@pnpm/installing.deps-installer 1101.3.1 → 1101.5.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -32,6 +32,7 @@ export interface StrictInstallOptions {
|
|
|
32
32
|
lockfileOnly: boolean;
|
|
33
33
|
forceFullResolution: boolean;
|
|
34
34
|
fixLockfile: boolean;
|
|
35
|
+
updateChecksums: boolean;
|
|
35
36
|
dedupe: boolean;
|
|
36
37
|
ignoreCompatibilityDb: boolean;
|
|
37
38
|
ignorePackageManifest: boolean;
|
|
@@ -184,6 +185,23 @@ export interface StrictInstallOptions {
|
|
|
184
185
|
trustPolicy?: TrustPolicy;
|
|
185
186
|
trustPolicyExclude?: string[];
|
|
186
187
|
trustPolicyIgnoreAfter?: number;
|
|
188
|
+
/**
|
|
189
|
+
* Skip the lockfile supply-chain verification pass entirely. When
|
|
190
|
+
* true, `verifyLockfileResolutions` is not called even if
|
|
191
|
+
* `resolutionVerifiers` is non-empty — the install trusts the
|
|
192
|
+
* lockfile as-is. Trade-off: a poisoned lockfile (e.g. one a
|
|
193
|
+
* contributor authored under a weaker policy than CI enforces) can
|
|
194
|
+
* slip through. Use only in environments where the lockfile is
|
|
195
|
+
* effectively part of the trusted base — closed-source projects
|
|
196
|
+
* where every commit comes from a trusted author, fully reproducible
|
|
197
|
+
* CI runs against an already-verified lockfile, etc.
|
|
198
|
+
*
|
|
199
|
+
* Added for #11860: on workspaces with thousands of locked entries,
|
|
200
|
+
* the verification pass holds the per-package registry metadata
|
|
201
|
+
* needed for the trust check resident in memory and can OOM CI
|
|
202
|
+
* runners with a 2GB heap cap.
|
|
203
|
+
*/
|
|
204
|
+
trustLockfile?: boolean;
|
|
187
205
|
packageVulnerabilityAudit?: PackageVulnerabilityAudit;
|
|
188
206
|
blockExoticSubdeps?: boolean;
|
|
189
207
|
/**
|
package/lib/install/index.js
CHANGED
|
@@ -193,7 +193,7 @@ export async function mutateModules(projects, maybeOpts) {
|
|
|
193
193
|
!ctx.lockfileHadConflicts &&
|
|
194
194
|
ctx.existsNonEmptyWantedLockfile &&
|
|
195
195
|
(opts.frozenLockfile === true || opts.frozenLockfileIfExists === true);
|
|
196
|
-
if (!willDelegateToPacquet) {
|
|
196
|
+
if (!willDelegateToPacquet && !opts.trustLockfile) {
|
|
197
197
|
const cacheActive = opts.cacheDir != null && opts.resolutionVerifiers.length > 0;
|
|
198
198
|
const wantedLockfilePath = cacheActive
|
|
199
199
|
? path.resolve(ctx.lockfileDir, await getWantedLockfileName({
|
|
@@ -370,6 +370,7 @@ export async function mutateModules(projects, maybeOpts) {
|
|
|
370
370
|
const upToDateLockfileMajorVersion = ctx.wantedLockfile.lockfileVersion.toString().startsWith(`${LOCKFILE_MAJOR_VERSION}.`);
|
|
371
371
|
let needsFullResolution = outdatedLockfileSettings ||
|
|
372
372
|
opts.fixLockfile ||
|
|
373
|
+
opts.updateChecksums ||
|
|
373
374
|
!upToDateLockfileMajorVersion ||
|
|
374
375
|
opts.forceFullResolution ||
|
|
375
376
|
forceResolutionFromHook;
|
|
@@ -760,18 +761,13 @@ Note that in CI environments, this setting is enabled by default.`,
|
|
|
760
761
|
};
|
|
761
762
|
}
|
|
762
763
|
catch (error) { // eslint-disable-line
|
|
764
|
+
const isIntegrityError = BROKEN_LOCKFILE_INTEGRITY_ERRORS.has(error.code);
|
|
763
765
|
if (frozenLockfile ||
|
|
764
766
|
(error.code !== 'ERR_PNPM_LOCKFILE_MISSING_DEPENDENCY' &&
|
|
765
|
-
!
|
|
766
|
-
(!ctx.existsNonEmptyWantedLockfile && !ctx.existsCurrentLockfile)
|
|
767
|
+
!isIntegrityError) ||
|
|
768
|
+
(!ctx.existsNonEmptyWantedLockfile && !ctx.existsCurrentLockfile) ||
|
|
769
|
+
(isIntegrityError && !opts.updateChecksums))
|
|
767
770
|
throw error;
|
|
768
|
-
if (BROKEN_LOCKFILE_INTEGRITY_ERRORS.has(error.code)) {
|
|
769
|
-
needsFullResolution = true;
|
|
770
|
-
// Ideally, we would not update but currently there is no other way to redownload the integrity of the package
|
|
771
|
-
for (const project of projects) {
|
|
772
|
-
project.update = true;
|
|
773
|
-
}
|
|
774
|
-
}
|
|
775
771
|
// A broken lockfile may be caused by a badly resolved Git conflict
|
|
776
772
|
logger.warn({
|
|
777
773
|
error,
|
|
@@ -1014,6 +1010,7 @@ const _installInContext = async (projects, ctx, opts) => {
|
|
|
1014
1010
|
excludeLinksFromLockfile: opts.excludeLinksFromLockfile,
|
|
1015
1011
|
force: opts.force,
|
|
1016
1012
|
forceFullResolution,
|
|
1013
|
+
updateChecksums: opts.updateChecksums,
|
|
1017
1014
|
ignoreScripts: opts.ignoreScripts,
|
|
1018
1015
|
hooks: {
|
|
1019
1016
|
readPackage: opts.readPackageHook,
|
|
@@ -1529,19 +1526,16 @@ const installInContext = async (projects, ctx, opts) => {
|
|
|
1529
1526
|
}
|
|
1530
1527
|
catch (error) { // eslint-disable-line
|
|
1531
1528
|
if (!BROKEN_LOCKFILE_INTEGRITY_ERRORS.has(error.code) ||
|
|
1532
|
-
(!ctx.existsNonEmptyWantedLockfile && !ctx.existsCurrentLockfile)
|
|
1529
|
+
(!ctx.existsNonEmptyWantedLockfile && !ctx.existsCurrentLockfile) ||
|
|
1530
|
+
!opts.updateChecksums)
|
|
1533
1531
|
throw error;
|
|
1534
1532
|
opts.needsFullResolution = true;
|
|
1535
|
-
// Ideally, we would not update but currently there is no other way to redownload the integrity of the package
|
|
1536
|
-
for (const project of projects) {
|
|
1537
|
-
project.update = true;
|
|
1538
|
-
}
|
|
1539
1533
|
logger.warn({
|
|
1540
1534
|
error,
|
|
1541
1535
|
message: error.message,
|
|
1542
1536
|
prefix: ctx.lockfileDir,
|
|
1543
1537
|
});
|
|
1544
|
-
logger.error(new PnpmError(error.code, '
|
|
1538
|
+
logger.error(new PnpmError(error.code, 'Refreshing the locked integrity from the registry as requested by --update-checksums. A full installation will be performed.'));
|
|
1545
1539
|
return _installInContext(projects, ctx, opts);
|
|
1546
1540
|
}
|
|
1547
1541
|
finally {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@pnpm/installing.deps-installer",
|
|
3
|
-
"version": "1101.
|
|
3
|
+
"version": "1101.5.0",
|
|
4
4
|
"description": "Fast, disk space efficient installation engine",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"pnpm",
|
|
@@ -56,66 +56,66 @@
|
|
|
56
56
|
"load-json-file": "^7.0.1",
|
|
57
57
|
"normalize-path": "^3.0.0",
|
|
58
58
|
"p-filter": "^4.1.0",
|
|
59
|
-
"p-limit": "^7.
|
|
59
|
+
"p-limit": "^7.3.0",
|
|
60
60
|
"path-absolute": "^2.0.0",
|
|
61
61
|
"path-exists": "^5.0.0",
|
|
62
62
|
"ramda": "npm:@pnpm/ramda@0.28.1",
|
|
63
63
|
"run-groups": "^5.0.0",
|
|
64
|
-
"semver": "^7.
|
|
65
|
-
"@pnpm/
|
|
66
|
-
"@pnpm/
|
|
67
|
-
"@pnpm/
|
|
68
|
-
"@pnpm/
|
|
69
|
-
"@pnpm/building.policy": "1100.0.6",
|
|
70
|
-
"@pnpm/building.during-install": "1101.0.12",
|
|
71
|
-
"@pnpm/catalogs.resolver": "1100.0.0",
|
|
64
|
+
"semver": "^7.8.1",
|
|
65
|
+
"@pnpm/agent.client": "1.0.8",
|
|
66
|
+
"@pnpm/building.after-install": "1101.0.17",
|
|
67
|
+
"@pnpm/building.policy": "1100.0.7",
|
|
68
|
+
"@pnpm/bins.remover": "1100.0.6",
|
|
72
69
|
"@pnpm/catalogs.protocol-parser": "1100.0.0",
|
|
70
|
+
"@pnpm/building.during-install": "1101.0.14",
|
|
73
71
|
"@pnpm/catalogs.types": "1100.0.0",
|
|
74
72
|
"@pnpm/config.matcher": "1100.0.1",
|
|
75
|
-
"@pnpm/config.normalize-registries": "1100.0.
|
|
73
|
+
"@pnpm/config.normalize-registries": "1100.0.5",
|
|
74
|
+
"@pnpm/catalogs.resolver": "1100.0.0",
|
|
76
75
|
"@pnpm/config.parse-overrides": "1100.0.1",
|
|
77
|
-
"@pnpm/core-loggers": "1100.1.1",
|
|
78
76
|
"@pnpm/constants": "1100.0.0",
|
|
77
|
+
"@pnpm/core-loggers": "1100.1.2",
|
|
79
78
|
"@pnpm/crypto.hash": "1100.0.1",
|
|
79
|
+
"@pnpm/deps.graph-hasher": "1100.2.2",
|
|
80
80
|
"@pnpm/crypto.object-hasher": "1100.0.0",
|
|
81
|
-
"@pnpm/deps.graph-hasher": "1100.2.1",
|
|
82
81
|
"@pnpm/deps.graph-sequencer": "1100.0.0",
|
|
83
82
|
"@pnpm/error": "1100.0.0",
|
|
84
|
-
"@pnpm/deps.path": "1100.0.
|
|
85
|
-
"@pnpm/exec.lifecycle": "1100.0.
|
|
83
|
+
"@pnpm/deps.path": "1100.0.5",
|
|
84
|
+
"@pnpm/exec.lifecycle": "1100.0.14",
|
|
86
85
|
"@pnpm/fs.read-modules-dir": "1100.0.1",
|
|
87
|
-
"@pnpm/
|
|
88
|
-
"@pnpm/
|
|
89
|
-
"@pnpm/hooks.types": "1100.0.
|
|
90
|
-
"@pnpm/installing.
|
|
91
|
-
"@pnpm/installing.
|
|
92
|
-
"@pnpm/installing.
|
|
93
|
-
"@pnpm/installing.
|
|
94
|
-
"@pnpm/installing.linking.
|
|
95
|
-
"@pnpm/installing.linking.
|
|
96
|
-
"@pnpm/installing.
|
|
97
|
-
"@pnpm/installing.
|
|
98
|
-
"@pnpm/lockfile.filtering": "1100.1.
|
|
99
|
-
"@pnpm/lockfile.
|
|
100
|
-
"@pnpm/lockfile.
|
|
101
|
-
"@pnpm/lockfile.
|
|
102
|
-
"@pnpm/lockfile.
|
|
103
|
-
"@pnpm/lockfile.to-pnp": "1100.0.
|
|
104
|
-
"@pnpm/lockfile.
|
|
105
|
-
"@pnpm/
|
|
106
|
-
"@pnpm/
|
|
107
|
-
"@pnpm/
|
|
108
|
-
"@pnpm/pkg-manifest.utils": "1100.2.
|
|
109
|
-
"@pnpm/
|
|
110
|
-
"@pnpm/
|
|
111
|
-
"@pnpm/
|
|
86
|
+
"@pnpm/fs.symlink-dependency": "1100.0.6",
|
|
87
|
+
"@pnpm/hooks.read-package-hook": "1100.0.5",
|
|
88
|
+
"@pnpm/hooks.types": "1100.0.9",
|
|
89
|
+
"@pnpm/installing.deps-resolver": "1100.1.4",
|
|
90
|
+
"@pnpm/installing.context": "1100.0.13",
|
|
91
|
+
"@pnpm/installing.linking.direct-dep-linker": "1100.0.6",
|
|
92
|
+
"@pnpm/installing.deps-restorer": "1101.1.6",
|
|
93
|
+
"@pnpm/installing.linking.hoist": "1100.0.10",
|
|
94
|
+
"@pnpm/installing.linking.modules-cleaner": "1100.1.4",
|
|
95
|
+
"@pnpm/installing.package-requester": "1101.0.9",
|
|
96
|
+
"@pnpm/installing.modules-yaml": "1100.0.6",
|
|
97
|
+
"@pnpm/lockfile.filtering": "1100.1.3",
|
|
98
|
+
"@pnpm/lockfile.fs": "1100.1.2",
|
|
99
|
+
"@pnpm/lockfile.settings-checker": "1100.0.13",
|
|
100
|
+
"@pnpm/lockfile.preferred-versions": "1100.0.12",
|
|
101
|
+
"@pnpm/lockfile.pruner": "1100.0.8",
|
|
102
|
+
"@pnpm/lockfile.to-pnp": "1100.0.11",
|
|
103
|
+
"@pnpm/lockfile.walker": "1100.0.8",
|
|
104
|
+
"@pnpm/bins.linker": "1100.0.10",
|
|
105
|
+
"@pnpm/patching.config": "1100.0.5",
|
|
106
|
+
"@pnpm/resolving.resolver-base": "1100.3.1",
|
|
107
|
+
"@pnpm/pkg-manifest.utils": "1100.2.1",
|
|
108
|
+
"@pnpm/store.controller-types": "1100.1.2",
|
|
109
|
+
"@pnpm/types": "1101.2.0",
|
|
110
|
+
"@pnpm/workspace.project-manifest-reader": "1100.0.9",
|
|
112
111
|
"@pnpm/store.index": "1100.1.0",
|
|
113
|
-
"@pnpm/
|
|
114
|
-
"@pnpm/
|
|
112
|
+
"@pnpm/lockfile.verification": "1100.0.13",
|
|
113
|
+
"@pnpm/resolving.parse-wanted-dependency": "1100.0.1",
|
|
114
|
+
"@pnpm/lockfile.utils": "1100.0.10"
|
|
115
115
|
},
|
|
116
116
|
"peerDependencies": {
|
|
117
|
-
"@pnpm/logger": "
|
|
118
|
-
"@pnpm/worker": "^1100.1.
|
|
117
|
+
"@pnpm/logger": "^1001.0.1",
|
|
118
|
+
"@pnpm/worker": "^1100.1.8"
|
|
119
119
|
},
|
|
120
120
|
"devDependencies": {
|
|
121
121
|
"@jest/globals": "30.3.0",
|
|
@@ -126,7 +126,7 @@
|
|
|
126
126
|
"@types/ramda": "0.31.1",
|
|
127
127
|
"@types/semver": "7.7.1",
|
|
128
128
|
"@yarnpkg/core": "4.5.0",
|
|
129
|
-
"ci-info": "^4.
|
|
129
|
+
"ci-info": "^4.4.0",
|
|
130
130
|
"deep-require-cwd": "1.0.0",
|
|
131
131
|
"execa": "npm:safe-execa@0.3.0",
|
|
132
132
|
"exists-link": "2.0.0",
|
|
@@ -138,21 +138,22 @@
|
|
|
138
138
|
"symlink-dir": "^10.0.1",
|
|
139
139
|
"write-json-file": "^7.0.0",
|
|
140
140
|
"write-yaml-file": "^6.0.0",
|
|
141
|
-
"@pnpm/assert-project": "1100.0.
|
|
142
|
-
"@pnpm/
|
|
143
|
-
"@pnpm/
|
|
141
|
+
"@pnpm/assert-project": "1100.0.11",
|
|
142
|
+
"@pnpm/installing.deps-installer": "1101.5.0",
|
|
143
|
+
"@pnpm/assert-store": "1100.0.11",
|
|
144
|
+
"@pnpm/lockfile.types": "1100.0.8",
|
|
144
145
|
"@pnpm/logger": "1100.0.0",
|
|
145
146
|
"@pnpm/network.git-utils": "1100.0.1",
|
|
146
|
-
"@pnpm/
|
|
147
|
-
"@pnpm/
|
|
148
|
-
"@pnpm/
|
|
149
|
-
"@pnpm/
|
|
150
|
-
"@pnpm/store.cafs": "1100.1.6",
|
|
147
|
+
"@pnpm/pkg-manifest.reader": "1100.0.5",
|
|
148
|
+
"@pnpm/prepare": "1100.0.11",
|
|
149
|
+
"@pnpm/resolving.registry.types": "1100.0.5",
|
|
150
|
+
"@pnpm/store.cafs": "1100.1.7",
|
|
151
151
|
"@pnpm/store.path": "1100.0.1",
|
|
152
152
|
"@pnpm/test-fixtures": "1100.0.0",
|
|
153
|
-
"@pnpm/testing.mock-agent": "1100.0.
|
|
153
|
+
"@pnpm/testing.mock-agent": "1100.0.7",
|
|
154
154
|
"@pnpm/test-ipc-server": "1100.0.0",
|
|
155
|
-
"@pnpm/testing.temp-store": "1100.1.
|
|
155
|
+
"@pnpm/testing.temp-store": "1100.1.4",
|
|
156
|
+
"@pnpm/testing.registry-mock": "1100.0.1"
|
|
156
157
|
},
|
|
157
158
|
"engines": {
|
|
158
159
|
"node": ">=22.13"
|