@pnpm/lockfile.utils 1004.0.4 → 1004.0.5
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -5,12 +5,31 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
|
|
|
5
5
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
6
6
|
exports.pkgSnapshotToResolution = pkgSnapshotToResolution;
|
|
7
7
|
const url_1 = __importDefault(require("url"));
|
|
8
|
+
const error_1 = require("@pnpm/error");
|
|
8
9
|
const get_npm_tarball_url_1 = __importDefault(require("get-npm-tarball-url"));
|
|
9
10
|
const nameVerFromPkgSnapshot_js_1 = require("./nameVerFromPkgSnapshot.js");
|
|
10
11
|
function pkgSnapshotToResolution(depPath, pkgSnapshot, registries) {
|
|
11
|
-
|
|
12
|
-
|
|
13
|
-
|
|
12
|
+
const resolution = pkgSnapshot.resolution;
|
|
13
|
+
// Tarball-shaped resolutions (no `type` field) must carry `integrity`,
|
|
14
|
+
// except where the URL itself anchors the bytes:
|
|
15
|
+
// - `file:` tarballs (local file on the user's machine; integrity
|
|
16
|
+
// adds nothing the user doesn't already control).
|
|
17
|
+
// - Git-hosted tarballs (URL contains the commit SHA; git's content-
|
|
18
|
+
// addressed model binds the bytes to the commit). The `gitHosted`
|
|
19
|
+
// flag may be absent on legacy lockfiles, so fall back to a URL
|
|
20
|
+
// match against the known git-host download endpoints.
|
|
21
|
+
// For any other tarball entry a missing integrity is what a tampered
|
|
22
|
+
// lockfile looks like: the worker would mint a fresh integrity from
|
|
23
|
+
// whatever bytes the URL returned, so we fail closed here.
|
|
24
|
+
if (resolution.type == null &&
|
|
25
|
+
resolution.integrity == null &&
|
|
26
|
+
!resolution.tarball?.startsWith('file:') &&
|
|
27
|
+
!(resolution.gitHosted === true || (resolution.tarball != null && isGitHostedTarballUrl(resolution.tarball)))) {
|
|
28
|
+
throw new error_1.PnpmError('MISSING_TARBALL_INTEGRITY', `Cannot install package "${depPath}": its lockfile entry has no "integrity" field, so pnpm cannot verify the downloaded tarball.`, { hint: 'The lockfile may be corrupted or have been tampered with. Restore it from a trusted source, or delete it and re-run installation without --frozen-lockfile to regenerate.' });
|
|
29
|
+
}
|
|
30
|
+
if (Boolean(resolution.type) ||
|
|
31
|
+
resolution.tarball?.startsWith('file:') ||
|
|
32
|
+
resolution.gitHosted === true) {
|
|
14
33
|
return pkgSnapshot.resolution;
|
|
15
34
|
}
|
|
16
35
|
const { name, version } = (0, nameVerFromPkgSnapshot_js_1.nameVerFromPkgSnapshot)(depPath, pkgSnapshot);
|
|
@@ -41,4 +60,13 @@ function pkgSnapshotToResolution(depPath, pkgSnapshot, registries) {
|
|
|
41
60
|
return (0, get_npm_tarball_url_1.default)(name, version, { registry });
|
|
42
61
|
}
|
|
43
62
|
}
|
|
63
|
+
// Fallback for legacy lockfile entries whose tarball resolution lacks the
|
|
64
|
+
// `gitHosted` flag. Matches the known git-host download endpoints so a URL
|
|
65
|
+
// rewritten by pnpm's git resolver is still recognized as content-addressed
|
|
66
|
+
// and exempt from the integrity requirement.
|
|
67
|
+
function isGitHostedTarballUrl(url) {
|
|
68
|
+
return (url.startsWith('https://codeload.github.com/') ||
|
|
69
|
+
url.startsWith('https://bitbucket.org/') ||
|
|
70
|
+
url.startsWith('https://gitlab.com/'));
|
|
71
|
+
}
|
|
44
72
|
//# sourceMappingURL=pkgSnapshotToResolution.js.map
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"pkgSnapshotToResolution.js","sourceRoot":"","sources":["../src/pkgSnapshotToResolution.ts"],"names":[],"mappings":";;;;;
|
|
1
|
+
{"version":3,"file":"pkgSnapshotToResolution.js","sourceRoot":"","sources":["../src/pkgSnapshotToResolution.ts"],"names":[],"mappings":";;;;;AAQA,0DAgEC;AAxED,8CAAqB;AACrB,uCAAuC;AAIvC,8EAAkD;AAClD,2EAAoE;AAEpE,SAAgB,uBAAuB,CACrC,OAAe,EACf,WAA4B,EAC5B,UAAsB;IAEtB,MAAM,UAAU,GAAG,WAAW,CAAC,UAA+B,CAAA;IAC9D,uEAAuE;IACvE,iDAAiD;IACjD,oEAAoE;IACpE,sDAAsD;IACtD,uEAAuE;IACvE,sEAAsE;IACtE,oEAAoE;IACpE,2DAA2D;IAC3D,qEAAqE;IACrE,oEAAoE;IACpE,2DAA2D;IAC3D,IACE,UAAU,CAAC,IAAI,IAAI,IAAI;QACvB,UAAU,CAAC,SAAS,IAAI,IAAI;QAC5B,CAAC,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;QACxC,CAAC,CAAC,UAAU,CAAC,SAAS,KAAK,IAAI,IAAI,CAAC,UAAU,CAAC,OAAO,IAAI,IAAI,IAAI,qBAAqB,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC,CAAC,EAC7G,CAAC;QACD,MAAM,IAAI,iBAAS,CAAC,2BAA2B,EAC7C,2BAA2B,OAAO,+FAA+F,EACjI,EAAE,IAAI,EAAE,2KAA2K,EAAE,CACtL,CAAA;IACH,CAAC;IACD,IACE,OAAO,CAAC,UAAU,CAAC,IAAI,CAAC;QACxB,UAAU,CAAC,OAAO,EAAE,UAAU,CAAC,OAAO,CAAC;QACvC,UAAU,CAAC,SAAS,KAAK,IAAI,EAC7B,CAAC;QACD,OAAO,WAAW,CAAC,UAAwB,CAAA;IAC7C,CAAC;IACD,MAAM,EAAE,IAAI,EAAE,OAAO,EAAE,GAAG,IAAA,kDAAsB,EAAC,OAAO,EAAE,WAAW,CAAC,CAAA;IACtE,IAAI,QAAQ,GAAW,EAAE,CAAA;IACzB,IAAI,IAAI,IAAI,IAAI,EAAE,CAAC;QACjB,IAAI,IAAI,CAAC,CAAC,CAAC,KAAK,GAAG,EAAE,CAAC;YACpB,QAAQ,GAAG,UAAU,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,CAAC,CAAA;QAC3C,CAAC;IACH,CAAC;IACD,IAAI,CAAC,QAAQ,EAAE,CAAC;QACd,QAAQ,GAAG,UAAU,CAAC,OAAO,CAAA;IAC/B,CAAC;IACD,IAAI,OAAgB,CAAA;IACpB,IAAI,CAAE,WAAW,CAAC,UAAgC,CAAC,OAAO,EAAE,CAAC;QAC3D,OAAO,GAAG,UAAU,CAAC,QAAQ,CAAC,CAAA;IAChC,CAAC;SAAM,CAAC;QACN,OAAO,GAAG,IAAI,aAAG,CAAC,GAAG,CAAE,WAAW,CAAC,UAAgC,CAAC,OAAO,EACzE,QAAQ,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,GAAG,QAAQ,GAAG,CACnD,CAAC,QAAQ,EAAE,CAAA;IACd,CAAC;IACD,OAAO;QACL,GAAG,WAAW,CAAC,UAAU;QACzB,OAAO;KACM,CAAA;IAEf,SAAS,UAAU,CAAE,QAAgB;QACnC,IAAI,CAAC,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC;YACtB,MAAM,IAAI,KAAK,CAAC,iDAAiD,OAAO,EAAE,CAAC,CAAA;QAC7E,CAAC;QACD,OAAO,IAAA,6BAAgB,EAAC,IAAI,EAAE,OAAO,EAAE,EAAE,QAAQ,EAAE,CAAC,CAAA;IACtD,CAAC;AACH,CAAC;AAED,0EAA0E;AAC1E,2EAA2E;AAC3E,4EAA4E;AAC5E,6CAA6C;AAC7C,SAAS,qBAAqB,CAAE,GAAW;IACzC,OAAO,CACL,GAAG,CAAC,UAAU,CAAC,8BAA8B,CAAC;QAC9C,GAAG,CAAC,UAAU,CAAC,wBAAwB,CAAC;QACxC,GAAG,CAAC,UAAU,CAAC,qBAAqB,CAAC,CACtC,CAAA;AACH,CAAC"}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@pnpm/lockfile.utils",
|
|
3
|
-
"version": "1004.0.
|
|
3
|
+
"version": "1004.0.5",
|
|
4
4
|
"description": "Utils for dealing with pnpm-lock.yaml",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"pnpm",
|
|
@@ -29,8 +29,9 @@
|
|
|
29
29
|
"get-npm-tarball-url": "^2.1.0",
|
|
30
30
|
"ramda": "npm:@pnpm/ramda@0.28.1",
|
|
31
31
|
"@pnpm/dependency-path": "1001.1.10",
|
|
32
|
-
"@pnpm/lockfile.types": "1002.1.1",
|
|
33
32
|
"@pnpm/resolver-base": "1005.4.2",
|
|
33
|
+
"@pnpm/error": "1000.1.0",
|
|
34
|
+
"@pnpm/lockfile.types": "1002.1.1",
|
|
34
35
|
"@pnpm/types": "1001.3.0"
|
|
35
36
|
},
|
|
36
37
|
"devDependencies": {
|
|
@@ -38,7 +39,7 @@
|
|
|
38
39
|
"tempy": "^1.0.1",
|
|
39
40
|
"write-yaml-file": "^5.0.0",
|
|
40
41
|
"yaml-tag": "1.1.0",
|
|
41
|
-
"@pnpm/lockfile.utils": "1004.0.
|
|
42
|
+
"@pnpm/lockfile.utils": "1004.0.5"
|
|
42
43
|
},
|
|
43
44
|
"engines": {
|
|
44
45
|
"node": ">=18.12"
|