-
Notifications
You must be signed in to change notification settings - Fork 4.5k
Comparing changes
Open a pull request
base repository: npm/cli
base: v11.13.0
head repository: npm/cli
compare: v11.14.0
- 14 commits
- 51 files changed
- 9 contributors
Commits on Apr 22, 2026
-
fix(arborist): propagate overrides through Link nodes to targets (#9198)
In continuation of our exploration of using `install-strategy=linked` in the [Gutenberg monorepo](WordPress/gutenberg#75814), which powers the WordPress Block Editor. When using `install-strategy=linked`, npm overrides for transitive dependencies were ignored. The overridden version was installed but reported as `invalid` instead of `overridden`, and with `strict-peer-deps` the install failed entirely with `ERESOLVE`. The root cause is that override propagation stops at Link nodes and never reaches their targets. Overrides propagate through the tree via `addEdgeIn` -> `updateOverridesEdgeInAdded` -> `recalculateOutEdgesOverrides`. When a Link node receives overrides, `recalculateOutEdgesOverrides` iterates over `this.edgesOut` — but Links have no `edgesOut` (their targets do). So overrides never reach the target node's dependency edges, and those edges use `rawSpec` instead of the overridden spec. In the linked strategy, all packages in `node_modules/` are Links pointing to targets in `.store/`. This meant no overrides propagated past the first level of the dependency tree. The fix overrides `recalculateOutEdgesOverrides` in the `Link` class to forward overrides to the target node. When `buildIdealTree` creates a root Link (e.g. on macOS where `/tmp` -> `/private/tmp`), the target Node is now created with `loadOverrides: true` so it loads override rules from `package.json`. The `#applyRootOverridesToWorkspaces` workaround method is removed — it was compensating for this exact bug by detaching workspace edges whose specs didn't match. With proper propagation, workspace edges already have the correct overridden spec, making the workaround dead code. ## References Fixes #9197 (cherry picked from commit bc32d94)
Configuration menu - View commit details
-
Copy full SHA for e7805c3 - Browse repository at this point
Copy the full SHA e7805c3View commit details
Commits on Apr 28, 2026
-
feat: add allow-directory, allow-file, and allow-remote (#9288)
Backport of #9287 to `release/v11`. Co-authored-by: Gar <gar+gh@danger.computer>
Configuration menu - View commit details
-
Copy full SHA for 45fc5e0 - Browse repository at this point
Copy the full SHA 45fc5e0View commit details
Commits on May 1, 2026
-
fix(config): preserve min-release-age after flattening
(cherry picked from commit 6628d05)
Configuration menu - View commit details
-
Copy full SHA for 574b73a - Browse repository at this point
Copy the full SHA 574b73aView commit details
Commits on May 4, 2026
-
fix: prefer existing tree nodes for peerOptional deps (#9249) (#9283)
When a peerOptional edge conflicts, search descendants for a satisfying node before fetching from the registry. This prevents extraneous packages from blocking hoisting of required deps. This fixes 1/2 or 1/3 of #9249. Before this change a clean install would resolve `nm/jest-util@30` when resolving the conflict at nm/jest-util between ts-jest's jest-util@^29||^30, and expect's ^28, which had been placed at root. `#nodeFromEdge` would create a brand new node, matching greatest ^30. A subequent install would mark nm/jest-util@30 as extraneous and prune it. This tree is valid, but ts-jest's peerOptional jest-util is unsatisfied, while compatible jest-util are installed and duplicated. This change reduces duplication and can prevent peerOptionals from actively installing. 1. Now during initial installs npm will prefer hoisting a dependency to de-dupe a peerOptional conflict over creating a new extraneous edge. 2. It doesn't solve the problem if there's no compatible version in the sub-tree. npm will still use `#nodeFromEdge` and install an extraneous edge. 3. It doesn't fix installs from lockfiles generated before this fix. I think this is okay, because the trees are techincally valid, just not optimal. I think a better solution to all three issues would be: * During problemEdge conflict resolution, npm would hoist nm/jest-util@28 under expect, without replacing it with anything. ts-jest's peerOptional jest-util would be unsatisfied. This creates the same tree as npm's second installs that prune extraneous. * Check for any dependencies that can be hosited. This can run during the initial install on problemEdge conflict resoultion, and in pruneIdealTree on any nodes that are removed. I think this solves all three issues. I didn't implement it because I couldn't find a way to resolve the conflict by leaving a hole in the tree.. (cherry picked from commit 0629fbf)
Configuration menu - View commit details
-
Copy full SHA for e19b349 - Browse repository at this point
Copy the full SHA e19b349View commit details -
fix(arborist): ignore hidden entries in global update (#9299)
## Description Fixes #9298. `buildIdealTree` handles global updates by reading the global `node_modules` folder directly and adding each entry as a synthetic top-level dependency. That path did not ignore hidden entries, so a directory like `.hidden-non-package` was converted to `.hidden-non-package@*` and rejected by `npm-package-arg`. This applies the same hidden-entry filter already used by `loadActual`, so hidden directories and retired scoped package folders are not treated as installed global packages during `npm up -g`. ## Testing ```sh node node_modules/tap/bin/run.js workspaces/arborist/test/arborist/build-ideal-tree.js -g "update global ignores hidden" ``` ```sh npm_config_prefix=/tmp/npm-hidden-global-patched.azXmRd node . up -g ``` ```sh node . run eslint -- workspaces/arborist/lib/arborist/build-ideal-tree.js workspaces/arborist/test/arborist/build-ideal-tree.js ``` (cherry picked from commit 32940e2)
Configuration menu - View commit details
-
Copy full SHA for 3298369 - Browse repository at this point
Copy the full SHA 3298369View commit details
Commits on May 5, 2026
-
feat(arborist): add lockfileString() for in-memory lockfile generation
Exposes a public method on the Arborist class that builds (or reuses) an ideal tree, commits the shrinkwrap metadata, and returns the lockfile contents as a string without writing to disk. This makes a previously-undocumented sequence (`buildIdealTree()` -> `tree.meta.commit()` -> `String(tree.meta)`) a discoverable, supported API, enabling callers to inspect, diff, or store generated lockfiles without mutating the project's package-lock.json. (cherry picked from commit b8655c7)
Configuration menu - View commit details
-
Copy full SHA for 20fb6a0 - Browse repository at this point
Copy the full SHA 20fb6a0View commit details
Commits on May 6, 2026
-
Configuration menu - View commit details
-
Copy full SHA for c3ea2cf - Browse repository at this point
Copy the full SHA c3ea2cfView commit details -
fix(sbom): dedupe per-node dependsOn / relationships (#9318)
Backport of #9311 to `release/v11`. Co-authored-by: Mikael Kristiansson <1733784+mikaelkristiansson@users.noreply.github.com>
Configuration menu - View commit details
-
Copy full SHA for 6c17544 - Browse repository at this point
Copy the full SHA 6c17544View commit details -
chore: add cli-triage team as codeowner (#9320)
Backport of #9317 to `release/v11`. Co-authored-by: Michael Smith <owlstronaut@github.com>
Configuration menu - View commit details
-
Copy full SHA for 89c505a - Browse repository at this point
Copy the full SHA 89c505aView commit details -
Configuration menu - View commit details
-
Copy full SHA for addffcb - Browse repository at this point
Copy the full SHA addffcbView commit details -
Configuration menu - View commit details
-
Copy full SHA for b771289 - Browse repository at this point
Copy the full SHA b771289View commit details -
Configuration menu - View commit details
-
Copy full SHA for 840fe18 - Browse repository at this point
Copy the full SHA 840fe18View commit details -
Configuration menu - View commit details
-
Copy full SHA for 041fd58 - Browse repository at this point
Copy the full SHA 041fd58View commit details -
Configuration menu - View commit details
-
Copy full SHA for 409a717 - Browse repository at this point
Copy the full SHA 409a717View commit details
This comparison is taking too long to generate.
Unfortunately it looks like we can’t render this comparison for you right now. It might be too big, or there might be something weird with your repository.
You can try running this command locally to see the comparison on your machine:
git diff v11.13.0...v11.14.0