fix(arborist): prevent workspace bin hoisting collisions #9713

Open
arjun-vegeta wants to merge 1 commit into npm:latest from arjun-vegeta:fix/workspace-bin-collision

@arjun-vegeta

Contributor

Description:
Fixes #9712

Bug:
When two workspaces each depended on a different package that exported a binary with the exact same name, Arborist hoisted both dependencies to the root node_modules/. However, because bin-links uses a "first-wins" mechanism, only one shim got created in root/node_modules/.bin/. This caused npm exec -w <loser-workspace> to fall back to the root and incorrectly execute the other workspace's binary.

Root Cause:
Because bin-links safely skips colliding binaries at the root, Arborist wasn't compensating by creating workspace-local fallbacks for the missing hoisted bin shims during the rebuild pipeline.

Fix:
Arborist's rebuild pipeline now iterates over the target's linkNodes and unconditionally creates workspace-local shims (inside packages/<workspace>/node_modules/.bin/) for every hoisted dependency that exposes a bin. Because the PATH walk-up in npm-run-script naturally prefers the local workspace .bin over the root .bin, this ensures that a workspace will always execute its specific hoisted binary correctly—bypassing the root-level collision entirely.

Testing:

  • Added a regression test in test/arborist/rebuild.js that creates a monorepo with multiple workspaces and dependencies exporting conflicting my-cli binaries.
  • Fails correctly without the fix. With the fix, all expected local shims are successfully written to each respective workspace/node_modules/.bin/ path and tests pass perfectly.
  • All arborist tests maintain 100% line, statement, and branch coverage.

@arjun-vegeta arjun-vegeta requested review from a team as code owners July 2, 2026 19:02
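
A check for the collision condition described in the PR description above, as an added example that is not part of the pull request or npm's own code: it scans one node_modules directory and reports every command name declared in the `bin` field of more than one package. The package names and the temporary fixture are constructed for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Commands a manifest declares: `bin` is either a string (the command is the
// unscoped package name) or an object mapping command name -> script path.
function binNames(pkg) {
  if (typeof pkg.bin === 'string') return [pkg.name.split('/').pop()];
  return Object.keys(pkg.bin || {});
}

// Package directories directly under node_modules, descending into @scope dirs.
function packageDirs(nodeModules) {
  return fs.readdirSync(nodeModules).flatMap((entry) => {
    if (entry.startsWith('.')) return []; // skip .bin and other dot entries
    const dir = path.join(nodeModules, entry);
    return entry.startsWith('@')
      ? fs.readdirSync(dir).map((sub) => path.join(dir, sub)) : [dir];
  });
}

// Map each contested command name to the sorted list of packages claiming it.
function findBinCollisions(nodeModules) {
  const claims = new Map();
  for (const dir of packageDirs(nodeModules)) {
    const manifest = path.join(dir, 'package.json');
    if (!fs.existsSync(manifest)) continue;
    const pkg = JSON.parse(fs.readFileSync(manifest, 'utf8'));
    for (const name of binNames(pkg)) {
      claims.set(name, [...(claims.get(name) || []), pkg.name].sort());
    }
  }
  return new Map([...claims].filter(([, owners]) => owners.length > 1));
}

// Constructed fixture (hypothetical package names): a root node_modules where
// two hoisted dependencies both export `my-cli`, as in the scenario above.
function makeFixture() {
  const nm = path.join(fs.mkdtempSync(path.join(os.tmpdir(), 'bins-')), 'node_modules');
  const pkgs = [{ name: 'dep-a', bin: { 'my-cli': 'a.js' } },
    { name: '@scope/dep-b', bin: { 'my-cli': 'b.js' } }, { name: 'solo', bin: 'cli.js' }];
  for (const pkg of pkgs) {
    fs.mkdirSync(path.join(nm, pkg.name), { recursive: true });
    fs.writeFileSync(path.join(nm, pkg.name, 'package.json'), JSON.stringify(pkg));
  }
  return nm;
}

console.log(findBinCollisions(makeFixture()));
```

Pointing `findBinCollisions` at a monorepo's root node_modules lists the names for which the single root `.bin` shim can belong to only one of the reported packages.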

Development

Successfully merging this pull request may close these issues.

[BUG] Workspace Bin Hoisting Collision causes incorrect binary execution via npm exec
