fix(arborist): skip lockfile entries for optional deps with incomplete manifests#9343
Open
ecanturk wants to merge 1 commit into
Open
fix(arborist): skip lockfile entries for optional deps with incomplete manifests#9343ecanturk wants to merge 1 commit into
ecanturk wants to merge 1 commit into
Conversation
…e manifests
When using a proxy/upstream registry (e.g. Azure Artifacts), fetching
manifests for platform-specific optional dependencies that the proxy
hasn't cached can return incomplete metadata (missing version field).
This caused npm to write lockfile entries like:
"node_modules/@esbuild/aix-ppc64": { "optional": true }
without a version, resolved, or integrity field. Subsequent
`npm ci` runs would fail with 'Invalid Version:' errors.
Fix:
1. build-ideal-tree: When a registry manifest lacks a version field,
treat it as a load failure (EINCOMPLETEMANIFEST) so that
#pruneFailedOptional() marks it inert. Only applies to registry
specs (range/version/tag), not file: dependencies which may
legitimately omit version.
2. shrinkwrap: In commit(), skip writing entries where the node is
optional, has no version, and is not the root. This acts as a
defense-in-depth layer.
Closes: npm#9342
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
When using a proxy/upstream registry (e.g. Azure Artifacts), npm 11 writes lockfile entries for platform-specific optional dependencies without
version,resolved, orintegrityfields. Subsequentnpm cifails withInvalid Version:errors.Example broken lockfile entry:
Why
#fetchManifest()inbuild-ideal-tree.jsfetches manifests for ALL platform variants of optional dependencies. Proxy registries that haven't cached packages for non-current platforms return incomplete metadata (missingversionfield). npm creates a Node with emptypkg.version, andmetaFromNode()writes{"optional": true}to the lockfile without version.npm 10 never attempted to resolve non-current-platform variants, so this only affects npm 11+.
How
Two-layer defense:
build-ideal-tree.js(#nodeFromSpec): When a registry manifest lacks aversionfield, treat it as anEINCOMPLETEMANIFESTload failure so that#pruneFailedOptional()marks it inert. Only applies tospec.registryspecs (notfile:dependencies which may legitimately omit version).shrinkwrap.js(commit()): Skip writing entries where the node is optional, has no version, and is not the root. This acts as a defense-in-depth layer.Testing
workspaces/arborist/test/shrinkwrap.js— simulates proxy registry scenario where an optional dep node has no versionshrinkwrap.js45/45,build-ideal-tree.js114/114)Closes #9342