fix: Skip peer-only deps in npm lockfile resolve_package for workspace entries

anthonyshew · anthonyshew · commit a454c8d664dd · 2026-02-27T16:19:53.000-07:00
When a workspace package has a peer-only dependency (declared in peerDependencies but not in dependencies/devDependencies/optionalDependencies), NpmLockfile::resolve_package now returns None for that dep. This prevents the transitive closure from resolving peer deps from the workspace package's path context, which picks the wrong version when multiple versions are hoisted differently. The consumer app already includes the correct version of the peer dep in its own transitive closure, so skipping it for intermediate workspace packages produces a valid pruned lockfile. Closes #10985
diff --git a/crates/turborepo-lockfiles/src/npm.rs b/crates/turborepo-lockfiles/src/npm.rs
@@ -53,8 +53,26 @@ impl Lockfile for NpmLockfile {
         name: &str,
         _version: &str,
     ) -> Result<Option<Package>, Error> {
-        if !self.packages.contains_key(workspace_path) {
-            return Err(Error::MissingWorkspace(workspace_path.to_string()));
+        let workspace_pkg = self
+            .packages
+            .get(workspace_path)
+            .ok_or_else(|| Error::MissingWorkspace(workspace_path.to_string()))?;
+
+        // For workspace packages with a peer-only dependency (in
+        // peerDependencies but not dependencies/devDependencies/
+        // optionalDependencies): skip resolution when multiple versions of
+        // the package exist in the lockfile. The workspace would resolve to
+        // the hoisted version, but the consumer may need a different one.
+        // When only one version exists, resolving is safe.
+        // See https://github.com/vercel/turborepo/issues/10985
+        if Self::is_workspace_entry(workspace_path)
+            && workspace_pkg.peer_dependencies.contains_key(name)
+            && !workspace_pkg.dependencies.contains_key(name)
+            && !workspace_pkg.dev_dependencies.contains_key(name)
+            && !workspace_pkg.optional_dependencies.contains_key(name)
+            && self.has_multiple_versions(name)
+        {
+            return Ok(None);
         }
 
         let possible_keys = [
@@ -192,6 +210,34 @@ impl NpmLockfile {
             .ok_or_else(|| Error::MissingPackage(pkg_str.to_string()))
     }
 
+    /// Returns true if the key refers to a workspace package entry
+    /// (e.g. "packages/components", "apps/web") rather than a node_modules
+    /// entry or the root.
+    fn is_workspace_entry(key: &str) -> bool {
+        !key.is_empty() && !key.contains("node_modules/")
+    }
+
+    /// Returns true if the lockfile contains more than one version of a
+    /// package. For example, both `node_modules/next` (v14) and
+    /// `apps/app-two/node_modules/next` (v15).
+    fn has_multiple_versions(&self, name: &str) -> bool {
+        let suffix = format!("node_modules/{name}");
+        self.packages
+            .keys()
+            .filter(|key| {
+                // Match `node_modules/{name}` or `*/node_modules/{name}` but
+                // not `node_modules/{name}/node_modules/...` (nested deps of
+                // the package itself).
+                if let Some(before) = key.strip_suffix(suffix.as_str()) {
+                    before.is_empty() || before.ends_with('/')
+                } else {
+                    false
+                }
+            })
+            .count()
+            > 1
+    }
+
     fn possible_npm_deps(key: &str, dep: &str) -> Vec<String> {
         let mut possible_deps = vec![format!("{key}/node_modules/{dep}")];
 
@@ -315,6 +361,215 @@ mod test {
         }
     }
 
+    #[test]
+    fn test_peer_dep_single_version_still_resolves() {
+        // When only one version of a peer dep exists, resolve_package should
+        // still return it — even for workspace entries with peer-only deps.
+        // This is the npm-peer-dep scenario.
+        let lockfile_json = r#"{
+            "lockfileVersion": 3,
+            "packages": {
+                "": { "name": "monorepo", "workspaces": ["apps/*", "packages/*"] },
+                "apps/web": {
+                    "version": "1.0.0",
+                    "dependencies": { "@repo/ui": "*", "react": "^18.0.0" }
+                },
+                "packages/ui": {
+                    "name": "@repo/ui",
+                    "version": "0.1.0",
+                    "peerDependencies": { "react": "^18.0.0" }
+                },
+                "node_modules/@repo/ui": { "resolved": "packages/ui", "link": true },
+                "node_modules/react": { "version": "18.3.1" }
+            }
+        }"#;
+        let lockfile = NpmLockfile::load(lockfile_json.as_bytes()).unwrap();
+
+        // packages/ui's peer dep react should resolve because there's only
+        // one version in the lockfile.
+        let result = lockfile
+            .resolve_package("packages/ui", "react", "^18.0.0")
+            .unwrap();
+        assert!(
+            result.is_some(),
+            "single-version peer dep should resolve normally"
+        );
+        assert_eq!(result.unwrap().key, "node_modules/react");
+    }
+
+    #[test]
+    fn test_issue_10985_peer_dep_multi_version() {
+        // Reproduces https://github.com/vercel/turborepo/issues/10985
+        // When two apps depend on different versions of a package and a shared
+        // workspace package has a peerDependency satisfying both, pruning should
+        // not include the wrong version in the subgraph.
+        let lockfile_json = r#"{
+            "lockfileVersion": 3,
+            "requires": true,
+            "packages": {
+                "": {
+                    "name": "monorepo",
+                    "workspaces": ["apps/*", "packages/*"]
+                },
+                "apps/app-one": {
+                    "version": "0.0.0",
+                    "dependencies": {
+                        "@repo/components": "*",
+                        "next": "^14.0.0"
+                    }
+                },
+                "apps/app-two": {
+                    "version": "0.0.0",
+                    "dependencies": {
+                        "@repo/components": "*",
+                        "next": "^15.0.0"
+                    }
+                },
+                "apps/app-two/node_modules/next": {
+                    "version": "15.0.0",
+                    "resolved": "https://registry.npmjs.org/next/-/next-15.0.0.tgz",
+                    "dependencies": { "next-dep": "2.0.0" }
+                },
+                "apps/app-two/node_modules/next/node_modules/next-dep": {
+                    "version": "2.0.0"
+                },
+                "node_modules/@repo/components": {
+                    "resolved": "packages/components",
+                    "link": true
+                },
+                "node_modules/app-one": {
+                    "resolved": "apps/app-one",
+                    "link": true
+                },
+                "node_modules/app-two": {
+                    "resolved": "apps/app-two",
+                    "link": true
+                },
+                "node_modules/next": {
+                    "version": "14.2.5",
+                    "resolved": "https://registry.npmjs.org/next/-/next-14.2.5.tgz",
+                    "dependencies": { "next-dep": "1.0.0" }
+                },
+                "node_modules/next/node_modules/next-dep": {
+                    "version": "1.0.0"
+                },
+                "node_modules/next-dep": {
+                    "version": "2.0.0"
+                },
+                "packages/components": {
+                    "name": "@repo/components",
+                    "version": "0.0.0",
+                    "peerDependencies": { "next": "^14 || ^15" }
+                }
+            }
+        }"#;
+
+        let lockfile = NpmLockfile::load(lockfile_json.as_bytes()).unwrap();
+
+        // Compute transitive closure for app-one.
+        // app-one depends on next@^14 and @repo/components.
+        let app_one_deps = vec![
+            ("next".to_string(), "^14.0.0".to_string()),
+            ("@repo/components".to_string(), "*".to_string()),
+        ]
+        .into_iter()
+        .collect::<HashMap<_, _>>();
+        let app_one_closure =
+            crate::transitive_closure(&lockfile, "apps/app-one", app_one_deps, false).unwrap();
+        let app_one_keys: std::collections::HashSet<_> =
+            app_one_closure.iter().map(|p| p.key.as_str()).collect();
+
+        // app-one should get node_modules/next (v14) and its deps
+        assert!(
+            app_one_keys.contains("node_modules/next"),
+            "app-one should include hoisted next@14"
+        );
+        assert!(
+            app_one_keys.contains("node_modules/next/node_modules/next-dep"),
+            "app-one should include next@14's nested dep"
+        );
+        // app-one should NOT get apps/app-two/node_modules/next (v15)
+        assert!(
+            !app_one_keys.contains("apps/app-two/node_modules/next"),
+            "app-one should NOT include next@15"
+        );
+
+        // Compute transitive closure for app-two.
+        // app-two depends on next@^15 and @repo/components.
+        let app_two_deps = vec![
+            ("next".to_string(), "^15.0.0".to_string()),
+            ("@repo/components".to_string(), "*".to_string()),
+        ]
+        .into_iter()
+        .collect::<HashMap<_, _>>();
+        let app_two_closure =
+            crate::transitive_closure(&lockfile, "apps/app-two", app_two_deps, false).unwrap();
+        let app_two_keys: std::collections::HashSet<_> =
+            app_two_closure.iter().map(|p| p.key.as_str()).collect();
+
+        // app-two should get apps/app-two/node_modules/next (v15) and its deps
+        assert!(
+            app_two_keys.contains("apps/app-two/node_modules/next"),
+            "app-two should include nested next@15"
+        );
+        assert!(
+            app_two_keys.contains("apps/app-two/node_modules/next/node_modules/next-dep"),
+            "app-two should include next@15's nested dep"
+        );
+
+        // packages/components has peerDependencies: { next: "^14 || ^15" }.
+        // resolve_package now skips peer-only deps for workspace entries,
+        // so the transitive closure is empty even when the peer dep is
+        // passed as an unresolved dep.
+        let components_deps = vec![("next".to_string(), "^14 || ^15".to_string())]
+            .into_iter()
+            .collect::<HashMap<_, _>>();
+        let components_closure =
+            crate::transitive_closure(&lockfile, "packages/components", components_deps, false)
+                .unwrap();
+        let components_keys: std::collections::HashSet<_> =
+            components_closure.iter().map(|p| p.key.as_str()).collect();
+        assert!(
+            components_keys.is_empty(),
+            "components peer-only deps should not resolve during transitive closure"
+        );
+
+        // Simulate pruning for app-two: collect external deps from app-two + components
+        let pruned_keys: std::collections::HashSet<_> =
+            app_two_keys.union(&components_keys).cloned().collect();
+        let pruned_key_strings: Vec<String> = pruned_keys.iter().map(|s| s.to_string()).collect();
+
+        // Create the subgraph for app-two
+        let subgraph = lockfile
+            .subgraph(
+                &[
+                    "apps/app-two".to_string(),
+                    "packages/components".to_string(),
+                ],
+                &pruned_key_strings,
+            )
+            .unwrap();
+
+        // The pruned lockfile should NOT contain node_modules/next (v14)
+        // because app-two doesn't need it. Only app-one (which was pruned away) needs
+        // v14. Including v14 causes npm ci to fail because the lockfile tree is
+        // inconsistent.
+        let encoded = subgraph.encode().unwrap();
+        let pruned: serde_json::Value = serde_json::from_slice(&encoded).unwrap();
+        let pruned_packages = pruned["packages"].as_object().unwrap();
+        assert!(
+            !pruned_packages.contains_key("node_modules/next"),
+            "pruned lockfile for app-two should NOT contain node_modules/next (v14). The \
+             @repo/components peer dep should not pull in the wrong version. Keys in subgraph: \
+             {:?}",
+            pruned_packages.keys().collect::<Vec<_>>()
+        );
+        assert!(
+            !pruned_packages.contains_key("node_modules/next/node_modules/next-dep"),
+            "pruned lockfile for app-two should NOT contain next@14's nested deps"
+        );
+    }
+
     #[test]
     fn test_turbo_version_rejects_non_semver() {
         // Malicious version strings that could be used for RCE via npx should be
