[pull] latest from npm:latest #226

Merged: pull[bot] merged 2 commits into LadyK-21:latest from npm:latest on Jun 26, 2026

Conversation

pull[bot] commented Jun 26, 2026

See Commits and Changes for more details.


Created by pull[bot] (v2.0.0-alpha.4)

Can you help keep this open source service alive? 💖 Please sponsor : )

…#9671)

A root `overrides` entry targeting a transitive dependency was silently
dropped when the path to that dependency crossed a `file:`/workspace
link, so the dependency resolved to its un-overridden version and the
lockfile pinned the wrong version. It reproduced under both the
`hoisted` and `linked` install strategies, while the same override
applied correctly when the dependency was reached without crossing a
link.

Override rules propagate through dependency edges, but a Link and its
target are not edge-connected, so they are bridged by forwarding the
Link's `OverrideSet` to its target. That forwarding ran while the
target's subtree was still unbuilt, so its guard found no matching rule
and never forwarded, leaving the target and its descendant edges without
the rule.

`buildIdealTree` now forwards a link's overrides to its target before
the target's subtree is resolved, so descendant edges inherit the rule
as they are added, matching how a registry node always inherits its
ancestor's `OverrideSet`. `loadActual` now repropagates overrides
through links once all edges are resolved, so a transitive override
reached through a `file:` link is reported as `overridden` rather than
`invalid` by `npm ls`.

## References

Fixes #9659
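A practical check for the behaviour the commit message describes is to inspect the tree that `npm ls --all --json` prints and confirm that the transitive dependency reached through the `file:` link carries the overridden version and is flagged `overridden`, not `invalid`. The script below is an added example, not npm's or arborist's own code or tests. The package names (`app`, `my-lib`, `some-transitive`), the versions and both sample trees are constructed; the field names it reads (`version`, `resolved` beginning with `file:` for a link target, `overridden`, `invalid`, `missing`) are an assumption about the shape of the `npm ls --json` output.

```javascript
// Added example (not npm's own code): walk the tree printed by
// `npm ls --all --json` and check that a root `overrides` rule for a
// transitive dependency reached through a `file:` link actually applied.
// Package names, versions and both sample trees below are constructed.
//
// Assumed output shape: a node may carry `version`, `resolved` (`file:...`
// for a link target), `overridden: true` when an override rule applied,
// `invalid` (a string) when the installed version does not satisfy the
// edge's spec, and `missing: true` when nothing was installed.

function findOccurrences(tree, name) {
  const found = [];
  const visit = (node, path, viaLink) => {
    for (const [depName, child] of Object.entries(node.dependencies || {})) {
      const resolved = typeof child.resolved === 'string' ? child.resolved : '';
      const childPath = path.concat(depName);
      if (depName === name) {
        let status = 'ok';
        if (child.missing) status = 'missing';
        else if (child.invalid) status = 'invalid';
        else if (child.overridden) status = 'overridden';
        found.push({
          path: childPath.join(' > '),
          version: child.version || null,
          viaLink, // true when an ancestor on this path is a file: link
          status,
        });
      }
      // Everything below a file: link counts as reached through the link.
      visit(child, childPath, viaLink || resolved.startsWith('file:'));
    }
  };
  visit(tree, [], false);
  return found;
}

// Returns human-readable problems; an empty list means the override held
// everywhere the package appears in the tree.
function checkOverride(tree, name, expectedVersion) {
  const occurrences = findOccurrences(tree, name);
  if (occurrences.length === 0) return [`${name} not found in tree`];
  return occurrences
    .filter((o) => o.version !== expectedVersion
      || o.status === 'invalid' || o.status === 'missing')
    .map((o) => `${o.path}: ${o.version} (${o.status}`
      + `${o.viaLink ? ', via file: link' : ''})`);
}

// Constructed `npm ls --all --json` output for the pre-fix behaviour:
// the root overrides `some-transitive` to 1.2.3, but the rule was dropped
// across the `file:packages/my-lib` link, so 1.4.0 was installed and
// `npm ls` flags it as invalid.
const beforeFix = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    'my-lib': {
      version: '1.0.0',
      resolved: 'file:packages/my-lib',
      dependencies: {
        'some-transitive': {
          version: '1.4.0',
          invalid: '"1.2.3" from the root project',
        },
      },
    },
  },
};

// The same tree once the override is forwarded through the link.
const afterFix = {
  name: 'app',
  version: '1.0.0',
  dependencies: {
    'my-lib': {
      version: '1.0.0',
      resolved: 'file:packages/my-lib',
      dependencies: {
        'some-transitive': { version: '1.2.3', overridden: true },
      },
    },
  },
};

const EXPECTED = '1.2.3';
for (const [label, tree] of [['before fix', beforeFix], ['after fix', afterFix]]) {
  const problems = checkOverride(tree, 'some-transitive', EXPECTED);
  console.log(`${label}: ${problems.length === 0 ? 'override applied' : problems.join('; ')}`);
}
```

To run it against a real project, save the output of `npm ls --all --json` to a file, `JSON.parse` it and pass the result to `checkOverride` with the package name and the version pinned in the root `overrides` entry; a non-empty result is the regression this commit fixes.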

#9674)

Removes the experimental designation from `install-strategy=linked`
(isolated mode): drops the install-time warning and the `(experimental)`
note in the config docs. `linked` is now a supported, opt-in install
strategy. The default stays `hoisted`.

## Why

`install-strategy=linked` (RFC-0042) has been experimental since it
shipped, warning on every install. It has since been hardened
extensively — the discrepancies tracked in #9608, plus ~50 earlier PRs,
are resolved — and it now produces hoisted-equivalent results across
`install`/`ci`/`ls`/`query`/`explain`/`audit`/`sbom`/`exec`/`run`/`link`/`uninstall`,
the supply-chain controls (`allow-scripts`/`allow-remote`/`allow-git`,
`--strict-allow-scripts`), and the v12 features (`npm patch`,
`packageExtensions`, `.npm-extension`), with a project lockfile
identical to hoisted. It has also been exercised against the [Gutenberg
monorepo](WordPress/gutenberg#75814), which
powers the WordPress Block Editor. The experimental warning no longer
reflects its state.

## How

- `@npmcli/arborist` (`reify.js`): remove the `The "linked" install
strategy is EXPERIMENTAL and may contain bugs.` warning emitted on every
linked install.
- `@npmcli/config` (`definitions.js`): drop `(experimental)` from the
`install-strategy` description for `linked`.
- Regenerate the config docs snapshot to match.

The `node_modules/.store/` layout remains an internal implementation
detail. This does not change the default install strategy.

## References

- Hardening tracked in #9608
- RFC-0042 (isolated mode):
https://github.com/npm/rfcs/blob/main/accepted/0042-isolated-mode.md
pull[bot] locked and limited conversation to collaborators Jun 26, 2026
pull[bot] added the ⤵️ pull label Jun 26, 2026
pull[bot] merged commit 86416a6 into LadyK-21:latest Jun 26, 2026
10 of 14 checks passed
LadyK-21 (Owner) commented:

⚠️ Snyk checks are incomplete.

| Status | Scan Engine | Critical | High | Medium | Low | Total (2) |
| --- | --- | --- | --- | --- | --- | --- |
| ⚠️ | Open Source Security | 1 | 1 | 0 | 0 | See details |

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

2 participants