
fix(arborist): audit the non-isolated tree under the linked strategy#9631

Merged
owlstronaut merged 1 commit into
release/v11from
backport/v11/9625
Jun 24, 2026

Conversation

@github-actions


Backport of #9625 to release/v11.

…9625)

In continuation of our exploration of using `install-strategy=linked` in
the [Gutenberg
monorepo](WordPress/gutenberg#75814), which

Under `install-strategy=linked`, `npm install --audit` reported `found 0
vulnerabilities` even with a known-vulnerable package installed, while
standalone `npm audit` reported it correctly. Only the install-time
audit was affected.

## Why

A linked reify swaps `idealTree` for the isolated tree
(`createIsolatedTree()`) before the quick audit runs, so
`_submitQuickAudit()` audited the isolated tree. That tree cannot be
audited: its inventory had a stub `query()` that always returned `[]`,
and its edges route through symlink `Link`s instead of real package
nodes. So `AuditReport.prepareBulkData()` produced an empty bulk request
and the registry was never asked about any installed version. Standalone
`npm audit` was unaffected because it audits the regular tree loaded
from the lockfile.

## How

`reify.js` stashes the original non-isolated ideal tree in
`#linkedIdealForAudit` during the linked swap, and `_submitQuickAudit()`
now audits `this.#linkedIdealForAudit || this.idealTree` — the same tree
standalone `npm audit` uses, with a queryable inventory and real package
nodes. The `_diffTrees()`/`#reifyPackages()`/orphan-sweep block is
wrapped in `try/finally` that restores `idealTree` and clears the
stashed references even if reify throws, so a reused Arborist never
audits or diffs a stale isolated tree. `isolated-classes.js` drops the
now-unused `IsolatedInventory` class (its only caller was the rerouted
audit path) in favor of a plain `Map`; the `query()` stub returning `[]`
was the silent-empty behavior behind this bug.

## References

Fixes #9609
Part of #9608

(cherry picked from commit 989f571)
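The mechanism the description walks through (a stub `query()` that answers `[]`, an empty bulk request, a swapped `idealTree`, and the `try/finally` restore) is easy to model in a few dozen lines. The block below is an added illustration and is not Arborist's code: `PackageNode`, `Inventory`, `IsolatedInventory`, `makeIsolatedTree`, `prepareBulkData`, `quickAuditBefore`, `quickAuditAfter`, `auditLooksSilentlyEmpty` and the `ADVISORIES` table are all illustrative stand-ins, and the installed packages are constructed sample data. It shows the before and after audit paths side by side, that the stash is cleared even when reify throws, and a guard a practitioner might add against the silent-empty failure mode.

```javascript
// Added example, not Arborist's code: a small model of the install-time audit
// path described in the PR. All names here are illustrative, not npm's API.

class PackageNode {
  constructor (name, version) {
    this.name = name
    this.version = version
  }
}

// A queryable inventory, the shape the audit code relies on:
// query(field) -> distinct values, query(field, value) -> matching nodes.
class Inventory {
  constructor (nodes) { this.nodes = nodes }
  query (field, value) {
    if (value === undefined) return new Set(this.nodes.map(n => n[field]))
    return this.nodes.filter(n => n[field] === value)
  }
}

// The stub behind the bug: it answers every query with [] and never throws,
// so a caller cannot tell "nothing installed" from "cannot be queried".
class IsolatedInventory {
  query () { return [] }
}

// The linked strategy's isolated tree: same packages on disk, reached through
// symlink Links, exposed to the audit only through the stub inventory.
function makeIsolatedTree (tree) {
  const links = tree.inventory.nodes.map(n => `node_modules/.store/${n.name}@${n.version}`)
  return { inventory: new IsolatedInventory(), links }
}

// Bulk-audit request of the form { name: [version, ...] }. A name that is
// never queried is a name the registry is never asked about.
function prepareBulkData (tree) {
  const payload = {}
  for (const name of tree.inventory.query('name')) {
    const versions = new Set()
    for (const node of tree.inventory.query('name', name)) versions.add(node.version)
    if (versions.size) payload[name] = [...versions]
  }
  return payload
}

// Constructed advisory table standing in for the registry's reply (offline).
const ADVISORIES = { 'vuln-lib': new Set(['1.0.0']) }

function countVulnerabilities (bulkData) {
  let found = 0
  for (const [name, versions] of Object.entries(bulkData)) {
    for (const v of versions) if (ADVISORIES[name] && ADVISORIES[name].has(v)) found++
  }
  return found
}

// Before the fix: reify swaps idealTree for the isolated tree, then the quick
// audit reads this.idealTree, so it audits the tree that cannot be queried.
function quickAuditBefore (arb) {
  arb.idealTree = makeIsolatedTree(arb.idealTree)
  return prepareBulkData(arb.idealTree)
}

// After the fix: stash the non-isolated tree, audit that one, and restore
// idealTree in a finally so a reused instance never sees a stale swap.
function quickAuditAfter (arb, reify = () => {}) {
  arb.linkedIdealForAudit = arb.idealTree
  arb.idealTree = makeIsolatedTree(arb.idealTree)
  try {
    reify(arb.idealTree)
    return prepareBulkData(arb.linkedIdealForAudit || arb.idealTree)
  } finally {
    arb.idealTree = arb.linkedIdealForAudit
    arb.linkedIdealForAudit = null
  }
}

// Constructed ideal tree: one known-vulnerable package is installed.
function sampleArborist () {
  const nodes = [new PackageNode('vuln-lib', '1.0.0'), new PackageNode('safe-lib', '2.3.1')]
  return { idealTree: { inventory: new Inventory(nodes) }, linkedIdealForAudit: null }
}

// Guard against the silent-empty failure mode: a tree with package nodes that
// yields an empty bulk request is a broken audit, not a clean one.
function auditLooksSilentlyEmpty (sourceTree, bulkData) {
  return sourceTree.inventory.nodes.length > 0 && Object.keys(bulkData).length === 0
}
```

Running `quickAuditBefore` on the sample tree yields `{}` and therefore `0` vulnerabilities; `quickAuditAfter` yields `{ 'vuln-lib': ['1.0.0'], 'safe-lib': ['2.3.1'] }` and finds `1`, and a reify callback that throws still leaves `idealTree` restored and the stash cleared. The `auditLooksSilentlyEmpty` guard is the kind of sanity check that would have turned the original `found 0 vulnerabilities` into a visible failure.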
@owlstronaut owlstronaut merged commit 887ca97 into release/v11 Jun 24, 2026
33 checks passed
@owlstronaut owlstronaut deleted the backport/v11/9625 branch June 24, 2026 14:28
@github-actions github-actions Bot mentioned this pull request Jun 23, 2026
