From e73da5e27bd5cda6131618ce8a115e6c630fd607 Mon Sep 17 00:00:00 2001
From: Varun Chawla <34209028+veeceey@users.noreply.github.com>
Date: Wed, 25 Feb 2026 02:03:32 -0800
Subject: [PATCH] fix(lockfile): respect lockfile-include-tarball-url=false for non-standard URLs (#10621)

When lockfile-include-tarball-url is explicitly set to false, tarball URLs are now always excluded from the lockfile. Previously, packages hosted under non-standard tarball URLs would still have their tarball field written to the lockfile even when the setting was false, causing flaky and inconsistent behavior across environments.

The fix makes the option tri-state internally:
- true: always include tarball URLs
- false: never include tarball URLs
- undefined (not set): use the existing heuristic that includes tarball URLs only for packages with non-standard registry URLs

close #6667
---
 .../fix-lockfile-include-tarball-url.md | 6 +++++
 .../core/src/install/extendInstallOptions.ts | 3 +--
 pkg-manager/core/test/lockfile.ts | 22 +++++++++++++++++++
 .../src/updateLockfile.ts | 5 +++++
 4 files changed, 34 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/fix-lockfile-include-tarball-url.md

diff --git a/.changeset/fix-lockfile-include-tarball-url.md b/.changeset/fix-lockfile-include-tarball-url.md
new file mode 100644
index 0000000000..fcdce145ce
--- /dev/null
+++ b/.changeset/fix-lockfile-include-tarball-url.md
@@ -0,0 +1,6 @@
+---
+"@pnpm/resolve-dependencies": patch
+"pnpm": patch
+---
+
+When `lockfile-include-tarball-url` is set to `false`, tarball URLs are now always excluded from the lockfile. Previously, tarball URLs could still appear for packages hosted under non-standard URLs, making the behavior flaky and inconsistent [#6667](https://github.com/pnpm/pnpm/issues/6667).
diff --git a/pkg-manager/core/src/install/extendInstallOptions.ts b/pkg-manager/core/src/install/extendInstallOptions.ts
index 285f18077a..4d94fbc7c9 100644
--- a/pkg-manager/core/src/install/extendInstallOptions.ts
+++ b/pkg-manager/core/src/install/extendInstallOptions.ts
@@ -60,7 +60,7 @@ export interface StrictInstallOptions {
   preferFrozenLockfile: boolean
   saveWorkspaceProtocol: boolean | 'rolling'
   lockfileCheck?: (prev: LockfileObject, next: LockfileObject) => void
-  lockfileIncludeTarballUrl: boolean
+  lockfileIncludeTarballUrl?: boolean
   preferWorkspacePackages: boolean
   preserveWorkspaceProtocol: boolean
   saveCatalogName?: string
@@ -240,7 +240,6 @@ const defaults = (opts: InstallOptions): StrictInstallOptions => {
     registries: DEFAULT_REGISTRIES,
     resolutionMode: 'lowest-direct',
     saveWorkspaceProtocol: 'rolling',
-    lockfileIncludeTarballUrl: false,
     scriptsPrependNodePath: false,
     shamefullyHoist: false,
     shellEmulator: false,
diff --git a/pkg-manager/core/test/lockfile.ts b/pkg-manager/core/test/lockfile.ts
index 969a29be02..d9e1464f51 100644
--- a/pkg-manager/core/test/lockfile.ts
+++ b/pkg-manager/core/test/lockfile.ts
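Review bot: The new optional `lockfileIncludeTarballUrl?: boolean` field now carries a tri-state meaning (`true` / `false` / `undefined`) that is spelled out only in the commit message, not at the declaration, and the dropped default in the `@@ -240` hunk is the only other trace of it in this file. A TSDoc comment on the field would keep the contract next to the type, e.g. `/** true: always write tarball URLs to the lockfile; false: never write them; undefined: write them only for non-standard registry URLs (pre-existing heuristic). */`. It is also worth confirming that no upstream layer (config normalisation or CLI option defaults, which this patch does not touch) still fills the option in with `false`, because that would make the `undefined` heuristic unreachable in the CLI path while the core-API tests added here keep passing.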
@@ -1446,6 +1446,28 @@ test('include tarball URL', async () => {
     .toBe(`http://localhost:${REGISTRY_MOCK_PORT}/@pnpm.e2e/pkg-with-1-dep/-/pkg-with-1-dep-100.0.0.tgz`)
 })
 
+test('exclude tarball URL when lockfileIncludeTarballUrl is false', async () => {
+  const project = prepareEmpty()
+
+  const opts = testDefaults({ fastUnpack: false, lockfileIncludeTarballUrl: false })
+  await addDependenciesToPackage({}, ['@pnpm.e2e/pkg-with-1-dep@100.0.0'], opts)
+
+  const lockfile = project.readLockfile()
+  expect((lockfile.packages['@pnpm.e2e/pkg-with-1-dep@100.0.0'].resolution as TarballResolution).tarball)
+    .toBeUndefined()
+})
+
+test('exclude non-standard tarball URL when lockfileIncludeTarballUrl is false', async () => {
+  const project = prepareEmpty()
+
+  await addDependenciesToPackage({}, ['esprima-fb@3001.1.0-dev-harmony-fb'], testDefaults({ fastUnpack: false, lockfileIncludeTarballUrl: false }))
+
+  const lockfile = project.readLockfile()
+
+  expect((lockfile.packages['esprima-fb@3001.1.0-dev-harmony-fb'].resolution as TarballResolution).tarball)
+    .toBeUndefined()
+})
+
 test('lockfile v6', async () => {
   prepareEmpty()
 
diff --git a/pkg-manager/resolve-dependencies/src/updateLockfile.ts b/pkg-manager/resolve-dependencies/src/updateLockfile.ts
index d9b9f19d89..81b7a3edea 100644
--- a/pkg-manager/resolve-dependencies/src/updateLockfile.ts
+++ b/pkg-manager/resolve-dependencies/src/updateLockfile.ts
@@ -196,6 +196,11 @@ function toLockfileResolution (
       tarball: resolution['tarball'],
     }
   }
+  if (lockfileIncludeTarballUrl === false) {
+    return {
+      integrity: resolution['integrity'],
+    }
+  }
   // Sometimes packages are hosted under non-standard tarball URLs.
   // For instance, when they are hosted on npm Enterprise. See https://github.com/pnpm/pnpm/issues/867
   // Or in other weird cases, like https://github.com/pnpm/pnpm/issues/1072
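Review bot: Both new tests assert only that `.tarball` is undefined, so they would still pass if the resolution were written without `integrity` or were not written at all, which is exactly the regression the `false` branch could introduce. Binding the resolution once, `const resolution = lockfile.packages['esprima-fb@3001.1.0-dev-harmony-fb'].resolution as TarballResolution`, and adding `expect(resolution.integrity).toBeDefined()` next to the existing `expect(resolution.tarball).toBeUndefined()` would pin down that the lockfile still carries a verifiable locator for the package once the URL is dropped. The second test is the one that actually exercises the non-standard-URL path from #6667; a one-line comment saying that is why `esprima-fb@3001.1.0-dev-harmony-fb` was chosen would help the next reader.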
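Review bot: The new `lockfileIncludeTarballUrl === false` branch returns `{ integrity: resolution['integrity'] }` unconditionally, so for a package whose resolution has no `integrity` the lockfile entry ends up with neither a hash nor a URL, leaving nothing to verify the tarball against or to re-fetch it from. If that case can occur it is worth handling explicitly, e.g. narrowing the guard to `if (lockfileIncludeTarballUrl === false && resolution['integrity']) {` so an integrity-less resolution still falls through to the existing heuristic, with a comment stating why the URL is kept there. The comment block right after the branch should also record the third state, e.g. `// lockfileIncludeTarballUrl === undefined: decide per package with the heuristic below`. `toLockfileResolution` starts and ends outside this hunk, so whether `integrity` is guaranteed by the caller cannot be confirmed from the patch.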