Files
pnpm/pnpr
Zoltan Kochan f742b0429e fix(pnpr): preserve non-canonical upstream tarball filenames (#12593)
The proxied-tarball integrity fix (pnpm/pnpm#12570, GHSA-5f9g-98vq-2jxw)
started reconstructing each rewritten dist.tarball filename from its
version key (`<name>-<version>.tgz`). That assumes upstream tarball names
are always canonical, which breaks packages like esprima-fb whose real
npm tarball is `esprima-fb-3001.0001.0000-dev-harmony-fb.tgz` for version
`3001.1.0-dev-harmony-fb`: the rewritten URL no longer matched what npm
hosts, so the client recorded the wrong lockfile URL and the proxied
fetch 404'd.

Preserve the upstream basename verbatim in the rewrite again, and resolve
a tarball request's version and dist.integrity by matching the requested
filename against each version's dist.tarball basename instead of parsing
the version out of the filename. OSV screening re-runs against the
resolved version when it differs from the filename-derived one.

The GHSA protection is unchanged: served bytes are still verified against
the SRI declared by the version that owns that tarball name, so a
preserved name cannot smuggle in bytes of another provenance. Tests that
encoded the canonical-reconstruction behavior are updated to assert
basename preservation, with new coverage for non-canonical names.

Also fix a pre-existing compile break in the pnpr server test target:
UserStore::in_memory gained a MaxUsers argument (pnpm/pnpm#12581) but one
test call site was not updated.
2026-06-22 23:15:55 +02:00
..