fix(npm-resolver): ignore broken shasum in metadata (#3666)

close #3663
Zoltan Kochan
2021-08-13 11:08:10 +03:00
committed by GitHub
parent c3d2746ace
commit a4fed27983
4 changed files with 97 additions and 1 deletions


@@ -0,0 +1,7 @@
---
"@pnpm/npm-resolver": patch
---
Do not fail if a package has no shasum in the metadata.
Fail if a package has broken shasum in the metadata.


@@ -314,5 +314,12 @@ function getIntegrity (dist: {
if (dist.integrity) {
return dist.integrity
}
return ssri.fromHex(dist.shasum, 'sha1').toString()
if (!dist.shasum) {
return undefined
}
const integrity = ssri.fromHex(dist.shasum, 'sha1')
if (!integrity) {
throw new PnpmError('INVALID_TARBALL_INTEGRITY', `Tarball "${dist.tarball}" has invalid shasum specified in its metadata: ${dist.shasum}`)
}
return integrity.toString()
}
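Review bot: The new `if (!dist.shasum) return undefined` branch fails open: a version whose metadata has neither `integrity` nor a non-empty `shasum` now resolves with no integrity value, so as far as this hunk shows nothing from the registry metadata remains to check the downloaded tarball against. That matches the stated intent of the fix, but it should be written down at the branch, for example `// No integrity or shasum in metadata: the resolution carries no integrity, so the tarball is not verified against registry data`, and a warning that names `dist.tarball` would make such installs visible in logs. The `!integrity` guard presumably only catches values that `ssri.fromHex` cannot turn into a digest at all; if a hex string shorter than 40 characters should be rejected here rather than at download time, a check such as `if (!/^[0-9a-f]{40}$/i.test(dist.shasum))` before the `fromHex` call would do it. The signature and return type of `getIntegrity` are outside the hunk, so whether `string | undefined` is already declared cannot be seen from here.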


@@ -18,6 +18,7 @@ const isPositiveMetaFull = loadJsonFile.sync<any>(path.join(__dirname, 'meta', '
const isPositiveBrokenMeta = loadJsonFile.sync<any>(path.join(__dirname, 'meta', 'is-positive-broken.json'))
const sindresorhusIsMeta = loadJsonFile.sync<any>(path.join(__dirname, 'meta', 'sindresorhus-is.json'))
const jsonMeta = loadJsonFile.sync<any>(path.join(__dirname, 'meta', 'JSON.json'))
const brokenIntegrity = loadJsonFile.sync<any>(path.join(__dirname, 'meta', 'broken-integrity.json'))
/* eslint-enable @typescript-eslint/no-explicit-any */
const registry = 'https://registry.npmjs.org/'
@@ -1648,3 +1649,43 @@ test('resolve workspace:~', async () => {
expect(resolveResult!.manifest!.name).toBe('is-positive')
expect(resolveResult!.manifest!.version).toBe('1.0.0')
})
test('resolveFromNpm() does not fail if the meta file contains no integrity information', async () => {
nock(registry)
.get('/is-positive')
.reply(200, brokenIntegrity)
const cacheDir = tempy.directory()
const resolve = createResolveFromNpm({
cacheDir,
})
const resolveResult = await resolve({ alias: 'is-positive', pref: '2.0.0' }, {
registry,
})
expect(resolveResult!.resolvedVia).toBe('npm-registry')
expect(resolveResult!.id).toBe('registry.npmjs.org/is-positive/2.0.0')
expect(resolveResult!.latest!.split('.').length).toBe(3)
expect(resolveResult!.resolution).toStrictEqual({
integrity: undefined,
registry,
tarball: 'https://registry.npmjs.org/is-positive/-/is-positive-2.0.0.tgz',
})
expect(resolveResult!.manifest).toBeTruthy()
expect(resolveResult!.manifest!.name).toBe('is-positive')
expect(resolveResult!.manifest!.version).toBe('2.0.0')
})
test('resolveFromNpm() fails if the meta file contains invalid shasum', async () => {
nock(registry)
.get('/is-positive')
.reply(200, brokenIntegrity)
const cacheDir = tempy.directory()
const resolve = createResolveFromNpm({
cacheDir,
})
await expect(
resolve({ alias: 'is-positive', pref: '1.0.0' }, { registry })
).rejects.toThrow('Tarball "https://registry.npmjs.org/is-positive/-/is-positive-1.0.0.tgz" has invalid shasum specified in its metadata: a')
})
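Review bot: The test named "contains no integrity information" exercises an empty string rather than a missing field: the 2.0.0 entry in `broken-integrity.json` has `"shasum": ""`, so a `dist` object with no `shasum` key at all is not covered, and neither is a shasum that is valid hex but the wrong length. Adding one fixture version without the key and one with a truncated digest would pin both outcomes of `getIntegrity`. The failure test matches only the message text; also asserting the error code, e.g. `.rejects.toMatchObject({ code: expect.stringContaining('INVALID_TARBALL_INTEGRITY') })`, would keep it stable if the wording changes.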


@@ -0,0 +1,41 @@
{
"versions": {
"1.0.0": {
"name": "is-positive",
"version": "1.0.0",
"devDependencies": {
"ava": "^0.0.4"
},
"_hasShrinkwrap": false,
"directories": {},
"dist": {
"shasum": "a",
"tarball": "https://registry.npmjs.org/is-positive/-/is-positive-1.0.0.tgz"
},
"engines": {
"node": ">=0.10.0"
}
},
"2.0.0": {
"name": "is-positive",
"version": "2.0.0",
"devDependencies": {
"ava": "^0.0.4"
},
"_hasShrinkwrap": false,
"directories": {},
"dist": {
"shasum": "",
"tarball": "https://registry.npmjs.org/is-positive/-/is-positive-2.0.0.tgz"
},
"engines": {
"node": ">=0.10.0"
}
}
},
"name": "is-positive",
"dist-tags": {
"latest": "1.0.0"
},
"modified": "2017-08-17T19:26:00.508Z"
}