fix(arborist): don't load store packages' devDependencies as required edges#9626
Merged
owlstronaut merged 1 commit intoJun 24, 2026
Merged
Conversation
manzoorwanijk
force-pushed
the
fix/linked-sbom-store-devdeps
branch
from
f110560 to
e38faa0
Compare
owlstronaut
approved these changes
Jun 24, 2026
Contributor
|
This usually means the cherry-pick had conflicts. Please create a manual backport: git fetch origin release/v11
git checkout -b backport/v11/9626 origin/release/v11
git cherry-pick -x 851558c02a9c79412aa454113973cab047a47f20
# resolve any conflicts, then:
git push origin backport/v11/9626Error details |
Contributor
|
@manzoorwanijk would you be able to create the manual backport of this? |
Contributor
Author
Sure, I will try. |
Contributor
Author
|
PR for backport to v11: #9633 |
owlstronaut
pushed a commit
that referenced
this pull request
Jun 24, 2026
… edges (#9633) Backport of #9626 to `release/v11`. Under `install-strategy=linked`, `npm sbom` exited with `ESBOMPROBLEMS`, reporting transitive packages' devDependencies as missing/required. A store package lives at `node_modules/.store/<key>/node_modules/<pkg>`, which makes it a structural tree top, so `Node._loadDeps` loaded its devDependencies as required edges. `loadActual` now flags such nodes `isInStore` and `_loadDeps` skips devDependencies for them, matching the hoisted strategy. Cherry-picked cleanly except for a test-file context conflict: the unrelated `applies root packageExtensions to a linked actual tree` test (not part of this PR and not present on `release/v11`) was dropped from the resolution; only this fix's two regression tests are included. ## References Backports #9626
owlstronaut
pushed a commit
that referenced
this pull request
Jun 24, 2026
Restores the global 100% coverage gate on `latest`, which broke after #9626. `filterLinkedStrategyEdges` in `lib/commands/ls.js` skips dev edges on non-root packages — a guard added in #9095 to suppress false `UNMET DEPENDENCY` output in the linked strategy. #9626 fixed the root cause for store packages (they no longer load `devDependencies` as required edges), so the store-based test no longer produces a dev edge, leaving that branch unexercised. Rather than ignore the line, this adds a regression test that genuinely exercises the guard: arborist still loads dev edges for a `file:`-linked transitive package, so listing one with `--all` under the linked strategy reaches the guard at depth > 0 and confirms its devDependency is suppressed instead of reported as `UNMET DEPENDENCY`. The full test suite passes at 100%. This is the `latest` counterpart of #9636, which restored coverage on `release/v11` via an `istanbul ignore`. ## References Follows up #9626
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In continuation of our exploration of using
install-strategy=linkedin the Gutenberg monorepo, which powers the WordPress Block Editor.Under
install-strategy=linked,npm sbomexited non-zero withESBOMPROBLEMS, reporting the devDependencies of transitive packages (e.g.matcha,tape) asmissing: ... required by .... Those dev dependencies are correctly not installed (the same is true under hoisted), yet only the linked strategy treated them as missing-and-required. Hoisted produced a clean SBOM for the same dependency set.Why
A package in the linked strategy's store lives at
node_modules/.store/<key>/node_modules/<pkg>, which makes it a structural tree top (isTop, no parent).Node._loadDepsloads devDependencies for every top node, so each store package — a transitive dependency whose devDependencies are never installed — gained requireddevedges.npm sbomreads the filesystem tree vialoadActual, queries it, and flags every non-optional missing edge, so those spurious dev edges surfaced asESBOMPROBLEMS. Standalonenpm auditwas unaffected because it audits the virtual tree from the lockfile. Hoisted was unaffected because its transitive packages have a real parent, so they are not tops and never load devDependencies.How
load-actual.jsnow flags a node asisInStorewhen its realpath sits inside anode_modules/.store/directory, matching the flag the isolated reifier already sets on ideal-tree store nodes.Node._loadDepsexcludes store nodes from the devDependency load (isTop && !globalTop && path && !this.isInStore), so a store package — a transitive dependency by definition — never gains required dev edges. This makes the linked actual tree's edge semantics match hoisted.References
Fixes #9610
Part of #9608