5 changes: 5 additions & 0 deletions .changeset/funky-phones-care.md
@@ -0,0 +1,5 @@
---
"@asyncapi/generator": patch
---

Update @npmcli/arborist
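Review bot: The changeset summary "Update @npmcli/arborist" does not say what the update is, and the release is marked patch. In apps/generator/package.json the dependency moves from "5.6.3" to "^9.2.0", which is four major versions and a switch from an exact pin to a caret range, and jest is bumped in four packages alongside it. Suggest naming the old and new versions in the summary so that anyone reading the changelog can see the size of the jump, and confirming that patch is the intended release type.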
4 changes: 2 additions & 2 deletions apps/generator/package.json
Expand Up @@ -54,7 +54,7 @@
"@asyncapi/generator-react-sdk": "*",
"@asyncapi/multi-parser": "^2.2.0",
"@asyncapi/parser": "^3.6.0",
"@npmcli/arborist": "5.6.3",
"@npmcli/arborist": "^9.2.0",
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find how `@npmcli/arborist` is used in the generator codebase
rg -n "arborist|Arborist" apps/generator/ --type js

Repository: asyncapi/generator

Length of output: 2911


🌐 Web query:

@npmcli/arborist v5 v6 v7 v8 v9 breaking changes migration guide

💡 Result:

@npmcli/arborist major-version breaking changes (v5 → v9) + what to do

v5 (released 2022-02-24)

  • I could not find any published “BREAKING CHANGES” notes for @npmcli/arborist@5.0.0 in the release information I could access (it lists features/fixes only). Treat the v4→v5 jump as “potentially breaking” and regression-test your dependency-tree workflows. [1]

v6 (2022)

Breaking changes

  • Node engine range change (workspace packages): ^14.17.0 || ^16.13.0 || >=18.0.0. [2]
  • Install flag deprecations / behavior changes:
    • Boolean install-style flags deprecated in favor of --install-strategy
    • --global-style deprecated; --global now implies --install-strategy=shallow
    • --legacy-bundling deprecated; now implies --install-strategy=nested [3]
  • No automatic file ownership changes: arborist “no longer attempts to change file ownership automatically”. [3]

Migration checklist

  • Ensure your runtime Node version satisfies the new engine range. [2]
  • Replace any reliance on --global-style / --legacy-bundling with explicit --install-strategy={hoisted|nested|shallow} and revalidate install layout expectations. [3]
  • If you depended on npm/arborist “fixing” ownership (eg, root installs), update your environment/process (permissions, container user, CI images). [3]

v7 (2023-10-06)

  • No explicit breaking changes were called out in the published 7.0.0 release notes I could access (they only show the release being triggered). Still, treat it as a semver-major: upgrade and run your test suite against real installs/lockfiles. [4]

v8 (2024-10-03)

Breaking changes

  • Node engine range change: ^18.17.0 || >=20.5.0. [5]

Migration checklist

  • Upgrade Node to a supported version (notably: Node 18 must be ≥18.17.0). [5]

v9 (2024-11 pre-releases; 2024-12 GA)

Breaking changes (from v9.0.0-pre.0)

  • --ignore-scripts now applies to all lifecycle scripts, including prepare. [6]
  • npm no longer falls back to the old audit endpoint if the bulk advisory request fails. [6]
  • Node engine range change: ^20.17.0 || >=22.9.0. [6]

Breaking changes (from v9.0.0-pre.1)

  • Publishing behavior: to apply the default latest dist-tag, the publish flow retrieves prior versions and requires the version being published to be above the latest semver version in the registry (excluding prereleases). [7]

Migration checklist

  • Upgrade Node (Node 20 must be ≥20.17.0, or use Node ≥22.9.0). [6]
  • If you used --ignore-scripts expecting prepare to still run, adjust pipelines (eg, run build steps explicitly). [6]
  • If you have tooling that depends on audit’s old fallback behavior, handle audit failures explicitly. [6]
  • For publish automation, ensure your versioning strategy won’t try to publish a version lower/equal to the registry’s latest stable semver (and be aware of the additional registry lookups). [7]

Quick “one-shot” upgrade advice (v5 → v9)

  1. Upgrade Node first to meet v9’s minimums (^20.17.0 || >=22.9.0). [6]
  2. Update install-related usage to prefer --install-strategy (and stop relying on deprecated flags). [3]
  3. Re-check any workflows using --ignore-scripts and any publish automation/versioning assumptions. [6][7]

Sources: [1] [2] [3] [4] [5] [6] [7]


Note the pinning strategy change and ensure the upgrade is tested before merge.

The version jump from 5.6.3 to ^9.2.0 includes a change in pinning strategy: the old version was exactly pinned while the new one allows automatic minor/patch updates within 9.x. While the specific Arborist APIs actually used in the generator (constructor and reify() method) don't show breaking changes across major versions, the 4-version jump should be validated in testing before merge. The Node requirement for v9 (^20.17.0 || >=22.9.0) is satisfied by the upgrade to >=24.11.

🤖 Prompt for AI Agents
In `@apps/generator/package.json` at line 57, Dependency "@npmcli/arborist" was
changed from an exact pin to a caret range (^9.2.0) which alters pinning
strategy; update package.json or CI steps to either revert to an exact pin or
explicitly test the new ^9.2.0 release before merging, then run the generator's
full test suite and integration checks (covering constructor usage and reify()
calls in the generator code) on Node >=24.11 to validate behavior and confirm no
regressions; if any API or runtime issues are found, lock the version back to
the previously exact version or adjust code to be compatible and re-run tests.

"@npmcli/config": "^8.0.2",
"ajv": "^8.12.0",
"commander": "^6.1.0",
Expand All @@ -81,7 +81,7 @@
"eslint-plugin-react": "^7.34.1",
"eslint-plugin-sonarjs": "^0.5.0",
"fs-extra": "11.2.0",
"jest": "^27.3.1",
"jest": "^28.1.3",
"jsdoc-to-markdown": "^7.1.1",
"markdown-toc": "^1.2.0",
"rimraf": "^3.0.2",
2 changes: 1 addition & 1 deletion apps/hooks/package.json
Expand Up @@ -33,7 +33,7 @@
"devDependencies": {
"eslint": "^6.8.0",
"eslint-plugin-sonarjs": "^0.5.0",
"jest": "^27.3.1",
"jest": "^28.1.3",
"jsdoc-to-markdown": "^7.1.1",
"rimraf": "^3.0.2"
}
4 changes: 2 additions & 2 deletions apps/keeper/package.json
Expand Up @@ -33,12 +33,12 @@
"@babel/core": "^7.26.0",
"@babel/preset-env": "^7.26.0",
"babel-jest": "^27.3.1",
"jest": "^27.3.1",
"jest": "^28.1.3",
"jest-esm-transformer": "^1.0.0"
},
"babel": {
"presets": [
"@babel/preset-env"
]
}
}
}
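Review bot: "babel-jest" stays at "^27.3.1" in this hunk while "jest" moves to "^28.1.3", which leaves the two on different major versions. Suggest bumping "babel-jest" to the matching 28.x range in the same change and running the keeper test suite to confirm the transform still loads.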
2 changes: 1 addition & 1 deletion apps/react-sdk/package.json
Expand Up @@ -48,7 +48,7 @@
"eslint-plugin-react": "^7.33.1",
"eslint-plugin-security": "^1.7.1",
"eslint-plugin-sonarjs": "^0.20.0",
"jest": "^26.6.3",
"jest": "^28.1.3",
"jsdoc-to-markdown": "^8.0.0",
"ts-jest": "^26.4.4",
"typescript": "^4.1.2"