@pnpm/installing.deps-installer 1101.3.1 → 1101.5.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -32,6 +32,7 @@ export interface StrictInstallOptions {
32
32
  lockfileOnly: boolean;
33
33
  forceFullResolution: boolean;
34
34
  fixLockfile: boolean;
35
+ updateChecksums: boolean;
35
36
  dedupe: boolean;
36
37
  ignoreCompatibilityDb: boolean;
37
38
  ignorePackageManifest: boolean;
@@ -184,6 +185,23 @@ export interface StrictInstallOptions {
184
185
  trustPolicy?: TrustPolicy;
185
186
  trustPolicyExclude?: string[];
186
187
  trustPolicyIgnoreAfter?: number;
188
+ /**
189
+ * Skip the lockfile supply-chain verification pass entirely. When
190
+ * true, `verifyLockfileResolutions` is not called even if
191
+ * `resolutionVerifiers` is non-empty — the install trusts the
192
+ * lockfile as-is. Trade-off: a poisoned lockfile (e.g. one a
193
+ * contributor authored under a weaker policy than CI enforces) can
194
+ * slip through. Use only in environments where the lockfile is
195
+ * effectively part of the trusted base — closed-source projects
196
+ * where every commit comes from a trusted author, fully reproducible
197
+ * CI runs against an already-verified lockfile, etc.
198
+ *
199
+ * Added for #11860: on workspaces with thousands of locked entries,
200
+ * the verification pass holds the per-package registry metadata
201
+ * needed for the trust check resident in memory and can OOM CI
202
+ * runners with a 2GB heap cap.
203
+ */
204
+ trustLockfile?: boolean;
187
205
  packageVulnerabilityAudit?: PackageVulnerabilityAudit;
188
206
  blockExoticSubdeps?: boolean;
189
207
  /**
@@ -44,6 +44,7 @@ const defaults = (opts) => {
44
44
  },
45
45
  lockfileDir: opts.lockfileDir ?? opts.dir ?? process.cwd(),
46
46
  lockfileOnly: false,
47
+ updateChecksums: false,
47
48
  nodeVersion: opts.nodeVersion,
48
49
  nodeLinker: 'isolated',
49
50
  overrides: {},
@@ -193,7 +193,7 @@ export async function mutateModules(projects, maybeOpts) {
193
193
  !ctx.lockfileHadConflicts &&
194
194
  ctx.existsNonEmptyWantedLockfile &&
195
195
  (opts.frozenLockfile === true || opts.frozenLockfileIfExists === true);
196
- if (!willDelegateToPacquet) {
196
+ if (!willDelegateToPacquet && !opts.trustLockfile) {
197
197
  const cacheActive = opts.cacheDir != null && opts.resolutionVerifiers.length > 0;
198
198
  const wantedLockfilePath = cacheActive
199
199
  ? path.resolve(ctx.lockfileDir, await getWantedLockfileName({
@@ -370,6 +370,7 @@ export async function mutateModules(projects, maybeOpts) {
370
370
  const upToDateLockfileMajorVersion = ctx.wantedLockfile.lockfileVersion.toString().startsWith(`${LOCKFILE_MAJOR_VERSION}.`);
371
371
  let needsFullResolution = outdatedLockfileSettings ||
372
372
  opts.fixLockfile ||
373
+ opts.updateChecksums ||
373
374
  !upToDateLockfileMajorVersion ||
374
375
  opts.forceFullResolution ||
375
376
  forceResolutionFromHook;
@@ -760,18 +761,13 @@ Note that in CI environments, this setting is enabled by default.`,
760
761
  };
761
762
  }
762
763
  catch (error) { // eslint-disable-line
764
+ const isIntegrityError = BROKEN_LOCKFILE_INTEGRITY_ERRORS.has(error.code);
763
765
  if (frozenLockfile ||
764
766
  (error.code !== 'ERR_PNPM_LOCKFILE_MISSING_DEPENDENCY' &&
765
- !BROKEN_LOCKFILE_INTEGRITY_ERRORS.has(error.code)) ||
766
- (!ctx.existsNonEmptyWantedLockfile && !ctx.existsCurrentLockfile))
767
+ !isIntegrityError) ||
768
+ (!ctx.existsNonEmptyWantedLockfile && !ctx.existsCurrentLockfile) ||
769
+ (isIntegrityError && !opts.updateChecksums))
767
770
  throw error;
768
- if (BROKEN_LOCKFILE_INTEGRITY_ERRORS.has(error.code)) {
769
- needsFullResolution = true;
770
- // Ideally, we would not update but currently there is no other way to redownload the integrity of the package
771
- for (const project of projects) {
772
- project.update = true;
773
- }
774
- }
775
771
  // A broken lockfile may be caused by a badly resolved Git conflict
776
772
  logger.warn({
777
773
  error,
@@ -1014,6 +1010,7 @@ const _installInContext = async (projects, ctx, opts) => {
1014
1010
  excludeLinksFromLockfile: opts.excludeLinksFromLockfile,
1015
1011
  force: opts.force,
1016
1012
  forceFullResolution,
1013
+ updateChecksums: opts.updateChecksums,
1017
1014
  ignoreScripts: opts.ignoreScripts,
1018
1015
  hooks: {
1019
1016
  readPackage: opts.readPackageHook,
@@ -1529,19 +1526,16 @@ const installInContext = async (projects, ctx, opts) => {
1529
1526
  }
1530
1527
  catch (error) { // eslint-disable-line
1531
1528
  if (!BROKEN_LOCKFILE_INTEGRITY_ERRORS.has(error.code) ||
1532
- (!ctx.existsNonEmptyWantedLockfile && !ctx.existsCurrentLockfile))
1529
+ (!ctx.existsNonEmptyWantedLockfile && !ctx.existsCurrentLockfile) ||
1530
+ !opts.updateChecksums)
1533
1531
  throw error;
1534
1532
  opts.needsFullResolution = true;
1535
- // Ideally, we would not update but currently there is no other way to redownload the integrity of the package
1536
- for (const project of projects) {
1537
- project.update = true;
1538
- }
1539
1533
  logger.warn({
1540
1534
  error,
1541
1535
  message: error.message,
1542
1536
  prefix: ctx.lockfileDir,
1543
1537
  });
1544
- logger.error(new PnpmError(error.code, 'The lockfile is broken! A full installation will be performed in an attempt to fix it.'));
1538
+ logger.error(new PnpmError(error.code, 'Refreshing the locked integrity from the registry as requested by --update-checksums. A full installation will be performed.'));
1545
1539
  return _installInContext(projects, ctx, opts);
1546
1540
  }
1547
1541
  finally {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pnpm/installing.deps-installer",
3
- "version": "1101.3.1",
3
+ "version": "1101.5.0",
4
4
  "description": "Fast, disk space efficient installation engine",
5
5
  "keywords": [
6
6
  "pnpm",
@@ -56,66 +56,66 @@
56
56
  "load-json-file": "^7.0.1",
57
57
  "normalize-path": "^3.0.0",
58
58
  "p-filter": "^4.1.0",
59
- "p-limit": "^7.1.0",
59
+ "p-limit": "^7.3.0",
60
60
  "path-absolute": "^2.0.0",
61
61
  "path-exists": "^5.0.0",
62
62
  "ramda": "npm:@pnpm/ramda@0.28.1",
63
63
  "run-groups": "^5.0.0",
64
- "semver": "^7.7.2",
65
- "@pnpm/bins.linker": "1100.0.8",
66
- "@pnpm/agent.client": "1.0.7",
67
- "@pnpm/bins.remover": "1100.0.5",
68
- "@pnpm/building.after-install": "1101.0.15",
69
- "@pnpm/building.policy": "1100.0.6",
70
- "@pnpm/building.during-install": "1101.0.12",
71
- "@pnpm/catalogs.resolver": "1100.0.0",
64
+ "semver": "^7.8.1",
65
+ "@pnpm/agent.client": "1.0.8",
66
+ "@pnpm/building.after-install": "1101.0.17",
67
+ "@pnpm/building.policy": "1100.0.7",
68
+ "@pnpm/bins.remover": "1100.0.6",
72
69
  "@pnpm/catalogs.protocol-parser": "1100.0.0",
70
+ "@pnpm/building.during-install": "1101.0.14",
73
71
  "@pnpm/catalogs.types": "1100.0.0",
74
72
  "@pnpm/config.matcher": "1100.0.1",
75
- "@pnpm/config.normalize-registries": "1100.0.4",
73
+ "@pnpm/config.normalize-registries": "1100.0.5",
74
+ "@pnpm/catalogs.resolver": "1100.0.0",
76
75
  "@pnpm/config.parse-overrides": "1100.0.1",
77
- "@pnpm/core-loggers": "1100.1.1",
78
76
  "@pnpm/constants": "1100.0.0",
77
+ "@pnpm/core-loggers": "1100.1.2",
79
78
  "@pnpm/crypto.hash": "1100.0.1",
79
+ "@pnpm/deps.graph-hasher": "1100.2.2",
80
80
  "@pnpm/crypto.object-hasher": "1100.0.0",
81
- "@pnpm/deps.graph-hasher": "1100.2.1",
82
81
  "@pnpm/deps.graph-sequencer": "1100.0.0",
83
82
  "@pnpm/error": "1100.0.0",
84
- "@pnpm/deps.path": "1100.0.4",
85
- "@pnpm/exec.lifecycle": "1100.0.12",
83
+ "@pnpm/deps.path": "1100.0.5",
84
+ "@pnpm/exec.lifecycle": "1100.0.14",
86
85
  "@pnpm/fs.read-modules-dir": "1100.0.1",
87
- "@pnpm/hooks.read-package-hook": "1100.0.4",
88
- "@pnpm/fs.symlink-dependency": "1100.0.5",
89
- "@pnpm/hooks.types": "1100.0.8",
90
- "@pnpm/installing.context": "1100.0.12",
91
- "@pnpm/installing.deps-restorer": "1101.1.4",
92
- "@pnpm/installing.deps-resolver": "1100.1.2",
93
- "@pnpm/installing.linking.direct-dep-linker": "1100.0.5",
94
- "@pnpm/installing.linking.modules-cleaner": "1100.1.3",
95
- "@pnpm/installing.linking.hoist": "1100.0.8",
96
- "@pnpm/installing.modules-yaml": "1100.0.5",
97
- "@pnpm/installing.package-requester": "1101.0.8",
98
- "@pnpm/lockfile.filtering": "1100.1.2",
99
- "@pnpm/lockfile.preferred-versions": "1100.0.11",
100
- "@pnpm/lockfile.fs": "1100.1.1",
101
- "@pnpm/lockfile.pruner": "1100.0.7",
102
- "@pnpm/lockfile.settings-checker": "1100.0.12",
103
- "@pnpm/lockfile.to-pnp": "1100.0.10",
104
- "@pnpm/lockfile.utils": "1100.0.9",
105
- "@pnpm/lockfile.verification": "1100.0.12",
106
- "@pnpm/lockfile.walker": "1100.0.7",
107
- "@pnpm/patching.config": "1100.0.4",
108
- "@pnpm/pkg-manifest.utils": "1100.2.0",
109
- "@pnpm/resolving.parse-wanted-dependency": "1100.0.1",
110
- "@pnpm/resolving.resolver-base": "1100.3.0",
111
- "@pnpm/store.controller-types": "1100.1.1",
86
+ "@pnpm/fs.symlink-dependency": "1100.0.6",
87
+ "@pnpm/hooks.read-package-hook": "1100.0.5",
88
+ "@pnpm/hooks.types": "1100.0.9",
89
+ "@pnpm/installing.deps-resolver": "1100.1.4",
90
+ "@pnpm/installing.context": "1100.0.13",
91
+ "@pnpm/installing.linking.direct-dep-linker": "1100.0.6",
92
+ "@pnpm/installing.deps-restorer": "1101.1.6",
93
+ "@pnpm/installing.linking.hoist": "1100.0.10",
94
+ "@pnpm/installing.linking.modules-cleaner": "1100.1.4",
95
+ "@pnpm/installing.package-requester": "1101.0.9",
96
+ "@pnpm/installing.modules-yaml": "1100.0.6",
97
+ "@pnpm/lockfile.filtering": "1100.1.3",
98
+ "@pnpm/lockfile.fs": "1100.1.2",
99
+ "@pnpm/lockfile.settings-checker": "1100.0.13",
100
+ "@pnpm/lockfile.preferred-versions": "1100.0.12",
101
+ "@pnpm/lockfile.pruner": "1100.0.8",
102
+ "@pnpm/lockfile.to-pnp": "1100.0.11",
103
+ "@pnpm/lockfile.walker": "1100.0.8",
104
+ "@pnpm/bins.linker": "1100.0.10",
105
+ "@pnpm/patching.config": "1100.0.5",
106
+ "@pnpm/resolving.resolver-base": "1100.3.1",
107
+ "@pnpm/pkg-manifest.utils": "1100.2.1",
108
+ "@pnpm/store.controller-types": "1100.1.2",
109
+ "@pnpm/types": "1101.2.0",
110
+ "@pnpm/workspace.project-manifest-reader": "1100.0.9",
112
111
  "@pnpm/store.index": "1100.1.0",
113
- "@pnpm/types": "1101.1.1",
114
- "@pnpm/workspace.project-manifest-reader": "1100.0.7"
112
+ "@pnpm/lockfile.verification": "1100.0.13",
113
+ "@pnpm/resolving.parse-wanted-dependency": "1100.0.1",
114
+ "@pnpm/lockfile.utils": "1100.0.10"
115
115
  },
116
116
  "peerDependencies": {
117
- "@pnpm/logger": ">=1001.0.0 <1002.0.0",
118
- "@pnpm/worker": "^1100.1.7"
117
+ "@pnpm/logger": "^1001.0.1",
118
+ "@pnpm/worker": "^1100.1.8"
119
119
  },
120
120
  "devDependencies": {
121
121
  "@jest/globals": "30.3.0",
@@ -126,7 +126,7 @@
126
126
  "@types/ramda": "0.31.1",
127
127
  "@types/semver": "7.7.1",
128
128
  "@yarnpkg/core": "4.5.0",
129
- "ci-info": "^4.3.0",
129
+ "ci-info": "^4.4.0",
130
130
  "deep-require-cwd": "1.0.0",
131
131
  "execa": "npm:safe-execa@0.3.0",
132
132
  "exists-link": "2.0.0",
@@ -138,21 +138,22 @@
138
138
  "symlink-dir": "^10.0.1",
139
139
  "write-json-file": "^7.0.0",
140
140
  "write-yaml-file": "^6.0.0",
141
- "@pnpm/assert-project": "1100.0.10",
142
- "@pnpm/assert-store": "1100.0.10",
143
- "@pnpm/lockfile.types": "1100.0.7",
141
+ "@pnpm/assert-project": "1100.0.11",
142
+ "@pnpm/installing.deps-installer": "1101.5.0",
143
+ "@pnpm/assert-store": "1100.0.11",
144
+ "@pnpm/lockfile.types": "1100.0.8",
144
145
  "@pnpm/logger": "1100.0.0",
145
146
  "@pnpm/network.git-utils": "1100.0.1",
146
- "@pnpm/installing.deps-installer": "1101.3.1",
147
- "@pnpm/pkg-manifest.reader": "1100.0.4",
148
- "@pnpm/prepare": "1100.0.10",
149
- "@pnpm/resolving.registry.types": "1100.0.4",
150
- "@pnpm/store.cafs": "1100.1.6",
147
+ "@pnpm/pkg-manifest.reader": "1100.0.5",
148
+ "@pnpm/prepare": "1100.0.11",
149
+ "@pnpm/resolving.registry.types": "1100.0.5",
150
+ "@pnpm/store.cafs": "1100.1.7",
151
151
  "@pnpm/store.path": "1100.0.1",
152
152
  "@pnpm/test-fixtures": "1100.0.0",
153
- "@pnpm/testing.mock-agent": "1100.0.6",
153
+ "@pnpm/testing.mock-agent": "1100.0.7",
154
154
  "@pnpm/test-ipc-server": "1100.0.0",
155
- "@pnpm/testing.temp-store": "1100.1.2"
155
+ "@pnpm/testing.temp-store": "1100.1.4",
156
+ "@pnpm/testing.registry-mock": "1100.0.1"
156
157
  },
157
158
  "engines": {
158
159
  "node": ">=22.13"