fix(arborist): skip lockfile entries for optional deps with incomplete manifests#9343
Open
ecanturk wants to merge 1 commit into
Open
fix(arborist): skip lockfile entries for optional deps with incomplete manifests#9343ecanturk wants to merge 1 commit into
ecanturk wants to merge 1 commit into
Conversation
owlstronaut
reviewed
May 13, 2026
ecanturk
force-pushed
the
fix/optional-missing-version
branch
3 times, most recently
from
e988ac0 to
4ce71e2
Compare
…e manifests
When using a proxy/upstream registry, fetching manifests for platform-specific
optional dependencies that the proxy has not cached can return incomplete
metadata (missing version field). This caused npm to write lockfile entries like:
"node_modules/@esbuild/aix-ppc64": { "optional": true }
without a version, resolved, or integrity field. Subsequent `npm ci` runs would
fail with "Invalid Version:" errors.
Fix (both layers are independently needed):
1. build-ideal-tree: When a registry manifest lacks a version field, treat it
as a load failure (EINCOMPLETEMANIFEST) so that #pruneFailedOptional() marks
it inert. Only applies to registry specs, not file: dependencies which may
legitimately omit version.
2. shrinkwrap: In commit(), inventory iteration does not filter inert nodes, so
a separate guard skips writing entries where the node is optional, has no
version, is not the root, and has a registry-resolved URL (https://). Local
deps (file: or resolved=null) are preserved.
Closes: npm#9342
ecanturk
force-pushed
the
fix/optional-missing-version
branch
from
4ce71e2 to
8f34f13
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
When using a proxy/upstream registry (e.g. Azure Artifacts), npm 11 writes lockfile entries for platform-specific optional dependencies without
version,resolved, orintegrityfields. Subsequentnpm cifails withInvalid Version:errors.Example broken lockfile entry:
Why
#fetchManifest()inbuild-ideal-tree.jsfetches manifests for ALL platform variants of optional dependencies. Proxy registries that haven't cached packages for non-current platforms return incomplete metadata (missingversionfield). npm creates a Node with emptypkg.version, andmetaFromNode()writes{"optional": true}to the lockfile without version.npm 10 never attempted to resolve non-current-platform variants, so this only affects npm 11+.
How
Two-layer defense:
build-ideal-tree.js(#nodeFromSpec): When a registry manifest lacks aversionfield, treat it as anEINCOMPLETEMANIFESTload failure so that#pruneFailedOptional()marks it inert. Only applies tospec.registryspecs (notfile:dependencies which may legitimately omit version).shrinkwrap.js(commit()): Skip writing entries where the node is optional, has no version, and is not the root. This acts as a defense-in-depth layer.Testing
workspaces/arborist/test/shrinkwrap.js— simulates proxy registry scenario where an optional dep node has no versionshrinkwrap.js45/45,build-ideal-tree.js114/114)Closes #9342