Commit Graph

13 Commits

Author SHA1 Message Date
Zoltan Kochan
343441ca62 chore(release): 10.34.2 (#12311) 2026-06-10 15:40:37 +02:00
Zoltan Kochan
14bceb1e0b fix(security): harden build-approval artifact identities on v10 (#12306)
* fix(security): harden build-approval artifact identities on v10

Port of pnpm/pnpm#12294 (commit bf1b731ee6) to release/10.

Package-name entries in onlyBuiltDependencies (and allowBuilds) no longer
approve lifecycle scripts for artifacts whose identity a name cannot pin:
git, git-hosted tarball, direct tarball, and local directory dependencies.
To approve such an artifact explicitly, use its peer-suffix-free lockfile
depPath as the key — the GIT_DEP_PREPARE_NOT_ALLOWED hint, pnpm
ignored-builds, and pnpm approve-builds print exactly that key.

- AllowBuild policy functions identify packages by DepPath instead of
  caller-supplied name/version. Identity trust is derived from the depPath
  shape: a registry-style depPath (name@semver) is a trusted identity.
- The trust is sound because lockfile entries are structurally checked
  wherever they are materialized into fetchable resolutions
  (pkgSnapshotToResolution) and before rebuild runs scripts: a
  registry-style key backed by a git, directory, or git-hosted tarball
  resolution is rejected with ERR_PNPM_RESOLUTION_SHAPE_MISMATCH.
- preparePackage requires a pkgResolutionId and gates on the synthesized
  name@<resolution id> depPath; scp-style git URLs are normalized to
  ssh:// form in resolution ids and the git fetcher reuses
  createGitHostedPkgId from the resolver.
- isGitHostedTarballUrl matches case-insensitively and is shared from
  @pnpm/lockfile.utils; new removePeersSuffix() in @pnpm/dependency-path
  and allowBuildKeyFromIgnoredBuild() in @pnpm/builder.policy.
- pnpm rebuild and approve-builds accept depPath specs for selecting and
  approving artifact builds; installs rebuild ignored builds approved by
  depPath keys.
- shell-quote is overridden to 1.8.4 (GHSA-w7jw-789q-3m8p /
  CVE-2026-9277).

Differences from main: v10 has no lockfile resolution verifier, so the
structural pass lives in pkgSnapshotToResolution and the rebuild loop; the
AllowBuild policy keeps v10's boolean return; the revoked-approval
detection and global-virtual-store hash changes have no v10 counterpart.

* test: serve the direct-tarball fixture from an off-registry origin

The registry mock binds only localhost, so a hard-coded 127.0.0.1 URL is
refused in CI, and a tarball URL on the registry's own origin resolves as
a registry package, which defeats the direct-tarball identity the test
needs. An in-test HTTP server redirecting to the mock provides a separate
origin whose binding the test controls.

* test: approve the git-protocol licenses fixture by its depPath

A git-hosted artifact has an untrusted package identity, so the
ajv-keywords build has to be approved by its depPath. Pin the fixture to
the commit the depPath names.
2026-06-10 15:10:00 +02:00
Zoltan Kochan
be07631710 chore(release): 10.33.0 2026-03-24 17:15:56 +01:00
Zoltan Kochan
0b5a56aaec chore(release): 10.28.1 2026-01-19 12:12:58 +01:00
Zoltan Kochan
6bdba72ad3 chore(release): 10.27.0 2025-12-30 21:49:41 +01:00
Zoltan Kochan
512f18817d fix: git dependencies respect dangerouslyAllowAllBuilds (#10387)
close #10376
2025-12-30 19:02:47 +01:00
Zoltan Kochan
244e33b4e9 chore(release): 10.26.0 2025-12-15 12:10:26 +01:00
Zoltan Kochan
b0cd2dea48 chore(release): 10.25.0 2025-12-08 15:33:42 +01:00
Zoltan Kochan
603aedae0a chore(release): 10.23.0 2025-11-20 14:46:54 +01:00
Zoltan Kochan
2e2dc27d07 chore(release): 10.21.0 2025-11-09 23:45:04 +01:00
Zoltan Kochan
0cde1287c8 chore: update repository fields 2025-10-23 11:57:12 +02:00
Zoltan Kochan
43d7b18c2f chore(release): 10.19.0 2025-10-21 15:30:20 +02:00
Zoltan Kochan
dee39ecb8a feat: support allowing the build of specific versions of dependencies (#10104)
close #10076
2025-10-21 12:38:16 +02:00