Commit Graph

228 Commits

Author SHA1 Message Date
Zoltan Kochan
343441ca62 chore(release): 10.34.2 (#12311) 2026-06-10 15:40:37 +02:00
Zoltan Kochan
14bceb1e0b fix(security): harden build-approval artifact identities on v10 (#12306)
* fix(security): harden build-approval artifact identities on v10

Port of pnpm/pnpm#12294 (commit bf1b731ee6) to release/10.

Package-name entries in onlyBuiltDependencies (and allowBuilds) no longer
approve lifecycle scripts for artifacts whose identity a name cannot pin:
git, git-hosted tarball, direct tarball, and local directory dependencies.
To approve such an artifact explicitly, use its peer-suffix-free lockfile
depPath as the key — the GIT_DEP_PREPARE_NOT_ALLOWED hint, pnpm
ignored-builds, and pnpm approve-builds print exactly that key.

- AllowBuild policy functions identify packages by DepPath instead of
  caller-supplied name/version. Identity trust is derived from the depPath
  shape: a registry-style depPath (name@semver) is a trusted identity.
- The trust is sound because lockfile entries are structurally checked
  wherever they are materialized into fetchable resolutions
  (pkgSnapshotToResolution) and before rebuild runs scripts: a
  registry-style key backed by a git, directory, or git-hosted tarball
  resolution is rejected with ERR_PNPM_RESOLUTION_SHAPE_MISMATCH.
- preparePackage requires a pkgResolutionId and gates on the synthesized
  name@<resolution id> depPath; scp-style git URLs are normalized to
  ssh:// form in resolution ids and the git fetcher reuses
  createGitHostedPkgId from the resolver.
- isGitHostedTarballUrl matches case-insensitively and is shared from
  @pnpm/lockfile.utils; new removePeersSuffix() in @pnpm/dependency-path
  and allowBuildKeyFromIgnoredBuild() in @pnpm/builder.policy.
- pnpm rebuild and approve-builds accept depPath specs for selecting and
  approving artifact builds; installs rebuild ignored builds approved by
  depPath keys.
- shell-quote is overridden to 1.8.4 (GHSA-w7jw-789q-3m8p /
  CVE-2026-9277).

Differences from main: v10 has no lockfile resolution verifier, so the
structural pass lives in pkgSnapshotToResolution and the rebuild loop; the
AllowBuild policy keeps v10's boolean return; the revoked-approval
detection and global-virtual-store hash changes have no v10 counterpart.

* test: serve the direct-tarball fixture from an off-registry origin

The registry mock binds only localhost, so a hard-coded 127.0.0.1 URL is
refused in CI, and a tarball URL on the registry's own origin resolves as
a registry package, which defeats the direct-tarball identity the test
needs. An in-test HTTP server redirecting to the mock provides a separate
origin whose binding the test controls.

* test: approve the git-protocol licenses fixture by its depPath

A git-hosted artifact has an untrusted package identity, so the
ajv-keywords build has to be approved by its depPath. Pin the fixture to
the commit the depPath names.
2026-06-10 15:10:00 +02:00
Zoltan Kochan
1de167838c chore(release): 10.34.0 (#11988) 2026-05-27 14:58:46 +02:00
Zoltan Kochan
19f7df1461 fix(git-fetcher): reject non-SHA commit values before invoking git
The git fetcher passed the lockfile-controlled `resolution.commit` value
to `git fetch --depth 1 origin <commit>` and `git checkout <commit>`
without a `--` separator and without validating that the value is a
SHA. A malicious lockfile could smuggle a value such as
`--upload-pack=touch /tmp/pwned`, which `git` parses as an option. On
SSH and local-file transports `--upload-pack` runs the supplied
command. HTTPS ignores it, but the SSH/file paths are enough to
execute code as the user running `pnpm install`.

Validate `resolution.commit` against `/^[0-9a-f]{40}$/i` at the entry
of the fetcher and throw `INVALID_GIT_COMMIT` otherwise. The check is
strictly stronger than adding a `--` separator: a validated value
cannot start with `-` or contain shell-significant characters at all.

Backport of #11967 to release/10.

---
Written by an agent (Claude Code, claude-opus-4-7).
2026-05-27 14:13:35 +02:00
Zoltan Kochan
ff3304fcb3 chore(release): 10.33.4 2026-05-06 15:00:18 +02:00
Zoltan Kochan
edbe2a7c9b fix: pin integrity of git-hosted tarballs in lockfile (#11491)
Cherry-pick of #11481 from main, adapted to the v10 layout.

For git-hosted tarballs (codeload.github.com / gitlab.com / bitbucket.org)
the fetcher dropped the integrity it computed while downloading, so the
lockfile only stored the URL. A compromised git host or man-in-the-middle
could serve a substituted tarball on subsequent installs and pnpm would
install it without lockfile changes.

This pins the SHA-512 SRI of the raw tarball in the lockfile in the same
sha512-<base64> form npm-registry tarballs use; subsequent installs verify
the download against that integrity in the worker.

A new optional gitHosted: boolean field is recorded on TarballResolution
so every store-key consumer can route by a single typed read instead of
re-deriving the routing from the URL. Lockfiles written by older pnpm
versions are enriched on load (URL fallback) so the field can be relied
on uniformly.

🤖 Cherry-picked by Claude (claude-opus-4-7) on behalf of @zkochan
2026-05-06 14:28:42 +02:00
Zoltan Kochan
510a7ae500 test(tarball-fetcher): point "fetch a big repository" at an existing repo
Same reason as the sibling git-fetcher test: sveltejs/action-deploy-docs
was deleted/privated. Matches the repo used on v11.
2026-04-22 02:17:07 +02:00
Zoltan Kochan
98374b81b7 test(git-fetcher): point "fetch a big repository" at an existing repo
sveltejs/action-deploy-docs was deleted/privated, causing git clone to
prompt for credentials and fail in non-interactive CI. Matches the repo
already used on the v11 branch.
2026-04-22 01:54:05 +02:00
Zoltan Kochan
be07631710 chore(release): 10.33.0 2026-03-24 17:15:56 +01:00
Zoltan Kochan
2a56acc1b2 chore(release): 10.30.2 2026-02-24 00:36:58 +01:00
Zoltan Kochan
958ab703d1 chore(release): libs 2026-02-17 16:44:04 +01:00
Zoltan Kochan
89a2c4ec38 chore(release): 10.28.2 2026-01-26 15:17:27 +01:00
Zoltan Kochan
0b5a56aaec chore(release): 10.28.1 2026-01-19 12:12:58 +01:00
Zoltan Kochan
15e83b35a2 fix: reference @pnpm/fs.packlist from the workspace (#10477) 2026-01-17 14:47:54 +01:00
Zoltan Kochan
46309a0221 fix: linting issues 2026-01-16 23:39:49 +01:00
Zoltan Kochan
3ccb34bb10 test: fix 2026-01-16 22:32:20 +01:00
Zoltan Kochan
5c382f0ca3 fix: prevent path traversal vulnerabilities during ZIP extraction 2026-01-16 22:22:00 +01:00
Zoltan Kochan
6bdba72ad3 chore(release): 10.27.0 2025-12-30 21:49:41 +01:00
Zoltan Kochan
8ec7939657 chore(release): 10.26.2 2025-12-23 14:34:19 +01:00
Zoltan Kochan
914f2e5e3e fix: linking commands of engines (#10354)
close #10244
2025-12-23 12:31:42 +01:00
Zoltan Kochan
c70accc134 refactor: binary fetcher 2025-12-23 12:31:36 +01:00
Zoltan Kochan
cdd1fcd1fc fix(git-resolver): installing git-hosted dependency using annotated tags (#10349)
close #10335
2025-12-23 12:31:19 +01:00
Zoltan Kochan
97faa0b5e1 test: fix 2025-12-22 13:37:23 +01:00
Zoltan Kochan
4986c46b48 chore(release): 10.26.1 2025-12-19 01:48:40 +01:00
klassiker
aba18acafd fix(git-fetcher): ensure the specified commit is used after checkout (#10310)
* fix(git-fetcher): ensure the specified commit is used after checkout

* fix(git-resolver): always resolve to a full commit

* chore: add changeset heavy-dragons-start

* test: fix related test case

* test: fix some other test that gets stuck

* Update heavy-dragons-start.md with PR reference

Add reference to pull request #10310 for clarity.
2025-12-17 12:16:31 +01:00
Zoltan Kochan
244e33b4e9 chore(release): 10.26.0 2025-12-15 12:10:26 +01:00
Zoltan Kochan
585c82f568 test: fix 2025-12-10 01:08:59 +01:00
Oren
40775391d5 fix(git-fetcher): block git dependencies from running prepare scripts unless allowed (#10288)
* fix(git-fetcher): block git dependencies from running prepare scripts unless allowed

* Update exec/prepare-package/src/index.ts

Co-authored-by: Zoltan Kochan <z@kochan.io>

* Also implement in gitHostedTarballFetcher

* refactor: move allowBuild function creation to the store manager

* refactor: pass allowBuild function to fetch function directly

* refactor: revert not needed changes and update changesets

* test: fix

* fix: implemented CR suggestions

* test: fix

* test: fix

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-10 00:51:43 +01:00
Oren
b7d3ec65b1 fix(tarball-resolver): add integrity hash to HTTP tarball dependencies (#10287)
* fix(tarball-resolver): add integrity hash to HTTP tarball dependencies

* Refactor to download tarball just once

* Fix tests

* fix: only calc hash when it is not passed in to the fetcher

* docs: update changesets
2025-12-10 00:49:50 +01:00
Zoltan Kochan
b0cd2dea48 chore(release): 10.25.0 2025-12-08 15:33:42 +01:00
Zoltan Kochan
16d08d0cb0 chore(release): 10.24.0 2025-11-27 14:53:58 +01:00
Zoltan Kochan
603aedae0a chore(release): 10.23.0 2025-11-20 14:46:54 +01:00
Zoltan Kochan
1de6d19f59 chore(release): 10.22.0 2025-11-12 14:13:12 +01:00
Zoltan Kochan
2e2dc27d07 chore(release): 10.21.0 2025-11-09 23:45:04 +01:00
Zoltan Kochan
5847af412b feat: install js runtime as prod dependency (#10141) 2025-10-31 17:15:38 +01:00
Zoltan Kochan
0cde1287c8 chore: update repository fields 2025-10-23 11:57:12 +02:00
Zoltan Kochan
43d7b18c2f chore(release): 10.19.0 2025-10-21 15:30:20 +02:00
Zoltan Kochan
1bfc105da0 chore(release): 10.18.3 2025-10-14 11:27:45 +02:00
Zoltan Kochan
1b15e45ae9 chore(release): 10.18.2 2025-10-09 16:56:04 +02:00
Zoltan Kochan
6618431aee chore(release): libs 2025-09-29 11:56:00 +02:00
Zoltan Kochan
fb4da0c0ab feat: print a warning if network requests are slow (#10025)
* feat: print a warning if network requests are slow

* feat: print a warning if network requests are slow

add a new setting for fetch tarball speed

* feat: print a warning if network requests are slow

* fix: src/fetch.ts

* docs: add changeset
2025-09-28 11:19:10 +02:00
Zoltan Kochan
ea44ff979f chore(release): 10.16.1 2025-09-13 19:20:27 +02:00
Zoltan Kochan
a3c1498403 chore(release): 10.16.0 2025-09-12 14:24:30 +02:00
Zoltan Kochan
3d1711a439 chore(release): 10.15.1 2025-09-01 11:41:05 +02:00
Zoltan Kochan
facd7656e8 refactor: always use extensions in relative imports (#9878) 2025-08-19 15:25:11 +02:00
Zoltan Kochan
c89c93d59b test: use @jest/globals (#9877) 2025-08-19 00:16:25 +02:00
Zoltan Kochan
14c78e81d4 test: use jest.mocked (#9874) 2025-08-18 15:22:37 +02:00
Zoltan Kochan
dcfb186f21 chore(release): libs 2025-08-07 14:09:55 +02:00
Zoltan Kochan
2b0d35fa8d fix: @pnpm/worker should be a peer dependency 2025-08-01 10:34:34 +02:00
Zoltan Kochan
a4d654807c chore(release): 10.14.0 2025-07-31 15:00:26 +02:00