+		log.debug(`Registering package ${rootRelativeDir}`);
+		return {
+			manifest: await readTypedJson(path.join(absoluteDir, "package.json")),
+			rootRelativeDir,
+			absoluteDir
+		};
 	}))).reduce((acc, info) => {
 		if (info) acc[info.manifest.name] = info;
 		return acc;
@@ -1553,10 +1901,252 @@ function listInternalPackages(manifest, packagesRegistry, { includeDevDependenci
 	return [...new Set(result)];
 }
 //#endregion
+//#region src/lib/patches/collect-installed-names-bun.ts
+/**
+* Walk the workspace bun.lock starting from the target package and its
+* internal workspace dependencies, returning the set of every package name
+* that will end up installed in the isolate (including deep
+* external-to-external transitives).
+*
+* Used by `copyPatches` to preserve patches for transitive deps that aren't
+* directly listed on any internal manifest. Returns an empty set on any
+* failure so the caller falls back to manifest-based reachability.
+*/
+function collectInstalledNamesFromBunLockfile({ workspaceRootDir, targetPackageDir, internalDepPackageNames, packagesRegistry, includeDevDependencies }) {
+	const log = useLogger();
+	try {
+		const lockfilePath = path.join(workspaceRootDir, "bun.lock");
+		if (!fs.existsSync(lockfilePath)) {
+			log.debug("No bun.lock available for installed-names walk");
+			return /* @__PURE__ */ new Set();
+		}
+		const lockfile = readTypedJsonSync(lockfilePath);
+		const targetWorkspaceKey = path.relative(workspaceRootDir, targetPackageDir).split(path.sep).join(path.posix.sep);
+		const internalWorkspaceKeys = internalDepPackageNames.map((name) => {
+			const pkg = packagesRegistry[name];
+			if (!pkg) return null;
+			return pkg.rootRelativeDir.split(path.sep).join(path.posix.sep);
+		}).filter(Boolean);
+		const directDependencyNames = /* @__PURE__ */ new Set();
+		const targetEntry = lockfile.workspaces[targetWorkspaceKey];
+		if (targetEntry) for (const name of collectDependencyNames(targetEntry, includeDevDependencies)) directDependencyNames.add(name);
+		for (const workspaceKey of internalWorkspaceKeys) {
+			const entry = lockfile.workspaces[workspaceKey];
+			if (!entry) continue;
+			/** Internal workspace deps never bring in their devDependencies */
+			for (const name of collectDependencyNames(entry, false)) directDependencyNames.add(name);
+		}
+		return collectRequiredPackages(directDependencyNames, lockfile.packages);
+	} catch (error) {
+		log.debug(`Failed to walk bun.lock for installed names: ${error instanceof Error ? error.message : String(error)}`);
+		return /* @__PURE__ */ new Set();
+	}
+}
+//#endregion
+//#region src/lib/patches/collect-installed-names-pnpm.ts
+/**
+* Walk the workspace pnpm lockfile starting from the target package and its
+* internal workspace dependencies, returning the set of every package name
+* that will end up installed in the isolate (including deep
+* external-to-external transitives).
+*
+* Used by `copyPatches` to preserve patches for transitive deps that aren't
+* directly listed on any internal manifest. Returns an empty set on any
+* failure so the caller falls back to manifest-based reachability. When the
+* lockfile is present but lacks a `packages` section, returns just the
+* direct importer dep names.
+*/
+async function collectInstalledNamesFromPnpmLockfile({ workspaceRootDir, targetPackageDir, internalDepPackageNames, packagesRegistry, majorVersion, includeDevDependencies }) {
+	const log = useLogger();
+	try {
+		const useVersion9 = majorVersion >= 9;
+		const isRush = isRushWorkspace(workspaceRootDir);
+		const lockfileDir = isRush ? path.join(workspaceRootDir, "common/config/rush") : workspaceRootDir;
+		const lockfile = useVersion9 ? await readWantedLockfile$1(lockfileDir, { ignoreIncompatible: false }) : await readWantedLockfile(lockfileDir, { ignoreIncompatible: false });
+		if (!lockfile) {
+			log.debug("No pnpm lockfile available for installed-names walk");
+			return /* @__PURE__ */ new Set();
+		}
+		/**
+		* Normalize separators to POSIX so Windows callers match the lockfile's
+		* importer keys (mirrors generate-pnpm-lockfile.ts). Applied once here so
+		* the `isTarget` equality check below compares apples-to-apples — without
+		* this, on Windows the raw id with backslashes wouldn't match the
+		* normalized id used as the importers map key.
+		*/
+		const targetImporterId = toLockfileImporterKey(useVersion9 ? getLockfileImporterId$1(workspaceRootDir, targetPackageDir) : getLockfileImporterId(workspaceRootDir, targetPackageDir), isRush);
+		const importerIds = [targetImporterId, ...internalDepPackageNames.map((name) => packagesRegistry[name]?.rootRelativeDir).filter(Boolean).map((dir) => toLockfileImporterKey(dir, isRush))];
+		const packages = lockfile.packages;
+		if (!packages) {
+			log.debug("Lockfile has no packages section to walk");
+			return collectImporterDirectNames(lockfile.importers, importerIds, targetImporterId, includeDevDependencies);
+		}
+		const names = /* @__PURE__ */ new Set();
+		const seen = /* @__PURE__ */ new Set();
+		const queue = [];
+		for (const importerId of importerIds) {
+			const importer = lockfile.importers[importerId];
+			if (!importer) continue;
+			enqueueImporterDeps({
+				importer,
+				names,
+				queue,
+				useVersion9,
+				includeDevDependencies: importerId === targetImporterId && includeDevDependencies
+			});
+		}
+		let depPath;
+		while ((depPath = queue.pop()) !== void 0) {
+			if (seen.has(depPath)) continue;
+			seen.add(depPath);
+			names.add(extractPackageName(depPath));
+			const pkg = packages[depPath];
+			if (!pkg) continue;
+			enqueueResolvedDeps(pkg.dependencies, names, queue, useVersion9, seen);
+			enqueueResolvedDeps(pkg.optionalDependencies, names, queue, useVersion9, seen);
+			/**
+			* Peer requirement values are name → semver-range, not resolved depPaths.
+			* Just record the names so a patch on a peer-only external transitive
+			* survives filtering (mirrors the bun walker and the sister manifest
+			* walker, which both include peerDependencies).
+			*/
+			collectNames(pkg.peerDependencies, names);
+		}
+		return names;
+	} catch (error) {
+		log.debug(`Failed to walk pnpm lockfile for installed names: ${error instanceof Error ? error.message : String(error)}`);
+		return /* @__PURE__ */ new Set();
+	}
+}
+/**
+* Convert a raw importer id (as returned by `getLockfileImporterId` or a
+* package's rootRelativeDir) to the form actually used as a key in
+* `lockfile.importers`: POSIX separators, with the Rush `../../` prefix when
+* the workspace lives under `common/config/rush`. Lockfile keys are always
+* POSIX regardless of the host OS, so backslashes are normalized
+* unconditionally rather than relying on `path.sep`.
+*/
+function toLockfileImporterKey(importerId, isRush) {
+	const posix = importerId.split(path.sep).join(path.posix.sep).replace(/\\/g, "/");
+	return isRush ? `../../${posix}` : posix;
+}
+function enqueueImporterDeps({ importer, names, queue, useVersion9, includeDevDependencies }) {
+	enqueueResolvedDeps(importer.dependencies, names, queue, useVersion9);
+	enqueueResolvedDeps(importer.optionalDependencies, names, queue, useVersion9);
+	if (includeDevDependencies) enqueueResolvedDeps(importer.devDependencies, names, queue, useVersion9);
+	/**
+	* Importer peerDependencies usually aren't a separate map in the lockfile
+	* (autoInstallPeers folds them into `dependencies`), but record names if
+	* they happen to be present.
+	*/
+	collectNames(importer.peerDependencies, names);
+}
+function enqueueResolvedDeps(deps, names, queue, useVersion9, seen) {
+	if (!deps) return;
+	for (const [alias, ref] of Object.entries(deps)) {
+		/**
+		* The alias is the name as listed in the parent's dependencies map. For
+		* non-aliased installs this is also the resolved package name. We add it
+		* to the set as a candidate name; visiting the actual depPath below
+		* refines this with the true installed name.
+		*/
+		names.add(alias);
+		const depPath = refToRelative(ref, alias, useVersion9);
+		if (depPath && !seen?.has(depPath)) queue.push(depPath);
+	}
+}
+function collectNames(deps, names) {
+	if (!deps) return;
+	for (const name of Object.keys(deps)) names.add(name);
+}
+/**
+* Mirrors `@pnpm/dependency-path`'s `refToRelative`. The depPath shape differs
+* between pnpm 8 (lockfile v6, normalized to v5 keys like `/foo/1.0.0`) and
+* pnpm 9 (lockfile v9 keys like `foo@1.0.0`). Returns the depPath used as a
+* key in `lockfile.packages`, or null if the ref points to a workspace link.
+*/
+function refToRelative(reference, pkgName, useVersion9) {
+	if (!reference) return null;
+	if (reference.startsWith("link:")) return null;
+	return useVersion9 ? refToRelativeV9(reference, pkgName) : refToRelativeV8(reference, pkgName);
+}
+function refToRelativeV9(reference, pkgName) {
+	if (reference.startsWith("@")) return reference;
+	const atIndex = reference.indexOf("@");
+	if (atIndex === -1) return `${pkgName}@${reference}`;
+	const colonIndex = reference.indexOf(":");
+	const bracketIndex = reference.indexOf("(");
+	if ((colonIndex === -1 || atIndex < colonIndex) && (bracketIndex === -1 || atIndex < bracketIndex)) return reference;
+	return `${pkgName}@${reference}`;
+}
+/**
+* v8 form: pnpm 8 (lockfile v6) is normalized on read to v5-style depPaths
+* with leading slash and `/` separator between name and version. Plain
+* version refs build that key; refs already containing a `/` (peer-suffixed
+* or pre-formed) are returned verbatim. Mirrors `@pnpm/dependency-path@2.x`.
+*/
+function refToRelativeV8(reference, pkgName) {
+	if (reference.startsWith("file:")) return reference;
+	const slashIndex = reference.indexOf("/");
+	const bracketIndex = reference.indexOf("(");
+	const noSlashBeforeBracket = bracketIndex !== -1 && reference.lastIndexOf("/", bracketIndex) === -1;
+	if (slashIndex === -1 || noSlashBeforeBracket) return `/${pkgName}/${reference}`;
+	return reference;
+}
+/**
+* Extract the bare package name from a pnpm depPath. Strips the optional
+* peer-resolution suffix (e.g. `(react@18.0.0)`) before parsing. Handles
+* both v9 (`@scope/foo@1.0.0`) and v8 (`/@scope/foo/1.0.0`) shapes.
+*/
+function extractPackageName(depPath) {
+	const peerStart = indexOfPeersSuffix(depPath);
+	const trimmed = peerStart === -1 ? depPath : depPath.slice(0, peerStart);
+	if (trimmed.startsWith("/")) {
+		/** v8 v5-style: `/<name>/<version>` */
+		const stripped = trimmed.slice(1);
+		if (stripped.startsWith("@")) {
+			const secondSlash = stripped.indexOf("/", stripped.indexOf("/") + 1);
+			return secondSlash === -1 ? stripped : stripped.slice(0, secondSlash);
+		}
+		const firstSlash = stripped.indexOf("/");
+		return firstSlash === -1 ? stripped : stripped.slice(0, firstSlash);
+	}
+	return getPackageName(trimmed);
+}
+/**
+* Mirrors `@pnpm/dependency-path`'s `indexOfPeersSuffix`. Returns the index
+* where the peer-resolution suffix starts, or -1 if there is none.
+*/
+function indexOfPeersSuffix(depPath) {
+	if (!depPath.endsWith(")")) return -1;
+	let open = 1;
+	for (let i = depPath.length - 2; i >= 0; i--) if (depPath[i] === "(") open--;
+	else if (depPath[i] === ")") open++;
+	else if (!open) return i + 1;
+	return -1;
+}
+/**
+* Fallback when the lockfile is missing `packages`: just return importer
+* direct dep names so we at least cover some of the graph.
+*/
+function collectImporterDirectNames(importers, importerIds, targetImporterId, includeDevDependencies) {
+	const names = /* @__PURE__ */ new Set();
+	for (const importerId of importerIds) {
+		const importer = importers[importerId];
+		if (!importer) continue;
+		const isTarget = importerId === targetImporterId;
+		for (const name of Object.keys(importer.dependencies ?? {})) names.add(name);
+		for (const name of Object.keys(importer.optionalDependencies ?? {})) names.add(name);
+		for (const name of Object.keys(importer.peerDependencies ?? {})) names.add(name);
+		if (isTarget && includeDevDependencies) for (const name of Object.keys(importer.devDependencies ?? {})) names.add(name);
+	}
+	return names;
+}
+//#endregion
 //#region src/lib/patches/copy-patches.ts
-async function copyPatches({ workspaceRootDir, targetPackageManifest, packagesRegistry, isolateDir, includeDevDependencies }) {
+async function copyPatches({ workspaceRootDir, targetPackageDir, targetPackageManifest, packagesRegistry, internalDepPackageNames, isolateDir, includeDevDependencies }) {
 	const log = useLogger();
-	const { name: packageManagerName } = usePackageManager();
+	const { name: packageManagerName, majorVersion } = usePackageManager();
 	let patchedDependencies;
 	/**
 	* Only try reading pnpm-workspace.yaml for pnpm workspaces. Bun workspaces
@@ -1594,6 +2184,28 @@ async function copyPatches({ workspaceRootDir, targetPackageManifest, packagesRe
 		packagesRegistry,
 		includeDevDependencies
 	});
+	/**
+	* Manifest-based reachability misses external→external transitives because
+	* external manifests aren't loaded here. Walk the package-manager's
+	* lockfile to also pick up those names, so a patch for a deeply-nested
+	* external dep (e.g. `@react-pdf/render` reached via `@react-pdf/renderer`)
+	* survives isolation.
+	*/
+	const lockfileInstalledNames = packageManagerName === "pnpm" ? await collectInstalledNamesFromPnpmLockfile({
+		workspaceRootDir,
+		targetPackageDir,
+		internalDepPackageNames,
+		packagesRegistry,
+		majorVersion,
+		includeDevDependencies
+	}) : packageManagerName === "bun" ? collectInstalledNamesFromBunLockfile({
+		workspaceRootDir,
+		targetPackageDir,
+		internalDepPackageNames,
+		packagesRegistry,
+		includeDevDependencies
+	}) : /* @__PURE__ */ new Set();
+	for (const name of lockfileInstalledNames) reachableDependencyNames.add(name);
 	const filteredPatches = filterPatchedDependencies({
 		patchedDependencies,
 		targetPackageManifest,
@@ -1698,16 +2310,16 @@ function writeIsolatePnpmWorkspace({ workspaceRootDir, isolateDir, copiedPatches
 //#endregion
 //#region src/isolate.ts
 const __dirname = getDirname(import.meta.url);
-function createIsolator(config) {
-	const resolvedConfig = resolveConfig(config);
-	return async function isolate() {
+function createIsolator(initialConfig) {
+	const resolvedConfig = resolveConfig(initialConfig);
+	return async function runIsolate() {
 		const config = resolvedConfig;
 		setLogLevel(config.logLevel);
 		const log = useLogger();
 		const { version: libraryVersion } = await readTypedJson(path.join(path.join(__dirname, "..", "package.json")));
 		log.debug("Using isolate-package version", libraryVersion);
 		const { targetPackageDir, workspaceRootDir } = resolveWorkspacePaths(config);
-		const buildOutputDir = await getBuildOutputDir({
+		const buildOutputDir = getBuildOutputDir({
 			targetPackageDir,
 			buildDirName: config.buildDirName,
 			tsconfigPath: config.tsconfigPath
@@ -1717,11 +2329,14 @@ function createIsolator(config) {
 		log.debug("Isolate target package", getRootRelativeLogPath(targetPackageDir, workspaceRootDir));
 		const isolateDir = path.join(targetPackageDir, config.isolateDirName);
 		log.debug("Isolate output directory", getRootRelativeLogPath(isolateDir, workspaceRootDir));
-		if (fs.existsSync(isolateDir)) {
-			await fs.remove(isolateDir);
-			log.debug("Cleaned the existing isolate output directory");
-		}
-		await fs.ensureDir(isolateDir);
+		/**
+		* Place the trash sibling outside `targetPackageDir`, since that directory
+		* is later packed by `processBuildOutputFiles`. Keeping the trash next to
+		* the target package (still on the same filesystem) preserves the atomic
+		* rename without risking that the trash gets picked up by `npm pack` or
+		* races with that step.
+		*/
+		await resetIsolateDir(isolateDir, { trashParentDir: path.dirname(targetPackageDir) });
 		const tmpDir = path.join(isolateDir, "__tmp");
 		await fs.ensureDir(tmpDir);
 		const targetPackageManifest = await readTypedJson(path.join(targetPackageDir, "package.json"));
@@ -1794,8 +2409,10 @@ function createIsolator(config) {
 		await writeManifest(isolateDir, outputManifest);
 		const copiedPatches = (packageManager.name === "pnpm" || packageManager.name === "bun") && !config.forceNpm ? await copyPatches({
 			workspaceRootDir,
+			targetPackageDir,
 			targetPackageManifest: outputManifest,
 			packagesRegistry,
+			internalDepPackageNames: internalPackageNames,
 			isolateDir,
 			includeDevDependencies: config.includeDevDependencies
 		}) : {};
@@ -1824,7 +2441,7 @@ function createIsolator(config) {
 				const patchEntries = Object.fromEntries(Object.entries(copiedPatches).map(([spec, patchFile]) => [spec, patchFile.path]));
 				if (packageManager.name === "bun") manifest.patchedDependencies = patchEntries;
 				else {
-					if (!manifest.pnpm) manifest.pnpm = {};
+					manifest.pnpm ??= {};
 					manifest.pnpm.patchedDependencies = patchEntries;
 				}
 				log.debug(`Added ${Object.keys(copiedPatches).length} patches to isolated package.json`);
@@ -1891,6 +2508,6 @@ async function isolate(config) {
 	return createIsolator(config)();
 }
 //#endregion
-export { loadConfigFromFile as a, detectPackageManager as c, defineConfig as i, readTypedJson as l, listInternalPackages as n, resolveConfig as o, createPackagesRegistry as r, resolveWorkspacePaths as s, isolate as t, filterObjectUndefined as u };
+export { defineConfig as a, resolveWorkspacePaths as c, detectPackageManager as i, readTypedJson as l, listInternalPackages as n, loadConfigFromFile as o, createPackagesRegistry as r, resolveConfig as s, isolate as t, filterObjectUndefined as u };
 
-//# sourceMappingURL=isolate-DyRD5Zd_.mjs.map
+//# sourceMappingURL=isolate-ts-Igq7C.mjs.map