Restrict access to hoisted packages

[zkochan]

Problem

The shamefully-flatten flag is used too frequently due to issues with eslint, vue, angular and other popular tools that require all subdeps to be hoisted. This is especcially bad because the application code gets access to all those hoisted subdeps.

Proposed solution

Instead of hoisting all dependencies into the project's node_modules, pnpm can use a hidden node_modules that only dependencies will have access to.

Lets see it on an example. The next project has foo in dependencies and foo has bar in dependencies

project
+ node_modules
  + foo -> .pnpm/registry.npmjs.org/foo/1.0.0/node_modules/foo
  + .pnpm
     + node_modules
        + bar -> ../registry.npmjs.org/bar/1.0.0/node_modules/bar
        + foo -> ../registry.npmjs.org/foo/1.0.0/node_modules/foo
     + registry.npmjs.org
        + foo/1.0.0/node_modules/foo
        + bar/1.0.0/node_modules/bar

---

This can be turned on by default for the new hoist config (see #1997)

cc @KSXGitHub @ExE-Boss @shellscape

[KSXGitHub]

Your hypothetical dependency tree does not make it obvious for me. How about this:

• My project depends on A.
• A require()s C and D directly (index.js).
• A depends on B (package.json).
• B depends on C (package.json).
• C depends on D (package.json).

[zkochan]

In your example it will look like this

project
+ node_modules
  + a
  + .pnpm_deps
     + node_modules
        + a
        + b
        + c
        + d
     + registry.npmjs.org
        + a/1.0.0/node_modules
           + a
           + b
        + b/1.0.0/node_modules
           + b
           + c
        + c/1.0.0/node_modules
           + c
           + d
        + d/1.0.0/node_modules
           + d

[KSXGitHub]

So A should be able to require() C and D as well as itself. Theoretically, this should enable us to use packages like A without --shamefully-flatten. Cool!

However, I would like you to keep flatten around just in case.

[KSXGitHub]

Looking back at the example, I see that A, B, C, D all have their own node_modules directory ({a,b,c,d}/1.0.0/node_modules). Are these directories necessary since A, B, C, D all appear in .pnpm_deps/node_modules?

[zkochan]

They are not necessary per se but this redundancy makes things easier. If someone installs a different version of c as a direct dependency, we will only need to change the symlink in .pnpm-deps/node_modules and we won't have to do anything in node_modules of b

[zkochan]

Seems like we might still need something like shamefully-hoist because some tools might only search for the unlisted deps in node_modules

#1300, for instance, is reproducible with this new restricted hoisting.

[shellscape]

Appreciate the continued diligence on this.

[zkochan]

The shamefully-hoist PR is ready as well: #2006