fix(arborist): prevent workspace bin hoisting collisions#9713
Open
arjun-vegeta wants to merge 1 commit into
Open
fix(arborist): prevent workspace bin hoisting collisions#9713arjun-vegeta wants to merge 1 commit into
arjun-vegeta wants to merge 1 commit into
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description:
Fixes #9712
Bug:
When two workspaces each depended on a different package that exported a binary with the exact same name, Arborist hoisted both dependencies to the root
node_modules/. However, becausebin-linksuses a "first-wins" mechanism, only one shim got created inroot/node_modules/.bin/. This causednpm exec -w <loser-workspace>to fall back to the root and incorrectly execute the other workspace's binary.Root Cause:
Because
bin-linkssafely skips colliding binaries at the root, Arborist wasn't compensating by creating workspace-local fallbacks for the missing hoisted bin shims during the rebuild pipeline.Fix:
Arborist's
rebuildpipeline now iterates over the target'slinkNodesand unconditionally creates workspace-local shims (insidepackages/<workspace>/node_modules/.bin/) for every hoisted dependency that exposes a bin. Because thePATHwalk-up innpm-run-scriptnaturally prefers the local workspace.binover the root.bin, this ensures that a workspace will always execute its specific hoisted binary correctly—bypassing the root-level collision entirely.Testing:
test/arborist/rebuild.jsthat creates a monorepo with multiple workspaces and dependencies exporting conflictingmy-clibinaries.workspace/node_modules/.bin/path and tests pass perfectly.arboristtests maintain 100% line, statement, and branch coverage.