wyvrnpm 2.13.11 → 2.13.12
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +1 -1
- package/package.json +1 -1
- package/src/resolve.js +16 -2
package/README.md
CHANGED
|
@@ -4,7 +4,7 @@ A simple, private C++ package manager that works with any static file hosting pr
|
|
|
4
4
|
|
|
5
5
|
There is no central registry. You control where packages are hosted.
|
|
6
6
|
|
|
7
|
-
> **README version: 2.13.
|
|
7
|
+
> **README version: 2.13.12** — **New:** Resolver caches `@latest` lookups within a single `wyvrnpm install` — when a package is referenced as `@latest` from multiple parents in the dep graph (or already resolved earlier via a range), the registry round-trip is reused instead of re-probing `latest.json` per encounter. Eliminates ~12 redundant HTTPS round-trips on a typical 16-dep graph; visible win on resolution wall-time when the registry sits behind CloudFront. Closes the parallel gap to `manifestCache` / `publishedCache` — all three S3-backed helpers in `resolve.js` now memoise per-name within one install. **Per-config artefact slicing.** Recipes opt in via `build.publishPerConfig: true`; `wyvrnpm publish` then emits one `wyvrn-<Config>.zip` per declared CMake config under one `profileHash` URL instead of a single fat zip. Consumers fetch only the configs they need: `wyvrnpm install --request-configs Release` on a CI runner pulls 1.93 GB of gRPC instead of 14.96 GB across all four configs (~87% saving). Driven by CMake's own `*Targets-<config>.cmake` exports (`IMPORTED_LOCATION_<CONFIG>`) so both the MSVC convention (`lib/<Config>/foo.lib`) and the postfix convention (`lib/foo.lib` Release vs `lib/food.lib` Debug, via `CMAKE_DEBUG_POSTFIX`) classify correctly. `wyvrn.local.json` gains `requestConfigs` (global) + `depRequestConfigs` (per-dep override — "all four configs of fmt, but MinSizeRel of grpc"). Attestation v2 binds an `artefactSha256: { config → sha }` map; one signature covers every slice. `wyvrnpm publish --dry-run` materialises the would-be-uploaded artefacts to `<build>/dry-run-publish/` for inspection (override with `--dry-run-out`), and tolerates expired AWS credentials (the existence check degrades to `wouldOverwrite: null` instead of crashing). Highlights since 2.8.3: S1 artefact signing — Ed25519 detached signatures over a canonical attestation, verified against a per-registry `.trust/keys.json`; `wyvrnpm key gen / show-pub`, `wyvrnpm trust list / refresh`, `wyvrnpm configure signing set-default / show / unset`; `--require-signatures` on install, `--no-sign` / `--signing-key-env` / `--signing-key-file` on publish; pure-Node `crypto` (no external tooling, identical on Windows / Linux / macOS). Closes S1 + S3. Profile's `compiler.cppstd` is now authoritative for the toolchain — `CMAKE_CXX_STANDARD` is set unconditionally before `project()` and `cpp.cmake` no longer touches it post-`project()`, so a `-DCMAKE_CXX_STANDARD=23` on the cmake CLI cannot defeat a `cppstd=20` profile; `wyvrnpm install` exits non-zero on partial failure (sha256-mismatch, extract-failed, no-exact-match, source-build-failed, not-found) and prints a per-dep failure summary instead of misreporting "Done — N installed"; streaming publish via `archiver` (handles >2 GiB artefacts that `adm-zip` choked on — e.g. gRPC's `RelWithDebInfo` static libs); `--build-dir <path>` + `wyvrn.local.json:binaryDirRoot` to sidestep `build/` case-insensitive-FS collisions on repos with a Bazel/Buck `BUILD` file at the root (gRPC, …); `wyvrnpm version` to read / set / partially update the top-level `version` field from CI pipelines (`wyvrnpm version --build "$BUILD_ID"`); `wyvrnpm bootstrap <git-url>` to scaffold a first-draft `wyvrn.json` for OSS C++ libraries (fmt, spdlog, zlib, …) with cookbook-driven defaults; `wyvrnpm publish --dry-run` (npm-style preview of the upload plan, plus `wouldOverwrite` flag in `--format json`); `wyvrnpm build --config Debug,Release` / `--all-configs` to build multiple configurations from a single configure; resolver hardened against the CloudFront brotli-vs-identity cache split (resolved a class of bugs where `show` listed a freshly-published version that `install` claimed didn't exist). Full list in `claude/EVALUATION.md`.
|
|
8
8
|
|
|
9
9
|
---
|
|
10
10
|
|
package/package.json
CHANGED
package/src/resolve.js
CHANGED
|
@@ -298,6 +298,19 @@ async function resolveDependencies(
|
|
|
298
298
|
return list;
|
|
299
299
|
};
|
|
300
300
|
|
|
301
|
+
/**
|
|
302
|
+
* Cache `@latest` resolution per package — one round trip per name
|
|
303
|
+
* regardless of how often it appears in the graph as `"latest"`.
|
|
304
|
+
* @type {Map<string, string>}
|
|
305
|
+
*/
|
|
306
|
+
const latestCache = new Map();
|
|
307
|
+
const fetchLatest = async (name) => {
|
|
308
|
+
if (latestCache.has(name)) return latestCache.get(name);
|
|
309
|
+
const v = await resolveLatestVersion(name, sourcesFor(name), platform, httpClient);
|
|
310
|
+
latestCache.set(name, v);
|
|
311
|
+
return v;
|
|
312
|
+
};
|
|
313
|
+
|
|
301
314
|
/**
|
|
302
315
|
* Pending work queue: each entry is { name, version, by? }.
|
|
303
316
|
* `by` is the contributor label for conflict diagnostics.
|
|
@@ -319,8 +332,9 @@ async function resolveDependencies(
|
|
|
319
332
|
// Skip this for linked packages which have "linked:" prefix.
|
|
320
333
|
if (version === 'latest') {
|
|
321
334
|
try {
|
|
322
|
-
|
|
323
|
-
|
|
335
|
+
const cached = latestCache.has(name);
|
|
336
|
+
version = await fetchLatest(name);
|
|
337
|
+
if (!cached) log.info(`Resolved "${name}@latest" → ${version}`);
|
|
324
338
|
} catch (err) {
|
|
325
339
|
log.warn(err.message);
|
|
326
340
|
continue;
|