diff --git a/.changeset/fix-lockfile-include-tarball-url.md b/.changeset/fix-lockfile-include-tarball-url.md
new file mode 100644
index 0000000000..fcdce145ce
--- /dev/null
+++ b/.changeset/fix-lockfile-include-tarball-url.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/resolve-dependencies": patch
+"pnpm": patch
+---
+
+When `lockfile-include-tarball-url` is set to `false`, tarball URLs are now always excluded from the lockfile. Previously, tarball URLs could still appear for packages hosted under non-standard URLs, making the behavior flaky and inconsistent [#6667](https://github.com/pnpm/pnpm/issues/6667).
diff --git a/pkg-manager/core/src/install/extendInstallOptions.ts b/pkg-manager/core/src/install/extendInstallOptions.ts
index 285f18077a..4d94fbc7c9 100644
--- a/pkg-manager/core/src/install/extendInstallOptions.ts
+++ b/pkg-manager/core/src/install/extendInstallOptions.ts
@@ -60,7 +60,7 @@ export interface StrictInstallOptions {
   preferFrozenLockfile: boolean
   saveWorkspaceProtocol: boolean | 'rolling'
   lockfileCheck?: (prev: LockfileObject, next: LockfileObject) => void
-  lockfileIncludeTarballUrl: boolean
+  lockfileIncludeTarballUrl?: boolean
   preferWorkspacePackages: boolean
   preserveWorkspaceProtocol: boolean
   saveCatalogName?: string
@@ -240,7 +240,6 @@ const defaults = (opts: InstallOptions): StrictInstallOptions => {
   registries: DEFAULT_REGISTRIES,
   resolutionMode: 'lowest-direct',
   saveWorkspaceProtocol: 'rolling',
-  lockfileIncludeTarballUrl: false,
   scriptsPrependNodePath: false,
   shamefullyHoist: false,
   shellEmulator: false,
diff --git a/pkg-manager/core/test/lockfile.ts b/pkg-manager/core/test/lockfile.ts
index 969a29be02..d9e1464f51 100644
--- a/pkg-manager/core/test/lockfile.ts
+++ b/pkg-manager/core/test/lockfile.ts
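Review bot: The field at `lockfileIncludeTarballUrl?: boolean` now has three meaningful states, and the second hunk removes the `false` default, so `undefined` and `false` are no longer interchangeable for consumers that compare with `=== false`, yet nothing on the interface says so. I'd add a doc comment above the property, e.g. `/** undefined keeps the existing heuristic for when a tarball URL is recorded, true always records it, false never does — do not coerce this to a boolean before comparing. */`, with the wording checked against how updateLockfile actually interprets the undefined case. Any existing code that did `if (!opts.lockfileIncludeTarballUrl)` would presumably now treat undefined like false, which is the opposite of the intended default, so a grep for other readers of this option is worth doing.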
@@ -1446,6 +1446,28 @@ test('include tarball URL', async () => {
     .toBe(`http://localhost:${REGISTRY_MOCK_PORT}/@pnpm.e2e/pkg-with-1-dep/-/pkg-with-1-dep-100.0.0.tgz`)
 })
 
+test('exclude tarball URL when lockfileIncludeTarballUrl is false', async () => {
+  const project = prepareEmpty()
+
+  const opts = testDefaults({ fastUnpack: false, lockfileIncludeTarballUrl: false })
+  await addDependenciesToPackage({}, ['@pnpm.e2e/pkg-with-1-dep@100.0.0'], opts)
+
+  const lockfile = project.readLockfile()
+  expect((lockfile.packages['@pnpm.e2e/pkg-with-1-dep@100.0.0'].resolution as TarballResolution).tarball)
+    .toBeUndefined()
+})
+
+test('exclude non-standard tarball URL when lockfileIncludeTarballUrl is false', async () => {
+  const project = prepareEmpty()
+
+  await addDependenciesToPackage({}, ['esprima-fb@3001.1.0-dev-harmony-fb'], testDefaults({ fastUnpack: false, lockfileIncludeTarballUrl: false }))
+
+  const lockfile = project.readLockfile()
+
+  expect((lockfile.packages['esprima-fb@3001.1.0-dev-harmony-fb'].resolution as TarballResolution).tarball)
+    .toBeUndefined()
+})
+
 test('lockfile v6', async () => {
   prepareEmpty()
 
diff --git a/pkg-manager/resolve-dependencies/src/updateLockfile.ts b/pkg-manager/resolve-dependencies/src/updateLockfile.ts
index d9b9f19d89..81b7a3edea 100644
--- a/pkg-manager/resolve-dependencies/src/updateLockfile.ts
+++ b/pkg-manager/resolve-dependencies/src/updateLockfile.ts
@@ -196,6 +196,11 @@ function toLockfileResolution (
       tarball: resolution['tarball'],
     }
   }
+  if (lockfileIncludeTarballUrl === false) {
+    return {
+      integrity: resolution['integrity'],
+    }
+  }
   // Sometimes packages are hosted under non-standard tarball URLs.
   // For instance, when they are hosted on npm Enterprise. See https://github.com/pnpm/pnpm/issues/867
   // Or in other weird cases, like https://github.com/pnpm/pnpm/issues/1072
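Review bot: The second test ('exclude non-standard tarball URL when lockfileIncludeTarballUrl is false') assumes `esprima-fb@3001.1.0-dev-harmony-fb` resolves to a non-standard tarball URL, but nothing in the test pins that premise, so it would keep passing if the fixture moved to a standard path and the non-standard branch quietly stopped being covered. A one-line comment stating why this package is the non-standard case, or a sibling assertion that the tarball is present for it when `lockfileIncludeTarballUrl` is left unset, would keep the regression meaningful. As a point of style, the two tests build their options differently (a named `opts` versus an inline `testDefaults(...)` argument); using one form in both reads more consistently.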
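Review bot: The early return added for `lockfileIncludeTarballUrl === false` writes an entry whose only locator is `resolution['integrity']`, so for a package the comments directly below describe as hosted under a non-standard tarball URL the lockfile no longer records how to fetch it, and if that resolution carries no integrity the entry pins nothing at all. A frozen-lockfile install of such a package then has to re-derive the URL from registry metadata, which is exactly the case the non-standard-URL branch below was keeping the tarball for. Either only drop the tarball when an integrity exists, e.g. `if (lockfileIncludeTarballUrl === false && resolution['integrity'] != null) {`, or state above the new branch that `false` deliberately trades lockfile self-sufficiency for URL independence so the trade-off is explicit. toLockfileResolution starts outside the hunk, so whether integrity is guaranteed non-empty at this point is not visible here.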