fix(arborist): correct dev/prod dep flags for workspaces under the linked strategy#9655
Merged
owlstronaut merged 2 commits intoJun 25, 2026
Merged
Conversation
owlstronaut
approved these changes
Jun 25, 2026
Contributor
|
🎉 Backport to |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In continuation of our exploration of using
install-strategy=linkedin the Gutenberg monorepo, which powers the WordPress Block Editor.Under
install-strategy=linked,npm queryreports the wrongdev/prodflags for workspaces and their dependencies. In a workspace project the entire non-root tree is flaggeddev, so:is(.prod)returns almost nothing and:is(.dev)returns almost everything — the opposite of the hoisted strategy. This breaks tooling that classifies dependencies vianpm query, e.g. a license checker that selects.proddependencies.Why
Two compounding defects, both exercised only by the linked layout.
First, the linked strategy does not symlink undeclared workspaces into the root's
node_modules, so the root'sworkspaceedges resolve tonull.calcDepFlagswalks outward from the root via edges, dead-ends immediately, and never reaches any workspace or its transitive deps, leaving them at their defaultdev=true.Second, the
node.isLinkbranch incalcDepFlagsassigned target flags unconditionally (target.dev = link.dev), unlike every other flag in that file which is only ever unset (true to false). When a target is reachable through more than one link — the norm under linked, where each workspace's ownnode_moduleslinks to a shared target — the last link visited could overwrite an already-correctdev=falseback totrue.How
Make the
calcDepFlagslink branch monotonic: only unset flags, matching the edge walk below it, and queue the target on first visit so its own deps are still walked. A target reachable through multiple links now keeps the most permissive flags regardless of visit order.In
loadActual, when the install strategy is linked, synthesize the missing root-to-workspace links from the already-loaded workspace targets so the root's workspace edges resolve and flags propagate. The synthesis is gated to linked because under hoisted an unresolved workspace edge is a genuinely missing symlink that reify must recreate, not synthesize. Workspaces already linked into the rootnode_modulesare skipped.This targets the path used by
npm queryand non-lockfilenpm sbom, which force a filesystem read of the actual tree. Commands that load from the hidden lockfile (npm ls,npm outdated,npm audit signatures) are unchanged; their separate, pre-existing linked flag gap is left for a follow-up.References
Fixes #9100