fix: installing tarballs from registry origin via non-standard URLs

close #2549
PR #2620

.changeset/great-chairs-look.md

@@ -0,0 +1,5 @@
+---
+"dependency-path": major
+---
+
+relative() should always remove the registry from the IDs start.

.changeset/lucky-oranges-wonder.md

@@ -0,0 +1,6 @@
+---
+"@pnpm/default-resolver": major
+"@pnpm/tarball-resolver": major
+---
+
+The direct tarball dependency ID starts with a @ and the tarball extension is not removed.

.changeset/nasty-wasps-rest.md

@@ -0,0 +1,8 @@
+---
+"supi": minor
+---
+
+It should be possible to install a tarball through a non-standard URL endpoint served via the registry domain.
+
+For instance, the configured registry is `https://registry.npm.taobao.org/`.
+It should be possible to run `pnpm add https://registry.npm.taobao.org/vue/download/vue-2.0.0.tgz`

.changeset/swift-glasses-impress.md

@@ -0,0 +1,5 @@
+---
+"@pnpm/resolve-dependencies": major
+---
+
+Expects direct tarball IDs to start with @.

packages/dependency-path/src/index.ts

@@ -65,7 +65,7 @@ export function relative (
 ) {
   const registryName = encodeRegistry(getRegistryByPackageName(registries, packageName))
 
-  if (absoluteResolutionLoc.startsWith(`${registryName}/`) && !absoluteResolutionLoc.includes('/-/')) {
+  if (absoluteResolutionLoc.startsWith(`${registryName}/`)) {
     return absoluteResolutionLoc.substr(absoluteResolutionLoc.indexOf('/'))
   }
   return absoluteResolutionLoc

packages/dependency-path/test/index.ts

@@ -109,7 +109,6 @@ test('relative()', t => {
   t.equal(relative(registries, 'foo', 'registry.npmjs.org/foo/1.0.0'), '/foo/1.0.0')
   t.equal(relative(registries, '@foo/foo', 'localhost+4873/@foo/foo/1.0.0'), '/@foo/foo/1.0.0')
   t.equal(relative(registries, 'foo', 'registry.npmjs.org/foo/1.0.0/PeLdniYiO858gXNY39o5wISKyw'), '/foo/1.0.0/PeLdniYiO858gXNY39o5wISKyw')
-  t.equal(relative(registries, 'foo', 'registry.npmjs.org/foo/-/foo-1.0.0'), 'registry.npmjs.org/foo/-/foo-1.0.0', 'a tarball ID should remain absolute')
   t.end()
 })
 

packages/supi/src/install/lockfile.ts

@@ -15,7 +15,7 @@ export function depPathToRef (
   if (opts.resolution.type) return depPath
 
   const registryName = encodeRegistry(getRegistryByPackageName(opts.registries, opts.realName))
-  if (depPath.startsWith(`${registryName}/`) && !depPath.includes('/-/')) {
+  if (depPath.startsWith(`${registryName}/`)) {
     depPath = depPath.replace(`${registryName}/`, '/')
   }
   if (depPath[0] === '/' && opts.alias === opts.realName) {

packages/supi/test/lockfile.ts

@@ -800,7 +800,7 @@ test('packages installed via tarball URL from the default registry are normalize
 
   t.deepEqual(lockfile, {
     dependencies: {
-      'is-positive': 'registry.npmjs.org/is-positive/-/is-positive-1.0.0',
+      'is-positive': '@registry.npmjs.org/is-positive/-/is-positive-1.0.0.tgz',
       'pkg-with-tarball-dep-from-registry': '1.0.0',
     },
     lockfileVersion: LOCKFILE_VERSION,
@@ -820,7 +820,7 @@ test('packages installed via tarball URL from the default registry are normalize
           integrity: getIntegrity('pkg-with-tarball-dep-from-registry', '1.0.0'),
         },
       },
-      'registry.npmjs.org/is-positive/-/is-positive-1.0.0': {
+      '@registry.npmjs.org/is-positive/-/is-positive-1.0.0.tgz': {
         dev: false,
         engines: { node: '>=0.10.0' },
         name: 'is-positive',
@@ -1185,3 +1185,47 @@ test('tarball domain differs from registry domain', async (t: tape.Test) => {
     specifiers: { 'is-positive': '^3.1.0' },
   })
 })
+
+test('tarball installed through non-standard URL endpoint from the registry domain', async (t: tape.Test) => {
+  nock('https://registry.npmjs.org', { allowUnmocked: true })
+    .get('/is-positive/download/is-positive-3.1.0.tgz')
+    .replyWithFile(200, tarballPath)
+
+  const project = prepareEmpty(t)
+
+  await addDependenciesToPackage({},
+    [
+      'https://registry.npmjs.org/is-positive/download/is-positive-3.1.0.tgz',
+    ], await testDefaults({
+      fastUnpack: false,
+      lockfileOnly: true,
+      registries: {
+        default: 'https://registry.npmjs.org/',
+      },
+      save: true,
+    })
+  )
+
+  const lockfile = await project.readLockfile()
+
+  t.deepEqual(lockfile, {
+    dependencies: {
+      'is-positive': '@registry.npmjs.org/is-positive/download/is-positive-3.1.0.tgz',
+    },
+    lockfileVersion: LOCKFILE_VERSION,
+    packages: {
+      '@registry.npmjs.org/is-positive/download/is-positive-3.1.0.tgz': {
+        dev: false,
+        engines: { node: '>=0.10.0' },
+        name: 'is-positive',
+        resolution: {
+          tarball: 'https://registry.npmjs.org/is-positive/download/is-positive-3.1.0.tgz',
+        },
+        version: '3.1.0',
+      },
+    },
+    specifiers: {
+      'is-positive': 'https://registry.npmjs.org/is-positive/download/is-positive-3.1.0.tgz',
+    },
+  })
+})

packages/tarball-resolver/src/index.ts

@@ -8,12 +8,7 @@ export default async function resolveTarball (
   }
 
   return {
-    id: wantedDependency.pref
-      .replace(/^.*:\/\/(git@)?/, '')
-      .replace(/\.tgz$/, ''),
-      // TODO BREAKING CHANGE: uncomment the following: (or never remove extensions)
-      // .replace(/\.tar.gz$/, ''),
-      // .replace(/\.tar$/, ''),
+    id: `@${wantedDependency.pref.replace(/^.*:\/\/(git@)?/, '')}`,
     normalizedPref: wantedDependency.pref,
     resolution: {
       tarball: wantedDependency.pref,

packages/tarball-resolver/test/index.ts

@@ -6,7 +6,7 @@ test('tarball from npm registry', async t => {
   const resolutionResult = await resolveFromTarball({ pref: 'http://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz' })
 
   t.deepEqual(resolutionResult, {
-    id: 'registry.npmjs.org/is-array/-/is-array-1.0.1',
+    id: '@registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
     normalizedPref: 'http://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
     resolution: {
       tarball: 'http://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
@@ -21,7 +21,7 @@ test('tarball not from npm registry', async t => {
   const resolutionResult = await resolveFromTarball({ pref: 'https://github.com/hegemonic/taffydb/tarball/master' })
 
   t.deepEqual(resolutionResult, {
-    id: 'github.com/hegemonic/taffydb/tarball/master',
+    id: '@github.com/hegemonic/taffydb/tarball/master',
     normalizedPref: 'https://github.com/hegemonic/taffydb/tarball/master',
     resolution: {
       tarball: 'https://github.com/hegemonic/taffydb/tarball/master',
@@ -36,7 +36,7 @@ test('tarballs from GitHub (is-negative)', async t => {
   const resolutionResult = await resolveFromTarball({ pref: 'https://github.com/kevva/is-negative/archive/1d7e288222b53a0cab90a331f1865220ec29560c.tar.gz' })
 
   t.deepEqual(resolutionResult, {
-    id: 'github.com/kevva/is-negative/archive/1d7e288222b53a0cab90a331f1865220ec29560c.tar.gz',
+    id: '@github.com/kevva/is-negative/archive/1d7e288222b53a0cab90a331f1865220ec29560c.tar.gz',
     normalizedPref: 'https://github.com/kevva/is-negative/archive/1d7e288222b53a0cab90a331f1865220ec29560c.tar.gz',
     resolution: {
       tarball: 'https://github.com/kevva/is-negative/archive/1d7e288222b53a0cab90a331f1865220ec29560c.tar.gz',