libnpmpack 9.1.7 → 10.0.0-pre.0.0
- package/lib/index.js +36 -0
- package/package.json +2 -2
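--- a/package/lib/index.js
+++ b/package/lib/index.js
@@ -14,6 +14,42 @@ async function pack (spec = 'file:.', opts = {}) {
 
 const manifest = await pacote.manifest(spec, { ...opts, Arborist, _isRoot: true })
 
+if (spec.type === 'directory') {
+const hasBundled = manifest.bundleDependencies?.length > 0
+const hasOverrides = manifest.overrides
+&& typeof manifest.overrides === 'object'
+&& Object.keys(manifest.overrides).length > 0
+if (hasBundled && hasOverrides) {
+// Only refuse when an override rule actually applies to a package that is bundled by the root.
+// Overrides targeting dev dependencies or any package outside the bundled tree are harmless to consumers, because consumers do not apply the publishing package's overrides.
+// We rely on Arborist's own semantics (inBundle/inDepBundle/overridden) rather than reimplementing what npm-packlist/arborist already knows.
+const arb = new Arborist({ path: spec.fetchSpec })
+const tree = await arb.loadActual()
+const offenders = new Set()
+for (const node of tree.inventory.values()) {
+if (node.isRoot) {
+continue
+}
+// Only packages bundled by the root are at risk: nested dep-bundles are published as-is and arborist already treats them as immune to the root's overrides (see Edge#satisfiedBy).
+if (!node.inBundle || node.inDepBundle) {
+continue
+}
+if (node.overridden) {
+offenders.add(node.name)
+}
+}
+if (offenders.size) {
+const names = [...offenders].sort()
+const list = names.join(', ')
+const isOne = names.length === 1
+throw Object.assign(
+new Error(`Cannot pack or publish: "overrides" ${isOne ? 'affects a bundled package' : 'affect bundled packages'} (${list}). Consumers do not apply your package's overrides, so the published bundle will produce invalid dependency edges. Remove ${isOne ? 'this package' : 'these packages'} from "bundledDependencies"/"bundleDependencies" or from "overrides" before publishing.`),
+{ code: 'EBUNDLEOVERRIDE', packages: names }
+)
+}
+}
+}
+
 const stdio = opts.foregroundScripts ? 'inherit' : 'pipe'
 
 if (spec.type === 'directory' && !opts.ignoreScripts) {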
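Review bot: The bundled-override guard runs ahead of the `if (spec.type === 'directory' && !opts.ignoreScripts)` block that follows it, so it inspects the manifest and the on-disk tree as they were before any of the package's lifecycle scripts ran. That script block lies outside the hunk, but if a script there rewrites `package.json` or `node_modules`, the tree that ends up in the tarball is presumably not the one `arb.loadActual()` checked, and the guard passes without having seen it. If re-running the check after the scripts is not wanted, the limit should at least be stated next to the guard, for example `// NOTE: checks the on-disk tree before lifecycle scripts run; changes made by those scripts are not re-validated.` The new `EBUNDLEOVERRIDE` code and its `packages` property also deserve a line in the package documentation, since callers of `pack` (whose body starts and continues outside this hunk) will now see a rejection they did not get before.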
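--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "libnpmpack",
-"version": "
+"version": "10.0.0-pre.0.0",
 "description": "Programmatic API for the bits behind npm pack",
 "author": "GitHub Inc.",
 "main": "lib/index.js",
@@ -37,7 +37,7 @@
 "bugs": "https://github.com/npm/libnpmpack/issues",
 "homepage": "https://npmjs.com/package/libnpmpack",
 "dependencies": {
-"@npmcli/arborist": "^
+"@npmcli/arborist": "^10.0.0-pre.0.0",
 "@npmcli/run-script": "^10.0.0",
 "npm-package-arg": "^13.0.0",
 "pacote": "^21.0.2"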