feat: .npm-extension transformManifest for imperative manifest repairs (#9586)

Implements the accepted RFC
[npm/rfcs#903](npm/rfcs#903): a root-owned
`.npm-extension.mjs` / `.npm-extension.cjs` file exporting
`transformManifest(pkg, context)` that imperatively repairs third-party
dependency manifests **before** Arborist finalizes the ideal tree. It is
the imperative counterpart to [`packageExtensions`
(#9496)](#9496) and operates in the same
pre-resolution phase, running **before** `packageExtensions`.

```js
// .npm-extension.mjs
export function transformManifest(pkg, context) {
  if (pkg.name === "foo" && pkg.version.startsWith("1.")) {
    pkg.dependencies = { ...pkg.dependencies, bar: "^2.0.0" };
    context.log("added bar to foo@1");
  }
  return pkg;
}
```

## Why

`packageExtensions` is declarative JSON: it cannot carry comments or
issue links, repeats itself across many packages, is add-only, and lives
in `package.json` (so public packages cannot publish while it is
present). `.npm-extension` covers the gap for advanced projects that
need conditional repairs, deletion, range rewrites, repeated rules
expressed as code, stale-repair guards, and a policy location outside
the published manifest.

## What it does

- **Discovery** — one root `.npm-extension.mjs` or `.npm-extension.cjs`
(both present is an error). The `extension-file` config overrides
discovery with a project-local path that must resolve inside the project
root and use `.mjs`/`.cjs`.
- **`transformManifest(pkg, context)`** — receives a deeply isolated
copy of the normalized manifest; `context` exposes `log`, `root`, and
`extensionPoint`. Must return a manifest synchronously;
`null`/primitive/array/promise returns and throws fail the install with
a `.npm-extension`-named error.
- **Allowlist** — only `dependencies`, `optionalDependencies`,
`peerDependencies`, and `peerDependenciesMeta` may change (add, replace,
or delete). Any other changed field (`scripts`, `bin`, …) is rejected.
pacote's cached manifest is never mutated.
- **Caching** — runs at most once per resolved package identity
(integrity, else resolved source + name@version); the entry file is
hash-keyed so a changed file is reloaded rather than served stale from
the module cache.
- **Lockfile** — the root entry records `npmExtensionHash` (a
format-tagged digest of the file bytes); affected entries record minimal
`npmExtensionApplied` provenance. Extension state reuses the existing
`lockfileVersion: 4` threshold.
- **Re-resolution** — changing or removing the file re-resolves the
affected packages on the next `npm install`, reverting transforms that
no longer apply.
- **`npm ci`** — never imports or executes the file; it validates the
recorded hash and reifies the locked graph (which already carries the
extension-influenced edges).
- **Configs** — `ignore-extension` disables import/execution;
`ignore-scripts` implies it; `extension-file` is honored only from
project config or the command line, never from user/global/builtin
sources.
- **Workspaces** — a `.npm-extension` file in a non-root workspace is
ignored with a warning; only the workspace root's file is honored.
- **Visibility** — `npm explain` annotates extension-changed edges and
`npm ls` (human + `--json`) surfaces the provenance.
- **Publish** — companion change in `npm-packlist` force-excludes root
`.npm-extension.{mjs,cjs}` from package tarballs.

## Companion change

Requires
[npm/npm-packlist#294](npm/npm-packlist#294) to
exclude root `.npm-extension.{mjs,cjs}` from tarballs. `pacote`/CLI will
pick this up via a version bump once that publishes.

## Notes / out of scope for this PR

One item is deferred for a genuine structural reason the RFC itself
flags:

- **Local `file:`/`link:`/directory sources.** `transformManifest`
applies to fetched manifests (registry, git, remote tarball, `file:`
tarballs) and is re-derived on the installed tree across all install
strategies including `install-strategy=linked`. It is **not yet**
applied to local sources that create `Link` nodes directly and bypass
the fetch phase — the RFC flags this as net-new wiring ("npm must add an
analogous pre-edge-read transform path for the `Link` target").
Follow-up.

## References

Implements npm/rfcs#903
Builds on #9496
Companion: npm/npm-packlist#294

Author: manzoorwanijk

docs/lib/build.js

@@ -107,6 +107,7 @@ const generateNav = async (contentPath, navPath) => {
     '/configuring-npm/npmrc',
     '/configuring-npm/package-json',
     '/configuring-npm/package-lock-json',
+    '/configuring-npm/npm-extension',
   ]
 
   // Hardcoded order for using-npm section (only urls - title/description come from frontmatter)

docs/lib/content/configuring-npm/npm-extension.md

@@ -0,0 +1,90 @@
+---
+title: .npm-extension
+section: 5
+description: Imperative, root-owned manifest repairs
+---
+
+### Description
+
+A root-owned `.npm-extension.mjs` or `.npm-extension.cjs` file lets a project imperatively repair the manifests of third-party dependencies before npm resolves the dependency tree. It exports a `transformManifest(pkg, context)` function that receives a candidate dependency manifest and returns the effective manifest npm should use.
+
+`.npm-extension` is the imperative counterpart to the declarative [`packageExtensions`](/configuring-npm/package-json#packageextensions) field, and runs in the same pre-resolution phase, **before** `packageExtensions`. Prefer `packageExtensions` for simple, data-only repairs; reach for `.npm-extension` when you need comments and links explaining a repair, conditional logic, repeated repairs expressed as code, deletion or range rewrites, stale-repair guards, or a policy location outside `package.json`.
+
+### Example
+
+```js
+// .npm-extension.mjs
+export function transformManifest (pkg, context) {
+  if (pkg.name === 'foo' && pkg.version.startsWith('1.')) {
+    pkg.dependencies = { ...pkg.dependencies, bar: '^2.0.0' }
+    context.log(`added bar to ${pkg.name}@${pkg.version}`)
+  }
+  return pkg
+}
+```
+
+The `.cjs` form uses CommonJS exports instead:
+
+```js
+// .npm-extension.cjs
+module.exports = {
+  transformManifest (pkg, context) {
+    return pkg
+  },
+}
+```
+
+### The `transformManifest` function
+
+`transformManifest(pkg, context)` receives a deeply isolated copy of a candidate dependency manifest. It may mutate and return that copy, or return a new manifest object. It **must** return a manifest object synchronously; returning `null`, `undefined`, a primitive, an array, or a promise fails the install.
+
+The `context` argument is intentionally small:
+
+* `context.log(message)` writes an npm debug log message.
+* `context.root` is the absolute path to the project root.
+* `context.extensionPoint` is the string `"transformManifest"`.
+
+npm provides no registry, fetch, lockfile, or extraction helpers. Keep the extension file self-contained or limited to Node builtins; npm does not guarantee that project dependencies are available when the file is loaded.
+
+### Supported mutations
+
+Only the four resolution-affecting fields may change:
+
+* `dependencies`
+* `optionalDependencies`
+* `peerDependencies`
+* `peerDependenciesMeta`
+
+Within those fields you may add, replace, or delete entries. Changing any other field (such as `scripts`, `bin`, `engines`, `os`, `cpu`, `exports`, or `main`) is rejected, and the install fails with an error naming `.npm-extension` and the package being processed. The package tarball and the installed `node_modules/<pkg>/package.json` are never rewritten.
+
+### Discovery and `extension-file`
+
+npm looks for a single `.npm-extension.mjs` or `.npm-extension.cjs` at the project root (the workspace root in a workspace project). Having both files present is an error. A `.npm-extension` file in a dependency or in a non-root workspace is ignored; a non-root workspace file produces a warning.
+
+The [`extension-file`](/using-npm/config#extension-file) config selects a different project-local file. It must resolve inside the project root and use a `.mjs` or `.cjs` extension, and it is honored only from project config or the command line — never from user, global, or builtin config.
+
+### Interaction with `packageExtensions` and `overrides`
+
+When both are present, `transformManifest` runs first and `packageExtensions` is applied to its output. Avoid targeting the same package with both unless you intend to rely on that ordering. `overrides` still controls the final resolution target of any edge, including edges created by `transformManifest`.
+
+### Lockfile and `npm ci`
+
+A lockfile influenced by `.npm-extension` records an `npmExtensionHash` (a digest of the selected file's bytes and module format) on its root entry, and minimal `npmExtensionApplied` provenance on each affected package entry. Extension state requires `lockfileVersion: 4`.
+
+Changing the file's contents makes `npm install` re-resolve the affected packages. `npm ci` does **not** import or execute `.npm-extension`; it verifies the recorded hash against the file and reifies the locked graph, failing if the file and lockfile disagree (or if one has extension state and the other does not).
+
+The hash proves only that the install uses the same extension file bytes that generated the lockfile. It does not make arbitrary JavaScript deterministic: extension output that depends on environment variables, the network, the clock, or files imported by the extension can still produce non-reproducible installs. Treat `.npm-extension` as trusted, deterministic project code, and only enable it in repositories you trust.
+
+### Disabling
+
+Set [`ignore-extension`](/using-npm/config#ignore-extension) to skip importing and executing `.npm-extension`. [`ignore-scripts`](/using-npm/config#ignore-scripts) implies `ignore-extension`, since both disable root-owned install-time code. `npm ci` still verifies the file hash even when execution is disabled.
+
+### Publishing
+
+`.npm-extension.mjs` and `.npm-extension.cjs` are project configuration, not package contents. npm excludes the root file from the package tarball produced by `npm pack` and `npm publish`, even when the package's `files` list would include it, so a public package can keep `.npm-extension` in its repository for local use without publishing it.
+
+### See also
+
+* [package.json `packageExtensions`](/configuring-npm/package-json#packageextensions)
+* [package-lock.json](/configuring-npm/package-lock-json)
+* [config](/using-npm/config)

docs/lib/content/nav.yml

@@ -232,6 +232,9 @@
   - title: package-lock.json
     url: /configuring-npm/package-lock-json
     description: A manifestation of the manifest
+  - title: .npm-extension
+    url: /configuring-npm/npm-extension
+    description: Imperative, root-owned manifest repairs
 - title: Using npm
   shortName: Using
   url: /using-npm

lib/commands/ci.js

@@ -6,7 +6,7 @@ const fs = require('node:fs/promises')
 const path = require('node:path')
 const { log, time } = require('proc-log')
 const validateLockfile = require('../utils/validate-lockfile.js')
-const { validatePackageExtensions } = require('../utils/validate-lockfile.js')
+const { validatePackageExtensions, validateNpmExtension } = require('../utils/validate-lockfile.js')
 const ArboristWorkspaceCmd = require('../arborist-cmd.js')
 const getWorkspaces = require('../utils/get-workspaces.js')
 
@@ -66,6 +66,9 @@ class CI extends ArboristWorkspaceCmd {
       save: false, // npm ci should never modify the lockfile or package.json
       workspaces: this.workspaceNames,
       allowScripts: allowScriptsPolicy,
+      // npm ci reifies the locked graph, which already carries extension-influenced edges, so it must never import or execute .npm-extension.
+      // The extension file hash is still validated below, independent of execution.
+      ignoreExtension: true,
     }
 
     // generate an inventory from the virtual tree in the lockfile
@@ -92,6 +95,16 @@ class CI extends ArboristWorkspaceCmd {
     const errors = validateLockfile(virtualInventory, arb.idealTree.inventory)
     // Verifies that the root packageExtensions state matches the lockfile and is still consistent with the locked tree.
     errors.push(...validatePackageExtensions(virtualArb.virtualTree, arb.idealTree))
+    // Verifies that the root .npm-extension file matches the lockfile hash.
+    // The hash comes from discovering the file (no import or execution), so this holds even under ignore-extension/ignore-scripts.
+    const { NpmExtension } = require('@npmcli/arborist')
+    let fileHash = null
+    try {
+      fileHash = new NpmExtension({ root: where, extensionFile: opts.extensionFile }).hash
+    } catch (err) {
+      errors.push(`Invalid: ${err.message}`)
+    }
+    errors.push(...validateNpmExtension(virtualArb.virtualTree, fileHash))
     if (errors.length) {
       throw this.usageError(
         '`npm ci` can only install packages when your package.json and package-lock.json are in sync. ' +

lib/commands/ls.js

@@ -278,8 +278,8 @@ const augmentItemWithIncludeMetadata = (node, item) => {
   return item
 }
 
-// Render a node's packageExtensions provenance as a short "field.name" list, empty when none.
-const formatPackageExtensions = (applied) => {
+// Render a manifest-extension provenance object as a short "field.name" list, empty when none.
+const formatExtensionApplied = (applied) => {
   if (!applied) {
     return ''
   }
@@ -354,8 +354,13 @@ const getHumanOutputItem = (node, { args, chalk, global, long }) => {
         : ''
     ) +
     (
-      formatPackageExtensions(node.packageExtensionsApplied)
-        ? ' ' + chalk.dim(`packageExtensions: ${formatPackageExtensions(node.packageExtensionsApplied)}`)
+      formatExtensionApplied(node.packageExtensionsApplied)
+        ? ' ' + chalk.dim(`packageExtensions: ${formatExtensionApplied(node.packageExtensionsApplied)}`)
+        : ''
+    ) +
+    (
+      formatExtensionApplied(node.npmExtensionApplied)
+        ? ' ' + chalk.dim(`.npm-extension: ${formatExtensionApplied(node.npmExtensionApplied)}`)
         : ''
     ) +
     (isGitNode(node) ? ` (${node.resolved})` : '') +
@@ -386,6 +391,10 @@ const getJsonOutputItem = (node, { global, long }) => {
     item.packageExtensionsApplied = node.packageExtensionsApplied
   }
 
+  if (node.npmExtensionApplied) {
+    item.npmExtensionApplied = node.npmExtensionApplied
+  }
+
   item[_name] = node.name
 
   // special formatting for top-level package name

lib/npm.js

@@ -118,6 +118,19 @@ class Npm {
       return { exec: false }
     }
 
+    // extension-file selects root-owned install-time code, so it is only honored from project config or the command line.
+    // This is checked after #display.load() so the error is surfaced to the user instead of being swallowed during early config loading.
+    const extensionFile = this.config.get('extension-file')
+    if (extensionFile != null) {
+      const where = this.config.find('extension-file')
+      if (!['cli', 'project', 'default'].includes(where)) {
+        throw Object.assign(
+          new Error(`\`extension-file\` may only be set in project config or on the command line, not from ${where} config`),
+          { code: 'ENPMEXTENSIONCONFIG' }
+        )
+      }
+    }
+
     // mkdir this separately since the logs dir can be set to a different location.
     // if this fails, then we don't have a cache dir, but we don't want to fail immediately since the command might not need a cache dir (like `npm --version`)
     await time.start('npm:load:mkdirpcache', () =>

lib/utils/explain-dep.js

@@ -76,7 +76,7 @@ const explainDependents = ({ dependents }, depth, chalk, seen) => {
 }
 
 const explainEdge = (
-  { name, type, bundled, from, spec, rawSpec, overridden, packageExtensions },
+  { name, type, bundled, from, spec, rawSpec, overridden, packageExtensions, npmExtension },
   depth, chalk, seen = new Set()
 ) => {
   let dep = type === 'workspace'
@@ -93,9 +93,14 @@ const explainEdge = (
     ? chalk.dim(` (added by packageExtensions["${packageExtensions.selector}"].${packageExtensions.field}.${name})`)
     : ''
 
+  // note an edge created or changed by a root .npm-extension repair
+  const npmExtMsg = npmExtension
+    ? chalk.dim(` (changed by .npm-extension ${npmExtension.extensionPoint} ${npmExtension.field}.${name})`)
+    : ''
+
   return (type === 'prod' ? '' : `${colorType(type, chalk)} `) +
     (bundled ? `${colorType('bundled', chalk)} ` : '') +
-    `${dep}${fromMsg}${extMsg}`
+    `${dep}${fromMsg}${extMsg}${npmExtMsg}`
 }
 
 const explainFrom = (from, depth, chalk, seen) => {

lib/utils/validate-lockfile.js

@@ -98,5 +98,33 @@ function validatePackageExtensions (virtualTree, idealTree) {
   return errors
 }
 
+// validates that the .npm-extension state recorded in the lockfile still matches the selected extension file.
+// Validation is hash-based: arbitrary code has no selector to re-check, so a matching hash is trusted and a mismatch fails.
+// fileHash is computed from the on-disk file (discovery only, no execution), so this holds even under ignore-extension/ignore-scripts.
+// The lockfile carries extension state if it records a root hash or any per-package npmExtensionApplied provenance.
+// Returns an array of human-readable error strings, empty when valid.
+function validateNpmExtension (virtualTree, fileHash) {
+  const lockHash = virtualTree?.meta?.npmExtensionHash || null
+  const hasProvenance = !!virtualTree &&
+    [...virtualTree.inventory.values()].some(node => node.npmExtensionApplied)
+  fileHash = fileHash || null
+
+  if (fileHash) {
+    if (!lockHash) {
+      return ['Missing: .npm-extension state from lock file']
+    }
+    if (lockHash !== fileHash) {
+      return ['Invalid: .npm-extension file does not match the lock file']
+    }
+    return []
+  }
+  // no extension file present
+  if (lockHash || hasProvenance) {
+    return ['Invalid: lock file records .npm-extension state but no .npm-extension file is present']
+  }
+  return []
+}
+
 module.exports = validateLockfile
 module.exports.validatePackageExtensions = validatePackageExtensions
+module.exports.validateNpmExtension = validateNpmExtension

tap-snapshots/test/lib/commands/config.js.test.cjs

@@ -58,6 +58,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "expect-result-count": null,
   "expect-results": null,
   "expires": null,
+  "extension-file": null,
   "fetch-retries": 2,
   "fetch-retry-factor": 10,
   "fetch-retry-maxtimeout": 60000,
@@ -76,6 +77,7 @@ exports[`test/lib/commands/config.js TAP config list --json > output matches sna
   "heading": "npm",
   "https-proxy": null,
   "if-present": false,
+  "ignore-extension": false,
   "ignore-scripts": false,
   "include": [],
   "include-staged": false,
@@ -254,6 +256,7 @@ engine-strict = false
 expect-result-count = null
 expect-results = null
 expires = null
+extension-file = null
 fetch-retries = 2
 fetch-retry-factor = 10
 fetch-retry-maxtimeout = 60000
@@ -273,6 +276,7 @@ heading = "npm"
 https-proxy = null
 if-present = false
 ignore-existing = false
+ignore-extension = false
 ignore-patch-failures = false
 ignore-scripts = false
 include = []

tap-snapshots/test/lib/commands/install.js.test.cjs

@@ -135,8 +135,8 @@ verbose stack Error: The developer of this package has specified the following t
 verbose stack Invalid devEngines.runtime
 verbose stack Invalid name "nondescript" does not match "node" for "runtime"
 verbose stack     at Install.checkDevEngines ({CWD}/lib/base-cmd.js:249:27)
-verbose stack     at MockNpm.execCommandClass ({CWD}/lib/npm.js:281:7)
-verbose stack     at MockNpm.exec ({CWD}/lib/npm.js:181:9)
+verbose stack     at MockNpm.execCommandClass ({CWD}/lib/npm.js:294:7)
+verbose stack     at MockNpm.exec ({CWD}/lib/npm.js:194:9)
 error code EBADDEVENGINES
 error EBADDEVENGINES The developer of this package has specified the following through devEngines
 error EBADDEVENGINES Invalid devEngines.runtime
@@ -200,8 +200,8 @@ verbose stack Error: The developer of this package has specified the following t
 verbose stack Invalid devEngines.runtime
 verbose stack Invalid name "nondescript" does not match "node" for "runtime"
 verbose stack     at Install.checkDevEngines ({CWD}/lib/base-cmd.js:249:27)
-verbose stack     at MockNpm.execCommandClass ({CWD}/lib/npm.js:281:7)
-verbose stack     at MockNpm.exec ({CWD}/lib/npm.js:181:9)
+verbose stack     at MockNpm.execCommandClass ({CWD}/lib/npm.js:294:7)
+verbose stack     at MockNpm.exec ({CWD}/lib/npm.js:194:9)
 error code EBADDEVENGINES
 error EBADDEVENGINES The developer of this package has specified the following through devEngines
 error EBADDEVENGINES Invalid devEngines.runtime
@@ -226,8 +226,8 @@ verbose stack Error: The developer of this package has specified the following t
 verbose stack Invalid devEngines.runtime
 verbose stack Invalid name "nondescript" does not match "node" for "runtime"
 verbose stack     at Install.checkDevEngines ({CWD}/lib/base-cmd.js:249:27)
-verbose stack     at MockNpm.execCommandClass ({CWD}/lib/npm.js:281:7)
-verbose stack     at MockNpm.exec ({CWD}/lib/npm.js:181:9)
+verbose stack     at MockNpm.execCommandClass ({CWD}/lib/npm.js:294:7)
+verbose stack     at MockNpm.exec ({CWD}/lib/npm.js:194:9)
 error code EBADDEVENGINES
 error EBADDEVENGINES The developer of this package has specified the following through devEngines
 error EBADDEVENGINES Invalid devEngines.runtime