Fix aliases for npm overrides

jdalton · jdalton · commit 642f2b894df4 · 2025-02-07T16:44:48.000-05:00
diff --git a/.dep-stats.json b/.dep-stats.json
@@ -10,7 +10,7 @@
     "@socketregistry/is-unicode-supported": "^1.0.0",
     "@socketregistry/packageurl-js": "^1.0.2",
     "@socketsecurity/config": "^2.1.3",
-    "@socketsecurity/registry": "^1.0.83",
+    "@socketsecurity/registry": "^1.0.84",
     "@socketsecurity/sdk": "^1.4.5",
     "blessed": "^0.1.81",
     "blessed-contrib": "^4.11.0",
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -171,7 +171,7 @@
     "has-proto": "npm:@socketregistry/has-proto@^1",
     "has-symbols": "npm:@socketregistry/has-symbols@^1",
     "hasown": "npm:@socketregistry/hasown@^1",
-    "indent-string": "npm:@socketregistry/indent-string@^1",
+    "indent-string": "$@socketregistry/indent-string",
     "is-core-module": "npm:@socketregistry/is-core-module@^1",
     "isarray": "npm:@socketregistry/isarray@^1",
     "npm-package-arg": "$npm-package-arg",
diff --git a/src/commands/optimize.ts b/src/commands/optimize.ts
@@ -676,35 +676,35 @@ async function addOverrides(
   if (spinner) {
     spinner.text = `Adding overrides${workspaceName ? ` to ${workspaceName}` : ''}...`
   }
-  const depAliasMap = new Map<string, { id: string; version: string }>()
+  const depAliasMap = new Map<string, string>()
   // Chunk package names to process them in parallel 3 at a time.
   await pEach(manifestEntries, 3, async ({ 1: data }) => {
-    const { name: regPkgName, package: origPkgName, version } = data
+    const { name: sockRegPkgName, package: origPkgName, version } = data
     const major = semver.major(version)
     for (const { 1: depObj } of depEntries) {
-      let pkgSpec = depObj[origPkgName]
-      if (pkgSpec) {
-        let thisVersion = version
-        // Add package aliases for direct dependencies to avoid npm EOVERRIDE errors.
-        // https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases
-        const regSpecStartsLike = `npm:${regPkgName}@`
-        const existingVersion = pkgSpec.startsWith(regSpecStartsLike)
-          ? (semver.coerce(npa(pkgSpec).rawSpec)?.version ?? '')
-          : ''
-        if (existingVersion) {
-          thisVersion = existingVersion
-        } else {
-          pkgSpec = `${regSpecStartsLike}^${version}`
-          depObj[origPkgName] = pkgSpec
-          state.added.add(regPkgName)
-          if (workspaceName) {
-            state.addedInWorkspaces.add(workspaceName)
+      for (const pkgName of [sockRegPkgName, origPkgName]) {
+        const pkgSpec = depObj[pkgName]
+        if (pkgSpec) {
+          let thisSpec = pkgSpec
+          // Add package aliases for direct dependencies to avoid npm EOVERRIDE errors.
+          // https://docs.npmjs.com/cli/v8/using-npm/package-spec#aliases
+          const sockRegSpecStartsLike = `npm:${sockRegPkgName}@`
+          if (
+            pkgName !== sockRegPkgName &&
+            !(
+              thisSpec.startsWith(sockRegSpecStartsLike) &&
+              semver.coerce(npa(thisSpec).rawSpec)?.version
+            )
+          ) {
+            thisSpec = `${sockRegSpecStartsLike}${pin ? version : `^${semver.major(version)}`}`
+            depObj[pkgName] = thisSpec
+            state.added.add(sockRegPkgName)
+            if (workspaceName) {
+              state.addedInWorkspaces.add(workspaceName)
+            }
           }
+          depAliasMap.set(pkgName, thisSpec)
         }
-        depAliasMap.set(origPkgName, {
-          id: pkgSpec,
-          version: thisVersion
-        })
       }
     }
     if (isRoot) {
@@ -716,22 +716,24 @@ async function addOverrides(
           thingScanner(thingToScan, origPkgName, lockBasename)
         ) {
           const oldSpec = overrideExists ? overrides[origPkgName] : undefined
-          const depAlias = depAliasMap.get(origPkgName)
-          const regSpecStartsLike = `${NPM}:${regPkgName}@`
+          const origDepAlias = depAliasMap.get(origPkgName)
+          const sockRegDepAlias = depAliasMap.get(sockRegPkgName)
+          const depAlias = sockRegDepAlias ?? origDepAlias
+          const regSpecStartsLike = `${NPM}:${sockRegPkgName}@`
           let newSpec = `${regSpecStartsLike}${pin ? version : `^${major}`}`
           let thisVersion = version
-          if (depAlias && type === NPM) {
+          if (type === NPM && depAlias) {
             // With npm one may not set an override for a package that one directly
             // depends on unless both the dependency and the override itself share
             // the exact same spec. To make this limitation easier to deal with,
             // overrides may also be defined as a reference to a spec for a direct
             // dependency by prefixing the name of the package to match the version
             // of with a $.
             // https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
-            newSpec = `$${origPkgName}`
+            newSpec = `$${sockRegDepAlias ? sockRegPkgName : origPkgName}`
           } else if (overrideExists) {
             const thisSpec = oldSpec.startsWith('$')
-              ? (depAlias?.id ?? newSpec)
+              ? (depAlias ?? newSpec)
               : (oldSpec ?? newSpec)
             if (thisSpec.startsWith(regSpecStartsLike)) {
               if (pin) {
@@ -751,7 +753,7 @@ async function addOverrides(
           if (newSpec !== oldSpec) {
             overrides[origPkgName] = newSpec
             const addedOrUpdated = overrideExists ? 'updated' : 'added'
-            state[addedOrUpdated].add(regPkgName)
+            state[addedOrUpdated].add(sockRegPkgName)
           }
         }
       })
