
fix(arborist): apply registry-tarball allow-remote exemption in linked strategy#9495

Merged
owlstronaut merged 1 commit into npm:latest from manzoorwanijk:fix/linked-strategy-eallowremote-registry-tarball on Jun 5, 2026

Conversation

@manzoorwanijk
Contributor

@manzoorwanijk manzoorwanijk commented Jun 5, 2026

In continuation of our exploration of using install-strategy=linked in the Gutenberg monorepo, which powers the WordPress Block Editor.

Under install-strategy=linked, a fresh install fails with EALLOWREMOTE on ordinary registry dependencies whose lockfile resolved is a full registry tarball URL, even though allow-remote=none is meant to permit registry-mediated tarballs. The standard (hoisted) reifier installs the same dependency fine; only the linked strategy rejects it.

npm error code EALLOWREMOTE
npm error Fetching packages of type "remote" have been disabled
npm error Refusing to fetch "minimatch@https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz"

Why

Both strategies extract through the same pacote.extract in reify.js, which exempts registry tarballs from the allow-remote gate via #isRegistryResolvedTarball. That check first requires node.isRegistryDependency. In the linked strategy, store nodes are IsolatedNode instances — a standalone class that emulates lib/node.js but has no isRegistryDependency getter and no edges to recompute it from. So node.isRegistryDependency was undefined, the exemption short-circuited to false, the allowRemote: 'all' override was never applied, and pacote rejected the same-origin registry tarball.

This is the second half of the allow-remote registry-tarball handling: the URL-matching half was hardened previously (origin + registry-path-prefix); this fixes the isRegistryDependency half for the linked path. The origin/path security check still runs unchanged on the linked path — a tampered lockfile pointing at a foreign host is still blocked.

How

Carry the registry-dependency flag from the source tree node onto the store node, rather than weakening the guard:

  1. IsolatedNode gains an isRegistryDependency field (default false), settable from constructor options.
  2. #externalProxy copies node.isRegistryDependency from the real tree node onto the proxy.
  3. #generateChild passes it through to the store IsolatedNode.

This preserves exact parity with the hoisted reifier: registry deps are exempt, user-pinned off-registry URLs are not. It also makes the linked strategy's isScriptAllowed matching more accurate — store nodes now carry the trustworthy edge-based flag instead of falling back to guessing registry-ness from the resolved URL.

References

Fixes #9494
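A minimal model of the exemption described in this PR, written here as an added illustration and not taken from @npmcli/arborist: the registry URL, the simplified origin plus path-prefix check and the sample nodes are assumptions, and the real `#isRegistryResolvedTarball` is more involved. It shows why a store node with no `isRegistryDependency` flag fell through to the allow-remote gate, and that carrying the flag over does not weaken the foreign-host check.

```javascript
// Added illustration (not arborist code): how a missing isRegistryDependency
// flag defeats the registry-tarball exemption, and how the carried flag fixes it.
const REGISTRY = 'https://registry.npmjs.org/'; // assumed default registry

// Modelled after the check the PR describes: the node must be a registry
// dependency AND its resolved URL must be same-origin with the registry AND
// sit under that package's tarball path (origin + registry-path-prefix check).
function isRegistryResolvedTarball(node, registry = REGISTRY) {
  if (!node.isRegistryDependency) {
    return false; // undefined on the old IsolatedNode short-circuits here
  }
  let reg, res;
  try {
    reg = new URL(registry);
    res = new URL(node.resolved);
  } catch {
    return false; // unparsable URLs never qualify for the exemption
  }
  const prefix = `${reg.pathname.replace(/\/$/, '')}/${node.name}/-/`;
  return res.origin === reg.origin && res.pathname.startsWith(prefix);
}

// Effective allow-remote value handed to the extractor: the configured value,
// overridden to 'all' only for registry-mediated tarballs.
function allowRemoteFor(node, allowRemote = 'none') {
  if (allowRemote === 'none' && isRegistryResolvedTarball(node)) return 'all';
  return allowRemote;
}

// Stand-in for the linked strategy's store node after the fix: the flag
// defaults to false and is supplied from the source tree node.
class IsolatedNode {
  constructor({ name, resolved, isRegistryDependency = false }) {
    this.name = name;
    this.resolved = resolved;
    this.isRegistryDependency = isRegistryDependency;
  }
}

// Constructed sample: the dependency from the PR's error output.
const treeNode = { name: 'minimatch', isRegistryDependency: true,
  resolved: `${REGISTRY}minimatch/-/minimatch-3.1.5.tgz` };
// Before: the flag was never copied, so the exemption short-circuited.
const before = new IsolatedNode({ name: treeNode.name, resolved: treeNode.resolved });
// After: #generateChild passes the flag through to the store node.
const after = new IsolatedNode({ ...treeNode });
// Constructed tampered lockfile entry: the flag alone is not enough, the
// origin check still rejects a tarball hosted elsewhere.
const foreign = new IsolatedNode({ name: 'minimatch', isRegistryDependency: true,
  resolved: 'https://tarballs.example.test/minimatch/-/minimatch-3.1.5.tgz' });
```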

@manzoorwanijk manzoorwanijk marked this pull request as ready for review June 5, 2026 14:37
@manzoorwanijk manzoorwanijk requested review from a team as code owners June 5, 2026 14:37
@owlstronaut owlstronaut merged commit 4bcba54 into npm:latest Jun 5, 2026
19 checks passed
@github-actions
Contributor

github-actions Bot commented Jun 5, 2026

🎉 Backport to release/v11 created: #9500

@manzoorwanijk manzoorwanijk deleted the fix/linked-strategy-eallowremote-registry-tarball branch June 5, 2026 17:29
owlstronaut pushed a commit that referenced this pull request Jun 5, 2026
…d strategy (#9500)

Backport of #9495 to `release/v11`.

Co-authored-by: Manzoor Wani <manzoorwani.jk@gmail.com>


Development

Successfully merging this pull request may close these issues.

[BUG] install-strategy=linked rejects registry-resolved tarball URLs with EALLOWREMOTE

2 participants