fix(arborist): forward transitive overrides through linked store links#9658
Merged
owlstronaut merged 1 commit intoJun 25, 2026
Merged
Conversation
owlstronaut
approved these changes
Jun 25, 2026
Contributor
|
This usually means the cherry-pick had conflicts. Please create a manual backport: git fetch origin release/v11
git checkout -b backport/v11/9658 origin/release/v11
git cherry-pick -x 541c2865bf2a961554c889f5764bf182cc7f60e2
# resolve any conflicts, then:
git push origin backport/v11/9658Error details |
Contributor
|
@manzoorwanijk this'll need a backport |
Contributor
Author
|
Already on it... |
Contributor
Author
|
Here you go #9668 |
owlstronaut
pushed a commit
that referenced
this pull request
Jun 25, 2026
#9658) (backport release/v11) (#9668) Backport of #9658 to `release/v11`. Under `install-strategy=linked`, an override forcing a transitive dependency outside its dependent's declared range was applied on disk but reported as `invalid` by `npm ls --all`, which then exited 1 (`ELSPROBLEMS`); hoisted reports it as `overridden` and exits 0. It only surfaced when the overridden package's dependent was itself a transitive (store) package. `Link.recalculateOutEdgesOverrides` only forwarded an OverrideSet to a store link's target when a rule named a direct dependency of the target, so the chain to a deeper `dependent -> overridden` edge never received the rule. The fix walks the target's subtree and forwards when a rule actually applies to a reachable edge (matched via `getEdgeRule` on name and spec, preserving #9357), and `loadActual` re-forwards through links once the tree is complete. Cherry-picked cleanly except for a context-only conflict in `load-actual.js` and its test file: the unrelated `packageExtensions` and `.npm-extension` methods and the `applies root packageExtensions to a linked actual tree` test are not present on `release/v11`, so they were dropped from the resolution. Only this fix's changes are included. ## References Backports #9658
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
In continuation of our exploration of using
install-strategy=linkedin the Gutenberg monorepo, which powers the WordPress Block Editor.Under
install-strategy=linked, an override that forces a transitive dependency to a version outside its dependent's declared range was applied on disk but reported asinvalidbynpm ls --all, which then exited 1 (ELSPROBLEMS). The hoisted strategy reports the same edge asoverriddenand exits 0. The bug only surfaced when the overridden package's dependent was itself a transitive (store) package — a direct dependency of the root was handled correctly.npm lsrebuilds the actual tree from the.storelayout, and an OverrideSet propagates down the tree throughLink.recalculateOutEdgesOverrides, which forwards the set from a store symlink to its target node. A prior fix (#9357) gated that forwarding on a rule naming a direct dependency of the target, to avoid flipping an unrelated target to "has overrides" and makingnpm cire-resolve lockfile-pinned edges. That gate was too narrow: a store link whose own direct deps do not name the overridden package never forwarded the set, so the chain to the deeperdependent → overriddenedge never received the rule and was reportedinvalid.The fix walks the target's subtree (following resolved edges, dereferencing links) and forwards the set when an override rule actually applies to any reachable edge, matched via
getEdgeRuleon name and spec so a non-applicable version-qualified rule still does not flip an intermediate node. Because override propagation is event-driven during load, a store link can run its check before its subtree is resolved;loadActualtherefore re-forwards through links once the tree is complete, so the filesystem-scan path resolves transitive overrides asoverriddenrather thaninvalid.References
Fixes #9619