[pull] latest from npm:latest#14
Open
pull[bot] wants to merge 689 commits intoGraybar-codespace:latestfrom
Conversation
The pull request #14 has too many files changed.
We can only review pull requests with up to 300 changed files, and this pull request has 587.
## References

- Related to #4166
- [We've Moved! 🚚](https://github.com/npm/arborist/blob/main/README.md#weve-moved-)

---------

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Spelling errors hurt usability/readability

## References

---------

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Spelling errors hurt readability/usability.

## References

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Remove references to benchmarks workflow https://github.com/npm/benchmarks

> This repository was archived by the owner on Jul 1, 2024. It is now read-only.

## References

- Related to #7621

Signed-off-by: Josh Soref <2119212+jsoref@users.noreply.github.com>
Discovered while investigating #8535 (comment)

Similar to #8566, relates to #8184

Moves `inert` (uninstallable optional) calculation into `buildIdealTree` so it can be used in diff. Also removes most of #8184 in favor of a [simpler fix](https://github.com/npm/cli/pull/8602/files#diff-02626074e1a4a170693607e4a3a69dfc08ee52067734717833b22cf162923e07R354), see PR comments for the journey.

Improvements:

* we don't see uninstallable packages as "installed" in CLI output
* `createSparseTree` no longer creates dirs that will only be cleaned later

For the example in the linked issue, it changes output from `added 156 packages` to `added 12 packages` and combined with #8537 it changes to `added 6 packages`, the expected result.
Login urls have tokens in them and need to be shown to the user on stdout, especially if they have no browser and need to copy/paste. This builds off of #8587 and changes things to use proc-log's META notation, which is how this kind of info is sent.

---------

Co-authored-by: Jolyn <jolyndenning@gmail.com>
Fixes two typo-related bugs:

- ignoring bundled edges in the isolate reifier when assigning common properties in the tree
- propagating legacy peer deps in children when calculating place-dep.
…es (#8998)

Adds clarification about unsupported custom configuration keys in `.npmrc` starting in npm v11.2.0.

Explains:

- Why unknown keys produce warnings
- That only officially supported npm config keys are recognized
- How to use `package.json#config` for package-level configuration
- How to pass arguments using `--`
- Recommendation to use environment variables instead of custom `.npmrc` keys

Closes #8843
#8996)

We're looking at using `install-strategy=linked` in the [Gutenberg monorepo](https://github.com/WordPress/gutenberg) (~200 workspace packages), which powers the WordPress Block Editor. While [testing it in a PR](WordPress/gutenberg#75213), we ran into several issues with the linked strategy that this PR fixes.

## Summary

1. Scoped workspace packages were losing their `@scope/` prefix in `node_modules` because the symlink name came from the folder basename instead of the package name.
2. Aliased packages (e.g. `"prettier": "npm:custom-prettier@3.0.3"`) in workspace projects were getting symlinked under the real package name instead of the alias, so `require('prettier')` would fail.
3. With `legacy-peer-deps = true`, peer dependencies weren't being placed alongside packages in the store, so `require()` calls for peer deps failed from within the store.
4. With `strict-peer-deps = true`, the linked strategy could crash with `Cannot read properties of undefined` when store entries or parent nodes were missing for excluded peer deps.

## Root cause

`assignCommonProperties` was using a single `result.name` for both consumer-facing symlinks and store-internal paths. For workspaces, `node.name` comes from the folder basename (missing the scope). For aliases, `node.packageName` gives the real name but we need the alias for the consumer symlink.

Separately, `legacy-peer-deps` tells the arborist to skip creating peer dep edges entirely, so the isolated reifier never saw them and never placed them in the store. And `strict-peer-deps` can cause nodes to be excluded from the tree while still being referenced by edges, leading to undefined lookups.

## Changes

- Split proxy identity into `result.name` (consumer-facing: alias or scoped workspace name) and `result.packageName` (store-internal: real package name from `package.json`). Store paths (`getKey`, `treeHash`, `generateChild`, `processEdges`, `processDeps`) use `packageName`; consumer symlinks keep using `name`.
- When `legacyPeerDeps` is enabled, resolve missing peer dep edges from the tree via `node.resolve()` so they still get symlinked in the store.
- Guard against undefined `from` and `target` nodes in `processEdges`/`processDeps` to prevent crashes with `strict-peer-deps`.
- Guard `idealTree.children.get(ws)` in `reify.js` since the isolated tree uses an array for `children`, not a Map.
- Test fixture updates: `recursive: true` for `mkdirSync`, scoped workspace glob support.
- New tests for scoped workspace packages, aliased packages in workspaces, and peer deps with `legacyPeerDeps`.

## References

Fixes #6122
This pull request adds support for CircleCI as a provider of OpenID
Connect (OIDC) tokens in CI environments, alongside existing support for
GitHub Actions and GitLab. The implementation includes both code changes
to detect and handle CircleCI OIDC tokens and new tests to ensure
correct behavior.
## Usage
In your `.circleci/config.yml`:
```yaml
version: 2.1
jobs:
  publish:
    docker:
      - image: cimg/node:lts
    steps:
      - checkout
      - run:
          name: Publish to npm
          command: |
            NPM_AUDIENCE="npm:$(npm config get registry | sed 's|https\?://||;s|/$||')"
            # exported so the variable is visible to the npm child process
            export NPM_ID_TOKEN=$(circleci run oidc get --claims "{\"aud\": \"$NPM_AUDIENCE\"}")
            npm publish
workflows:
  publish:
    jobs:
      - publish
```
Note: Unlike GitHub Actions and GitLab, CircleCI requires manually
fetching the OIDC token with the correct audience claim using the
`circleci` CLI.
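The audience derivation and the `aud` claim are the parts of the CircleCI flow a job can get wrong silently. The following is an added example, not code from npm or from this PR: it derives the audience the same way the `sed` pipeline in the config does and sanity-checks the fetched token's claims before `npm publish` is invoked. Only the `NPM_ID_TOKEN` variable name and the `npm:<registry host>` audience form come from the usage snippet; the function names, the sample issuer and the sample token are constructed here. The decode deliberately does not verify the signature; that is the registry's job, and this check is only meant to fail fast on a wrong audience or an expired token.

```javascript
// Added example, not npm's code. Job-side sanity checks on the OIDC token a
// CircleCI job fetched before it is handed to `npm publish`.
// From the usage snippet above: NPM_ID_TOKEN and the "npm:<registry host>"
// audience form. Everything else here is constructed.

// Same derivation as the sed pipeline in the config: drop the scheme and any
// trailing slash, then prefix "npm:".
function npmAudience(registryUrl) {
  const host = registryUrl.replace(/^https?:\/\//, '').replace(/\/$/, '')
  return `npm:${host}`
}

// Parse the payload of a compact JWS WITHOUT checking its signature. This is
// a pre-flight check only; the registry verifies the signature against the
// provider's published keys. Never treat this decode as proof of identity.
function decodeClaims(jwt) {
  const parts = jwt.split('.')
  if (parts.length !== 3) throw new Error('not a compact JWS token')
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'))
}

// Returns a list of problems; an empty list means the token is plausibly
// usable against this registry. `now` (unix seconds) is injectable for tests.
function checkIdToken(env, registryUrl, now = Math.floor(Date.now() / 1000)) {
  const token = env.NPM_ID_TOKEN
  if (!token) return ['NPM_ID_TOKEN is not set (the fetch step must export it)']
  let claims
  try {
    claims = decodeClaims(token)
  } catch (e) {
    return [`malformed token: ${e.message}`]
  }
  const problems = []
  const want = npmAudience(registryUrl)
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud]
  if (!aud.includes(want)) {
    problems.push(`aud ${JSON.stringify(claims.aud)} does not include ${want}`)
  }
  if (typeof claims.exp !== 'number' || claims.exp <= now) {
    problems.push('token is expired or carries no exp claim')
  }
  if (typeof claims.iss !== 'string' || !claims.iss.startsWith('https://')) {
    problems.push('iss claim missing or not an https URL')
  }
  return problems
}

// Constructed sample token: real header/payload encoding, fake signature.
function makeUnsignedToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString('base64url')
  return `${enc({ alg: 'RS256', typ: 'JWT' })}.${enc(payload)}.FAKE_SIGNATURE`
}

const SAMPLE_ENV = {
  NPM_ID_TOKEN: makeUnsignedToken({
    iss: 'https://oidc.circleci.com/org/00000000-0000-0000-0000-000000000000', // constructed
    aud: 'npm:registry.npmjs.org',
    exp: 4102444800, // 2100-01-01T00:00:00Z, constructed
  }),
}
```

Calling `checkIdToken(SAMPLE_ENV, 'https://registry.npmjs.org/')` returns an empty list; pointing the same token at a different registry URL returns a single `aud ...` problem, which is the mismatch that otherwise only surfaces as a rejected publish.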
This pull request adds support for CircleCI as a trusted provider in the trust command system. The changes introduce a new `circleci` subcommand, implement its logic for validating and processing CircleCI-specific trust relationships, and update documentation and tests to reflect the new functionality.
Fixes #8892 Older packages on the registry use the deprecated `licenses` array (`"licenses": [{"type": "MIT", ...}]`) instead of the singular `license` string. `npm sbom` only checked for `license`, so these packages all showed up as `NOASSERTION`. This checks for the `licenses` array as a fallback in both the SPDX and CycloneDX codepaths. When there are multiple entries they're joined with ` OR `. Also noticed the CycloneDX expression branch was referencing `node.package.license` directly instead of the already-computed variable, which would break for these legacy packages. Fixed that too.
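The following is an added example, not npm's `sbom` code, showing the fallback order the message describes over constructed manifests: the `license` string first, then the deprecated `licenses` array joined with ` OR `, otherwise `NOASSERTION`. It goes one step beyond the message by also accepting the old `license: { type }` object form, and it builds the CycloneDX entry from the computed value rather than from `pkg.license`, which is the second bug the message mentions. The function names, the manifests and the CycloneDX entry shape are assumptions made here.

```javascript
// Added example, not npm's own code. License extraction with the legacy
// `licenses` fallback, run over constructed package manifests.

function licenseFor(pkg) {
  // Modern form: "license": "MIT" (an SPDX identifier or expression).
  if (typeof pkg.license === 'string' && pkg.license.trim()) return pkg.license.trim()
  // Old object form: "license": { "type": "MIT", "url": "..." } (extra here).
  if (pkg.license && typeof pkg.license.type === 'string') return pkg.license.type
  // Deprecated array form: "licenses": [{ "type": "MIT" }, { "type": "Apache-2.0" }].
  if (Array.isArray(pkg.licenses)) {
    const types = pkg.licenses
      .map((l) => (typeof l === 'string' ? l : l && l.type))
      .filter((t) => typeof t === 'string' && t.trim())
    if (types.length) return types.join(' OR ')
  }
  // SPDX value for "no license claim made"; the value the message quotes.
  return 'NOASSERTION'
}

// CycloneDX component `licenses` entry. Built from the computed value, never
// from pkg.license directly, so legacy manifests do not break the expression
// branch. The entry shape is chosen here for illustration.
function cycloneDxLicenses(pkg) {
  const lic = licenseFor(pkg)
  if (lic === 'NOASSERTION') return []
  const isExpression = /\s(OR|AND|WITH)\s|\(/.test(lic)
  return isExpression ? [{ expression: lic }] : [{ license: { id: lic } }]
}

// Constructed manifests covering each shape.
const MANIFESTS = {
  modern: { name: 'modern', version: '1.0.0', license: 'MIT' },
  legacyObject: { name: 'legacy-object', version: '0.1.0', license: { type: 'BSD-3-Clause', url: 'https://example.invalid/license' } },
  legacyArray: { name: 'legacy-array', version: '0.0.1', licenses: [{ type: 'MIT' }, { type: 'Apache-2.0' }] },
  none: { name: 'none', version: '0.0.0' },
}

// Convenience for a whole dependency list: name -> license string.
function licenseTable(manifests) {
  return Object.fromEntries(Object.values(manifests).map((p) => [p.name, licenseFor(p)]))
}
```

With the fallback in place the `legacy-array` manifest reports `MIT OR Apache-2.0` instead of `NOASSERTION`, which is what an SBOM consumer doing license policy checks actually needs.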
) Continuing the `install-strategy=linked` fixes from #8996. While testing on the [Gutenberg monorepo](WordPress/gutenberg#75814), `esbuild` installs fail because its postinstall script runs twice in parallel against the same store directory.

## Summary

With `install-strategy=linked`, postinstall scripts run twice for every store package — once for the store entry and once for its symlink. For packages like `esbuild` whose postinstall modifies files in-place (`fs.linkSync` to replace the JS wrapper with a native binary), this race condition corrupts the install.

## Root cause

In `rebuild.js`, `#runScripts` destructures `isStoreLink` from `node.target` (the store entry) to decide whether to skip a node. But `isStoreLink` is a property of the link node itself (`node`), not its target. Store entries don't have `isStoreLink`, so it's always `undefined` and the guard never triggers. Both the store entry and the store link run scripts against the same directory in parallel.

## Changes

- Fixed the skip condition in `rebuild.js` `#runScripts` to use `node.isLink && node.target?.isInStore` instead of reading `isStoreLink` from `node.target`. This correctly skips store links (symlinks pointing to store entries) while still allowing workspace links and store entries themselves to run scripts.
- Added a regression test that verifies postinstall scripts run exactly once for store packages.

## References

Fixes #9012
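The following is an added example, not code from npm or from this commit. It models the guard from the message over a constructed tree of three nodes (a store entry, the store link pointing at it, and a workspace link) and counts postinstall runs per real directory under the buggy and the fixed condition. The node shape only borrows the property names the message uses (`isLink`, `target`, `isInStore`, `isStoreLink`); the paths and the `runPostinstall` simulation are assumptions made here.

```javascript
// Added example, not npm's code. Store-link skip guard from the commit
// message, exercised on a constructed tree.

// Constructed nodes. The store entry is a real directory; the store link is
// a symlink to it; the workspace link points at a source directory.
const storeEntry = {
  path: 'node_modules/.store/esbuild@0.0.0/node_modules/esbuild', // constructed
  isLink: false,
  isInStore: true,
}
const storeLink = {
  path: 'node_modules/esbuild',
  isLink: true,
  isStoreLink: true, // lives on the link node, not on its target
  target: storeEntry,
}
const workspaceLink = {
  path: 'node_modules/@acme/ui', // constructed
  isLink: true,
  target: { path: 'packages/ui', isLink: false, isInStore: false },
}
const TREE = [storeEntry, storeLink, workspaceLink]

// Buggy guard: reads isStoreLink off the target. Store entries never carry
// it, so this is always undefined and nothing is ever skipped.
function skipBuggy(node) {
  const { isStoreLink } = node.target || {}
  return Boolean(isStoreLink)
}

// Fixed guard: skip a link whose target lives in the store. Store entries
// (not links) and workspace links (target not in store) still run.
function skipFixed(node) {
  return Boolean(node.isLink && node.target?.isInStore)
}

// Simulate #runScripts: count how many times each real directory would have
// its postinstall executed. A count of 2 is the parallel double run that
// corrupts in-place postinstalls.
function runPostinstall(nodes, shouldSkip) {
  const runs = new Map()
  for (const node of nodes) {
    if (shouldSkip(node)) continue
    const dir = node.isLink ? node.target.path : node.path
    runs.set(dir, (runs.get(dir) || 0) + 1)
  }
  return runs
}

// Returns the directories that would run more than once under a guard.
function doubleRuns(nodes, shouldSkip) {
  return [...runPostinstall(nodes, shouldSkip)].filter(([, n]) => n > 1).map(([dir]) => dir)
}
```

`doubleRuns(TREE, skipBuggy)` lists the store directory, `doubleRuns(TREE, skipFixed)` is empty, and the workspace package runs exactly once under both, which is the behaviour the regression test in the commit is checking for.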
npm audit signatures fails when a registry only uses keyless (Sigstore/Fulcio) attestations and doesn't provide registry signing keys. The [`auditedWithKeysCount` guard in verify-signatures.js](https://github.com/npm/cli/blob/latest/lib/utils/verify-signatures.js#L48) treats any registry without keys as unsupported, even though keyless attestations don't need registry keys at all -- the signing certificate is embedded directly in the bundle and verified through Sigstore's TUF root of trust.

This updates the check to also accept verified keyless attestations as a valid audit result, so registries that exclusively use Fulcio-based signing (like Chainguard) work correctly with npm audit signatures.

Before this change:

```
npm error found no dependencies to audit that were installed from a supported registry
```

After:

```
audited 1 package in 1s
1 package has a verified attestation
```

This change works together with the corresponding pacote fixes ([pacote/pull/454](npm/pacote#454), [pacote/pull/452](npm/pacote#452)), which allow keyless attestation bundles to pass the registry key matching check.
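The following is an added example, not code from npm or from this commit. It models the audit decision the message describes over constructed per-package verification records: before the fix only packages from a registry that publishes signing keys count as auditable, after it a package whose keyless attestation verified counts too. Only the error string is taken from the message; the record field names, registry hosts and package names are assumptions made here.

```javascript
// Added example, not npm's code. Audit summary decision with and without
// acceptance of verified keyless attestations, over constructed records.

// Error text quoted in the commit message.
const NO_SUPPORTED_REGISTRY =
  'found no dependencies to audit that were installed from a supported registry'

// Constructed records: one package from a keyless-only registry, one from a
// registry with signing keys, and one whose signature failed to verify.
const RECORDS = [
  { name: 'keyless-pkg', registry: 'https://registry.keyless.example/', registryHasKeys: false,
    keyless: true, attestationVerified: true, signatureVerified: false },
  { name: 'signed-pkg', registry: 'https://registry.npmjs.org/', registryHasKeys: true,
    keyless: false, attestationVerified: false, signatureVerified: true },
  { name: 'broken-pkg', registry: 'https://registry.npmjs.org/', registryHasKeys: true,
    keyless: false, attestationVerified: false, signatureVerified: false },
]

// A record comes from a "supported" registry when the registry publishes
// signing keys, or (with the fix) when its keyless attestation verified
// through the Sigstore trust root. An unverified keyless bundle is never
// enough on its own.
function isSupported(r, acceptKeyless) {
  return r.registryHasKeys || (acceptKeyless && r.keyless && r.attestationVerified)
}

// Throws the "no dependencies to audit" error when nothing counts as
// auditable, otherwise returns the counts a summary line would print.
function summarizeAudit(records, { acceptKeyless }) {
  const audited = records.filter((r) => isSupported(r, acceptKeyless))
  if (audited.length === 0) throw new Error(NO_SUPPORTED_REGISTRY)
  return {
    audited: audited.length,
    verifiedSignatures: audited.filter((r) => r.signatureVerified).length,
    verifiedAttestations: audited.filter((r) => r.attestationVerified).length,
    // Auditable packages that verified nothing: the ones worth a closer look.
    unverified: audited
      .filter((r) => !r.signatureVerified && !r.attestationVerified)
      .map((r) => r.name),
  }
}

// The situation in the message: a lockfile whose only package came from a
// keyless-only registry.
const KEYLESS_ONLY = RECORDS.filter((r) => r.keyless)
```

`summarizeAudit(KEYLESS_ONLY, { acceptKeyless: false })` throws the quoted error, while `summarizeAudit(KEYLESS_ONLY, { acceptKeyless: true })` reports one audited package with one verified attestation, matching the before/after output above. Run over all three records it also surfaces `broken-pkg` as unverified, which the guard change does not hide.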
See Commits and Changes for more details.
Created by
pull[bot]
Can you help keep this open source service alive? 💖 Please sponsor : )