fix: visibility enforcement for local package deps (aspect-build#2357)

### Changes are visible to end-users: no

### Test plan

- New test cases added

Fixes: aspect-build#2345

Author: Mivr

.aspect/workflows/config.yaml

@@ -125,6 +125,8 @@ workspaces:
                   without: true
             - buildifier:
                   without: true
+    # No test targets. Requires running test.sh.
+    # e2e/npm_translate_lock_package_visibility:
     e2e/npm_translate_lock_subdir_patch:
         icon: npm
         tasks:

.github/workflows/ci.yaml

@@ -56,6 +56,7 @@ jobs:
                     e2e/npm_translate_package_lock
                     e2e/npm_translate_yarn_lock
                     e2e/npm_translate_lock_exclude_package_contents
+                    e2e/npm_translate_lock_package_visibility
                     e2e/package_json_module
                     e2e/patch_from_repo
                     e2e/pnpm_lockfiles

MODULE.bazel

@@ -235,8 +235,16 @@ npm.npm_translate_lock(
     },
     npmrc = "//:.npmrc",
     package_visibility = {
-        "unused": ["//visibility:private"],
-        "@mycorp/pkg-a": ["//examples:__subpackages__"],
+        "unused": ["//npm/private/test:__subpackages__"],
+        "@mycorp/pkg-a": [
+            "//examples:__subpackages__",
+            "//js/private/test/image:__subpackages__",
+        ],
+        "@mycorp/pkg-d": [
+            "//examples:__subpackages__",
+            "//js/private/test/image:__subpackages__",
+        ],
+        "@mycorp/pkg-e": ["//examples:__subpackages__"],
     },
     pnpm_lock = "//:pnpm-lock.yaml",
     public_hoist_packages = {

e2e/npm_translate_lock_package_visibility/.bazelignore

@@ -0,0 +1,4 @@
+node_modules
+packages/from-local/node_modules
+packages/from-root/node_modules
+packages/some-dep/node_modules

e2e/npm_translate_lock_package_visibility/.bazelrc

@@ -0,0 +1 @@
+import %workspace%/../../tools/preset.bazelrc

e2e/npm_translate_lock_package_visibility/.bazelversion

@@ -0,0 +1 @@
+../../.bazelversion

e2e/npm_translate_lock_package_visibility/.npmrc

@@ -0,0 +1 @@
+# Test npmrc file for visibility test

e2e/npm_translate_lock_package_visibility/BUILD.bazel

@@ -0,0 +1,17 @@
+load("@npm//:defs.bzl", "npm_link_all_packages")
+
+npm_link_all_packages(name = "node_modules")
+
+# Simple test to make bazel test //... pass
+# The real visibility enforcement test is in test.sh
+sh_test(
+    name = "placeholder_test",
+    srcs = ["test_placeholder.sh"],
+)
+
+# Create a simple passing test script
+genrule(
+    name = "generate_placeholder_test",
+    outs = ["test_placeholder.sh"],
+    cmd = "echo '#!/bin/bash\necho \"Placeholder test passed\"\nexit 0' > $@",
+)

e2e/npm_translate_lock_package_visibility/MODULE.bazel

@@ -0,0 +1,26 @@
+bazel_dep(name = "aspect_rules_js", version = "0.0.0", dev_dependency = True)
+local_path_override(
+    module_name = "aspect_rules_js",
+    path = "../..",
+)
+
+npm = use_extension(
+    "@aspect_rules_js//npm:extensions.bzl",
+    "npm",
+    dev_dependency = True,
+)
+npm.npm_translate_lock(
+    name = "npm",
+    data = [
+        "//:package.json",
+        "//packages/from-local:package.json",
+        "//packages/some-dep:package.json",
+    ],
+    npmrc = "//:.npmrc",
+    package_visibility = {
+        "some-dep": ["//visibility:public"],  # Public by default for CI, test.sh will make it private
+    },
+    pnpm_lock = "//:pnpm-lock.yaml",
+    verify_node_modules_ignored = "//:.bazelignore",
+)
+use_repo(npm, "npm")

e2e/npm_translate_lock_package_visibility/README.md

@@ -0,0 +1,15 @@
+# Test coverage for package_visibility enforcement in npm_translate_lock
+
+This test validates that `package_visibility` restrictions are properly enforced for workspace packages when using local node_modules references (`:node_modules/package`).
+
+## Bug Description
+
+Previously, workspace packages could bypass `package_visibility` restrictions by referencing packages locally (`:node_modules/some-dep`) instead of from the root (`//:node_modules/some-dep`). This security issue allowed unauthorized access to restricted packages.
+
+## Test Validation
+
+The test attempts to build `//packages/from-local:from_local_lib` which references `:node_modules/some-dep` locally. This should fail with a visibility error because `some-dep` is restricted to `//packages/from-root:__subpackages__` only.
+
+## Expected Behavior
+
+With the fix, local references create aliases that delegate to root targets, ensuring Bazel's visibility system is properly enforced regardless of reference style.