fix: Enforce allow-git/allow-file/allow-directory/allow-remote configs at the arborist resolution layer#9348
Merged
nishantms reviewed May 13, 2026:
Read-through of the arborist allow-* enforcement. Approach (lift the gate above the symlink branch and the manifest cache) is right, and the soft-fail-via-#loadFailures handling for optional transitives is the correct behavior. A few non-blocking nits below.
nishantms approved these changes May 13, 2026.
This usually means the cherry-pick had conflicts. Please create a manual backport:

    git fetch origin release/v11
    git checkout -b backport/v11/9348 origin/release/v11
    git cherry-pick -x f550eb415de0aff83a5fa297850104f5390a6e30~3..f550eb415de0aff83a5fa297850104f5390a6e30
    # resolve any conflicts, then:
    git push origin backport/v11/9348
Pacote already enforces these settings inside FetcherBase.get, but it only sees what its callers tell it, specifically the _isRoot flag, and it never gets called at all for directory specs, which arborist resolves by creating a Link node directly.
That left two gaps: pacote couldn't gate directory deps because it never saw them, and the _isRoot hint it received was wrong for any transitive that flowed through a synthesized virtualRoot or a hoisted location. Moving the check into arborist closes both: arborist is the only layer that has the real tree context (the actual edge being resolved, with its true from node) and the only layer that sees every spec type before any branching. Pacote's gate stays in place as defense-in-depth for direct pacote consumers, but the authoritative enforcement now lives where the truth lives.
fixes #9347
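To make the description's argument concrete, here is an added illustration (not code from arborist, pacote or this PR) of a gate that sits at the resolution layer and sees every edge before any per-type branching. The spec classifier, the edge shape (`name`, `spec`, `from`, `optional`), the `allow*` config keys and the `loadFailures` list are all assumptions chosen for this example; only the behaviour it models (hard-fail a blocked required dependency, soft-fail and record a blocked optional one) comes from the PR discussion.

```javascript
// Hypothetical allow-* gate at the dependency-resolution layer.
// Not arborist's or pacote's code; all names and the spec grammar are assumed.

// Classify a spec string into the categories the allow-* flags cover.
// Real npm spec parsing is richer (github shorthands, aliases, etc.); this
// covers enough to show that directory specs are seen by the same gate as
// the rest, which is the point of moving the check above the Link branch.
function classifySpec (spec) {
  if (/^(git\+|git:|github:|gitlab:|bitbucket:|gist:)/.test(spec) || /^git@/.test(spec)) return 'git'
  if (/^https?:\/\//.test(spec)) return 'remote'
  if (/^file:/.test(spec) || /^\.{0,2}\//.test(spec)) {
    // A local path is a packed tarball ("file") or an unpacked tree ("directory").
    return /\.(tgz|tar\.gz|tar)$/.test(spec) ? 'file' : 'directory'
  }
  return 'registry'
}

// Which config key governs each spec category. A flag is only restrictive
// when it is explicitly false; absent flags mean "allowed".
const flagFor = { git: 'allowGit', file: 'allowFile', directory: 'allowDirectory', remote: 'allowRemote' }

// Check one edge. The edge itself carries the real tree context (its `from`
// node), so no caller-supplied root/non-root hint is needed.
function checkEdge (edge, config) {
  const type = classifySpec(edge.spec)
  const flag = flagFor[type]
  if (!flag || config[flag] !== false) return { ok: true, type }
  const error = new Error(
    `${type} dependency "${edge.name}@${edge.spec}" (from ${edge.from}) blocked by ${flag}=false`)
  error.code = 'EDEPBLOCKED' // constructed code, not an npm error code
  return { ok: false, type, error }
}

// Resolve a list of edges. A blocked required dep aborts resolution; a
// blocked optional dep is recorded in loadFailures and skipped, mirroring the
// soft-fail behaviour the reviewer describes for optional transitives.
function resolveEdges (edges, config = {}) {
  const resolved = []
  const loadFailures = []
  for (const edge of edges) {
    const res = checkEdge(edge, config)
    if (res.ok) { resolved.push({ name: edge.name, type: res.type }); continue }
    if (edge.optional) { loadFailures.push({ name: edge.name, error: res.error.message }); continue }
    throw res.error
  }
  return { resolved, loadFailures }
}

// Constructed sample edges: one of each category plus a registry dep.
const sampleEdges = [
  { name: 'lodash', spec: '^4.17.0', from: 'root', optional: false },
  { name: 'mylib', spec: 'file:../mylib', from: 'root', optional: false },
  { name: 'widget', spec: 'git+https://example.invalid/widget.git', from: 'node_modules/app', optional: true },
  { name: 'blob', spec: 'https://example.invalid/blob-1.0.0.tgz', from: 'node_modules/app', optional: false },
]

// Usage: block the optional git transitive, which is recorded, not fatal.
const demo = resolveEdges(sampleEdges, { allowGit: false })
console.log(demo.resolved.map(r => `${r.name}:${r.type}`).join(', '))
console.log('load failures:', demo.loadFailures)
```

Because the gate runs on the edge before the resolver decides whether to create a Link node, fetch a manifest, or consult a cache, a `file:../mylib` directory dependency is rejected under `allowDirectory: false` exactly like a git or remote tarball spec, rather than slipping past a fetcher that never sees it.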