fix(arborist): apply registry-tarball allow-remote exemption in linked strategy#9500
Merged
…d strategy (#9495)

In continuation of our exploration of using `install-strategy=linked` in the [Gutenberg monorepo](WordPress/gutenberg#75814), which powers the WordPress Block Editor.

Under `install-strategy=linked`, a fresh install fails with `EALLOWREMOTE` on ordinary registry dependencies whose lockfile `resolved` is a full registry tarball URL, even though `allow-remote=none` is meant to permit registry-mediated tarballs. The standard (hoisted) reifier installs the same dependency fine; only the linked strategy rejects it.

```
npm error code EALLOWREMOTE
npm error Fetching packages of type "remote" have been disabled
npm error Refusing to fetch "minimatch@https://registry.npmjs.org/minimatch/-/minimatch-3.1.5.tgz"
```

## Why

Both strategies extract through the same `pacote.extract` in `reify.js`, which exempts registry tarballs from the allow-remote gate via `#isRegistryResolvedTarball`. That check first requires `node.isRegistryDependency`.

In the linked strategy, store nodes are `IsolatedNode` instances — a standalone class that emulates `lib/node.js` but has no `isRegistryDependency` getter and no edges to recompute it from. So `node.isRegistryDependency` was `undefined`, the exemption short-circuited to `false`, the `allowRemote: 'all'` override was never applied, and pacote rejected the same-origin registry tarball.

This is the second half of the allow-remote registry-tarball handling: the URL-matching half was hardened previously (origin + registry-path-prefix); this fixes the `isRegistryDependency` half for the linked path. The origin/path security check still runs unchanged on the linked path — a tampered lockfile pointing at a foreign host is still blocked.

## How

Carry the registry-dependency flag from the source tree node onto the store node, rather than weakening the guard:

1. `IsolatedNode` gains an `isRegistryDependency` field (default `false`), settable from constructor options.
2. `#externalProxy` copies `node.isRegistryDependency` from the real tree node onto the proxy.
3. `#generateChild` passes it through to the store `IsolatedNode`.

This preserves exact parity with the hoisted reifier: registry deps are exempt, user-pinned off-registry URLs are not. It also makes the linked strategy's `isScriptAllowed` matching more accurate — store nodes now carry the trustworthy edge-based flag instead of falling back to guessing registry-ness from the resolved URL.

## References

Fixes #9494

(cherry picked from commit 4bcba54)
owlstronaut
approved these changes
Jun 5, 2026
Backport of #9495 to release/v11.