From db157b3ceb46327ca2089604d5f4fc9de391584e Mon Sep 17 00:00:00 2001
From: Ruy Adorno
Date: Tue, 22 Sep 2020 12:24:33 -0400
Subject: [PATCH] @npmcli/arborist@0.0.27
---
 .../arborist/lib/arborist/build-ideal-tree.js | 46 ++++++++++++++++---
 node_modules/@npmcli/arborist/package.json | 2 +-
 package-lock.json | 14 +++---
 package.json | 2 +-
 4 files changed, 48 insertions(+), 16 deletions(-)
diff --git a/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js b/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
index 9cc756f85ec0d..0639a788c9874 100644
--- a/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
+++ b/node_modules/@npmcli/arborist/lib/arborist/build-ideal-tree.js
@@ -368,7 +368,7 @@ module.exports = cls => class IdealTreeBuilder extends cls {
 if (spec.name && !isTag) return spec
- const mani = await pacote.manifest(spec)
+ const mani = await pacote.manifest(spec, { ...this.options })
 // if it's a tag type, then we need to run it down to an actual version
 if (isTag) return npa(`${mani.name}@${mani.version}`)
@@ -768,12 +768,44 @@ This is a one-time fix-up, please be patient...
 const bundled = new Set(bd || [])
 return [...node.edgesOut.values()]
- .filter(edge => !bundled.has(edge.name) &&
- !(edge.to && this[_loadFailures].has(edge.to)) &&
- !(edge.to && edge.to.inShrinkwrap) &&
- (!edge.valid || !edge.to || this[_updateNames].includes(edge.name) ||
- this[_isVulnerable](edge.to) ||
- node.isRoot && this[_explicitRequests].has(edge.name)))
+ .filter(edge => {
+
+ // If it's included in a bundle, we take whatever is specified.
+ if (bundled.has(edge.name))
+ return false
+
+ // If it's already been logged as a load failure, skip it.
+ if (edge.to && this[_loadFailures].has(edge.to))
+ return false
+
+ // If it's shrinkwrapped, we use what the shrinkwap wants.
+ if (edge.to && edge.to.inShrinkwrap)
+ return false
+
+ // If the edge has an error, there's a problem.
+ if (!edge.valid)
+ return true
+
+ // If the edge has no destination, that's a problem.
+ if (!edge.to) {
+ return edge.type !== 'peerOptional'
+ }
+
+ // If user has explicitly asked to update this package by name, it's a problem.
+ if (this[_updateNames].includes(edge.name))
+ return true
+
+ // If we're fixing a security vulnerability with this package, it's a problem.
+ if (this[_isVulnerable](edge.to))
+ return true
+
+ // If the user has explicitly asked to install this package, it's a problem.
+ if (node.isRoot && this[_explicitRequests].has(edge.name))
+ return true
+
+ // No problems!
+ return false
+ })
 } async [_fetchManifest] (spec) {
diff --git a/node_modules/@npmcli/arborist/package.json b/node_modules/@npmcli/arborist/package.json
index 2c2c425c72350..d87ed47e1c100 100644
--- a/node_modules/@npmcli/arborist/package.json
+++ b/node_modules/@npmcli/arborist/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@npmcli/arborist",
- "version": "0.0.26",
+ "version": "0.0.27",
 "description": "Manage node_modules trees",
 "dependencies": {
 "@npmcli/installed-package-contents": "^1.0.5",
diff --git a/package-lock.json b/package-lock.json index 77cf6553cafed..cbf9e3d774a9c 100644 --- a/package-lock.json +++ b/package-lock.json @@ -88,7 +88,7 @@ ], "license": "Artistic-2.0", "dependencies": { - "@npmcli/arborist": "^0.0.26", + "@npmcli/arborist": "^0.0.27", "@npmcli/ci-detect": "^1.2.0", "@npmcli/config": "^1.1.8", "@npmcli/run-script": "^1.5.0", @@ -397,9 +397,9 @@ "dev": true }, "node_modules/@npmcli/arborist": { - "version": "0.0.26", - "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-0.0.26.tgz", - "integrity": "sha512-qRXYOmxnp/qdhaZpkSKPFF+bShEmalNCFTDk+EogEBU+tNWQ/pkrOmiX8mx6oVOyQms53kytUOZSJtk9FH/r7g==", + "version": "0.0.27", + "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-0.0.27.tgz", + "integrity": "sha512-7+uXkEV7d+oY7A3gpQGNx6ufYoihC99R4I3BtWOeC1x3PzgGe1VMiKyirYLkiG2q2sYswa00NBmlG3R3LqVAAg==", "inBundle": true, "dependencies": { "@npmcli/installed-package-contents": "^1.0.5", @@ -9472,9 +9472,9 @@ "dev": true }, "@npmcli/arborist": { - "version": "0.0.26", - "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-0.0.26.tgz", - "integrity": "sha512-qRXYOmxnp/qdhaZpkSKPFF+bShEmalNCFTDk+EogEBU+tNWQ/pkrOmiX8mx6oVOyQms53kytUOZSJtk9FH/r7g==", + "version": "0.0.27", + "resolved": "https://registry.npmjs.org/@npmcli/arborist/-/arborist-0.0.27.tgz", + "integrity": "sha512-7+uXkEV7d+oY7A3gpQGNx6ufYoihC99R4I3BtWOeC1x3PzgGe1VMiKyirYLkiG2q2sYswa00NBmlG3R3LqVAAg==", "requires": { "@npmcli/installed-package-contents": "^1.0.5", "@npmcli/map-workspaces": "0.0.0-pre.1", diff --git a/package.json b/package.json index afd7075bbb2b4..d4ec3bd9d84d9 100644 --- a/package.json +++ b/package.json @@ -42,7 +42,7 @@ "./package.json": "./package.json" }, "dependencies": { - "@npmcli/arborist": "^0.0.26", + "@npmcli/arborist": "^0.0.27", "@npmcli/ci-detect": "^1.2.0", "@npmcli/config": "^1.1.8", "@npmcli/run-script": "^1.5.0",