Fix pnpm compatibility

[CvX]

@npmcli/arborist (incorrectly?) returns dependencies with no package info when looking in /node_modules/.pnpm directory.

It does also return correct data from deeper nested dirs like for example /node_modules/.pnpm/tmp@0.2.1/node_modules/tmp so we can just ignore the invalid entries.

[ljharb]

Is this still the case with arborist 6, which will be in v10 of licensee?

[CvX]

Sorry, missed that comment!

I just checked using "@npmcli/arborist": "^6.2.7" and the behavior seems the same, it does return those empty/invalid packages:

{
  "name": "licensee-playground",
  "version": "1.0.0",
  "description": "",
  "main": "index.js",
  "scripts": {
    "test": "echo \"Error: no test specified\" && exit 1"
  },
  "author": "",
  "license": "ISC",
  "dependencies": {
    "@npmcli/arborist": "^6.2.7",
    "mit-licensed": "^1.0.0"
  }
}

const Arborist = require('@npmcli/arborist');
const arborist = new Arborist();
arborist.loadActual({ forceActual: true }).then((tree) => {
  const dependencies = Array.from(tree.inventory.values()).filter(
    (dependency) => !dependency.package.name
  );
  console.log(dependencies.length); // 108
});

[ljharb]

Hmm - thinking about this more, the node_modules/.pnpm directory shouldn't be looked at at all anyways. If licensee were to skip folders that start with a dot, would this fix be needed?

[kemitchell]

Is licensee even choosing directory targets? Isn't it just calling Arborist in CWD?

Ideally we shouldn't care about npm versus yarn versus pnpm or any other thing-that-populates-node_modules. We should fire Arborist off at node_modules and go from there.

We'd have to reconsider Arborist, or using Arborist alone, if Arborist decided to support just the way npm does node_modules, but not other ways that Node.js says it can be done. I haven't seen any sign of that yet.

[ljharb]

That's a good point, and I agree - this may be a bug in arborist, in which case that's where it should be fixed.