1// The arborist manages three trees: 2// - actual 3// - virtual 4// - ideal 5// 6// The actual tree is what's present on disk in the node_modules tree 7// and elsewhere that links may extend. 8// 9// The virtual tree is loaded from metadata (package.json and lock files). 10// 11// The ideal tree is what we WANT that actual tree to become. This starts 12// with the virtual tree, and then applies the options requesting 13// add/remove/update actions. 14// 15// To reify a tree, we calculate a diff between the ideal and actual trees, 16// and then turn the actual tree into the ideal tree by taking the actions 17// required. At the end of the reification process, the actualTree is 18// updated to reflect the changes. 19// 20// Each tree has an Inventory at the root. Shrinkwrap is tracked by Arborist 21// instance. It always refers to the actual tree, but is updated (and written 22// to disk) on reification. 23 24// Each of the mixin "classes" adds functionality, but are not dependent on 25// constructor call order. So, we just load them in an array, and build up 26// the base class, so that the overall voltron class is easier to test and 27// cover, and separation of concerns can be maintained. 28 29const { resolve } = require('path') 30const { homedir } = require('os') 31const { depth } = require('treeverse') 32const mapWorkspaces = require('@npmcli/map-workspaces') 33const log = require('proc-log') 34 35const { saveTypeMap } = require('../add-rm-pkg-deps.js') 36const AuditReport = require('../audit-report.js') 37const relpath = require('../relpath.js') 38 39const mixins = [ 40 require('../tracker.js'), 41 require('./build-ideal-tree.js'), 42 require('./load-actual.js'), 43 require('./load-virtual.js'), 44 require('./rebuild.js'), 45 require('./reify.js'), 46 require('./isolated-reifier.js'), 47] 48 49const _setWorkspaces = Symbol.for('setWorkspaces') 50const Base = mixins.reduce((a, b) => b(a), require('events')) 51 52// if it's 1, 2, or 3, set it explicitly that. 53// if undefined or null, set it null 54// otherwise, throw. 55const lockfileVersion = lfv => { 56 if (lfv === 1 || lfv === 2 || lfv === 3) { 57 return lfv 58 } 59 60 if (lfv === undefined || lfv === null) { 61 return null 62 } 63 64 throw new TypeError('Invalid lockfileVersion config: ' + lfv) 65} 66 67class Arborist extends Base { 68 constructor (options = {}) { 69 process.emit('time', 'arborist:ctor') 70 super(options) 71 this.options = { 72 nodeVersion: process.version, 73 ...options, 74 Arborist: this.constructor, 75 binLinks: 'binLinks' in options ? !!options.binLinks : true, 76 cache: options.cache || `${homedir()}/.npm/_cacache`, 77 force: !!options.force, 78 global: !!options.global, 79 ignoreScripts: !!options.ignoreScripts, 80 installStrategy: options.global ? 'shallow' : (options.installStrategy ? options.installStrategy : 'hoisted'), 81 lockfileVersion: lockfileVersion(options.lockfileVersion), 82 packumentCache: options.packumentCache || new Map(), 83 path: options.path || '.', 84 rebuildBundle: 'rebuildBundle' in options ? !!options.rebuildBundle : true, 85 replaceRegistryHost: options.replaceRegistryHost, 86 scriptShell: options.scriptShell, 87 workspaces: options.workspaces || [], 88 workspacesEnabled: options.workspacesEnabled !== false, 89 } 90 // TODO is this even used? If not is that a bug? 91 this.replaceRegistryHost = this.options.replaceRegistryHost = 92 (!this.options.replaceRegistryHost || this.options.replaceRegistryHost === 'npmjs') ? 93 'registry.npmjs.org' : this.options.replaceRegistryHost 94 95 if (options.saveType && !saveTypeMap.get(options.saveType)) { 96 throw new Error(`Invalid saveType ${options.saveType}`) 97 } 98 this.cache = resolve(this.options.cache) 99 this.path = resolve(this.options.path) 100 process.emit('timeEnd', 'arborist:ctor') 101 } 102 103 // TODO: We should change these to static functions instead 104 // of methods for the next major version 105 106 // Get the actual nodes corresponding to a root node's child workspaces, 107 // given a list of workspace names. 108 workspaceNodes (tree, workspaces) { 109 const wsMap = tree.workspaces 110 if (!wsMap) { 111 log.warn('workspaces', 'filter set, but no workspaces present') 112 return [] 113 } 114 115 const nodes = [] 116 for (const name of workspaces) { 117 const path = wsMap.get(name) 118 if (!path) { 119 log.warn('workspaces', `${name} in filter set, but not in workspaces`) 120 continue 121 } 122 123 const loc = relpath(tree.realpath, path) 124 const node = tree.inventory.get(loc) 125 126 if (!node) { 127 log.warn('workspaces', `${name} in filter set, but no workspace folder present`) 128 continue 129 } 130 131 nodes.push(node) 132 } 133 134 return nodes 135 } 136 137 // returns a set of workspace nodes and all their deps 138 // TODO why is includeWorkspaceRoot a param? 139 // TODO why is workspaces a param? 140 workspaceDependencySet (tree, workspaces, includeWorkspaceRoot) { 141 const wsNodes = this.workspaceNodes(tree, workspaces) 142 if (includeWorkspaceRoot) { 143 for (const edge of tree.edgesOut.values()) { 144 if (edge.type !== 'workspace' && edge.to) { 145 wsNodes.push(edge.to) 146 } 147 } 148 } 149 const wsDepSet = new Set(wsNodes) 150 const extraneous = new Set() 151 for (const node of wsDepSet) { 152 for (const edge of node.edgesOut.values()) { 153 const dep = edge.to 154 if (dep) { 155 wsDepSet.add(dep) 156 if (dep.isLink) { 157 wsDepSet.add(dep.target) 158 } 159 } 160 } 161 for (const child of node.children.values()) { 162 if (child.extraneous) { 163 extraneous.add(child) 164 } 165 } 166 } 167 for (const extra of extraneous) { 168 wsDepSet.add(extra) 169 } 170 171 return wsDepSet 172 } 173 174 // returns a set of root dependencies, excluding dependencies that are 175 // exclusively workspace dependencies 176 excludeWorkspacesDependencySet (tree) { 177 const rootDepSet = new Set() 178 depth({ 179 tree, 180 visit: node => { 181 for (const { to } of node.edgesOut.values()) { 182 if (!to || to.isWorkspace) { 183 continue 184 } 185 for (const edgeIn of to.edgesIn.values()) { 186 if (edgeIn.from.isRoot || rootDepSet.has(edgeIn.from)) { 187 rootDepSet.add(to) 188 } 189 } 190 } 191 return node 192 }, 193 filter: node => node, 194 getChildren: (node, tree) => 195 [...tree.edgesOut.values()].map(edge => edge.to), 196 }) 197 return rootDepSet 198 } 199 200 async [_setWorkspaces] (node) { 201 const workspaces = await mapWorkspaces({ 202 cwd: node.path, 203 pkg: node.package, 204 }) 205 206 if (node && workspaces.size) { 207 node.workspaces = workspaces 208 } 209 210 return node 211 } 212 213 async audit (options = {}) { 214 this.addTracker('audit') 215 if (this.options.global) { 216 throw Object.assign( 217 new Error('`npm audit` does not support testing globals'), 218 { code: 'EAUDITGLOBAL' } 219 ) 220 } 221 222 // allow the user to set options on the ctor as well. 223 // XXX: deprecate separate method options objects. 224 options = { ...this.options, ...options } 225 226 process.emit('time', 'audit') 227 let tree 228 if (options.packageLock === false) { 229 // build ideal tree 230 await this.loadActual(options) 231 await this.buildIdealTree() 232 tree = this.idealTree 233 } else { 234 tree = await this.loadVirtual() 235 } 236 if (this.options.workspaces.length) { 237 options.filterSet = this.workspaceDependencySet( 238 tree, 239 this.options.workspaces, 240 this.options.includeWorkspaceRoot 241 ) 242 } 243 if (!options.workspacesEnabled) { 244 options.filterSet = 245 this.excludeWorkspacesDependencySet(tree) 246 } 247 this.auditReport = await AuditReport.load(tree, options) 248 const ret = options.fix ? this.reify(options) : this.auditReport 249 process.emit('timeEnd', 'audit') 250 this.finishTracker('audit') 251 return ret 252 } 253} 254 255module.exports = Arborist 256