You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
install-strategy=linked (the isolated / RFC-0042 install mode) is experimental. We ran an exhaustive behavioral sweep of the linked strategy and compared every scenario against the hoisted strategy as the oracle — any divergence is treated as a defect. This is the umbrella issue for the discrepancies that sweep confirmed; each one is tracked in a sub-task (or an existing issue, where one already applies).
Note
Disclosure — AI-assisted: this sweep was performed with Claude and Codex working together. Claude drove the exploration, authored the test matrix, and ran the reproductions; Codex independently and adversarially reviewed the test plan (to surface missing cases and code paths) and helped verify findings against the source. The plan was iterated across multiple review rounds until coverage converged. Every finding was reproduced and compared against the hoisted strategy before being recorded.
Store integrity: .store keying/dedup, symlink correctness/repair, .bin shims, cleanup.
The three latest-branch features under isolated mode: supply-chain security (deny-by-default scripts, allow-remote=none, RFC-868 trusted-identity matching), packageExtensions, and the new .npm-extensiontransformManifest manifest-repair extension point.
Each sub-task is self-contained, with a minimal reproduction and a side-by-side hoisted comparison.
Overview
install-strategy=linked(the isolated / RFC-0042 install mode) is experimental. We ran an exhaustive behavioral sweep of the linked strategy and compared every scenario against the hoisted strategy as the oracle — any divergence is treated as a defect. This is the umbrella issue for the discrepancies that sweep confirmed; each one is tracked in a sub-task (or an existing issue, where one already applies).Note
Disclosure — AI-assisted: this sweep was performed with Claude and Codex working together. Claude drove the exploration, authored the test matrix, and ran the reproductions; Codex independently and adversarially reviewed the test plan (to surface missing cases and code paths) and helped verify findings against the source. The plan was iterated across multiple review rounds until coverage converged. Every finding was reproduced and compared against the hoisted strategy before being recorded.
Scope covered
file:/local, bundled, aliased, peer/optional, overrides.install,ci,uninstall,update,dedupe,prune,outdated,fund,rebuild,pkg,ls,query,explain,exec/npx,run,link,audit,sbom,patch.allow-scripts/allow-remote/allow-git,--strict-allow-scripts,--omit/--include, workspace filters (-w,--workspaces=false,--include-workspace-root),ignore-scripts, strategy switching, lockfile round-trips..storekeying/dedup, symlink correctness/repair,.binshims, cleanup.latest-branch features under isolated mode: supply-chain security (deny-by-default scripts,allow-remote=none, RFC-868 trusted-identity matching),packageExtensions, and the new.npm-extensiontransformManifestmanifest-repair extension point.Each sub-task is self-contained, with a minimal reproduction and a side-by-side hoisted comparison.
Sub-tasks
install-strategy=linked:npm install --auditreports "0 vulnerabilities" when a vulnerable package is installed #9609install-strategy=linked:npm sbomfails with ESBOMPROBLEMS (transitive devDependencies reported missing) #9610install-strategy=linked: install does not repair a wrong-but-existing symlink target (silently keeps the wrong version) #9611install-strategy=linked: hidden lockfile (node_modules/.package-lock.json) records the hoisted layout, not the linked layout #9612install-strategy=linked:.binshim left dangling afternpm uninstall#9613install-strategy=linked:--workspaces=falseand--include-workspace-rootfail withinvalid filterNode#9614install-strategy=linked:npm exec -w <ws>ignores a workspace-local bin and falls back to the registry #9616install-strategy=linked:napi-postinstallcannot resolve an installed optional native binding #9620install-strategy=linked:.storeand stale directories not cleaned up when switching install strategy #9615install-strategy=linked:npm query ':root > *'reports.storebacking paths instead of logical locations #9617install-strategy=linked: workspace-only / undeclared workspaces are invisible tonpm lsandnpm query#9618calcDepFlagsproduces incorrectdevflags due to multiple Links overwriting target #9100install-strategy=linked: an applied override is reportedinvalidbynpm ls(exit 1) #9619install-strategy=linked:npm link <path>(local path) fails with ENOENT in global node_modules #9621install-strategy=linked: extension-added optional dependency reportedUNMETbynpm lsthough installed #9622install-strategy=linked: a fresh install reports "up to date" instead of "added N" #9623install-strategy=linked: Installed transitive optional dependency is not materialized in the actual tree withinstall-strategy=linked#9627