@pnpm/worker 1100.1.7 → 1100.1.8

Files changed (2)
  1. package/lib/index.js +7 -4
  2. package/package.json +13 -13
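--- a/package/lib/index.js
+++ b/package/lib/index.js
@@ -98,11 +98,14 @@ export class TarballIntegrityError extends PnpmError {
  constructor(opts) {
  super('TARBALL_INTEGRITY', `Got unexpected checksum for "${opts.url}". Wanted "${opts.expected}". Got "${opts.found}".`, {
  attempts: opts.attempts,
- hint: `This error may happen when a package is republished to the registry with the same version.
- In this case, the metadata in the local pnpm cache will contain the old integrity checksum.
+ hint: `The downloaded tarball does not match the integrity recorded in the lockfile. pnpm will not silently overwrite the locked integrity — that would defeat the lockfile's protection if a registry or proxy is serving tampered content.
 
- If you think that this is the case, then run "pnpm store prune" and rerun the command that failed.
- "pnpm store prune" will remove your local metadata cache.`,
+ If you trust the new content (legitimate republish, or stale local metadata cache):
+
+ - Run "pnpm store prune" and retry, in case only the metadata cache is out of date.
+ - Run "pnpm install --update-checksums" to refresh the locked integrity from the registry.
+
+ If you did not expect this package to change, treat it as a potential supply-chain issue and verify the new content before re-running with --update-checksums.`,
  });
  this.found = opts.found;
  this.expected = opts.expected;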
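Review bot: The supply-chain caution is the last sentence of the new `hint`, after both runnable commands, so a reader who stops at the first command will run it before reaching the advice to verify the content. Consider moving it ahead of the list, e.g. `If you did not expect this package to change, treat it as a potential supply-chain issue and verify the new content before running either command below.` The hint also states that the expected value comes from the lockfile, while the constructor only shows `opts.expected`; if this error can also be raised for an integrity taken from registry metadata, the wording would be inaccurate on that path, which is worth confirming against the callers. The constructor's body continues past the end of the hunk.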
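--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@pnpm/worker",
- "version": "1100.1.7",
+ "version": "1100.1.8",
  "description": "A worker for extracting package tarballs to the store",
  "keywords": [
  "pnpm",
@@ -28,29 +28,29 @@
  "dependencies": {
  "@rushstack/worker-pool": "0.7.7",
  "is-windows": "^1.0.2",
- "p-limit": "^7.1.0",
- "semver": "^7.7.2",
- "@pnpm/building.pkg-requires-build": "1100.0.4",
+ "p-limit": "^7.3.0",
+ "semver": "^7.8.1",
+ "@pnpm/crypto.integrity": "1100.0.0",
+ "@pnpm/building.pkg-requires-build": "1100.0.5",
+ "@pnpm/error": "1100.0.0",
  "@pnpm/fs.graceful-fs": "1100.1.0",
  "@pnpm/fs.hard-link-dir": "1100.0.1",
- "@pnpm/fs.symlink-dependency": "1100.0.5",
- "@pnpm/store.cafs": "1100.1.6",
+ "@pnpm/fs.symlink-dependency": "1100.0.6",
+ "@pnpm/store.cafs": "1100.1.7",
  "@pnpm/store.cafs-types": "1100.0.1",
- "@pnpm/store.create-cafs-store": "1100.0.9",
- "@pnpm/error": "1100.0.0",
- "@pnpm/store.index": "1100.1.0",
- "@pnpm/crypto.integrity": "1100.0.0"
+ "@pnpm/store.create-cafs-store": "1100.0.10",
+ "@pnpm/store.index": "1100.1.0"
  },
  "peerDependencies": {
- "@pnpm/logger": ">=1001.0.0 <1002.0.0"
+ "@pnpm/logger": "^1001.0.1"
  },
  "devDependencies": {
  "@jest/globals": "30.3.0",
  "@types/is-windows": "^1.0.2",
  "@types/semver": "7.7.1",
- "@pnpm/types": "1101.1.1",
  "@pnpm/logger": "1100.0.0",
- "@pnpm/worker": "1100.1.7"
+ "@pnpm/worker": "1100.1.8",
+ "@pnpm/types": "1101.2.0"
  },
  "engines": {
  "node": ">=22.13"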