@pnpm/lockfile.utils 1100.0.4 → 1100.0.5

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -1,12 +1,11 @@
1
1
  import url from 'node:url';
2
2
  import * as dp from '@pnpm/deps.path';
3
- import { isGitHostedPkgUrl } from '@pnpm/fetching.pick-fetcher';
4
3
  import getNpmTarballUrl from 'get-npm-tarball-url';
5
4
  import { nameVerFromPkgSnapshot } from './nameVerFromPkgSnapshot.js';
6
5
  export function pkgSnapshotToResolution(depPath, pkgSnapshot, registries) {
7
6
  if (Boolean(pkgSnapshot.resolution.type) ||
8
7
  pkgSnapshot.resolution.tarball?.startsWith('file:') ||
9
- isGitHostedPkgUrl(pkgSnapshot.resolution.tarball ?? '')) {
8
+ pkgSnapshot.resolution.gitHosted === true) {
10
9
  return pkgSnapshot.resolution;
11
10
  }
12
11
  // Recover the tarball field for `file:` snapshots whose resolution lost
@@ -1,25 +1,29 @@
1
- import { isGitHostedPkgUrl } from '@pnpm/fetching.pick-fetcher';
2
1
  import getNpmTarballUrl from 'get-npm-tarball-url';
3
2
  export function toLockfileResolution(pkg, resolution, registry, lockfileIncludeTarballUrl) {
4
3
  if (resolution.type !== undefined || !resolution['integrity']) {
5
4
  return resolution;
6
5
  }
7
6
  const tarball = resolution['tarball'];
7
+ // Honor the resolver-supplied flag, with a URL fallback for resolutions
8
+ // that didn't go through the git resolver (e.g. config-dep migrations or
9
+ // legacy lockfiles read by callers that don't enrich the field).
10
+ const gitHosted = resolution.gitHosted === true ||
11
+ (tarball != null && isGitHostedTarballUrl(tarball));
8
12
  if (lockfileIncludeTarballUrl) {
9
- return {
13
+ return preservingGitHosted({
10
14
  integrity: resolution['integrity'],
11
15
  tarball,
12
- };
16
+ }, gitHosted);
13
17
  }
14
18
  // Tarball URLs that cannot be reconstructed from the package name, version,
15
19
  // and registry must always stay in the lockfile, otherwise the package can
16
20
  // no longer be re-fetched. This covers local `file:` tarballs and tarballs
17
21
  // served by git providers (GitHub, GitLab, Bitbucket).
18
- if (tarball != null && (tarball.startsWith('file:') || isGitHostedPkgUrl(tarball))) {
19
- return {
22
+ if (tarball != null && (tarball.startsWith('file:') || gitHosted)) {
23
+ return preservingGitHosted({
20
24
  integrity: resolution['integrity'],
21
25
  tarball,
22
- };
26
+ }, gitHosted);
23
27
  }
24
28
  if (lockfileIncludeTarballUrl === false) {
25
29
  return {
@@ -32,15 +36,26 @@ export function toLockfileResolution(pkg, resolution, registry, lockfileIncludeT
32
36
  const expectedTarball = getNpmTarballUrl(pkg.name, pkg.version, { registry });
33
37
  const actualTarball = tarball.replaceAll('%2f', '/');
34
38
  if (removeProtocol(expectedTarball) !== removeProtocol(actualTarball)) {
35
- return {
39
+ return preservingGitHosted({
36
40
  integrity: resolution['integrity'],
37
41
  tarball,
38
- };
42
+ }, gitHosted);
39
43
  }
40
44
  return {
41
45
  integrity: resolution['integrity'],
42
46
  };
43
47
  }
48
+ function preservingGitHosted(resolution, gitHosted) {
49
+ return gitHosted ? { ...resolution, gitHosted: true } : resolution;
50
+ }
51
+ // Inlined to avoid pulling @pnpm/fetching.pick-fetcher into the lockfile-utils
52
+ // dep graph. Used as a fallback when callers haven't pre-set the
53
+ // `gitHosted` field on TarballResolution.
54
+ function isGitHostedTarballUrl(url) {
55
+ return (url.startsWith('https://codeload.github.com/') ||
56
+ url.startsWith('https://bitbucket.org/') ||
57
+ url.startsWith('https://gitlab.com/')) && url.includes('tar.gz');
58
+ }
44
59
  function removeProtocol(url) {
45
60
  return url.split('://')[1];
46
61
  }
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pnpm/lockfile.utils",
3
- "version": "1100.0.4",
3
+ "version": "1100.0.5",
4
4
  "description": "Utils for dealing with pnpm-lock.yaml",
5
5
  "keywords": [
6
6
  "pnpm",
@@ -28,12 +28,11 @@
28
28
  "dependencies": {
29
29
  "get-npm-tarball-url": "^2.1.0",
30
30
  "ramda": "npm:@pnpm/ramda@0.28.1",
31
- "@pnpm/deps.path": "1100.0.2",
32
31
  "@pnpm/error": "1100.0.0",
33
- "@pnpm/fetching.pick-fetcher": "1100.0.4",
34
- "@pnpm/lockfile.types": "1100.0.3",
35
- "@pnpm/resolving.resolver-base": "1100.1.1",
36
- "@pnpm/hooks.types": "1100.0.4",
32
+ "@pnpm/hooks.types": "1100.0.5",
33
+ "@pnpm/lockfile.types": "1100.0.4",
34
+ "@pnpm/deps.path": "1100.0.2",
35
+ "@pnpm/resolving.resolver-base": "1100.1.2",
37
36
  "@pnpm/types": "1101.0.0"
38
37
  },
39
38
  "devDependencies": {
@@ -42,7 +41,7 @@
42
41
  "tempy": "3.0.0",
43
42
  "write-yaml-file": "^6.0.0",
44
43
  "yaml-tag": "1.1.0",
45
- "@pnpm/lockfile.utils": "1100.0.4"
44
+ "@pnpm/lockfile.utils": "1100.0.5"
46
45
  },
47
46
  "engines": {
48
47
  "node": ">=22.13"