mirror of
https://github.com/pnpm/pnpm.git
synced 2026-07-17 11:12:25 -04:00
The proxied-tarball integrity fix (pnpm/pnpm#12570, GHSA-5f9g-98vq-2jxw) started reconstructing each rewritten dist.tarball filename from its version key (`<name>-<version>.tgz`). That assumes upstream tarball names are always canonical, which breaks packages like esprima-fb whose real npm tarball is `esprima-fb-3001.0001.0000-dev-harmony-fb.tgz` for version `3001.1.0-dev-harmony-fb`: the rewritten URL no longer matched what npm hosts, so the client recorded the wrong lockfile URL and the proxied fetch 404'd. Preserve the upstream basename verbatim in the rewrite again, and resolve a tarball request's version and dist.integrity by matching the requested filename against each version's dist.tarball basename instead of parsing the version out of the filename. OSV screening re-runs against the resolved version when it differs from the filename-derived one. The GHSA protection is unchanged: served bytes are still verified against the SRI declared by the version that owns that tarball name, so a preserved name cannot smuggle in bytes of another provenance. Tests that encoded the canonical-reconstruction behavior are updated to assert basename preservation, with new coverage for non-canonical names. Also fix a pre-existing compile break in the pnpr server test target: UserStore::in_memory gained a MaxUsers argument (pnpm/pnpm#12581) but one test call site was not updated.