fix: always use package key-value refs when reading from dependency list instead of required package name (#9583)

Author: mmaietta

.changeset/thick-cases-refuse.md

@@ -0,0 +1,5 @@
+---
+"app-builder-lib": patch
+---
+
+fix: use package key when reading from dependency list instead of package `from` to not mislabel package-version strings

packages/app-builder-lib/src/node-module-collector/nodeModulesCollector.ts

@@ -186,8 +186,10 @@ export abstract class NodeModulesCollector<ProdDepType extends Dependency<ProdDe
     return `${pkg.name}::${pkg.version}::${rel ?? "."}`
   }
 
-  protected packageVersionString(pkg: Pick<ProdDepType, "name" | "version">): string {
-    return `${pkg.name}@${pkg.version}`
+  // We use the key (alias name) instead of value.name for npm aliased packages
+  // e.g., { "foo": { name: "@scope/bar", ... } } should be stored as "foo@version"
+  protected normalizePackageVersion(key: string, pkg: ProdDepType) {
+    return { id: `${key}@${pkg.version}`, pkgOverride: { ...pkg, name: key } }
   }
 
   /**

packages/app-builder-lib/src/node-module-collector/npmNodeModulesCollector.ts

@@ -14,15 +14,22 @@ export class NpmNodeModulesCollector extends NodeModulesCollector<NpmDependency,
 
   protected async collectAllDependencies(tree: NpmDependency) {
     for (const [key, value] of Object.entries(tree.dependencies || {})) {
+      const { id: childDependencyId, pkgOverride } = this.normalizePackageVersion(key, value)
+
+      // Only skip if this exact version is already collected AND it's a duplicate reference
+      // We need to collect nested versions even if a different version exists at top level
       if (this.isDuplicatedNpmDependency(value)) {
+        // This is a reference to a package already defined elsewhere in the tree
+        // Still add it to allDependencies if we haven't seen this exact version yet
+        if (!this.allDependencies.has(childDependencyId)) {
+          this.allDependencies.set(childDependencyId, pkgOverride)
+        }
         continue
       }
-      // Use the key (alias name) instead of value.name for npm aliased packages
-      // e.g., { "foo": { name: "@scope/bar", ... } } should be stored as "foo@version"
-      // This ensures aliased packages are copied to the correct location in node_modules
-      const normalizedDep: NpmDependency = key !== value.name ? { ...value, name: key } : value
-      this.allDependencies.set(this.packageVersionString(normalizedDep), normalizedDep)
-      await this.collectAllDependencies(value)
+
+      // Always store this dependency and recurse into its children
+      this.allDependencies.set(childDependencyId, pkgOverride)
+      await this.collectAllDependencies(pkgOverride)
     }
   }
 
@@ -51,8 +58,8 @@ export class NpmNodeModulesCollector extends NodeModulesCollector<NpmDependency,
         if (Object.keys(dependency).length === 0) {
           continue
         }
-        const childDependencyId = this.packageVersionString({ name: packageName, version: dependency.version })
-        await this.extractProductionDependencyGraph(dependency, childDependencyId)
+        const { id: childDependencyId, pkgOverride } = this.normalizePackageVersion(packageName, dependency)
+        await this.extractProductionDependencyGraph(pkgOverride, childDependencyId)
         collectedDependencies.push(childDependencyId)
       }
     }

packages/app-builder-lib/src/node-module-collector/pnpmNodeModulesCollector.ts

@@ -41,8 +41,8 @@ export class PnpmNodeModulesCollector extends NodeModulesCollector<PnpmDependenc
           return undefined
         }
       }
-      const childDependencyId = this.packageVersionString(dependency)
-      await this.extractProductionDependencyGraph(dependency, childDependencyId)
+      const { id: childDependencyId, pkgOverride } = this.normalizePackageVersion(packageName, dependency)
+      await this.extractProductionDependencyGraph(pkgOverride, childDependencyId)
       return childDependencyId
     })
 
@@ -72,11 +72,6 @@ export class PnpmNodeModulesCollector extends NodeModulesCollector<PnpmDependenc
     }
   }
 
-  protected packageVersionString(pkg: PnpmDependency): string {
-    // we use 'from' field because 'name' may be different in case of aliases
-    return `${pkg.from}@${pkg.version}`
-  }
-
   protected parseDependenciesTree(jsonBlob: string): PnpmDependency {
     // pnpm returns an array of dependency trees
     const dependencyTree: PnpmDependency[] = this.extractJsonFromPollutedOutput<PnpmDependency[]>(jsonBlob)

packages/app-builder-lib/src/node-module-collector/traversalNodeModulesCollector.ts

@@ -21,8 +21,9 @@ export class TraversalNodeModulesCollector extends NodeModulesCollector<Traverse
   }
 
   protected async collectAllDependencies(tree: TraversedDependency, appPackageName: string) {
-    for (const [, value] of Object.entries({ ...tree.dependencies, ...tree.optionalDependencies })) {
-      this.allDependencies.set(this.packageVersionString(value), value)
+    for (const [packageKey, value] of Object.entries({ ...tree.dependencies, ...tree.optionalDependencies })) {
+      const normalizedDep = this.normalizePackageVersion(packageKey, value)
+      this.allDependencies.set(normalizedDep.id, normalizedDep.pkgOverride)
       await this.collectAllDependencies(value, appPackageName)
     }
   }
@@ -39,8 +40,8 @@ export class TraversalNodeModulesCollector extends NodeModulesCollector<Traverse
     const collectedDependencies: string[] = []
     for (const packageName in prodDependencies) {
       const dependency = prodDependencies[packageName]
-      const childDependencyId = this.packageVersionString(dependency)
-      await this.extractProductionDependencyGraph(dependency, childDependencyId)
+      const { id: childDependencyId, pkgOverride } = this.normalizePackageVersion(packageName, dependency)
+      await this.extractProductionDependencyGraph(pkgOverride, childDependencyId)
       collectedDependencies.push(childDependencyId)
     }
     this.productionGraph[dependencyId] = { dependencies: collectedDependencies }