Merge pull request #213 from ext/bugfix/npm-prefix-backport

fix: handle `npm:` prefix in dependencies

src/rules/verify-engine-constraint.spec.ts

@@ -118,3 +118,32 @@ it("should ignore @types/node", async () => {
 	await verifyEngineConstraint(pkg);
 	expect(npmInfo).not.toHaveBeenCalled();
 });
+
+it("should handle npm: prefix", async () => {
+	expect.assertions(1);
+	const pkg: PackageJson = {
+		name: "my-app",
+		version: "1.0.0",
+		dependencies: { spam: "npm:foo@1.0.0" },
+		engines: { node: ">= 10" },
+	};
+	npmInfoMockAdd("foo@1.0.0", {
+		name: "foo",
+		version: "1.0.0",
+		dependencies: { spam: "npm:bar@1.0.0" },
+		engines: { node: ">= 12" },
+	});
+	npmInfoMockAdd("bar@1.0.0", { name: "bar", version: "1.0.0", engines: { node: ">= 12" } });
+	expect(await verifyEngineConstraint(pkg)).toEqual([
+		expect.objectContaining({
+			ruleId: "invalid-engine-constraint",
+			message:
+				'the transitive dependency "foo@1.0.0" (node >= 12) does not satisfy the declared node engine ">= 10"',
+		}),
+		expect.objectContaining({
+			ruleId: "invalid-engine-constraint",
+			message:
+				'the transitive dependency "bar@1.0.0" (node >= 12) does not satisfy the declared node engine ">= 10"',
+		}),
+	]);
+});

src/rules/verify-engine-constraint.ts

@@ -10,7 +10,14 @@ async function* getDeepDependencies(pkg: PackageJson, dependency?: string): Asyn
 	if (!pkgData) {
 		return;
 	}
-	for (const [key, value] of Object.entries(pkgData.dependencies ?? {})) {
+	for (let [key, value] of Object.entries(pkgData.dependencies ?? {})) {
+		/* handle npm: prefix */
+		if (value.startsWith("npm:")) {
+			const [newKey, newVersion] = value.slice("npm:".length).split("@", 2);
+			key = newKey;
+			value = newVersion;
+		}
+
 		/* ignore this as this package is sometimes is present as version "*" which
 		 * just yields way to many versions to handle causing MaxBuffer errors and
 		 * there is another rule to make sure the outermost @types/node package