
docs: recommend install-strategy=linked to catch phantom dependencies #9690

Merged: owlstronaut merged 1 commit into release/v11 from backport/v11/9678, Jun 29, 2026


@github-actions


Backport of #9678 to release/v11.

…#9678)

Encourages package authors to develop under `install-strategy=linked` to
surface undeclared ("phantom") dependencies before publishing.

Under the default hoisted `node_modules`, a package can `import` a
dependency it never declared and still resolve it: a transitive
dependency hoisted alongside it (or a workspace root's `node_modules`)
happens to satisfy the import. That undeclared dependency passes the
author's own build silently, then fails for a consumer who installs the
package on its own. The linked (isolated) layout exposes only a
package's declared dependencies, so such an import can fail at the
author's build instead of shipping broken.

The change documents this in two places:

- The `install-strategy` entry in the config reference now recommends
that authors use `--install-strategy=linked` during development,
cross-linked to the developers guide.
- The Developers guide gains a "Catching undeclared ("phantom")
dependencies" section under "Before Publishing", with a note that this
is one check — a dependency satisfied by a `devDependency` or a
workspace root's `node_modules` can still resolve locally — alongside
auditing the dependencies the published package actually uses.

This is documentation-only; the config reference text is generated from
the `install-strategy` definition description.

## References

Closes #9675

(cherry picked from commit fdcfcee)
@owlstronaut owlstronaut merged commit 3658bb5 into release/v11 Jun 29, 2026
55 checks passed
@owlstronaut owlstronaut deleted the backport/v11/9678 branch June 29, 2026 14:45
@github-actions github-actions Bot mentioned this pull request Jun 29, 2026
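
A static check in the spirit of the dependency audit mentioned in the description above, as an added example that is not part of this PR or of npm's code: it lists package imports that `package.json` does not declare as runtime dependencies, including ones satisfied only by a `devDependency`. The function names, the regex heuristic, and the sample manifest and sources are assumptions constructed for illustration.

```javascript
// Added example: flag imports a package never declares. Regex-based heuristic,
// so a specifier quoted inside a comment or string is also reported.
// Common Node built-ins only; require('node:module').builtinModules has the full list.
const BUILTINS = new Set(['assert', 'child_process', 'crypto', 'events', 'fs',
  'http', 'https', 'os', 'path', 'stream', 'url', 'util', 'zlib']);

// Matches: import x from 'p', import 'p', export * from 'p', require('p'), import('p')
const SPECIFIER_RE = /(?:\bfrom\s*|\bimport\s*\(?\s*|\brequire\s*\(\s*)(['"])([^'"\n]+)\1/g;

// Reduce a specifier to a package name; null for relative, absolute, subpath (#)
// and built-in specifiers, which never need a dependency entry.
function packageName(spec) {
  if (/^(\.|\/|#|node:)/.test(spec)) return null;
  const parts = spec.split('/');
  const name = spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
  return BUILTINS.has(name) ? null : name;
}

// manifest: parsed package.json; sources: { path: text } for files that ship.
function auditImports(manifest, sources) {
  const runtime = new Set(['dependencies', 'peerDependencies', 'optionalDependencies']
    .flatMap((field) => Object.keys(manifest[field] || {})));
  const dev = new Set(Object.keys(manifest.devDependencies || {}));
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const match of text.matchAll(SPECIFIER_RE)) {
      const name = packageName(match[2]);
      if (!name || name === manifest.name || runtime.has(name)) continue;
      // 'dev-only' resolves on the author's machine but is not installed for consumers.
      findings.push({ file, name, kind: dev.has(name) ? 'dev-only' : 'undeclared' });
    }
  }
  return findings;
}

// Constructed sample input (hypothetical package and dependency names).
const SAMPLE_MANIFEST = {
  name: 'example-widget',
  dependencies: { 'declared-lib': '^1.0.0' },
  devDependencies: { 'test-helper': '^2.0.0' },
};
const SAMPLE_SOURCES = {
  'index.js': "const a = require('declared-lib');\nconst b = require('hoisted-lib');\n" +
    "const fs = require('node:fs');\n",
  'lib/log.mjs': "import t from 'test-helper';\nimport { x } from './x.js';\n" +
    "import c from '@example/colors/lib/ansi';\n",
};

console.log(auditImports(SAMPLE_MANIFEST, SAMPLE_SOURCES));
```

A check like this complements the linked layout: it reports the `dev-only` case, which the description notes can still resolve locally.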