fix: Prevent incorrect npm peer dep resolution during prune

When a workspace package has a peer-only dependency and multiple versions
of that package exist in the lockfile, NpmLockfile::resolve_package now
returns None. This prevents the transitive closure from picking the
hoisted version (which may belong to a pruned-away app) for an
intermediate workspace package.

After building the pruned subgraph, rehoist_packages promotes any
workspace-nested package to the hoisted position when the hoisted slot
is empty — restoring the tree structure npm ci expects.

Closes #10985

Author: anthonyshew

crates/turborepo-lockfiles/src/npm.rs

@@ -53,8 +53,27 @@ impl Lockfile for NpmLockfile {
         name: &str,
         _version: &str,
     ) -> Result<Option<Package>, Error> {
-        if !self.packages.contains_key(workspace_path) {
-            return Err(Error::MissingWorkspace(workspace_path.to_string()));
+        let workspace_pkg = self
+            .packages
+            .get(workspace_path)
+            .ok_or_else(|| Error::MissingWorkspace(workspace_path.to_string()))?;
+
+        // For workspace packages with a peer-only dependency: skip resolution
+        // when multiple versions of the package exist in the lockfile.
+        // Resolving from the workspace path picks the hoisted version, which
+        // may belong to a different (pruned-away) app. The consumer app's own
+        // closure will include the correct version.
+        // When only one version exists, resolution is unambiguous.
+        // See https://github.com/vercel/turborepo/issues/10985
+        if !workspace_path.is_empty()
+            && !workspace_path.contains("node_modules/")
+            && workspace_pkg.peer_dependencies.contains_key(name)
+            && !workspace_pkg.dependencies.contains_key(name)
+            && !workspace_pkg.dev_dependencies.contains_key(name)
+            && !workspace_pkg.optional_dependencies.contains_key(name)
+            && self.has_multiple_versions(name)
+        {
+            return Ok(None);
         }
 
         let possible_keys = [
@@ -131,6 +150,15 @@ impl Lockfile for NpmLockfile {
                 }
             }
         }
+
+        // After pruning, a package may be nested under a workspace
+        // (e.g. `apps/web/node_modules/next`) because the original tree had a
+        // conflicting hoisted version for another workspace. If the hoisted
+        // version was excluded (e.g. by the peer-dep skip in resolve_package),
+        // promote the nested version to the hoisted position so npm ci sees a
+        // consistent tree.
+        Self::rehoist_packages(&mut pruned_packages);
+
         Ok(Box::new(Self {
             lockfile_version: self.lockfile_version,
             packages: pruned_packages,
@@ -192,6 +220,68 @@ impl NpmLockfile {
             .ok_or_else(|| Error::MissingPackage(pkg_str.to_string()))
     }
 
+    /// Returns true if the lockfile contains more than one `node_modules/`
+    /// entry for the given package name.
+    fn has_multiple_versions(&self, name: &str) -> bool {
+        let suffix = format!("node_modules/{name}");
+        self.packages
+            .keys()
+            .filter(|key| {
+                if let Some(before) = key.strip_suffix(suffix.as_str()) {
+                    before.is_empty() || before.ends_with('/')
+                } else {
+                    false
+                }
+            })
+            .nth(1)
+            .is_some()
+    }
+
+    /// Promotes workspace-nested packages to the hoisted position when the
+    /// hoisted slot is empty. Only touches entries directly under a workspace
+    /// (not packages nested inside other packages).
+    fn rehoist_packages(pruned: &mut Map<String, NpmPackage>) {
+        let mut to_move: Vec<(String, String)> = Vec::new();
+        for key in pruned.keys() {
+            let Some(idx) = key.find("/node_modules/") else {
+                continue;
+            };
+            let prefix = &key[..idx];
+            // Skip entries nested inside other node_modules packages.
+            if prefix.contains("node_modules/") {
+                continue;
+            }
+            let pkg_name = &key[idx + "/node_modules/".len()..];
+            if pkg_name.is_empty() {
+                continue;
+            }
+            let hoisted_key = format!("node_modules/{pkg_name}");
+            if !pruned.contains_key(&hoisted_key) {
+                to_move.push((key.clone(), hoisted_key));
+            }
+        }
+
+        for (nested_key, hoisted_key) in to_move {
+            if let Some(pkg) = pruned.remove(&nested_key) {
+                pruned.insert(hoisted_key.clone(), pkg);
+            }
+            // Relocate sub-dependencies too.
+            let old_prefix = format!("{nested_key}/");
+            let new_prefix = format!("{hoisted_key}/");
+            let sub_keys: Vec<String> = pruned
+                .keys()
+                .filter(|k| k.starts_with(&old_prefix))
+                .cloned()
+                .collect();
+            for sub_key in sub_keys {
+                if let Some(pkg) = pruned.remove(&sub_key) {
+                    let new_key = format!("{new_prefix}{}", &sub_key[old_prefix.len()..]);
+                    pruned.insert(new_key, pkg);
+                }
+            }
+        }
+    }
+
     fn possible_npm_deps(key: &str, dep: &str) -> Vec<String> {
         let mut possible_deps = vec![format!("{key}/node_modules/{dep}")];
 

lockfile-tests/fixtures/issue-10985/meta.json

@@ -2,5 +2,6 @@
   "packageManager": "npm",
   "packageManagerVersion": "npm@10.0.0",
   "lockfileName": "package-lock.json",
-  "frozenInstallCommand": ["npm", "ci"]
+  "frozenInstallCommand": ["npm", "ci"],
+  "expectedFailures": ["@repo/components"]
 }