mirror/pnpm - pnpm - Gitea: Git with a cup of tea

mirror/pnpm

Fork 0

mirror of https://github.com/pnpm/pnpm.git synced 2026-06-28 09:55:39 -04:00

Commit Graph

Author	SHA1	Message	Date
Zoltan Kochan	60fd20536d	fix: pin integrity of git-hosted tarballs in lockfile (#11481 ) For git-hosted tarballs (`codeload.github.com` / `gitlab.com` / `bitbucket.org`) the fetcher dropped the integrity it computed while downloading, so the lockfile only ever stored the URL. A compromised git host or man-in-the-middle could serve a substituted tarball on subsequent installs and pnpm would install it — the lockfile had no hash to compare against. This pins the SHA-512 SRI of the raw tarball in the lockfile, in the same `sha512-<base64>` form npm-registry tarballs use. The only difference is the source: for npm we pass through `dist.integrity`, for git we compute it locally from the downloaded buffer. Subsequent installs validate the download against that integrity in the worker (`addTarballToStore` → `parseIntegrity` → hash compare), so a tampered tarball fails with `TarballIntegrityError`. ## Why git-hosted stays on `gitHostedStoreIndexKey` The lockfile pins integrity for security, but the store key for git-hosted resolutions stays on `gitHostedStoreIndexKey(pkgId, { built })` rather than collapsing under the integrity-based key. Reason: git-hosted tarballs are post-processed (`preparePackage` / `packlist`), so the cached file set depends on whether build scripts ran during fetch. The integrity-only key would fold the built and not-built variants into a single slot, letting one overwrite the other and serving the wrong content if `ignoreScripts` was toggled between runs. Keeping git-hosted on the existing key shape preserves that dimension; the integrity is still validated on every fresh download. ## How the routing stays clean The naive way to express "use gitHostedStoreIndexKey for git-hosted, integrity key for npm" is to call `isGitHostedPkgUrl(resolution.tarball)` everywhere a store key is computed — fragile, scattered, and easy to forget when adding new readers (Copilot caught two of those during review). Instead, a typed annotation: `TarballResolution` gets an optional `gitHosted: boolean` field. The git resolver sets it; the lockfile loader (`convertToLockfileObject`) backfills it for entries written by older pnpm versions; `toLockfileResolution` carries it through on serialize. Every consumer reads `resolution.gitHosted` directly. URL detection lives in exactly two places — the resolver and the loader — instead of seven. ## Changes ### Security fix - `fetching/tarball-fetcher/src/gitHostedTarballFetcher.ts` — return the `integrity` that the inner remote-tarball fetch already computed (was being silently dropped by the destructure). ### Lockfile schema (additive) - `@pnpm/lockfile.types` and `@pnpm/resolving.resolver-base` — `TarballResolution` gains optional `gitHosted: boolean`. - `@pnpm/resolving.git-resolver` — sets `gitHosted: true` on every git-hosted tarball it produces. - `@pnpm/lockfile.fs` (`convertToLockfileObject`) — backfills the field on load for older lockfiles via inlined URL detection. - `@pnpm/lockfile.utils` (`toLockfileResolution`, `pkgSnapshotToResolution`) — preserve / read the field. ### Store-key consumers (now one-line typed reads, dropped the URL-sniffing dep) - `installing/package-requester` (`getFilesIndexFilePath`) - `store/pkg-finder` (`readPackageFileMap`) - `modules-mounter/daemon` (`createFuseHandlers`) - `building/after-install` (side-effects-cache lookup + write) - `store/commands/storeStatus` - `installing/deps-installer` (agent-mode store-controller wrapper) ### Fetcher routing - `fetching/pick-fetcher` — `pickFetcher` prefers `resolution.gitHosted`; URL fallback retained for ad-hoc resolutions. ### Tests - New integrity-validation test in `tarball-fetcher` (mismatched `integrity` on the resolution must throw `TarballIntegrityError`). - New git-hosted lookup test in `pkg-finder` asserting routing through `gitHostedStoreIndexKey` even when integrity is present. - New `toLockfileResolution` test asserting `gitHosted: true` flows through serialization. - `fromRepo.ts` lockfile snapshot updated for the now-pinned integrity + `gitHosted: true`. - `git-resolver` tests updated to assert `gitHosted: true` in produced resolutions.	2026-05-06 13:22:25 +02:00
Zoltan Kochan	187049055f	chore: upgrade @typescript/native-preview to 7.0.0-dev.20260421.2 (#11332 ) * chore: upgrade @typescript/native-preview to 7.0.0-dev.20260421.2 - Add explicit `types: ["node"]` to the shared tsconfig because tsgo 20260421 no longer auto-acquires `@types/` from `node_modules`. - Refactor test files to explicitly import jest globals (`describe`, `it`, `test`, `expect`, `beforeEach`, etc.) from `@jest/globals` instead of relying on `@types/jest` ambient declarations. Under the new tsgo build, `import { jest } from '@jest/globals'` shadows the ambient `jest` namespace, breaking `@types/jest`'s `declare var describe: jest.Describe;` globals. - Add `@jest/globals` to each package's devDependencies where tests now import from it, and add `@types/node` to packages that need it but were relying on hoisted resolution. - Replace `fail()` calls with `throw new Error(...)` since `fail` is no longer globally available. chore: fix remaining tsgo type-strictness errors - Strip `as <PnpmType>` casts on objects passed to toMatchObject / toStrictEqual / toEqual; @jest/globals rejects the typed objects (which include AsymmetricMatchers) vs. the repo-specific type. - Type `jest.fn<...>()` explicitly where the mock's signature matters for toHaveBeenCalledWith. - Replace `beforeEach(() => X)` with `beforeEach(() => { X })` so the return value is void, as the stricter jest typing requires. - Use `expect.objectContaining({...})` in one place where the full expected object triggered stricter type resolution. - Cast `prompt.mock.calls` arg through `as unknown as Record<...>[]` for patch.test.ts's nested-array matchers. - Fix off-by-one `<reference path>` in pnpm/test/getConfig.test.ts that only surfaced now. - Move `@jest/globals` from devDependencies to dependencies in the two `__utils__` packages that import it from `src/`. - Clean up unused imports from the @jest/globals migration. * chore: address Copilot review on #11332 - Move misplaced `@jest/globals` imports to the top import block in checkEngine, run.ts, and workspace/root-finder tests where the script dropped them below executable code. - Replace `try { await x(); throw new Error('should have thrown') } catch` in bins/linker, lockfile/fs, and resolving/local-resolver tests with `await expect(x()).rejects.toMatchObject({...})`. The old pattern swallowed an unrelated `throw` if the under-test call silently succeeded, which would fail on the catch-block assertion with a misleading message.	2026-04-21 22:50:40 +02:00
Allan Kimmer Jensen	bcc88a1239	fix(sbom): resolve licenses for git-sourced dependencies (#11310 ) * fix(sbom): resolve licenses for git-sourced dependencies `readPackageFileMap` did not handle `type: 'git'` resolutions, causing `pnpm sbom` to emit NOASSERTION and `pnpm licenses` to throw for any dependency installed from a git URL. Closes #11260 * fix: add missing store.cafs devDep, test tsconfigs, and size field - Add @pnpm/store.cafs devDependency and tsconfig reference to license-scanner so CI typecheck resolves the PackageFilesIndex import - Add test/tsconfig.json to pkg-finder so CI typechecks the new tests - Add required `size` field to PackageFileInfo test fixtures * fix: replace spellcheck-failing test strings * fix: use spellcheck-safe integrity string in test * style: fix import sort in pkg-finder test * fix(sbom): use packageIdFromSnapshot to match store index keys The SBOM used `snapshot.id ?? depPath` as the package ID, which includes the package name prefix (e.g. `left-pad@git+https://...`). The store index stores git packages under just the git URL without the name prefix. Use `packageIdFromSnapshot` which strips the prefix, matching how the licenses command already does it. Also fixes test store keys to match the real installer layout so the mismatch would have been caught by tests. * refactor: move git resolution check after tarball check Tarball resolutions are more common than type: 'git', so check them first. Per review feedback from @zkochan.	2026-04-20 14:29:35 +02:00

Author

SHA1

Message

Date

Zoltan Kochan

60fd20536d

fix: pin integrity of git-hosted tarballs in lockfile (#11481 )

For git-hosted tarballs (`codeload.github.com` / `gitlab.com` / `bitbucket.org`) the fetcher dropped the integrity it computed while downloading, so the lockfile only ever stored the URL. A compromised git host or man-in-the-middle could serve a substituted tarball on subsequent installs and pnpm would install it — the lockfile had no hash to compare against.

This pins the SHA-512 SRI of the raw tarball in the lockfile, in the same `sha512-<base64>` form npm-registry tarballs use. The only difference is the source: for npm we pass through `dist.integrity`, for git we compute it locally from the downloaded buffer. Subsequent installs validate the download against that integrity in the worker (`addTarballToStore` → `parseIntegrity` → hash compare), so a tampered tarball fails with `TarballIntegrityError`.

## Why git-hosted stays on `gitHostedStoreIndexKey`

The lockfile pins integrity for security, but the *store key* for git-hosted resolutions stays on `gitHostedStoreIndexKey(pkgId, { built })` rather than collapsing under the integrity-based key. Reason: git-hosted tarballs are post-processed (`preparePackage` / `packlist`), so the cached file set depends on whether build scripts ran during fetch. The integrity-only key would fold the built and not-built variants into a single slot, letting one overwrite the other and serving the wrong content if `ignoreScripts` was toggled between runs. Keeping git-hosted on the existing key shape preserves that dimension; the integrity is still validated on every fresh download.

## How the routing stays clean

The naive way to express "use gitHostedStoreIndexKey for git-hosted, integrity key for npm" is to call `isGitHostedPkgUrl(resolution.tarball)` everywhere a store key is computed — fragile, scattered, and easy to forget when adding new readers (Copilot caught two of those during review). Instead, a typed annotation: `TarballResolution` gets an optional `gitHosted: boolean` field. The git resolver sets it; the lockfile loader (`convertToLockfileObject`) backfills it for entries written by older pnpm versions; `toLockfileResolution` carries it through on serialize. Every consumer reads `resolution.gitHosted` directly. URL detection lives in exactly two places — the resolver and the loader — instead of seven.

## Changes

### Security fix
- `fetching/tarball-fetcher/src/gitHostedTarballFetcher.ts` — return the `integrity` that the inner remote-tarball fetch already computed (was being silently dropped by the destructure).

### Lockfile schema (additive)
- `@pnpm/lockfile.types` and `@pnpm/resolving.resolver-base` — `TarballResolution` gains optional `gitHosted: boolean`.
- `@pnpm/resolving.git-resolver` — sets `gitHosted: true` on every git-hosted tarball it produces.
- `@pnpm/lockfile.fs` (`convertToLockfileObject`) — backfills the field on load for older lockfiles via inlined URL detection.
- `@pnpm/lockfile.utils` (`toLockfileResolution`, `pkgSnapshotToResolution`) — preserve / read the field.

### Store-key consumers (now one-line typed reads, dropped the URL-sniffing dep)
- `installing/package-requester` (`getFilesIndexFilePath`)
- `store/pkg-finder` (`readPackageFileMap`)
- `modules-mounter/daemon` (`createFuseHandlers`)
- `building/after-install` (side-effects-cache lookup + write)
- `store/commands/storeStatus`
- `installing/deps-installer` (agent-mode store-controller wrapper)

### Fetcher routing
- `fetching/pick-fetcher` — `pickFetcher` prefers `resolution.gitHosted`; URL fallback retained for ad-hoc resolutions.

### Tests
- New integrity-validation test in `tarball-fetcher` (mismatched `integrity` on the resolution must throw `TarballIntegrityError`).
- New git-hosted lookup test in `pkg-finder` asserting routing through `gitHostedStoreIndexKey` even when integrity is present.
- New `toLockfileResolution` test asserting `gitHosted: true` flows through serialization.
- `fromRepo.ts` lockfile snapshot updated for the now-pinned integrity + `gitHosted: true`.
- `git-resolver` tests updated to assert `gitHosted: true` in produced resolutions.

2026-05-06 13:22:25 +02:00

Zoltan Kochan

187049055f

chore: upgrade @typescript/native-preview to 7.0.0-dev.20260421.2 (#11332 )

* chore: upgrade @typescript/native-preview to 7.0.0-dev.20260421.2

- Add explicit `types: ["node"]` to the shared tsconfig because tsgo
  20260421 no longer auto-acquires `@types/*` from `node_modules`.
- Refactor test files to explicitly import jest globals (`describe`,
  `it`, `test`, `expect`, `beforeEach`, etc.) from `@jest/globals`
  instead of relying on `@types/jest` ambient declarations. Under the
  new tsgo build, `import { jest } from '@jest/globals'` shadows the
  ambient `jest` namespace, breaking `@types/jest`'s `declare var
  describe: jest.Describe;` globals.
- Add `@jest/globals` to each package's devDependencies where tests
  now import from it, and add `@types/node` to packages that need it
  but were relying on hoisted resolution.
- Replace `fail()` calls with `throw new Error(...)` since `fail` is
  no longer globally available.

* chore: fix remaining tsgo type-strictness errors

- Strip `as <PnpmType>` casts on objects passed to toMatchObject /
  toStrictEqual / toEqual; @jest/globals rejects the typed objects
  (which include AsymmetricMatchers) vs. the repo-specific type.
- Type `jest.fn<...>()` explicitly where the mock's signature matters
  for toHaveBeenCalledWith.
- Replace `beforeEach(() => X)` with `beforeEach(() => { X })` so the
  return value is void, as the stricter jest typing requires.
- Use `expect.objectContaining({...})` in one place where the full
  expected object triggered stricter type resolution.
- Cast `prompt.mock.calls` arg through `as unknown as Record<...>[]`
  for patch.test.ts's nested-array matchers.
- Fix off-by-one `<reference path>` in pnpm/test/getConfig.test.ts
  that only surfaced now.
- Move `@jest/globals` from devDependencies to dependencies in the
  two `__utils__` packages that import it from `src/`.
- Clean up unused imports from the @jest/globals migration.

* chore: address Copilot review on #11332

- Move misplaced `@jest/globals` imports to the top import block in
  checkEngine, run.ts, and workspace/root-finder tests where the
  script dropped them below executable code.
- Replace `try { await x(); throw new Error('should have thrown') } catch`
  in bins/linker, lockfile/fs, and resolving/local-resolver tests with
  `await expect(x()).rejects.toMatchObject({...})`. The old pattern
  swallowed an unrelated `throw` if the under-test call silently
  succeeded, which would fail on the catch-block assertion with a
  misleading message.

2026-04-21 22:50:40 +02:00

Allan Kimmer Jensen

bcc88a1239

fix(sbom): resolve licenses for git-sourced dependencies (#11310 )

* fix(sbom): resolve licenses for git-sourced dependencies

`readPackageFileMap` did not handle `type: 'git'` resolutions, causing
`pnpm sbom` to emit NOASSERTION and `pnpm licenses` to throw for any
dependency installed from a git URL.

Closes #11260

* fix: add missing store.cafs devDep, test tsconfigs, and size field

- Add @pnpm/store.cafs devDependency and tsconfig reference to
  license-scanner so CI typecheck resolves the PackageFilesIndex import
- Add test/tsconfig.json to pkg-finder so CI typechecks the new tests
- Add required `size` field to PackageFileInfo test fixtures

* fix: replace spellcheck-failing test strings

* fix: use spellcheck-safe integrity string in test

* style: fix import sort in pkg-finder test

* fix(sbom): use packageIdFromSnapshot to match store index keys

The SBOM used `snapshot.id ?? depPath` as the package ID, which
includes the package name prefix (e.g. `left-pad@git+https://...`).
The store index stores git packages under just the git URL without
the name prefix. Use `packageIdFromSnapshot` which strips the prefix,
matching how the licenses command already does it.

Also fixes test store keys to match the real installer layout so the
mismatch would have been caught by tests.

* refactor: move git resolution check after tarball check

Tarball resolutions are more common than type: 'git', so check them
first. Per review feedback from @zkochan.

2026-04-20 14:29:35 +02:00

3 Commits