@pnpm/lockfile.utils 1100.0.11 → 1100.0.13
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/lib/index.d.ts +1 -1
- package/lib/index.js +1 -1
- package/lib/toLockfileResolution.js +36 -37
- package/package.json +8 -8
package/lib/index.d.ts
CHANGED
|
@@ -4,6 +4,6 @@ export { packageIdFromSnapshot } from './packageIdFromSnapshot.js';
|
|
|
4
4
|
export { packageIsIndependent } from './packageIsIndependent.js';
|
|
5
5
|
export { pkgSnapshotToResolution } from './pkgSnapshotToResolution.js';
|
|
6
6
|
export { refIsLocalDirectory, refIsLocalTarball } from './refIsLocalTarball.js';
|
|
7
|
-
export { toLockfileResolution } from './toLockfileResolution.js';
|
|
7
|
+
export { isGitHostedTarballUrl, toLockfileResolution } from './toLockfileResolution.js';
|
|
8
8
|
export * from '@pnpm/lockfile.types';
|
|
9
9
|
export declare const getPkgShortId: typeof refToRelative;
|
package/lib/index.js
CHANGED
|
@@ -4,7 +4,7 @@ export { packageIdFromSnapshot } from './packageIdFromSnapshot.js';
|
|
|
4
4
|
export { packageIsIndependent } from './packageIsIndependent.js';
|
|
5
5
|
export { pkgSnapshotToResolution } from './pkgSnapshotToResolution.js';
|
|
6
6
|
export { refIsLocalDirectory, refIsLocalTarball } from './refIsLocalTarball.js';
|
|
7
|
-
export { toLockfileResolution } from './toLockfileResolution.js';
|
|
7
|
+
export { isGitHostedTarballUrl, toLockfileResolution } from './toLockfileResolution.js';
|
|
8
8
|
export * from '@pnpm/lockfile.types';
|
|
9
9
|
// for backward compatibility
|
|
10
10
|
export const getPkgShortId = refToRelative;
|
|
@@ -15,53 +15,52 @@ export function toLockfileResolution(pkg, resolution, registry, lockfileIncludeT
|
|
|
15
15
|
// legacy lockfiles read by callers that don't enrich the field).
|
|
16
16
|
const gitHosted = resolution.gitHosted === true ||
|
|
17
17
|
isGitHostedTarballUrl(tarball);
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
21
|
-
|
|
22
|
-
|
|
23
|
-
|
|
24
|
-
//
|
|
25
|
-
|
|
26
|
-
|
|
27
|
-
|
|
28
|
-
|
|
29
|
-
return
|
|
30
|
-
integrity: resolution['integrity'],
|
|
31
|
-
tarball,
|
|
32
|
-
}, gitHosted);
|
|
33
|
-
}
|
|
34
|
-
// Sometimes packages are hosted under non-standard tarball URLs.
|
|
35
|
-
// For instance, when they are hosted on npm Enterprise. See https://github.com/pnpm/pnpm/issues/867
|
|
36
|
-
// Or in other weird cases, like https://github.com/pnpm/pnpm/issues/1072.
|
|
37
|
-
// Even when the user explicitly sets `lockfileIncludeTarballUrl: false`, we
|
|
38
|
-
// must preserve such URLs — otherwise the package cannot be re-fetched on a
|
|
39
|
-
// frozen-lockfile install (e.g. GitHub Packages tarballs at
|
|
40
|
-
// `https://npm.pkg.github.com/download/<scope>/<name>/<version>/<hash>`).
|
|
41
|
-
// `lockfileIncludeTarballUrl` only controls whether URLs that *can* be
|
|
42
|
-
// derived from name+version+registry are written.
|
|
43
|
-
const expectedTarball = getNpmTarballUrl(pkg.name, pkg.version, { registry });
|
|
44
|
-
const actualTarball = tarball.replaceAll('%2f', '/');
|
|
45
|
-
if (removeProtocol(expectedTarball) !== removeProtocol(actualTarball)) {
|
|
46
|
-
return preservingGitHosted({
|
|
47
|
-
integrity: resolution['integrity'],
|
|
48
|
-
tarball,
|
|
49
|
-
}, gitHosted);
|
|
18
|
+
// A standard registry tarball whose URL can be rebuilt from the package name,
|
|
19
|
+
// version, and registry is written as just `{ integrity }` — pnpm derives the
|
|
20
|
+
// URL on demand. Every other tarball must keep its URL or it can no longer be
|
|
21
|
+
// re-fetched on a frozen-lockfile install: `file:` tarballs, git-provider
|
|
22
|
+
// tarballs (GitHub/GitLab/Bitbucket), and non-standard registry URLs such as
|
|
23
|
+
// npm Enterprise (https://github.com/pnpm/pnpm/issues/867) or GitHub Packages
|
|
24
|
+
// `/download/` URLs. `lockfileIncludeTarballUrl` forces the URL to be kept.
|
|
25
|
+
if (!lockfileIncludeTarballUrl &&
|
|
26
|
+
!gitHosted &&
|
|
27
|
+
!tarball.startsWith('file:') &&
|
|
28
|
+
isCanonicalRegistryTarballUrl(tarball, pkg, registry)) {
|
|
29
|
+
return { integrity: resolution['integrity'] };
|
|
50
30
|
}
|
|
31
|
+
// The kept-URL form carries the `gitHosted` marker and the subdirectory `path`
|
|
32
|
+
// (`repo#commit&path:/sub/dir`, only ever set on git-hosted tarballs) so a
|
|
33
|
+
// git-hosted monorepo tarball still unpacks the right subfolder.
|
|
34
|
+
// See https://github.com/pnpm/pnpm/issues/12304.
|
|
35
|
+
const { path } = resolution;
|
|
51
36
|
return {
|
|
52
37
|
integrity: resolution['integrity'],
|
|
38
|
+
tarball,
|
|
39
|
+
...(gitHosted ? { gitHosted: true } : {}),
|
|
40
|
+
...(path == null ? {} : { path }),
|
|
53
41
|
};
|
|
54
42
|
}
|
|
55
|
-
|
|
56
|
-
|
|
43
|
+
// Whether `tarball` is the canonical npm registry URL derived from the package
|
|
44
|
+
// name, version, and registry — i.e. it can be dropped from the lockfile and
|
|
45
|
+
// rebuilt on demand. The `%2f` unescape matches the URLs npm produces for
|
|
46
|
+
// scoped packages.
|
|
47
|
+
function isCanonicalRegistryTarballUrl(tarball, pkg, registry) {
|
|
48
|
+
const expectedTarball = getNpmTarballUrl(pkg.name, pkg.version, { registry });
|
|
49
|
+
const actualTarball = tarball.replaceAll('%2f', '/');
|
|
50
|
+
return removeProtocol(expectedTarball) === removeProtocol(actualTarball);
|
|
57
51
|
}
|
|
58
52
|
// Inlined to avoid pulling @pnpm/fetching.pick-fetcher into the lockfile-utils
|
|
59
53
|
// dep graph. Used as a fallback when callers haven't pre-set the
|
|
60
54
|
// `gitHosted` field on TarballResolution.
|
|
61
55
|
export function isGitHostedTarballUrl(url) {
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
56
|
+
// Schemes and hostnames are case-insensitive, so match against a lowercased
|
|
57
|
+
// copy: a tampered `https://CODELOAD.GITHUB.COM/...` must not slip past as a
|
|
58
|
+
// non-git-hosted (and therefore registry-trusted) tarball. Only the
|
|
59
|
+
// lowercased copy is inspected; the original URL is never rewritten.
|
|
60
|
+
const lowerUrl = url.toLowerCase();
|
|
61
|
+
return (lowerUrl.startsWith('https://codeload.github.com/') ||
|
|
62
|
+
lowerUrl.startsWith('https://bitbucket.org/') ||
|
|
63
|
+
lowerUrl.startsWith('https://gitlab.com/')) && lowerUrl.includes('tar.gz');
|
|
65
64
|
}
|
|
66
65
|
function removeProtocol(url) {
|
|
67
66
|
return url.split('://')[1];
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@pnpm/lockfile.utils",
|
|
3
|
-
"version": "1100.0.
|
|
3
|
+
"version": "1100.0.13",
|
|
4
4
|
"description": "Utils for dealing with pnpm-lock.yaml",
|
|
5
5
|
"keywords": [
|
|
6
6
|
"pnpm",
|
|
@@ -31,20 +31,20 @@
|
|
|
31
31
|
"dependencies": {
|
|
32
32
|
"get-npm-tarball-url": "^2.1.0",
|
|
33
33
|
"ramda": "npm:@pnpm/ramda@0.28.1",
|
|
34
|
-
"@pnpm/
|
|
35
|
-
"@pnpm/
|
|
36
|
-
"@pnpm/resolving.resolver-base": "1100.4.
|
|
37
|
-
"@pnpm/
|
|
34
|
+
"@pnpm/lockfile.types": "1100.0.11",
|
|
35
|
+
"@pnpm/types": "1101.3.2",
|
|
36
|
+
"@pnpm/resolving.resolver-base": "1100.4.2",
|
|
37
|
+
"@pnpm/hooks.types": "1100.0.12",
|
|
38
38
|
"@pnpm/error": "1100.0.0",
|
|
39
|
-
"@pnpm/
|
|
39
|
+
"@pnpm/deps.path": "1100.0.8"
|
|
40
40
|
},
|
|
41
41
|
"devDependencies": {
|
|
42
|
-
"@jest/globals": "30.
|
|
42
|
+
"@jest/globals": "30.4.1",
|
|
43
43
|
"@types/ramda": "0.31.1",
|
|
44
44
|
"tempy": "3.0.0",
|
|
45
45
|
"write-yaml-file": "^6.0.0",
|
|
46
46
|
"yaml-tag": "1.1.0",
|
|
47
|
-
"@pnpm/lockfile.utils": "1100.0.
|
|
47
|
+
"@pnpm/lockfile.utils": "1100.0.13"
|
|
48
48
|
},
|
|
49
49
|
"engines": {
|
|
50
50
|
"node": ">=22.13"
|