fix(arborist): use the edge-based registry check on the install path too and cover the mixed registry/file: case

Author: manzoorwanijk

lib/commands/patch.js

@@ -104,7 +104,7 @@ class Patch extends BaseCommand {
       }
     }
 
-    // a version cannot be patched if a consumer depends on it through a non-registry spec (file:, git:, link:).
+    // a version cannot be patched if a consumer depends on it through a non-registry spec (file:, git:, http(s)); npm: aliases stay registry.
     // checking the edges (not isRegistryDependency) avoids rejecting edgeless store nodes and linked symlinks, which are registry deps.
     const ensureRegistry = version => {
       const nodes = installed.get(version) || []

test/lib/commands/patch.js

@@ -355,6 +355,38 @@ t.test('add: an installed file: dependency is rejected as non-registry', async t
   )
 })
 
+t.test('add: a version installed as both registry and file: is rejected', async t => {
+  // one consumer pulls the registry copy, another pulls a file: copy of the same version;
+  // the file: edge must still cause a rejection even though a registry edge also exists
+  const { npm } = await loadMockNpm(t, {
+    config: { 'ignore-scripts': true, audit: false },
+    prefixDir: {
+      'package.json': JSON.stringify({
+        name: 'root-project',
+        version: '1.0.0',
+        dependencies: { [DEP_NAME]: '1.0.0', b: '1.0.0' },
+      }),
+      local: { 'package.json': JSON.stringify({ name: DEP_NAME, version: DEP_VERSION }) },
+      node_modules: {
+        [DEP_NAME]: { 'package.json': JSON.stringify({ name: DEP_NAME, version: DEP_VERSION }) },
+        b: {
+          'package.json': JSON.stringify({
+            name: 'b', version: '1.0.0', dependencies: { [DEP_NAME]: 'file:../../local' },
+          }),
+          node_modules: {
+            [DEP_NAME]: { 'package.json': JSON.stringify({ name: DEP_NAME, version: DEP_VERSION }) },
+          },
+        },
+      },
+    },
+  })
+  await t.rejects(
+    npm.exec('patch', ['add', DEP_NAME]),
+    { code: 'EPATCHNONREGISTRY' },
+    'a version with any file: consumer cannot be patched'
+  )
+})
+
 t.test('add: a range matching multiple installed versions is ambiguous', async t => {
   const { npm } = await loadMockNpm(t, {
     config: { 'ignore-scripts': true, audit: false },

workspaces/arborist/lib/patched-dependencies.js

@@ -2,6 +2,7 @@
 // Attaches node.patched = { path, integrity } to each matched node.
 // Enforces the failure modes (workspace-member entry, missing file, unused patch, non-registry target, ambiguous selectors) as hard errors.
 const semver = require('semver')
+const npa = require('npm-package-arg')
 const { resolve, relative, isAbsolute } = require('node:path')
 const { readFile } = require('node:fs/promises')
 const { patchIntegrity } = require('./patch.js')
@@ -118,8 +119,9 @@ const resolvePatchedDependencies = async (tree, { path, allowUnusedPatches }) =>
       continue
     }
 
-    // links and other non-registry resolutions cannot be patched
-    if (node.isLink || !node.isRegistryDependency) {
+    // a non-registry consumer edge (file:, git:, http(s)) means there is no registry tarball to patch; npm: aliases stay registry.
+    // checking edges (not isRegistryDependency) avoids rejecting an edgeless node, which is still a registry dep.
+    if ([...node.edgesIn].some(e => e.spec && !npa(e.spec).registry)) {
       throw err(
         `Cannot patch non-registry dependency ${node.name}@${node.version} ` +
           `(selector "${selector.key}"). Only registry dependencies can be patched.`,