From 579d8941e94318a2676bcbdd4d40059e8507368d Mon Sep 17 00:00:00 2001
From: Tim Keir <tkeir@atlassian.com>
Date: Wed, 23 Oct 2024 16:53:42 +1100
Subject: [PATCH] Disallow self referencing deps

---
 .yarn/versions/f1299379.yml                   | 34 +++++++++++++++++++
 .../sources/commands/add.test.ts              |  5 ++-
 packages/yarnpkg-core/sources/Manifest.ts     |  9 +++++
 packages/yarnpkg-core/tests/Manifest.test.ts  | 18 ++++++++++
 4 files changed, 63 insertions(+), 3 deletions(-)
 create mode 100644 .yarn/versions/f1299379.yml

diff --git a/.yarn/versions/f1299379.yml b/.yarn/versions/f1299379.yml
new file mode 100644
index 000000000000..2d6a48f178d8
--- /dev/null
+++ b/.yarn/versions/f1299379.yml
@@ -0,0 +1,34 @@
+releases:
+  "@yarnpkg/cli": patch
+  "@yarnpkg/core": patch
+
+declined:
+  - "@yarnpkg/plugin-compat"
+  - "@yarnpkg/plugin-constraints"
+  - "@yarnpkg/plugin-dlx"
+  - "@yarnpkg/plugin-essentials"
+  - "@yarnpkg/plugin-exec"
+  - "@yarnpkg/plugin-file"
+  - "@yarnpkg/plugin-git"
+  - "@yarnpkg/plugin-github"
+  - "@yarnpkg/plugin-http"
+  - "@yarnpkg/plugin-init"
+  - "@yarnpkg/plugin-interactive-tools"
+  - "@yarnpkg/plugin-link"
+  - "@yarnpkg/plugin-nm"
+  - "@yarnpkg/plugin-npm"
+  - "@yarnpkg/plugin-npm-cli"
+  - "@yarnpkg/plugin-pack"
+  - "@yarnpkg/plugin-patch"
+  - "@yarnpkg/plugin-pnp"
+  - "@yarnpkg/plugin-pnpm"
+  - "@yarnpkg/plugin-stage"
+  - "@yarnpkg/plugin-typescript"
+  - "@yarnpkg/plugin-version"
+  - "@yarnpkg/plugin-workspace-tools"
+  - "@yarnpkg/builder"
+  - "@yarnpkg/doctor"
+  - "@yarnpkg/extensions"
+  - "@yarnpkg/nm"
+  - "@yarnpkg/pnpify"
+  - "@yarnpkg/sdks"
diff --git a/packages/acceptance-tests/pkg-tests-specs/sources/commands/add.test.ts b/packages/acceptance-tests/pkg-tests-specs/sources/commands/add.test.ts
index 445503515f8d..ccdc8ec83a5e 100644
--- a/packages/acceptance-tests/pkg-tests-specs/sources/commands/add.test.ts
+++ b/packages/acceptance-tests/pkg-tests-specs/sources/commands/add.test.ts
@@ -549,9 +549,8 @@ describe(`Commands`, () => {
         await run(`add`, `no-deps`);
 
         await expect(xfs.readJsonPromise(ppath.join(path, Filename.manifest))).resolves.toMatchObject({
-          dependencies: {
-            [`no-deps`]: `^2.0.0`,
-          },
+          // Note that Manifest.exportTo disallows depending on self
+          dependencies: {},
         });
       }),
     );
diff --git a/packages/yarnpkg-core/sources/Manifest.ts b/packages/yarnpkg-core/sources/Manifest.ts
index fd70bb8333bf..e4c0814dcdea 100644
--- a/packages/yarnpkg-core/sources/Manifest.ts
+++ b/packages/yarnpkg-core/sources/Manifest.ts
@@ -871,6 +871,9 @@ export class Manifest {
       data.dependencies = Object.assign({}, ...structUtils.sortDescriptors(regularDependencies).map(dependency => {
         return {[structUtils.stringifyIdent(dependency)]: dependency.range};
       }));
+      if (data.name && data.dependencies[data.name]) {
+        delete data.dependencies[data.name];
+      }
     } else {
       delete data.dependencies;
     }
@@ -887,6 +890,9 @@ export class Manifest {
       data.devDependencies = Object.assign({}, ...structUtils.sortDescriptors(this.devDependencies.values()).map(dependency => {
         return {[structUtils.stringifyIdent(dependency)]: dependency.range};
       }));
+      if (data.name && data.devDependencies[data.name]) {
+        delete data.devDependencies[data.name];
+      }
     } else {
       delete data.devDependencies;
     }
@@ -895,6 +901,9 @@ export class Manifest {
       data.peerDependencies = Object.assign({}, ...structUtils.sortDescriptors(this.peerDependencies.values()).map(dependency => {
         return {[structUtils.stringifyIdent(dependency)]: dependency.range};
       }));
+      if (data.name && data.peerDependencies[data.name]) {
+        delete data.peerDependencies[data.name];
+      }
     } else {
       delete data.peerDependencies;
     }
diff --git a/packages/yarnpkg-core/tests/Manifest.test.ts b/packages/yarnpkg-core/tests/Manifest.test.ts
index 9b4141bef3fa..69f2a520f15e 100644
--- a/packages/yarnpkg-core/tests/Manifest.test.ts
+++ b/packages/yarnpkg-core/tests/Manifest.test.ts
@@ -54,5 +54,23 @@ describe(`Manifest`, () => {
       const manifest = Manifest.fromText(`{ "name": "name", "bin": { "bin1": " ", "bin2": "./bin2.js" } }`);
       expect(manifest.exportTo({}).bin).toEqual({bin2: `./bin2.js`});
     });
+
+    it(`should remove dependency if referencing itself`, () => {
+      const deps = `{ "no-dep": "^1.0.0", "dep": "^1.2.0" }`;
+      const manifest = Manifest.fromText(`
+        { "name": "no-dep", "dependencies": ${deps}, "devDependencies": ${deps}, "peerDependencies": ${deps} }
+      `);
+      expect(manifest.exportTo({})).toMatchObject({
+        dependencies: {
+          dep: `^1.2.0`,
+        },
+        devDependencies: {
+          dep: `^1.2.0`,
+        },
+        peerDependencies: {
+          dep: `^1.2.0`,
+        },
+      });
+    });
   });
 });