isolate-package 1.33.0 → 1.35.0

package/src/lib/patches/collect-installed-names-pnpm.ts

@@ -0,0 +1,365 @@
+import path from "node:path";
+import {
+  getLockfileImporterId as getLockfileImporterId_v8,
+  readWantedLockfile as readWantedLockfile_v8,
+} from "pnpm_lockfile_file_v8";
+import {
+  getLockfileImporterId as getLockfileImporterId_v9,
+  readWantedLockfile as readWantedLockfile_v9,
+} from "pnpm_lockfile_file_v9";
+import { useLogger } from "#/lib/logger";
+import type { PackagesRegistry } from "#/lib/types";
+import { getPackageName, isRushWorkspace } from "#/lib/utils";
+
+/**
+ * Walk the workspace pnpm lockfile starting from the target package and its
+ * internal workspace dependencies, returning the set of every package name
+ * that will end up installed in the isolate (including deep
+ * external-to-external transitives).
+ *
+ * Used by `copyPatches` to preserve patches for transitive deps that aren't
+ * directly listed on any internal manifest. Returns an empty set on any
+ * failure so the caller falls back to manifest-based reachability. When the
+ * lockfile is present but lacks a `packages` section, returns just the
+ * direct importer dep names.
+ */
+export async function collectInstalledNamesFromPnpmLockfile({
+  workspaceRootDir,
+  targetPackageDir,
+  internalDepPackageNames,
+  packagesRegistry,
+  majorVersion,
+  includeDevDependencies,
+}: {
+  workspaceRootDir: string;
+  targetPackageDir: string;
+  internalDepPackageNames: string[];
+  packagesRegistry: PackagesRegistry;
+  majorVersion: number;
+  includeDevDependencies: boolean;
+}): Promise<Set<string>> {
+  const log = useLogger();
+
+  try {
+    const useVersion9 = majorVersion >= 9;
+    const isRush = isRushWorkspace(workspaceRootDir);
+    const lockfileDir = isRush
+      ? path.join(workspaceRootDir, "common/config/rush")
+      : workspaceRootDir;
+
+    const lockfile = useVersion9
+      ? await readWantedLockfile_v9(lockfileDir, { ignoreIncompatible: false })
+      : await readWantedLockfile_v8(lockfileDir, { ignoreIncompatible: false });
+
+    if (!lockfile) {
+      log.debug("No pnpm lockfile available for installed-names walk");
+      return new Set();
+    }
+
+    const rawTargetImporterId = useVersion9
+      ? getLockfileImporterId_v9(workspaceRootDir, targetPackageDir)
+      : getLockfileImporterId_v8(workspaceRootDir, targetPackageDir);
+
+    /**
+     * Normalize separators to POSIX so Windows callers match the lockfile's
+     * importer keys (mirrors generate-pnpm-lockfile.ts). Applied once here so
+     * the `isTarget` equality check below compares apples-to-apples — without
+     * this, on Windows the raw id with backslashes wouldn't match the
+     * normalized id used as the importers map key.
+     */
+    const targetImporterId = toLockfileImporterKey(rawTargetImporterId, isRush);
+
+    const importerIds = [
+      targetImporterId,
+      ...(
+        internalDepPackageNames
+          .map((name) => packagesRegistry[name]?.rootRelativeDir)
+          .filter(Boolean) as string[]
+      ).map((dir) => toLockfileImporterKey(dir, isRush)),
+    ];
+
+    const packages = (lockfile as { packages?: Record<string, PnpmPackage> })
+      .packages;
+
+    if (!packages) {
+      log.debug("Lockfile has no packages section to walk");
+      return collectImporterDirectNames(
+        lockfile.importers,
+        importerIds,
+        targetImporterId,
+        includeDevDependencies,
+      );
+    }
+
+    const names = new Set<string>();
+    const seen = new Set<string>();
+    const queue: string[] = [];
+
+    for (const importerId of importerIds) {
+      const importer = lockfile.importers[importerId];
+      if (!importer) continue;
+
+      const isTarget = importerId === targetImporterId;
+
+      enqueueImporterDeps({
+        importer,
+        names,
+        queue,
+        useVersion9,
+        includeDevDependencies: isTarget && includeDevDependencies,
+      });
+    }
+
+    let depPath: string | undefined;
+    while ((depPath = queue.pop()) !== undefined) {
+      if (seen.has(depPath)) continue;
+      seen.add(depPath);
+
+      names.add(extractPackageName(depPath));
+
+      const pkg = packages[depPath];
+      if (!pkg) continue;
+
+      enqueueResolvedDeps(pkg.dependencies, names, queue, useVersion9, seen);
+      enqueueResolvedDeps(
+        pkg.optionalDependencies,
+        names,
+        queue,
+        useVersion9,
+        seen,
+      );
+
+      /**
+       * Peer requirement values are name → semver-range, not resolved depPaths.
+       * Just record the names so a patch on a peer-only external transitive
+       * survives filtering (mirrors the bun walker and the sister manifest
+       * walker, which both include peerDependencies).
+       */
+      collectNames(pkg.peerDependencies, names);
+    }
+
+    return names;
+  } catch (error) {
+    log.debug(
+      `Failed to walk pnpm lockfile for installed names: ${error instanceof Error ? error.message : String(error)}`,
+    );
+    return new Set();
+  }
+}
+
+/**
+ * Convert a raw importer id (as returned by `getLockfileImporterId` or a
+ * package's rootRelativeDir) to the form actually used as a key in
+ * `lockfile.importers`: POSIX separators, with the Rush `../../` prefix when
+ * the workspace lives under `common/config/rush`. Lockfile keys are always
+ * POSIX regardless of the host OS, so backslashes are normalized
+ * unconditionally rather than relying on `path.sep`.
+ */
+function toLockfileImporterKey(importerId: string, isRush: boolean): string {
+  const posix = importerId
+    .split(path.sep)
+    .join(path.posix.sep)
+    .replace(/\\/g, "/");
+  return isRush ? `../../${posix}` : posix;
+}
+
+type ResolvedDeps = Record<string, string>;
+
+type PnpmImporter = {
+  dependencies?: ResolvedDeps;
+  optionalDependencies?: ResolvedDeps;
+  devDependencies?: ResolvedDeps;
+  peerDependencies?: ResolvedDeps;
+};
+
+type PnpmPackage = {
+  dependencies?: ResolvedDeps;
+  optionalDependencies?: ResolvedDeps;
+  peerDependencies?: ResolvedDeps;
+};
+
+function enqueueImporterDeps({
+  importer,
+  names,
+  queue,
+  useVersion9,
+  includeDevDependencies,
+}: {
+  importer: PnpmImporter;
+  names: Set<string>;
+  queue: string[];
+  useVersion9: boolean;
+  includeDevDependencies: boolean;
+}): void {
+  enqueueResolvedDeps(importer.dependencies, names, queue, useVersion9);
+  enqueueResolvedDeps(importer.optionalDependencies, names, queue, useVersion9);
+  if (includeDevDependencies) {
+    enqueueResolvedDeps(importer.devDependencies, names, queue, useVersion9);
+  }
+  /**
+   * Importer peerDependencies usually aren't a separate map in the lockfile
+   * (autoInstallPeers folds them into `dependencies`), but record names if
+   * they happen to be present.
+   */
+  collectNames(importer.peerDependencies, names);
+}
+
+function enqueueResolvedDeps(
+  deps: ResolvedDeps | undefined,
+  names: Set<string>,
+  queue: string[],
+  useVersion9: boolean,
+  seen?: Set<string>,
+): void {
+  if (!deps) return;
+
+  for (const [alias, ref] of Object.entries(deps)) {
+    /**
+     * The alias is the name as listed in the parent's dependencies map. For
+     * non-aliased installs this is also the resolved package name. We add it
+     * to the set as a candidate name; visiting the actual depPath below
+     * refines this with the true installed name.
+     */
+    names.add(alias);
+
+    const depPath = refToRelative(ref, alias, useVersion9);
+    if (depPath && !seen?.has(depPath)) {
+      queue.push(depPath);
+    }
+  }
+}
+
+function collectNames(
+  deps: ResolvedDeps | undefined,
+  names: Set<string>,
+): void {
+  if (!deps) return;
+  for (const name of Object.keys(deps)) {
+    names.add(name);
+  }
+}
+
+/**
+ * Mirrors `@pnpm/dependency-path`'s `refToRelative`. The depPath shape differs
+ * between pnpm 8 (lockfile v6, normalized to v5 keys like `/foo/1.0.0`) and
+ * pnpm 9 (lockfile v9 keys like `foo@1.0.0`). Returns the depPath used as a
+ * key in `lockfile.packages`, or null if the ref points to a workspace link.
+ */
+function refToRelative(
+  reference: string,
+  pkgName: string,
+  useVersion9: boolean,
+): string | null {
+  if (!reference) return null;
+  if (reference.startsWith("link:")) return null;
+  return useVersion9
+    ? refToRelativeV9(reference, pkgName)
+    : refToRelativeV8(reference, pkgName);
+}
+
+function refToRelativeV9(reference: string, pkgName: string): string | null {
+  if (reference.startsWith("@")) return reference;
+  const atIndex = reference.indexOf("@");
+  if (atIndex === -1) return `${pkgName}@${reference}`;
+  const colonIndex = reference.indexOf(":");
+  const bracketIndex = reference.indexOf("(");
+  if (
+    (colonIndex === -1 || atIndex < colonIndex) &&
+    (bracketIndex === -1 || atIndex < bracketIndex)
+  ) {
+    return reference;
+  }
+  return `${pkgName}@${reference}`;
+}
+
+/**
+ * v8 form: pnpm 8 (lockfile v6) is normalized on read to v5-style depPaths
+ * with leading slash and `/` separator between name and version. Plain
+ * version refs build that key; refs already containing a `/` (peer-suffixed
+ * or pre-formed) are returned verbatim. Mirrors `@pnpm/dependency-path@2.x`.
+ */
+function refToRelativeV8(reference: string, pkgName: string): string | null {
+  if (reference.startsWith("file:")) return reference;
+  const slashIndex = reference.indexOf("/");
+  const bracketIndex = reference.indexOf("(");
+  const noSlashBeforeBracket =
+    bracketIndex !== -1 && reference.lastIndexOf("/", bracketIndex) === -1;
+  if (slashIndex === -1 || noSlashBeforeBracket) {
+    return `/${pkgName}/${reference}`;
+  }
+  return reference;
+}
+
+/**
+ * Extract the bare package name from a pnpm depPath. Strips the optional
+ * peer-resolution suffix (e.g. `(react@18.0.0)`) before parsing. Handles
+ * both v9 (`@scope/foo@1.0.0`) and v8 (`/@scope/foo/1.0.0`) shapes.
+ */
+function extractPackageName(depPath: string): string {
+  const peerStart = indexOfPeersSuffix(depPath);
+  const trimmed = peerStart === -1 ? depPath : depPath.slice(0, peerStart);
+
+  if (trimmed.startsWith("/")) {
+    /** v8 v5-style: `/<name>/<version>` */
+    const stripped = trimmed.slice(1);
+    if (stripped.startsWith("@")) {
+      const secondSlash = stripped.indexOf("/", stripped.indexOf("/") + 1);
+      return secondSlash === -1 ? stripped : stripped.slice(0, secondSlash);
+    }
+    const firstSlash = stripped.indexOf("/");
+    return firstSlash === -1 ? stripped : stripped.slice(0, firstSlash);
+  }
+
+  return getPackageName(trimmed);
+}
+
+/**
+ * Mirrors `@pnpm/dependency-path`'s `indexOfPeersSuffix`. Returns the index
+ * where the peer-resolution suffix starts, or -1 if there is none.
+ */
+function indexOfPeersSuffix(depPath: string): number {
+  if (!depPath.endsWith(")")) return -1;
+  let open = 1;
+  for (let i = depPath.length - 2; i >= 0; i--) {
+    if (depPath[i] === "(") {
+      open--;
+    } else if (depPath[i] === ")") {
+      open++;
+    } else if (!open) {
+      return i + 1;
+    }
+  }
+  return -1;
+}
+
+/**
+ * Fallback when the lockfile is missing `packages`: just return importer
+ * direct dep names so we at least cover some of the graph.
+ */
+function collectImporterDirectNames(
+  importers: Record<string, PnpmImporter>,
+  importerIds: string[],
+  targetImporterId: string,
+  includeDevDependencies: boolean,
+): Set<string> {
+  const names = new Set<string>();
+  for (const importerId of importerIds) {
+    const importer = importers[importerId];
+    if (!importer) continue;
+    const isTarget = importerId === targetImporterId;
+    for (const name of Object.keys(importer.dependencies ?? {}))
+      names.add(name);
+    for (const name of Object.keys(importer.optionalDependencies ?? {})) {
+      names.add(name);
+    }
+    for (const name of Object.keys(importer.peerDependencies ?? {})) {
+      names.add(name);
+    }
+    if (isTarget && includeDevDependencies) {
+      for (const name of Object.keys(importer.devDependencies ?? {})) {
+        names.add(name);
+      }
+    }
+  }
+  return names;
+}

package/src/lib/patches/copy-patches.test.ts

@@ -1,5 +1,5 @@
 import { describe, it, expect, beforeEach, afterEach, vi } from "vitest";
-import type { PackageManifest, PnpmSettings } from "~/lib/types";
+import type { PackageManifest, PnpmSettings } from "#/lib/types";
 import { copyPatches } from "./copy-patches";
 
 /** Mock fs-extra */
@@ -12,33 +12,50 @@ vi.mock("fs-extra", () => ({
 }));
 
 /** Mock the utils */
-vi.mock("~/lib/utils", () => ({
+vi.mock("#/lib/utils", () => ({
   filterPatchedDependencies: vi.fn(),
   getIsolateRelativeLogPath: vi.fn((p: string) => p),
+  getPackageName: vi.fn((spec: string) => {
+    if (spec.startsWith("@")) {
+      const parts = spec.split("@");
+      return `@${parts[1] ?? ""}`;
+    }
+    return spec.split("@")[0] ?? "";
+  }),
   getRootRelativeLogPath: vi.fn((p: string) => p),
   isRushWorkspace: vi.fn(() => false),
   readTypedJson: vi.fn(),
+  readTypedJsonSync: vi.fn(),
   readTypedYamlSync: vi.fn(),
 }));
 
 /** Mock the package manager */
-vi.mock("~/lib/package-manager", () => ({
+vi.mock("#/lib/package-manager", () => ({
   usePackageManager: vi.fn(() => ({ name: "pnpm", majorVersion: 9 })),
 }));
 
 /** Mock the pnpm lockfile readers */
 vi.mock("pnpm_lockfile_file_v8", () => ({
   readWantedLockfile: vi.fn(() => Promise.resolve(null)),
+  getLockfileImporterId: vi.fn(
+    (root: string, dir: string) => dir.replace(`${root}/`, "") || ".",
+  ),
 }));
 
 vi.mock("pnpm_lockfile_file_v9", () => ({
   readWantedLockfile: vi.fn(() => Promise.resolve(null)),
+  getLockfileImporterId: vi.fn(
+    (root: string, dir: string) => dir.replace(`${root}/`, "") || ".",
+  ),
 }));
 
 const fs = vi.mocked((await import("fs-extra")).default);
 const { filterPatchedDependencies, readTypedJson, readTypedYamlSync } =
-  vi.mocked(await import("~/lib/utils"));
-const { usePackageManager } = vi.mocked(await import("~/lib/package-manager"));
+  vi.mocked(await import("#/lib/utils"));
+const { usePackageManager } = vi.mocked(await import("#/lib/package-manager"));
+const { readWantedLockfile: readWantedLockfile_v9 } = vi.mocked(
+  await import("pnpm_lockfile_file_v9"),
+);
 
 describe("copyPatches", () => {
   beforeEach(() => {
@@ -49,14 +66,6 @@ describe("copyPatches", () => {
     vi.restoreAllMocks();
   });
 
-  const mockJsonSettings = (settings: PnpmSettings | undefined) => {
-    readTypedJson.mockResolvedValue({
-      name: "root",
-      version: "1.0.0",
-      pnpm: settings,
-    });
-  };
-
   it("should return empty object when workspace root package.json cannot be read", async () => {
     readTypedYamlSync.mockImplementation(() => {
       throw new Error("File not found");
@@ -65,6 +74,8 @@ describe("copyPatches", () => {
 
     const result = await copyPatches({
       workspaceRootDir: "/workspace",
+      targetPackageDir: "/workspace/packages/test",
+      internalDepPackageNames: [],
       targetPackageManifest: { name: "test", version: "1.0.0" },
       isolateDir: "/workspace/isolate",
       packagesRegistry: {},
@@ -126,6 +137,8 @@ describe("copyPatches", () => {
 
       const result = await copyPatches({
         workspaceRootDir: "/workspace",
+        targetPackageDir: "/workspace/packages/test",
+        internalDepPackageNames: [],
         targetPackageManifest: { name: "test", version: "1.0.0" },
         isolateDir: "/workspace/isolate",
         packagesRegistry: {},
@@ -146,6 +159,8 @@ describe("copyPatches", () => {
 
       const result = await copyPatches({
         workspaceRootDir: "/workspace",
+        targetPackageDir: "/workspace/packages/test",
+        internalDepPackageNames: [],
         targetPackageManifest: { name: "test", version: "1.0.0" },
         isolateDir: "/workspace/isolate",
         packagesRegistry: {},
@@ -176,6 +191,8 @@ describe("copyPatches", () => {
 
       const result = await copyPatches({
         workspaceRootDir: "/workspace",
+        targetPackageDir: "/workspace/packages/test",
+        internalDepPackageNames: [],
         targetPackageManifest: targetManifest,
         isolateDir: "/workspace/isolate",
         packagesRegistry: {},
@@ -214,6 +231,8 @@ describe("copyPatches", () => {
 
       const result = await copyPatches({
         workspaceRootDir: "/workspace",
+        targetPackageDir: "/workspace/packages/test",
+        internalDepPackageNames: [],
         targetPackageManifest: targetManifest,
         isolateDir: "/workspace/isolate",
         packagesRegistry: {},
@@ -256,6 +275,8 @@ describe("copyPatches", () => {
 
       const result = await copyPatches({
         workspaceRootDir: "/workspace",
+        targetPackageDir: "/workspace/packages/test",
+        internalDepPackageNames: [],
         targetPackageManifest: targetManifest,
         isolateDir: "/workspace/isolate",
         packagesRegistry: {},
@@ -287,6 +308,8 @@ describe("copyPatches", () => {
 
       const result = await copyPatches({
         workspaceRootDir: "/workspace",
+        targetPackageDir: "/workspace/packages/test",
+        internalDepPackageNames: [],
         targetPackageManifest: targetManifest,
         isolateDir: "/workspace/isolate",
         packagesRegistry: {},
@@ -321,6 +344,8 @@ describe("copyPatches", () => {
 
       const result = await copyPatches({
         workspaceRootDir: "/workspace",
+        targetPackageDir: "/workspace/packages/test",
+        internalDepPackageNames: [],
         targetPackageManifest: targetManifest,
         isolateDir: "/workspace/isolate",
         packagesRegistry: {},
@@ -364,6 +389,8 @@ describe("copyPatches", () => {
 
       const result = await copyPatches({
         workspaceRootDir: "/workspace",
+        targetPackageDir: "/workspace/packages/test",
+        internalDepPackageNames: [],
         targetPackageManifest: targetManifest,
         isolateDir: "/workspace/isolate",
         packagesRegistry: {},
@@ -409,6 +436,8 @@ describe("copyPatches", () => {
 
       const result = await copyPatches({
         workspaceRootDir: "/workspace",
+        targetPackageDir: "/workspace/packages/test",
+        internalDepPackageNames: [],
         targetPackageManifest: targetManifest,
         isolateDir: "/workspace/isolate",
         packagesRegistry: {},
@@ -456,6 +485,8 @@ describe("copyPatches", () => {
 
     const result = await copyPatches({
       workspaceRootDir: "/workspace",
+      targetPackageDir: "/workspace/packages/test",
+      internalDepPackageNames: [],
       targetPackageManifest: targetManifest,
       isolateDir: "/workspace/isolate",
       packagesRegistry: {},
@@ -509,6 +540,8 @@ describe("copyPatches", () => {
 
     const result = await copyPatches({
       workspaceRootDir: "/workspace",
+      targetPackageDir: "/workspace/packages/test",
+      internalDepPackageNames: [],
       targetPackageManifest: consumerManifest,
       isolateDir: "/workspace/isolate",
       packagesRegistry: {
@@ -536,4 +569,88 @@ describe("copyPatches", () => {
     expect(reachable!.has("firebase-package")).toBe(true);
     expect(reachable!.has("tslib")).toBe(true);
   });
+
+  it("should pick up deep external-to-external transitives from the pnpm lockfile (regression: issue #167 follow-up)", async () => {
+    /**
+     * Target depends on `@react-pdf/renderer` (external). The patched
+     * `@react-pdf/render` is only a transitive of `@react-pdf/renderer`. The
+     * manifest walker can't see it because it can't open external manifests,
+     * so the lockfile walker has to surface it.
+     */
+    const targetManifest: PackageManifest = {
+      name: "consumer",
+      version: "1.0.0",
+      dependencies: { "@react-pdf/renderer": "^4.0.0" },
+    };
+
+    readTypedYamlSync.mockReturnValue({
+      patchedDependencies: {
+        "@react-pdf/render@4.3.0": "patches/@react-pdf__render@4.3.0.patch",
+      },
+    });
+    readTypedJson.mockResolvedValue({
+      name: "root",
+      version: "1.0.0",
+    } as PackageManifest);
+
+    filterPatchedDependencies.mockReturnValue({
+      "@react-pdf/render@4.3.0": "patches/@react-pdf__render@4.3.0.patch",
+    });
+
+    fs.existsSync.mockReturnValue(true);
+
+    usePackageManager.mockReturnValue({
+      name: "pnpm",
+      majorVersion: 9,
+      version: "9.0.0",
+      packageManagerString: "pnpm@9.0.0",
+    });
+
+    /**
+     * Fake v9 lockfile: target importer depends on @react-pdf/renderer, which
+     * has @react-pdf/render as its only resolved dep.
+     */
+    readWantedLockfile_v9.mockResolvedValue({
+      lockfileVersion: "9.0",
+      importers: {
+        "packages/consumer": {
+          specifiers: { "@react-pdf/renderer": "^4.0.0" },
+          dependencies: { "@react-pdf/renderer": "4.0.0" },
+        },
+      },
+      packages: {
+        "@react-pdf/renderer@4.0.0": {
+          resolution: { integrity: "sha512-x" },
+          dependencies: { "@react-pdf/render": "4.3.0" },
+        },
+        "@react-pdf/render@4.3.0": {
+          resolution: { integrity: "sha512-y" },
+        },
+      },
+    } as unknown as Awaited<ReturnType<typeof readWantedLockfile_v9>>);
+
+    const result = await copyPatches({
+      workspaceRootDir: "/workspace",
+      targetPackageDir: "/workspace/packages/consumer",
+      internalDepPackageNames: [],
+      targetPackageManifest: targetManifest,
+      isolateDir: "/workspace/isolate",
+      packagesRegistry: {},
+      includeDevDependencies: false,
+    });
+
+    expect(result).toEqual({
+      "@react-pdf/render@4.3.0": {
+        path: "patches/@react-pdf__render@4.3.0.patch",
+        hash: "",
+      },
+    });
+
+    const filterCall = filterPatchedDependencies.mock.calls[0]?.[0];
+    expect(filterCall).toBeDefined();
+    const reachable = filterCall!.reachableDependencyNames;
+    expect(reachable).toBeInstanceOf(Set);
+    expect(reachable!.has("@react-pdf/renderer")).toBe(true);
+    expect(reachable!.has("@react-pdf/render")).toBe(true);
+  });
 });