NodeSecure · fraxken · Nov 30, 2025 · Nov 28, 2025
diff --git a/.changeset/yummy-knives-grab.md b/.changeset/yummy-knives-grab.md
@@ -0,0 +1,5 @@
+---
+"@nodesecure/tree-walker": minor
+---
+
+Re-abstract tree loading with NPM arborist
diff --git a/workspaces/tree-walker/src/npm/LocalDependencyTreeLoader.ts b/workspaces/tree-walker/src/npm/LocalDependencyTreeLoader.ts
@@ -6,20 +6,30 @@ import fs from "node:fs/promises";
 import Arborist from "@npmcli/arborist";
 
 // Import Internal Dependencies
+import {
+  TreeDependencies,
+  type TreeDependenciesOptions
+} from "./TreeDependencies.js";
 import * as utils from "../utils/index.js";
 
 export interface LocalDependencyTreeLoaderProvider {
   load(
     location: string,
-    registry?: string
-  ): Promise<Arborist.Node>;
+    options?: LocalDependencyTreeLoaderOptions
+  ): Promise<TreeDependencies>;
+}
+
+export interface LocalDependencyTreeLoaderOptions extends TreeDependenciesOptions {
+  registry?: string;
 }
 
 export class LocalDependencyTreeLoader implements LocalDependencyTreeLoaderProvider {
   async load(
     location: string,
-    registry?: string
-  ): Promise<Arborist.Node> {
+    options: LocalDependencyTreeLoaderOptions = {}
+  ): Promise<TreeDependencies> {
+    const { registry, ...treeDepOptions } = options;
+
     const arb = new Arborist({
       ...utils.NPM_TOKEN,
       path: location,
@@ -33,10 +43,14 @@ export class LocalDependencyTreeLoader implements LocalDependencyTreeLoaderProvi
 
       await arb.loadActual();
 
-      return arb.buildIdealTree();
+      const treeNode = await arb.buildIdealTree();
+
+      return TreeDependencies.fromArboristNode(treeNode, treeDepOptions);
     }
     catch {
-      return arb.loadVirtual();
+      const treeNode = await arb.loadVirtual();
+
+      return TreeDependencies.fromArboristNode(treeNode, treeDepOptions);
     }
   }
 }
diff --git a/workspaces/tree-walker/src/npm/TreeDependencies.ts b/workspaces/tree-walker/src/npm/TreeDependencies.ts
@@ -0,0 +1,49 @@
+/* eslint-disable func-style */
+// Import Third-party Dependencies
+import Arborist from "@npmcli/arborist";
+import * as iter from "itertools";
+
+type EdgeOut = [string, Arborist.Edge];
+
+export interface TreeDependenciesOptions {
+  includeDevDeps?: boolean;
+}
+
+export class TreeDependencies {
+  dependencies: Map<string, Arborist.Node>;
+
+  static fromArboristNode(
+    node: Arborist.Node,
+    options: TreeDependenciesOptions = {}
+  ): TreeDependencies {
+    const { includeDevDeps = false } = options;
+
+    const shouldIncludeEdge = ([packageName, edge]: EdgeOut) => {
+      const { to } = edge;
+      if (to === null) {
+        return [];
+      }
+
+      const shouldInclude = includeDevDeps || to.dev === false || to.isWorkspace;
+      if (!shouldInclude) {
+        return [];
+      }
+
+      const targetNode = to.isWorkspace ? to.target : to;
+
+      return [[packageName, targetNode] as const];
+    };
+
+    const dependencies = new Map(
+      iter.flatmap(node.edgesOut.entries(), shouldIncludeEdge)
+    );
+
+    return new TreeDependencies(dependencies);
+  }
+
+  constructor(
+    dependencies: Map<string, Arborist.Node>
+  ) {
+    this.dependencies = dependencies;
+  }
+}
diff --git a/workspaces/tree-walker/src/npm/walker.ts b/workspaces/tree-walker/src/npm/walker.ts
@@ -22,6 +22,9 @@ import {
   type DependencyJSON,
   type NpmSpec
 } from "../Dependency.class.js";
+import {
+  TreeDependencies
+} from "./TreeDependencies.js";
 
 interface BaseWalkOptions {
   parent: Dependency;
@@ -337,39 +340,33 @@ export class TreeWalker {
     scanWithArborist: if (packageLock !== null) {
       const { location, ...packageLockOptions } = packageLock;
 
-      let arboristNode: Arborist.Node;
+      let tree: TreeDependencies;
       try {
-        arboristNode = await this.providers.localTreeLoader.load(
+        tree = await this.providers.localTreeLoader.load(
           location,
-          this.registry
+          {
+            includeDevDeps,
+            registry: this.registry
+          }
         );
       }
       catch {
         break scanWithArborist;
       }
-      const { edgesOut } = arboristNode;
-
-      const iterators = [
-        ...iter
-          .filter(edgesOut.entries(), ([, { to }]) => to !== null && (includeDevDeps ? true : (!to.dev || to.isWorkspace)))
-          .map(([packageName, { to }]) => [packageName, to!.isWorkspace ? to!.target : to] as const)
-          .map(([packageName, to]) => this.walkLocalDependency(packageName, to!, {
-            maxDepth,
-            parent: rootDependency,
-            includeDevDeps,
-            ...packageLockOptions
-          }))
-      ];
+
+      const iterators = iter
+        .map(tree.dependencies.entries(), ([packageName, to]) => this.walkLocalDependency(packageName, to, {
+          maxDepth,
+          parent: rootDependency,
+          includeDevDeps,
+          ...packageLockOptions
+        }));
 
       for await (const dep of combineAsyncIterators({}, ...iterators)) {
         yield dep.exportAsPlainObject();
       }
 
-      for (const [packageName, { to: toNode }] of edgesOut) {
-        if (toNode === null || (!includeDevDeps && toNode.dev)) {
-          continue;
-        }
-
+      for (const [packageName, toNode] of tree.dependencies) {
         this.addTreeRelation(
           `${packageName}@${toNode.package.version}`,
           rootDependency.spec

diff --git a/workspaces/tree-walker/test/fixtures/tree-loader-virtual/package-lock.json b/workspaces/tree-walker/test/fixtures/tree-loader-virtual/package-lock.json
diff --git a/workspaces/tree-walker/test/fixtures/tree-loader-virtual/package.json b/workspaces/tree-walker/test/fixtures/tree-loader-virtual/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "tree-loader-virtual",
+  "version": "1.0.0",
+  "description": "",
+  "main": "index.js",
+  "scripts": {
+    "test": "echo \"Error: no test specified\" && exit 1"
+  },
+  "keywords": [],
+  "type": "commonjs",
+  "dependencies": {
+    "@types/node": "^24.10.1"
+  }
+}
diff --git a/workspaces/tree-walker/test/npm/LocalDependencyTreeLoader.spec.ts b/workspaces/tree-walker/test/npm/LocalDependencyTreeLoader.spec.ts
@@ -0,0 +1,105 @@
+// Import Node.js Dependencies
+import { afterEach, beforeEach, describe, it } from "node:test";
+import path from "node:path";
+import fs from "node:fs";
+import os from "node:os";
+import assert from "node:assert";
+import { spawnSync } from "node:child_process";
+import { fileURLToPath } from "node:url";
+
+// Import Internal Dependencies
+import {
+  LocalDependencyTreeLoader
+} from "../../src/npm/LocalDependencyTreeLoader.js";
+
+// CONSTANTS
+const __dirname = path.dirname(fileURLToPath(import.meta.url));
+const kFixturesDir = path.join(__dirname, "..", "fixtures");
+
+describe("LocalDependencyTreeLoader", () => {
+  describe("arborist.loadVirtual()", () => {
+    it("should load a simple dependency tree using package-lock.json", async() => {
+      const treeLoader = new LocalDependencyTreeLoader();
+
+      const { dependencies } = await treeLoader.load(
+        path.join(kFixturesDir, "tree-loader-virtual")
+      );
+
+      const dependenciesName = Array.from(dependencies.keys());
+      assert.deepEqual(
+        dependenciesName,
+        ["@types/node"]
+      );
+    });
+  });
+
+  describe("arborist.loadActual()", () => {
+    let npmLocalProjectCloneLocation: string;
+
+    beforeEach(() => {
+      npmLocalProjectCloneLocation = fs.mkdtempSync(
+        path.join(os.tmpdir(), "local-dep-tree-loader-")
+      );
+    });
+
+    afterEach(() => {
+      fs.rmSync(npmLocalProjectCloneLocation, { recursive: true, force: true });
+    });
+
+    it("should load a simple dependency tree using node_modules", async() => {
+      copyAndInstall(
+        path.join(kFixturesDir, "tree-loader-virtual"),
+        npmLocalProjectCloneLocation
+      );
+      const treeLoader = new LocalDependencyTreeLoader();
+
+      const { dependencies } = await treeLoader.load(npmLocalProjectCloneLocation);
+
+      const dependenciesName = Array.from(dependencies.keys());
+      assert.deepEqual(
+        dependenciesName,
+        ["@types/node"]
+      );
+    });
+  });
+});
+
+interface CopyAndInstallOptions {
+  /**
+   * @default true
+   */
+  removePackageLock?: boolean;
+}
+
+function copyAndInstall(
+  source: string,
+  destination: string,
+  options: CopyAndInstallOptions = {}
+) {
+  const { removePackageLock = true } = options;
+
+  fs.copyFileSync(
+    path.join(source, "package.json"),
+    path.join(destination, "package.json")
+  );
+
+  spawnSync(
+    [
+      `npm${process.platform === "win32" ? ".cmd" : ""}`,
+      "install",
+      "--prefer-offline",
+      "--no-audit"
+    ].join(" "),
+    {
+      cwd: destination,
+      shell: true
+    }
+  );
+
+  if (removePackageLock) {
+    fs.rmSync(
+      path.join(destination, "package-lock.json"),
+      { force: true }
+    );
+  }
+}