fix: don't include external links in lockfile, when they resolve peers (#6507)

ref https://github.com/teambit/bit/pull/7176

.changeset/smart-waves-lie.md

@@ -0,0 +1,5 @@
+---
+"@pnpm/resolve-dependencies": patch
+---
+
+Do not include external links in the lockfile, when they are used to resolve peers.

pkg-manager/core/test/install/excludeLinksFromLockfile.ts

@@ -10,10 +10,12 @@ import {
 } from '@pnpm/core'
 import { type Lockfile, type LockfileV6 } from '@pnpm/lockfile-types'
 import { prepareEmpty, preparePackages, tempDir } from '@pnpm/prepare'
+import { addDistTag } from '@pnpm/registry-mock'
 import { fixtures } from '@pnpm/test-fixtures'
 import rimraf from '@zkochan/rimraf'
 import normalizePath from 'normalize-path'
 import readYamlFile from 'read-yaml-file'
+import { sync as writeJsonFile } from 'write-json-file'
 import { testDefaults } from '../utils'
 
 const f = fixtures(__dirname)
@@ -214,3 +216,24 @@ test('update the lockfile when a new project is added to the workspace but do no
   expect(Object.keys(lockfile.importers)).toStrictEqual(['project-1', 'project-2'])
   expect(Object.keys(lockfile.importers['project-1'].dependencies ?? {})).toStrictEqual(['is-positive'])
 })
+
+test('path to external link is not added to the lockfile, when it resolves a peer dependency', async () => {
+  await addDistTag({ package: '@pnpm.e2e/peer-b', version: '1.0.0', distTag: 'latest' })
+  await addDistTag({ package: '@pnpm.e2e/peer-c', version: '1.0.0', distTag: 'latest' })
+  const externalPkg = tempDir(false)
+  writeJsonFile(path.join(externalPkg, 'package.json'), {
+    name: '@pnpm.e2e/peer-a',
+    version: '1.0.0',
+  })
+  const project = prepareEmpty()
+
+  await addDependenciesToPackage({},
+    ['@pnpm.e2e/abc@1.0.0', `link:${externalPkg}`],
+    await testDefaults({ excludeLinksFromLockfile: true })
+  )
+
+  const lockfile = await project.readLockfile()
+  const key = '/@pnpm.e2e/abc@1.0.0(@pnpm.e2e/peer-a@node_modules+@pnpm.e2e+peer-a)(@pnpm.e2e/peer-b@1.0.0)(@pnpm.e2e/peer-c@1.0.0)'
+  expect(lockfile.packages[key]).toBeTruthy()
+  expect(lockfile.packages[key].dependencies?.['@pnpm.e2e/peer-a']).toBe('link:node_modules/@pnpm.e2e/peer-a')
+})

pkg-manager/resolve-dependencies/src/index.ts

@@ -25,6 +25,7 @@ import {
 import promiseShare from 'promise-share'
 import difference from 'ramda/src/difference'
 import zipWith from 'ramda/src/zipWith'
+import isSubdir from 'is-subdir'
 import { getWantedDependencies, type WantedDependency } from './getWantedDependencies'
 import { depPathToRef } from './depPathToRef'
 import { createNodeIdForLinkedLocalPkg, type UpdateMatchingFunction } from './resolveDependencies'
@@ -185,10 +186,16 @@ export async function resolveDependencies (
       )
       : []
     resolvedImporter.linkedDependencies.forEach((linkedDependency) => {
+      // The location of the external link may vary on different machines, so it is better not to include it in the lockfile.
+      // As a workaround, we symlink to the root of node_modules, which is a symlink to the actual location of the external link.
+      const target = !opts.excludeLinksFromLockfile || isSubdir(opts.lockfileDir, linkedDependency.resolution.directory)
+        ? linkedDependency.resolution.directory
+        : path.join(project.modulesDir, linkedDependency.alias)
+      const linkedDir = createNodeIdForLinkedLocalPkg(opts.lockfileDir, target)
       topParents.push({
         name: linkedDependency.alias,
         version: linkedDependency.version,
-        linkedDir: createNodeIdForLinkedLocalPkg(opts.lockfileDir, linkedDependency.resolution.directory),
+        linkedDir,
       })
     })