Commit Graph

307 Commits

Author SHA1 Message Date
Zoltan Kochan
e5dce41eab chore(release): 10.34.5 (#12900) 2026-07-10 12:26:37 +02:00
Zoltan Kochan
e28b9cb47d chore(release): 10.34.4 (#12511) 2026-06-19 00:16:04 +02:00
Zoltan Kochan
c7c97c30df chore(release): 10.34.3 (#12332) 2026-06-11 18:45:16 +02:00
Zoltan Kochan
343441ca62 chore(release): 10.34.2 (#12311) 2026-06-10 15:40:37 +02:00
Zoltan Kochan
14bceb1e0b fix(security): harden build-approval artifact identities on v10 (#12306)
* fix(security): harden build-approval artifact identities on v10

Port of pnpm/pnpm#12294 (commit bf1b731ee6) to release/10.

Package-name entries in onlyBuiltDependencies (and allowBuilds) no longer
approve lifecycle scripts for artifacts whose identity a name cannot pin:
git, git-hosted tarball, direct tarball, and local directory dependencies.
To approve such an artifact explicitly, use its peer-suffix-free lockfile
depPath as the key — the GIT_DEP_PREPARE_NOT_ALLOWED hint, pnpm
ignored-builds, and pnpm approve-builds print exactly that key.

- AllowBuild policy functions identify packages by DepPath instead of
  caller-supplied name/version. Identity trust is derived from the depPath
  shape: a registry-style depPath (name@semver) is a trusted identity.
- The trust is sound because lockfile entries are structurally checked
  wherever they are materialized into fetchable resolutions
  (pkgSnapshotToResolution) and before rebuild runs scripts: a
  registry-style key backed by a git, directory, or git-hosted tarball
  resolution is rejected with ERR_PNPM_RESOLUTION_SHAPE_MISMATCH.
- preparePackage requires a pkgResolutionId and gates on the synthesized
  name@<resolution id> depPath; scp-style git URLs are normalized to
  ssh:// form in resolution ids and the git fetcher reuses
  createGitHostedPkgId from the resolver.
- isGitHostedTarballUrl matches case-insensitively and is shared from
  @pnpm/lockfile.utils; new removePeersSuffix() in @pnpm/dependency-path
  and allowBuildKeyFromIgnoredBuild() in @pnpm/builder.policy.
- pnpm rebuild and approve-builds accept depPath specs for selecting and
  approving artifact builds; installs rebuild ignored builds approved by
  depPath keys.
- shell-quote is overridden to 1.8.4 (GHSA-w7jw-789q-3m8p /
  CVE-2026-9277).

Differences from main: v10 has no lockfile resolution verifier, so the
structural pass lives in pkgSnapshotToResolution and the rebuild loop; the
AllowBuild policy keeps v10's boolean return; the revoked-approval
detection and global-virtual-store hash changes have no v10 counterpart.

* test: serve the direct-tarball fixture from an off-registry origin

The registry mock binds only localhost, so a hard-coded 127.0.0.1 URL is
refused in CI, and a tarball URL on the registry's own origin resolves as
a registry package, which defeats the direct-tarball identity the test
needs. An in-test HTTP server redirecting to the mock provides a separate
origin whose binding the test controls.

* test: approve the git-protocol licenses fixture by its depPath

A git-hosted artifact has an untrusted package identity, so the
ajv-keywords build has to be approved by its depPath. Pin the fixture to
the commit the depPath names.
2026-06-10 15:10:00 +02:00
Zoltan Kochan
1de167838c chore(release): 10.34.0 (#11988) 2026-05-27 14:58:46 +02:00
Zoltan Kochan
6c0f2940c3 fix: fail by default when a tarball does not match the locked integrity (#11985)
Backport of #11968 to release/10. Treats tarball-integrity mismatches
against the lockfile as a hard failure by default; `--update-checksums`
is the only opt-in. `--force` and `pnpm update` deliberately do not
bypass the integrity check.

🤖 Written by an agent (Claude Code, claude-opus-4-7).
2026-05-27 14:25:11 +02:00
Zoltan Kochan
4a04433833 fix(npm-resolver): minimumReleaseAge handling for cached abbreviated metadata (#11630)
Backport of #11622 to release/10. The npm registry returns abbreviated
package metadata (without per-version `time`) by default, which made the
maturity check throw ERR_PNPM_MISSING_TIME whenever cached abbreviated
metadata was reused under `publishedBy`/`minimumReleaseAge`. pnpm now
upgrades cached abbreviated metadata to the full document via a follow-up
fetch, persists the upgrade to the on-disk cache so subsequent installs
skip the extra fetch, and lets ERR_PNPM_MISSING_TIME from the cache fast
path fall through to the network fetch even under strict mode.

Adapted to release/10's simpler pickPackage shape (no 304/etag plumbing,
no `pickMatchingVersionFast`/`pickMatchingVersionFinal` split, no
`ignoreMissingTimeField`), so the unconditional helper triggers the
upgrade whenever the cached meta lacks `time`.
2026-05-14 16:04:35 +02:00
Zoltan Kochan
ff3304fcb3 chore(release): 10.33.4 2026-05-06 15:00:18 +02:00
Zoltan Kochan
edbe2a7c9b fix: pin integrity of git-hosted tarballs in lockfile (#11491)
Cherry-pick of #11481 from main, adapted to the v10 layout.

For git-hosted tarballs (codeload.github.com / gitlab.com / bitbucket.org)
the fetcher dropped the integrity it computed while downloading, so the
lockfile only stored the URL. A compromised git host or man-in-the-middle
could serve a substituted tarball on subsequent installs and pnpm would
install it without lockfile changes.

This pins the SHA-512 SRI of the raw tarball in the lockfile in the same
sha512-<base64> form npm-registry tarballs use; subsequent installs verify
the download against that integrity in the worker.

A new optional gitHosted: boolean field is recorded on TarballResolution
so every store-key consumer can route by a single typed read instead of
re-deriving the routing from the URL. Lockfiles written by older pnpm
versions are enriched on load (URL fallback) so the field can be relied
on uniformly.

🤖 Cherry-picked by Claude (claude-opus-4-7) on behalf of @zkochan
2026-05-06 14:28:42 +02:00
Zoltan Kochan
be07631710 chore(release): 10.33.0 2026-03-24 17:15:56 +01:00
Zoltan Kochan
8f33744697 fix: clearCache function in @pnpm/npm-resolver (#11050)
Cherry-picked from main (6557dc09f9).
Adapted for v10: use pMemoize.clear() (p-memoize v4 API) instead of
pMemoizeClear, and fix test imports for v10 package names.
2026-03-24 16:01:48 +01:00
Zoltan Kochan
523f8165f9 fix: propagate error cause when throwing PnpmError in @pnpm/npm-resolver (#10990)
Cherry-picked from main (831f574330).
2026-03-24 15:54:07 +01:00
Zoltan Kochan
9ab69a54d3 fix: clearCache function in @pnpm/npm-resolver (#11050)
Cherry-picked from main (6557dc09f9).
2026-03-24 15:53:45 +01:00
Zoltan Kochan
eaae772717 chore(release): 10.32.1 2026-03-11 02:25:40 +01:00
Zoltan Kochan
229c244e64 chore(release): 10.31.0 2026-03-08 00:30:23 +01:00
Zoltan Kochan
26cb5eac20 fix: adapt cherry-picked commits to v10 codebase
- Use Object.keys() instead of Map.keys() for Record<string, string> filenames
- Use tempy.directory() instead of temporaryDirectory() (v10 CJS style)
- Remove storeDir from ClientOptions (not in v10 API)
- Add missing WorkspaceState imports and mocks in test
- Fix lint: use commas in type literals, fix require import style
- Fix spellcheck in changeset

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 23:02:51 +01:00
roysandrew
1e28c9188a fix(npm-resolver): respect version constraints when falling back to workspace packages (#10704)
* fix(npm-resolver): respect version constraints when falling back to workspace packages

When link-workspace-packages=true, the fallback resolution paths (registry 404
and no matching registry version) pass update: Boolean(opts.update) to
tryResolveFromWorkspacePackages. On fresh installs without a lockfile entry,
opts.update is 'compatible' (truthy), which overrides the version spec to '*'
and matches any workspace package regardless of version.

Change both fallback call sites to pass update: false so version constraints
are always respected for non-workspace-protocol dependencies. The workspace:
protocol path returns before these blocks and correctly continues to use
opts.update.

Close #10173

* test: clarify npm-resolver test names for workspace version mismatch scenarios

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-03-07 23:02:51 +01:00
Brandon Cheng
d15ac84b9a fix: remove misleading maxAge argument to pMemoize (#10620) 2026-03-07 23:02:51 +01:00
Zoltan Kochan
2a56acc1b2 chore(release): 10.30.2 2026-02-24 00:36:58 +01:00
Zoltan Kochan
958ab703d1 chore(release): libs 2026-02-17 16:44:04 +01:00
Zoltan Kochan
ea870c786f chore(release): 10.29.2 2026-02-09 02:22:45 +01:00
Zoltan Kochan
11202fc1ed chore(release): 10.29.0 2026-02-07 17:51:43 +01:00
Shunta Takemoto
ed87c99359 feat: treat bare workspace: protocol as workspace:* (#10436)
* feat: treat bare `workspace:` protocol as `workspace:*`

* chore: add chageset

* test(exportable-manifest): add test for `workspace` with explicit versions

* test: add tests and update changesets

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-02-06 20:00:43 +01:00
Zoltan Kochan
89a2c4ec38 chore(release): 10.28.2 2026-01-26 15:17:27 +01:00
3w36zj6
a484cea3f2 fix(npm-resolver): request full metadata for optional dependencies (#10455)
close #9950

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-01-26 01:28:47 +01:00
Zoltan Kochan
0b5a56aaec chore(release): 10.28.1 2026-01-19 12:12:58 +01:00
Zoltan Kochan
3ccb34bb10 test: fix 2026-01-16 22:32:20 +01:00
Zoltan Kochan
f296d92035 fix: compile 2026-01-16 20:26:36 +01:00
Zoltan Kochan
93412308e2 feat: improve git URL detection to recognize plain HTTP/HTTPS URLs
Improve git URL detection to recognize plain HTTP/HTTPS URLs
ending in `.git` and prioritize git resolver over tarball resolver.

close #10468
2026-01-16 20:18:53 +01:00
Vedant Madane
1df570b468 feat: show available workspace versions on mismatch (#10466) 2026-01-16 20:17:02 +01:00
btea
6e4b09415f fix: make catalog protocol matching error messages clearer (#10052)
* fix: verify in advance whether the specifier that the catalog pkg is valid

* fix: update error message

* test: update

* Update resolving/default-resolver/src/index.ts

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>

---------

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>
2026-01-16 01:53:08 +01:00
Sam Chung
80a608008a revert: "fix: try not to make network requests with prefer offline" (#10423)
* Revert "fix: try not to make network requests with prefer offline (#10334)"

This reverts commit 1bc6b5ac2c.

* Add changeset

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-01-12 13:41:32 +01:00
Zoltan Kochan
91a241e692 chore(release): 10.28.0 2026-01-09 23:47:40 +01:00
Zoltan Kochan
6bdba72ad3 chore(release): 10.27.0 2025-12-30 21:49:41 +01:00
btea
3f2c5f4d39 feat: add trustPolicyIgnoreAfter (#10359)
* feat: add `trustPolicyIgnoreAfter`

* Update .changeset/big-lies-pump.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

* refactor: npm-resolver

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-28 02:03:56 +01:00
Zoltan Kochan
8ec7939657 chore(release): 10.26.2 2025-12-23 14:34:19 +01:00
Zoltan Kochan
644c97a1de test: fix 2025-12-23 13:39:35 +01:00
Zoltan Kochan
f9d53286e5 fix: compile 2025-12-23 12:45:14 +01:00
Zoltan Kochan
cdd1fcd1fc fix(git-resolver): installing git-hosted dependency using annotated tags (#10349)
close #10335
2025-12-23 12:31:19 +01:00
月正海角
71624c9384 feat: improve error message for versions not meeting minimumReleaseAge (#10350)
close #10307
2025-12-23 12:31:08 +01:00
Sam Chung
080857a3b9 fix: try not to make network requests with prefer offline (#10334) 2025-12-23 12:29:41 +01:00
Zoltan Kochan
4986c46b48 chore(release): 10.26.1 2025-12-19 01:48:40 +01:00
klassiker
aba18acafd fix(git-fetcher): ensure the specified commit is used after checkout (#10310)
* fix(git-fetcher): ensure the specified commit is used after checkout

* fix(git-resolver): always resolve to a full commit

* chore: add changeset heavy-dragons-start

* test: fix related test case

* test: fix some other test that gets stuck

* Update heavy-dragons-start.md with PR reference

Add reference to pull request #10310 for clarity.
2025-12-17 12:16:31 +01:00
Zoltan Kochan
244e33b4e9 chore(release): 10.26.0 2025-12-15 12:10:26 +01:00
Zoltan Kochan
c601d5d9ee test: fix 2025-12-12 00:40:09 +01:00
VR
948c717f9a fix: npm compat on installing redirecting tarballs (#10197)
close #9802

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-11 12:02:09 +01:00
Minijus L
cfec937abd fix: normalize tarball URLs by removing default HTTP/HTTPS ports (#10273)
* fix: normalize tarball URLs by removing default HTTP/HTTPS ports

closes #6725

* feat: refactor, add test and changeset

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-11 12:02:02 +01:00
Zoltan Kochan
b0cd2dea48 chore(release): 10.25.0 2025-12-08 15:33:42 +01:00
Zoltan Kochan
8e05103cda fix: don't fail with ERR_PNPM_MISSING_TIME on packages that are excluded from trust checks (#10292)
* fix: don't fail with ERR_PNPM_MISSING_TIME on packages that are excluded from trust checks

close #10259

* test: add coverage for excluded packages missing time field (#10293)

* Initial plan

* test: add coverage for excluded packages missing time field

Co-authored-by: zkochan <1927579+zkochan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: zkochan <1927579+zkochan@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: zkochan <1927579+zkochan@users.noreply.github.com>
2025-12-08 15:27:16 +01:00