fix: npm compat on installing redirecting tarballs (#10197)

close #9802 --------- Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-04-28 11:01:30 -04:00 · 2025-12-11 05:55:02 -05:00
parent 3585d9a372
commit e0f0a7d85f
3 changed files with 50 additions and 6 deletions
--- a/.changeset/tired-fans-invent.md
+++ b/.changeset/tired-fans-invent.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/tarball-resolver": patch
+"pnpm": patch
+---
+
+When a dependency is installed via a direct URL that redirects to another URL and is immutable, the original URL is normalized and saved to `package.json` [#10197](https://github.com/pnpm/pnpm/pull/10197).
--- a/resolving/tarball-resolver/src/index.ts
+++ b/resolving/tarball-resolver/src/index.ts
@@ -17,19 +17,21 @@ export async function resolveFromTarball (

  if (isRepository(wantedDependency.bareSpecifier)) return null

+  // The URL is normalized to remove the port if it is the default port of the protocol.
+  const normalizedBareSpecifier = new URL(wantedDependency.bareSpecifier).toString()
  let resolvedUrl: string

  // If there are redirects and the response is immutable, we want to get the final URL address
-  const response = await fetchFromRegistry(wantedDependency.bareSpecifier, { method: 'HEAD' })
+  const response = await fetchFromRegistry(normalizedBareSpecifier, { method: 'HEAD' })
  if (response?.headers?.get('cache-control')?.includes('immutable')) {
    resolvedUrl = response.url
  } else {
-    resolvedUrl = wantedDependency.bareSpecifier
+    resolvedUrl = normalizedBareSpecifier
  }

  return {
-    id: resolvedUrl as PkgResolutionId,
-    normalizedBareSpecifier: resolvedUrl,
+    id: normalizedBareSpecifier as PkgResolutionId,
+    normalizedBareSpecifier,
    resolution: {
      tarball: resolvedUrl,
    },
--- a/resolving/tarball-resolver/test/index.ts
+++ b/resolving/tarball-resolver/test/index.ts
@@ -7,7 +7,7 @@ const fetch = createFetchFromRegistry({})
 const resolveFromTarball = _resolveFromTarball.bind(null, fetch)

 test('tarball from npm registry (immutable)', async () => {
-  const resolutionResult = await resolveFromTarball({ bareSpecifier: 'http://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz' })
+  const resolutionResult = await resolveFromTarball({ bareSpecifier: 'https://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz' })

  expect(resolutionResult).toStrictEqual({
    id: 'https://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
@@ -19,7 +19,7 @@ test('tarball from npm registry (immutable)', async () => {
  })
 })
 test('tarball from npm.jsr.io registry (immutable)', async () => {
-  const resolutionResult = await resolveFromTarball({ bareSpecifier: 'http://npm.jsr.io/~/11/@jsr/luca__flag/1.0.1.tgz' })
+  const resolutionResult = await resolveFromTarball({ bareSpecifier: 'https://npm.jsr.io/~/11/@jsr/luca__flag/1.0.1.tgz' })

  expect(resolutionResult).toStrictEqual({
    id: 'https://npm.jsr.io/~/11/@jsr/luca__flag/1.0.1.tgz',
@@ -46,6 +46,42 @@ test('tarball from URL that contain port number', async () => {
  })
 })

+test('tarball from URL with redundant port', async () => {
+  const resolutionResult = await resolveFromTarball({ bareSpecifier: 'https://registry.npmjs.org:443/is-array/-/is-array-1.0.1.tgz' })
+
+  expect(resolutionResult).toStrictEqual({
+    id: 'https://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
+    normalizedBareSpecifier: 'https://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
+    resolution: {
+      tarball: 'https://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
+    },
+    resolvedVia: 'url',
+  })
+})
+
+test('tarball from URL that redirects to a different URL (immutable)', async () => {
+  // eslint-disable-next-line @typescript-eslint/no-explicit-any
+  const fetch: any = async (url: string) => {
+    if (url === 'http://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz') {
+      return {
+        url: 'https://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
+        headers: new Map([['cache-control', 'immutable']]),
+      }
+    }
+    return { url }
+  }
+  const resolutionResult = await _resolveFromTarball(fetch, { bareSpecifier: 'http://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz' })
+
+  expect(resolutionResult).toStrictEqual({
+    id: 'http://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
+    normalizedBareSpecifier: 'http://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
+    resolution: {
+      tarball: 'https://registry.npmjs.org/is-array/-/is-array-1.0.1.tgz',
+    },
+    resolvedVia: 'url',
+  })
+})
+
 test('tarball not from npm registry (mutable)', async () => {
  const resolutionResult = await resolveFromTarball({ bareSpecifier: 'https://github.com/hegemonic/taffydb/tarball/master' })