fix(arborist): apply min-release-age-exclude on reify fallback#9716
Open
Sanjays2402 wants to merge 1 commit into
Open
fix(arborist): apply min-release-age-exclude on reify fallback#9716Sanjays2402 wants to merge 1 commit into
Sanjays2402 wants to merge 1 commit into
Conversation
When omit-lockfile-registry-resolved=true, the lockfile has no `resolved` URL so #extractOrLink falls back to a name@version registry spec. Pacote resolves that via pickManifest which honors `before`, so a package pinned in the lockfile can throw ETARGET even when its name is in min-release-age-exclude. Mirror #releaseAgeBefore in build-ideal-tree and drop `before` for excluded packages on this fallback path. Fixes: npm#9715
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
When
omit-lockfile-registry-resolved=trueis set, the lockfile is written with theresolvedURL stripped from registry deps. Onnpm ci(or subsequentnpm iruns that hit the reify fallback),#extractOrLinkreaches the!node.resolvedbranch and rebuilds aname@versionspec so pacote can re-fetch the packument.That fallback spec goes through
pickManifest, which honorsbefore. Oncemin-release-ageis set (which flows through tobefore), pacote throwsETARGETfor the pinned version even though the package name is inmin-release-age-exclude. The exemption logic is only applied inbuild-ideal-tree's#releaseAgeBefore, not on the reify fallback path, so the user-configured exclude is effectively ignored during install.This change mirrors
#releaseAgeBeforeat the reify site: on the!node.resolvedfallback, if the package name matchesmin-release-age-exclude,beforeis dropped from the pacote options so the excluded package installs as the user asked. Behavior is unchanged for packages that are not in the exclude list, for lockfile entries that still haveresolved, and whenbeforeis not set at all.Existing Issue
Fixes #9715
Screenshots
N/A (behavioral bug in the CLI, no UI surface).
AI disclosure
Written with the assistance of Claude. I have reviewed the diff and the test and take responsibility for the code.
Test Coverage
Added a regression test in
workspaces/arborist/test/arborist/reify.jsthat reifies from a lockfile with theresolvedURL stripped andbeforeset to a date that excludes the pinned version. It covers four cases:min-release-age-exclude→ETARGET(documents the existing filter behavior).min-release-age-exclude→ pinned version installs.min-release-age-exclude→ pinned version installs.min-release-age-exclude→ETARGET(exemption is scoped to matched names only).Verified both directions locally: on
latestwithout the fix, the two "matching exclude" subtests fail withETARGET; with the fix, all four subtests pass. The existingmin-release-age-exclude exempts matched packages from the before filtertests inbuild-ideal-tree.jsand theweirdly broken lockfile without resolved valuereify test continue to pass.