refactor: Properly handle shrinkwrap root dependencies

d3xter666 · d3xter666 · commit 40d48f6a8b34 · 2025-12-09T13:53:15.000+02:00
diff --git a/internal/shrinkwrap-extractor/lib/convertPackageLockToShrinkwrap.js b/internal/shrinkwrap-extractor/lib/convertPackageLockToShrinkwrap.js
@@ -58,13 +58,31 @@ export default async function convertPackageLockToShrinkwrap(workspaceRootDir, t
 	// Collect all package keys using arborist
 	collectDependencies(targetNode, relevantPackageLocations);
 
+
+	// Build a map of package paths to their versions for collision detection
+	function buildVersionMap(relevantPackageLocations) {
+		const versionMap = new Map();
+		for (const [key, node] of relevantPackageLocations) {
+			const pkgPath = key.split("|")[0];
+			versionMap.set(pkgPath, node.version);
+		}
+		return versionMap;
+	}
+
+	// Build a map: key = package path, value = array of unique versions
+	const existingLocationsAndVersions = buildVersionMap(relevantPackageLocations);
 	// Using the keys, extract relevant package-entries from package-lock.json
+	// Extract and process packages
 	const extractedPackages = Object.create(null);
-	for (let [packageLoc, node] of relevantPackageLocations) {
-		let pkg = packageLockJson.packages[packageLoc];
+	for (const [locAndParentPackage, node] of relevantPackageLocations) {
+		const [originalLocation, parentPackage] = locAndParentPackage.split("|");
+
+		let pkg = packageLockJson.packages[node.location];
 		if (pkg.link) {
 			pkg = packageLockJson.packages[pkg.resolved];
 		}
+
+		let packageLoc;
 		if (pkg.name === targetPackageName) {
 			// Make the target package the root package
 			packageLoc = "";
@@ -73,7 +91,13 @@ export default async function convertPackageLockToShrinkwrap(workspaceRootDir, t
 			}
 		} else {
 			packageLoc = normalizePackageLocation(
-				packageLoc, node, targetPackageName, tree.packageName, relevantPackageLocations);
+				[originalLocation, parentPackage],
+				node,
+				targetPackageName,
+				tree.packageName,
+				existingLocationsAndVersions,
+				targetNode
+			);
 		}
 		if (packageLoc !== "" && !pkg.resolved) {
 			// For all but the root package, ensure that "resolved" and "integrity" fields are present
@@ -106,61 +130,72 @@ export default async function convertPackageLockToShrinkwrap(workspaceRootDir, t
 	return shrinkwrap;
 }
 
-/**
- * Normalize package locations from workspace-specific paths to standard npm paths.
- * Automatically detects and resolves version collisions by checking source locations.
- *
- * Examples (assuming @ui5/cli is the targetPackageName):
- * 	- packages/cli/node_modules/foo -> node_modules/foo (if no collision)
- * 	- packages/cli/node_modules/foo -> node_modules/@ui5/cli/node_modules/foo (if root has different version)
- * 	- packages/fs/node_modules/bar -> node_modules/@ui5/fs/node_modules/bar
- *
- * @param {string} location - Package location from arborist
- * @param {object} node - Package node from arborist
- * @param {string} targetPackageName - Target package name for shrinkwrap file
- * @param {string} rootPackageName - Root / workspace package name
- * @param {Map<string, object>} relevantPackageLocations
- * @returns {string} - Normalized location for npm-shrinkwrap.json
- */
+function isDirectDependency(node, targetNode) {
+	return Array.from(node.edgesIn.values()).some((edge) => edge.from === targetNode);
+}
+
 function normalizePackageLocation(
-	location, node, targetPackageName, rootPackageName, relevantPackageLocations) {
+	[location, parentPackage],
+	node,
+	targetPackageName,
+	rootPackageName,
+	existingLocationsAndVersions,
+	targetNode
+) {
 	const topPackageName = node.top.packageName;
 
 	if (topPackageName === targetPackageName) {
-		// Package is within target package (e.g. @ui5/cli)
+		// Package belongs to target package
 		const normalizedPath = location.substring(node.top.location.length + 1);
-		const existing = relevantPackageLocations.get(normalizedPath);
+		const existingVersion = existingLocationsAndVersions.get(normalizedPath);
+
+		// Handle version collision
+		if (existingVersion && existingVersion !== node.version) {
+			// Direct dependencies get priority, transitive ones get nested
+			const finalPath = isDirectDependency(node, targetNode) ?
+				normalizedPath : `node_modules/${topPackageName}/${normalizedPath}`;
 
-		// Check for version collision
-		if (existing && existing.version !== node.version) {
-			// Different version exists - nest this one under the target package
-			return `node_modules/${topPackageName}/${normalizedPath}`;
+			existingLocationsAndVersions.set(finalPath, node.version);
+			return finalPath;
 		}
 
+		existingLocationsAndVersions.set(normalizedPath, node.version);
 		return normalizedPath;
 	} else if (topPackageName !== rootPackageName) {
-		// Add package within node_modules of actual package name (e.g. @ui5/fs)
-		return `node_modules/${topPackageName}/${location.substring(node.top.location.length + 1)}`;
+		// Package belongs to another workspace package - nest under it
+		const nestedPath = `node_modules/${topPackageName}/${location.substring(node.top.location.length + 1)}`;
+		existingLocationsAndVersions.set(nestedPath, node.version);
+		return nestedPath;
+	} else {
+		const existingVersion = existingLocationsAndVersions.get(location);
+		if (existingVersion && existingVersion !== node.version) {
+			// Version collision at root - nest under parent
+			const nestedPath = `node_modules/${parentPackage}/${location}`;
+			existingLocationsAndVersions.set(nestedPath, node.version);
+			return nestedPath;
+		}
 	}
 
-	// Package is within root workspace, keep as-is
 	return location;
 }
 
-function collectDependencies(node, relevantPackageLocations) {
-	if (relevantPackageLocations.has(node.location)) {
+function collectDependencies(node, relevantPackageLocations, parentPackage = "") {
+	if (relevantPackageLocations.has(node.location + "|" + parentPackage)) {
 		// Already processed
 		return;
 	}
-	relevantPackageLocations.set(node.location, node);
+	// We need this as the module could be in the root node_modules and later might need to be nested
+	// under many different parent packages due to version collisions. If this step is skipped, some
+	// packages might be missing in the final shrinkwrap due to key overwrites.
+	relevantPackageLocations.set(node.location + "|" + parentPackage, node);
 	if (node.isLink) {
 		node = node.target;
 	}
 	for (const edge of node.edgesOut.values()) {
 		if (edge.dev) {
 			continue;
 		}
-		collectDependencies(edge.to, relevantPackageLocations);
+		collectDependencies(edge.to, relevantPackageLocations, node.packageName);
 	}
 }
 
