
fix(arborist): audit the non-isolated tree under the linked strategy #9625

Merged: owlstronaut merged 1 commit into npm:latest from manzoorwanijk:fix/linked-install-audit-9609 on Jun 24, 2026

Conversation

@manzoorwanijk (Contributor) commented Jun 24, 2026

This continues our exploration of using install-strategy=linked in the Gutenberg monorepo, which powers the WordPress Block Editor.

Under install-strategy=linked, npm install --audit reported "found 0 vulnerabilities" even with a known-vulnerable package installed, while standalone npm audit reported it correctly. Only the install-time audit was affected.

Why

A linked reify swaps idealTree for the isolated tree (createIsolatedTree()) before the quick audit runs, so _submitQuickAudit() audited the isolated tree. That tree cannot be audited: its inventory had a stub query() that always returned [], and its edges route through symlink Links instead of real package nodes. So AuditReport.prepareBulkData() produced an empty bulk request and the registry was never asked about any installed version. Standalone npm audit was unaffected because it audits the regular tree loaded from the lockfile.

How

reify.js stashes the original non-isolated ideal tree in #linkedIdealForAudit during the linked swap, and _submitQuickAudit() now audits this.#linkedIdealForAudit || this.idealTree — the same tree standalone npm audit uses, with a queryable inventory and real package nodes. The _diffTrees()/#reifyPackages()/orphan-sweep block is wrapped in try/finally that restores idealTree and clears the stashed references even if reify throws, so a reused Arborist never audits or diffs a stale isolated tree. isolated-classes.js drops the now-unused IsolatedInventory class (its only caller was the rerouted audit path) in favor of a plain Map; the query() stub returning [] was the silent-empty behavior behind this bug.

References

Fixes #9609
Part of #9608
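The failure mode in the "Why" section (a stub query() that returns [] turns the bulk audit request into an empty object) and the repair in the "How" section (stash the non-isolated tree, audit that, restore idealTree in a finally block) modelled together as an added example. This is not arborist's code and not the author's: Tree, IsolatedTree, bulkRequestFor and Reifier are hypothetical stand-ins for the inventory, createIsolatedTree(), AuditReport.prepareBulkData() and reify.js pieces the PR names, and the two packages in the fixture are constructed.

```javascript
// Added illustration, not npm/arborist code: a minimal model of why the linked
// quick audit sent an empty bulk request and how stashing the non-isolated tree
// plus a try/finally restore fixes it. Tree, IsolatedTree, bulkRequestFor and
// Reifier are hypothetical stand-ins for the arborist pieces named in the PR.

// A regular ideal tree: package nodes keyed by path, with a working query().
class Tree {
  constructor(nodes) {
    this.inventory = new Map(nodes.map((n) => [n.path, n]));
  }
  query(key, value) {
    return [...this.inventory.values()].filter((n) => n[key] === value);
  }
}

// Models the old IsolatedInventory: same nodes, but query() is a stub that
// always returns [], so an audit run over it sees no versions at all.
class IsolatedTree extends Tree {
  query() { return []; }
}

// Models AuditReport.prepareBulkData(): { name: [versions] } for the registry's
// bulk advisory lookup. An empty object means the registry is never asked.
function bulkRequestFor(tree) {
  const body = {};
  for (const { name } of tree.inventory.values()) {
    const versions = [...new Set(tree.query('name', name).map((n) => n.version))];
    if (versions.length > 0) body[name] = versions;
  }
  return body;
}

class Reifier {
  #linkedIdealForAudit = null;
  constructor(idealTree, installStrategy = 'hoisted') {
    this.idealTree = idealTree;
    this.installStrategy = installStrategy;
  }
  // Models createIsolatedTree(): same packages, non-queryable inventory.
  static createIsolatedTree(tree) {
    return new IsolatedTree([...tree.inventory.values()]);
  }
  // Pre-fix _submitQuickAudit(): audits whatever idealTree points at right now,
  // which under 'linked' is the isolated tree.
  auditCurrentTree() {
    return bulkRequestFor(this.idealTree);
  }
  // Post-fix _submitQuickAudit(): prefer the stashed non-isolated tree.
  auditNonIsolatedTree() {
    return bulkRequestFor(this.#linkedIdealForAudit || this.idealTree);
  }
  // reify(): swap in the isolated tree under 'linked', run the quick audit and
  // package reification, then restore idealTree in finally so a reused Reifier
  // never keeps a stale isolated tree, even when reifyPackages throws.
  reify({ auditMode = 'fixed', reifyPackages = () => {} } = {}) {
    if (this.installStrategy === 'linked') {
      this.#linkedIdealForAudit = this.idealTree;
      this.idealTree = Reifier.createIsolatedTree(this.idealTree);
    }
    try {
      const request = auditMode === 'fixed' ? this.auditNonIsolatedTree() : this.auditCurrentTree();
      reifyPackages(this.idealTree);
      return request;
    } finally {
      if (this.#linkedIdealForAudit) {
        this.idealTree = this.#linkedIdealForAudit;
        this.#linkedIdealForAudit = null;
      }
    }
  }
}

// Constructed fixture: two made-up packages; nothing here is a real advisory.
const IDEAL = new Tree([
  { path: 'node_modules/pkg-a', name: 'pkg-a', version: '1.2.3' },
  { path: 'node_modules/pkg-b', name: 'pkg-b', version: '2.0.0' },
]);

// What each audit path would send to the registry for a linked install.
function compareAuditPaths() {
  return {
    buggy: new Reifier(IDEAL, 'linked').reify({ auditMode: 'buggy' }),
    fixed: new Reifier(IDEAL, 'linked').reify({ auditMode: 'fixed' }),
  };
}

// The try/finally at work: after a throwing reify, idealTree is the original.
function restoresAfterFailure() {
  const arb = new Reifier(IDEAL, 'linked');
  let threw = false;
  try {
    arb.reify({ reifyPackages: () => { throw new Error('reify failed'); } });
  } catch {
    threw = true;
  }
  return threw && arb.idealTree === IDEAL;
}
```

compareAuditPaths() returns {} for the pre-fix path and the full name-to-versions map for the post-fix path, which is the difference between "found 0 vulnerabilities" and a real registry lookup. The check worth keeping in a project's own tests is the restoresAfterFailure() shape: drive reify through a throwing step and assert that the tree a later audit would see is the non-isolated one.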

manzoorwanijk marked this pull request as ready for review June 24, 2026 06:05
manzoorwanijk requested review from a team as code owners June 24, 2026 06:05
owlstronaut merged commit 989f571 into npm:latest Jun 24, 2026
25 checks passed
@github-actions (Contributor) commented:

🎉 Backport to release/v11 created: #9631

manzoorwanijk deleted the fix/linked-install-audit-9609 branch June 24, 2026 14:22
owlstronaut pushed a commit that referenced this pull request Jun 24, 2026
…9631)

Backport of #9625 to `release/v11`.

Co-authored-by: Manzoor Wani <manzoorwani.jk@gmail.com>

Development

Successfully merging this pull request may close these issues.

[BUG] install-strategy=linked: npm install --audit reports "0 vulnerabilities" when a vulnerable package is installed

2 participants