pacquet: wire NpmResolver into the install resolution stage

[zkochan]

Goal

Wire the npm-registry version-picking surface ported in #11755 into the install command so resolution actually flows through the Resolver chain instead of the legacy Package::fetch_from_registry + Package::pinned_version path.

Part of #11633 Stage 2.

Current state (after #11755)

Library code exists; nothing in package-manager or cli calls it.

Piece	Where	Wired into install?
Resolver trait + dispatcher contract	pacquet-resolving-resolver-base::resolve	No (chain is unused)
DefaultResolver chain	pacquet-resolving-default-resolver	Constructed nowhere; chain is empty
parse_wanted_dependency	pacquet-resolving-parse-wanted-dependency	No (raw → (alias, bareSpecifier) split; no protocol routing yet)
pick_package / pick_package_from_meta	pacquet-resolving-npm-resolver	No — what this issue is about
NpmResolutionVerifier	pacquet-resolving-npm-resolver	Yes (lockfile-verification gate)
Legacy Package::pinned_version path	pacquet/crates/package-manager/src/install_package_from_registry.rs:97-108	Yes — currently the only resolution call in install

The legacy path is a plain max-satisfying lookup. It has no latest-tag short-circuit, no preferred-versions bias, no deprecated-fallback, no minimumReleaseAge filter, no in-memory metaCache, no offline / preferOffline support, no conditional GET, and no policy-violation surfacing.

Plan

Phase A — npm resolver bridge

1. Port parseBareSpecifier (upstream) into pacquet-resolving-npm-resolver. Produces RegistryPackageSpec from (bare_specifier, alias, default_tag, registry). Handles the npm:-alias form, tarball-URL parse, and tag/version/range discrimination via version-selector-type.
2. Add NpmResolver struct in pacquet-resolving-npm-resolver. Owns:
   • default registry URL + per-scope registries map (pacquet_config::Registries)
   • named_registries
   • Arc<ThrottledClient> + Arc<AuthHeaders>
   • Arc<dyn PackageMetaCache> (shared across resolves so one install warms one cache)
   • cache_dir
   • flags: offline, prefer_offline, ignore_missing_time_field
3. Implement Resolver::resolve on NpmResolver:
   • run parseBareSpecifier on wanted_dependency.bare_specifier (use wanted_dependency.alias + opts.default_tag)
   • None → Ok(None) (decline, chain continues to next resolver)
   • pick registry via pick_registry_for_package (already exists in named_registry.rs)
   • build PickPackageOptions from ResolveOptions (preferred-versions, pick-lowest, etc.)
   • call pick_package
   • map PickPackageResult → ResolveResult: id = PkgNameVer, latest = meta.dist_tag("latest"), published_at = meta.published_at(version), manifest = JSON, resolution = LockfileResolution::TarballResolution { integrity, tarball }, resolved_via = "npm-registry", normalized_bare_specifier, alias
4. Implement Resolver::resolve_latest on NpmResolver (for pnpm outdated / pnpm update --latest).
5. Surface policy_violation: after the pick, if opts.published_by is set and the picked version's published_at is past the cutoff, populate ResolveResult.policy_violation with the MinimumReleaseAge variant (mirroring upstream's pickRespectingMinReleaseAge fall-back-to-lowest reporting flow).

Phase B — chain wiring

6. Construct NpmResolver at install entry (config, http_client, auth_headers, meta_cache all available there).
7. Build DefaultResolver::new(vec![Box::new(NpmResolver { … })]). Other protocols (git, tarball, workspace, etc.) are separate Tier 2 items and stay out of this chain until their crates land.
8. Hand the DefaultResolver (as a boxed dyn Resolver) into the install path.

Phase C — install refactor (faithful resolveDependencyTree port)

Port pnpm's two-pass approach: build the full resolved tree first (resolve-only, no fetch), then run the fetch+install pass over that tree. Larger refactor than a per-package swap but lines up with eventual lockfile generation, enables sibling dedup, and gives preferred-versions sharing a place to live.

9. Port resolveDependencyTree (or the minimum slice needed to drive npm-registry resolution end-to-end) into a new pacquet crate, e.g. pacquet-resolving-deps-resolver. Outputs a resolved tree keyed by (name, version) with parent/child edges + per-node ResolveResult.
10. Refactor install_package_from_registry:
    • take a pre-resolved ResolveResult (name, version, integrity, tarball URL, manifest) instead of (name, version_range).
    • drop the Package::fetch_from_registry + pinned_version calls.
    • use ResolveResult.resolution for the tarball fetch step.
11. Refactor install_without_lockfile.rs (both call sites at L145 and L299) so the top-level call runs resolveDependencyTree first, then walks the resulting tree calling install_package_from_registry on each node. The recursion in install becomes tree-traversal, not interleaved resolve+install.
12. Decide where the cross-call PackageMetaCache lives: probably owned by the resolveDependencyTree driver and dropped after the resolve pass completes.

Phase D — preferred-versions construction

13. Bootstrap preferred_versions from pnpm-lock.yaml snapshots: in --frozen-lockfile mode the lockfile is already loaded for verification, so harvest the existing pins as EXISTING_VERSION_SELECTOR_WEIGHT entries before the resolve pass begins.
14. Plumb prev_specifier on WantedDependency from the lockfile entry so the resolver can prefer the previously-pinned version when no update was requested.

Phase E — policy-violation surfacing

15. Add a collector on the install side that aggregates ResolveResult.policy_violation across all resolves, modeled after upstream's handleResolutionPolicyViolations and the existing lockfile-verifier's violation flow.
16. On strict-mode minimumReleaseAge, abort install with the collected set; on non-strict, surface as warnings (matching the verifier's split).

Phase F — tests

17. Unit tests on NpmResolver:
    • parseBareSpecifier parity across the upstream test corpus (resolving/npm-resolver/test/parseBareSpecifier.test.ts is already in TEST_PORTING.md)
    • scope-based registry picking
    • ResolveResult shape verification
    • policy_violation population on immature picks
18. Unit tests on the resolveDependencyTree driver: dedup across siblings, preferred-versions propagation, error aggregation.
19. Integration test driving install through the chain via the mocked registry — byte-identical node_modules/ to a pnpm install of the same lockfile.
20. Update pacquet/plans/TEST_PORTING.md checkboxes.

Phase G — docs

21. Update crates/resolving-npm-resolver/src/lib.rs module-doc to reflect that the resolver is now active in install.
22. Note the wiring in pacquet/AGENTS.md if any agent-facing guidance needs to change.

Out of scope

• Other-protocol resolvers (git, tarball, local, jsr, named-registry, workspace). Each is a separate Tier 2 item under Rust Roadmap #11633 and adds an entry to the DefaultResolver chain when it lands.
• Abbreviated metadata fetcher. Pacquet currently fetches full metadata only — documented in feat(pacquet): resolver scaffold + npm version picking #11755. Adding an abbreviated fetcher is a follow-up: Accept-header swap, second mirror dir at v11/metadata, fullMetadata: bool flag through the orchestrator, and resurrection of the abbreviated→full upgrade-for-releaseAge path that's already structurally in place.
• p-limit(1) per-mirror serialization. Atomic rename in save_meta covers write safety today.
• dry_run no-disk-side-effects. Today's fetcher still warms the on-disk mirror under dry_run; restoring upstream parity needs a write-bypass flag on the fetcher.
• Lockfile generation. Pacquet's install today is --frozen-lockfile only; writable-lockfile installs are a separate roadmap item, though Phase C's two-pass shape is a prerequisite.

Acceptance criteria

• install_package_from_registry no longer calls Package::fetch_from_registry or Package::pinned_version. Resolution flows entirely through the Resolver chain.
• DefaultResolver has at least one resolver registered (NpmResolver).
• A pacquet install --frozen-lockfile of a package whose lockfile entry was resolved by pnpm produces byte-identical node_modules/ (modulo timestamps), verifying parity through the chain.
• minimumReleaseAge violations on resolution (not just lockfile verification) surface through the install layer with the same exit code / reporter events as the verifier path.
• All existing pacquet-package-manager tests continue to pass.

References

• feat(pacquet): resolver scaffold + npm version picking #11755 — the picker port these steps build on
• Rust Roadmap #11633 — Stage 2 roadmap parent
• Upstream pickPackage.ts / pickPackageFromMeta.ts at f657b5cb44
• Upstream parseBareSpecifier.ts at f657b5cb44
• Upstream resolveDependencyTree.ts at f657b5cb44
• Upstream createResolver chain at 3687b0e180

---

Written by an agent (Claude Code, claude-opus-4-7).

[zkochan]

Landed via #11760 (097983fbca).

What shipped

Phases A, B, and C of the original plan, plus four additions that surfaced during review.

Phase A — npm resolver bridge

• Ported parseBareSpecifier into pacquet-resolving-npm-resolver as parse_bare_specifier.rs. Handles the npm:-alias form, tarball-URL parse (now prefix-anchored on the scopeless package name to reject mismatched filenames), and tag/version/range discrimination.
• Added NpmResolver struct implementing the Resolver trait. Owns the registries map, named-registry table, Arc<ThrottledClient>, Arc<AuthHeaders>, Arc<dyn PackageMetaCache>, cache dir, and the offline / prefer-offline / ignore-missing-time-field flags. Routes registry picks through the bareSpecifier-aware pick_registry_for_package so an entry like "foo": "npm:@acme/bar@^1" resolves through registries[@acme].
• Resolver::resolve_latest for the pnpm outdated / pnpm update --latest paths.
• ResolveResult.policy_violation populated inline via detect_min_release_age_violation, mirroring upstream's pickRespectingMinReleaseAge fall-back-to-lowest reporting flow.
• Added published_by, published_by_exclude, dry_run to ResolveOptions (resolver-base); PackageVersionPolicy now derives Clone.

Phase B — chain wiring

• install_without_lockfile.rs constructs the NpmResolver at install entry from Config-derived registries and an InMemoryPackageMetaCache shared across the resolve pass (and dropped before the install pass begins). DefaultResolver not yet wired since the chain currently has one entry — once a second per-protocol resolver lands the wrap-through will follow.

Phase C — install refactor (two-pass resolveDependencyTree)

• New crate pacquet-resolving-deps-resolver exposes resolve_dependency_tree: a minimum-slice port that walks manifest deps through the resolver chain and produces a flat name@version-keyed package map plus parent-child edges. Concurrent sibling resolution via try_join_all; per-id dedup gate (in-progress placeholders prevent duplicate walks); now returns a typed SpecNotSupported error when the chain returns None, mirroring default-resolver's SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER.
• install_package_from_registry.rs no longer calls Package::fetch_from_registry or Package::pinned_version. It takes a pre-resolved ResolveResult, reads tarball URL + integrity off LockfileResolution::Tarball, and pulls unpackedSize from the manifest fragment (via checked usize::try_from).
• install_without_lockfile.rs runs resolve_dependency_tree first, then traverses the resulting tree calling install_package_from_registry per node. PackageMetaCache lives in the resolver, dropped before install starts.

Additional fixes that landed during review

• Per-package pnpm:progress signaling. InstallPackageFromRegistry takes a first_visit: bool; the resolved / imported emits plus the tarball download/import fire once per (name, version), while the per-parent symlink_package runs on every edge. Matches upstream's per-package reporter contract.
• Windows symlink race fix. ResolvedPackages is now DashMap<String, tokio::sync::watch::Sender<bool>>; the first writer signals completion via send_replace(true) after import_indexed_dir, so a second visitor's symlink_package doesn't race ahead of the target directory's existence (force_symlink_dir's Windows junction fallback requires an existing target). A dropped first-writer task surfaces as a typed FirstWriterAborted error. Also fixes a cyclic-deps deadlock that hit should_install_circular_dependencies.
• minimumReleaseAge in the resolve pass. Previously only the lockfile-verifier enforced it; the no-lockfile resolve pass now derives published_by and the exclude policy from Config with checked arithmetic at every step (i64::try_from → chrono::Duration::try_minutes → DateTime::checked_sub_signed) so absurd configured values degrade to "policy inactive" rather than fabricating a wrong-direction cutoff. Verifier factory create_npm_resolution_verifier got the same checked-arithmetic treatment.
• TS side: @pnpm/config.pick-registry-for-package unscoped-alias fix. A separate bug surfaced during the scope-routing port: pickRegistryForPackage('@private/foo', 'npm:lodash@^1') was routing through registries['@private'] even though lodash is unscoped. getScope now returns null in the npm-alias branch when the alias target is unscoped, so the call falls through to registries.default. Changeset bumped @pnpm/config.pick-registry-for-package and pnpm (patch).

Tests added

• parse_bare_specifier::tests — 17 cases including npm-alias forms, tarball-URL parse, and the mismatched-filename rejection.
• npm_resolver::tests — 6 cases (range, workspace fallthrough, default tag, policy violation, latest, compatible).
• named_registry::tests — 4 new cases for bareSpecifier-aware scope routing (npm-alias wins over local, scoped-target in different scope wins, unscoped-target routes to default, plain spec fallback).
• resolve_dependency_tree::tests — 3 cases (walk, dedup across subtrees, declined spec → SpecNotSupported).
• install_package_from_registry::tests — 3 mock-registry integration tests, including the first_visit=false contract (second edge skips pnpm:progress emits but still creates the per-parent symlink).
• TS side: 3 cases in pick-registry-for-package/test/index.spec.ts.

Acceptance criteria

Criterion	Status
install_package_from_registry no longer calls Package::fetch_from_registry or Package::pinned_version	✅ done
Resolution flows entirely through the Resolver chain	✅ done
DefaultResolver has at least one resolver registered	⏸️ NpmResolver is the only resolver today; DefaultResolver wrap lands alongside the second per-protocol resolver to avoid surfacing SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER for git/file specs that don't have ported resolvers yet
Byte-identical node_modules/ parity test	⏸️ existing pacquet test suite (incl. mock-registry e2e + pnpm_compatibility checks) covers the parity surface that's exercisable today; explicit byte-identical lockfile parity test pending the lockfile-generation roadmap
minimumReleaseAge violations surface through the install layer	🚧 resolver attaches policy_violation per-pick (Phase A); install-side aggregation (Phase E) follow-up below
All existing pacquet-package-manager tests continue to pass	✅ done

Remaining follow-ups (each their own issue)

• Phase D — bootstrap preferred_versions from pnpm-lock.yaml snapshots, plumb prev_specifier on WantedDependency from the lockfile entry.
• Phase E — install-side policy-violation collector. Today the resolver attaches policy_violation per-pick, but the install layer doesn't yet aggregate or fail on them; needs to mirror handleResolutionPolicyViolations and decide strict vs warn split.
• Phase F — port the rest of parseBareSpecifier.test.ts corpus and add an integration test driving a pacquet install --frozen-lockfile end-to-end through the chain against the mocked registry for byte-identical node_modules/ parity with pnpm.
• Phase G — update pacquet/AGENTS.md and crates/resolving-npm-resolver/src/lib.rs module doc to reflect that the resolver is now active in install (the lib-doc update is done; AGENTS-side notes still TODO).
• Other-protocol resolvers — DefaultResolver chain wrap follows once any of {git, tarball, local, jsr, named-registry, workspace} lands.
• Abbreviated metadata fetcher — separate item under Rust Roadmap #11633 / feat(pacquet): resolver scaffold + npm version picking #11755's out-of-scope notes.

Closing as the core scope landed; remaining items are tracked separately.

---

Written by an agent (Claude Code, claude-opus-4-7).