fix(shrinkwrap-extractor): Handle dependencies hoisted to the workspace root for packages other than the target

Author: RandomByte

internal/shrinkwrap-extractor/lib/convertPackageLockToShrinkwrap.js

@@ -60,7 +60,12 @@ export default async function convertPackageLockToShrinkwrap(workspaceRootDir, t
 
 	// Using the keys, extract relevant package-entries from package-lock.json
 	const extractedPackages = Object.create(null);
+	const resolvedConflicts = new Set();
 	for (let [packageLoc, node] of relevantPackageLocations) {
+		if (resolvedConflicts.has(packageLoc)) {
+			// This package location was already moved due to a conflict
+			continue;
+		}
 		let pkg = packageLockJson.packages[packageLoc];
 		if (pkg.link) {
 			pkg = packageLockJson.packages[pkg.resolved];
@@ -72,15 +77,47 @@ export default async function convertPackageLockToShrinkwrap(workspaceRootDir, t
 				throw new Error(`Duplicate root package entry for "${targetPackageName}"`);
 			}
 		} else {
-			packageLoc = normalizePackageLocation(packageLoc, node, targetPackageName, tree.packageName);
-		}
-		if (packageLoc !== "" && !pkg.resolved) {
-			// For all but the root package, ensure that "resolved" and "integrity" fields are present
-			// These are always missing for locally linked packages, but sometimes also for others (e.g. if installed
-			// from local cache)
-			const {resolved, integrity} = await fetchPackageMetadata(node.packageName, node.version, workspaceRootDir);
-			pkg.resolved = resolved;
-			pkg.integrity = integrity;
+			if (!pkg.resolved) {
+				// For all but the root package, ensure that "resolved" and "integrity" fields are present
+				// These are always missing for locally linked packages, but sometimes also for others
+				// (e.g. if installed from local cache)
+				const {resolved, integrity} = await fetchPackageMetadata(
+					node.packageName, node.version, workspaceRootDir);
+				pkg.resolved = resolved;
+				pkg.integrity = integrity;
+			}
+			// Align package locations with new target
+			const newPackageLoc = normalizePackageLocation(packageLoc, node, targetPackageName, tree.packageName);
+			// Detect conflicts with dependencies hoisted to root level for packages other than the target
+			const existingPackageAtNewLocation = relevantPackageLocations.get(newPackageLoc);
+			if (newPackageLoc !== packageLoc && existingPackageAtNewLocation) {
+				if (pkg.version !== existingPackageAtNewLocation.version) {
+					console.log(
+						`Hoisting conflict: Package "${node.packageName}" (from "${packageLoc}") already exists at ` +
+						`new location ${newPackageLoc} in version ${existingPackageAtNewLocation.version}`);
+					resolvedConflicts.add(newPackageLoc);
+					const conflictPkg = packageLockJson.packages[newPackageLoc];
+					if (!conflictPkg.resolved) {
+						// For all but the root package, ensure that "resolved" and "integrity" fields are present
+						// These are always missing for locally linked packages, but sometimes also for others
+						// (e.g. if installed from local cache)
+						const {resolved, integrity} = await fetchPackageMetadata(
+							existingPackageAtNewLocation.packageName, existingPackageAtNewLocation.version,
+							workspaceRootDir);
+						conflictPkg.resolved = resolved;
+						conflictPkg.integrity = integrity;
+					}
+					// Move existing package to a package-specific subdirectories to avoid conflict
+					for (const edge of existingPackageAtNewLocation.edgesIn) {
+						const parentPackage = edge.from.top.packageName;
+						console.log(`Moving conflicting package "${node.packageName}" under ` +
+							`"node_modules/${parentPackage}/node_modules/"`);
+						const subPath = `node_modules/${parentPackage}/node_modules/${node.packageName}`;
+						extractedPackages[subPath] = structuredClone(conflictPkg);
+					}
+				}
+			}
+			packageLoc = newPackageLoc;
 		}
 		extractedPackages[packageLoc] = pkg;
 	}

internal/shrinkwrap-extractor/test/lib/convertToShrinkwrap.js

@@ -27,6 +27,7 @@ function setupPacoteMock() {
  */
 async function setupFixtureSymlink(fixtureDir) {
 	const symlinkPath = path.join(fixtureDir, "package-lock.json");
+	await await unlink(symlinkPath).catch(() => {});
 	const targetPath = "package-lock.fixture.json";
 	await symlink(targetPath, symlinkPath);
 	return symlinkPath;
@@ -86,37 +87,51 @@ test("Convert package-lock.json to shrinkwrap", async (t) => {
 
 test("Workspace paths should be normalized to node_modules format", async (t) => {
 	const __dirname = import.meta.dirname;
-
 	const cwd = path.join(__dirname, "..", "fixture", "project.a");
 	const symlinkPath = await setupFixtureSymlink(cwd);
 	t.after(async () => await unlink(symlinkPath).catch(() => {}));
 
-	const targetPackageName = "@ui5/cli";
-	const shrinkwrapJson = await convertPackageLockToShrinkwrap(cwd, targetPackageName);
-
-	// Verify that no package paths contain workspace prefixes like "packages/cli/node_modules/..."
-	const packagePaths = Object.keys(shrinkwrapJson.packages);
+	const shrinkwrapJson = await convertPackageLockToShrinkwrap(cwd, "@ui5/cli");
+	const packagePaths = Object.keys(shrinkwrapJson.packages).filter((p) => p !== "");
 
+	// All paths must start with node_modules/, never with packages/
 	for (const packagePath of packagePaths) {
-		// Skip root package (empty string)
-		if (packagePath === "") continue;
-
-		// Assert that no path starts with "packages/"
 		assert.ok(!packagePath.startsWith("packages/"),
-			`Package path "${packagePath}" should not start with "packages/" prefix`);
-
-		// Assert that non-root paths start with "node_modules/"
+			`Path "${packagePath}" should not contain workspace prefix`);
 		assert.ok(packagePath.startsWith("node_modules/"),
-			`Package path "${packagePath}" should start with "node_modules/" prefix`);
+			`Path "${packagePath}" should start with node_modules/`);
 	}
 
-	// Specifically check a package that would have been under packages/cli/node_modules in the monorepo
-	// The "@npmcli/config" package is a direct dependency that exists in the CLI's node_modules
-	const npmCliConfigPackage = shrinkwrapJson.packages["node_modules/@npmcli/config"];
-	assert.ok(npmCliConfigPackage, "The '@npmcli/config' package should be present at normalized path");
-	assert.equal(npmCliConfigPackage.version, "9.0.0", "@npmcli/config package should have correct version");
+	// Verify a CLI dependency was normalized correctly
+	const npmCliConfig = shrinkwrapJson.packages["node_modules/@npmcli/config"];
+	assert.ok(npmCliConfig, "@npmcli/config should be at normalized path");
+	assert.equal(npmCliConfig.version, "9.0.0");
+
+	console.log(`✓ All ${packagePaths.length} package paths correctly normalized`);
+});
+
+test("Version collisions: root packages get priority at top level", async (t) => {
+	const __dirname = import.meta.dirname;
+	const cwd = path.join(__dirname, "..", "fixture", "project.b");
+	const symlinkPath = await setupFixtureSymlink(cwd);
+	t.after(async () => await unlink(symlinkPath).catch(() => {}));
+
+	const shrinkwrapJson = await convertPackageLockToShrinkwrap(cwd, "@ui5/cli");
+
+	// ansi-regex: root has v6.2.2, CLI workspace has v5.0.1
+	// Root version should be at top level, workspace version nested
+	const rootAnsiRegex = shrinkwrapJson.packages["node_modules/ansi-regex"];
+	assert.equal(rootAnsiRegex?.version, "6.2.2", "Root ansi-regex at top level");
+
+	const cliAnsiRegex = shrinkwrapJson.packages["node_modules/@ui5/cli/node_modules/ansi-regex"];
+	assert.equal(cliAnsiRegex?.version, "5.0.1", "Workspace ansi-regex nested under @ui5/cli");
+
+	// Verify root version satisfies dependents
+	const stripAnsi = shrinkwrapJson.packages["node_modules/strip-ansi"];
+	assert.equal(stripAnsi.dependencies["ansi-regex"], "^6.0.1");
+	assert.ok(rootAnsiRegex.version.startsWith("6."), "Root v6.2.2 satisfies ^6.0.1");
 
-	console.log(`✓ All ${packagePaths.length - 1} package paths correctly normalized`);
+	console.log("✓ Root package prioritized at top level, workspace version nested");
 });
 
 test("Compare generated shrinkwrap with expected result: package.a", async (t) => {