mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-27 17:35:30 -04:00
Lockfile verification fetches registry metadata to bind each entry's tarball URL (and to apply the minimumReleaseAge / trust-downgrade policies). On a fetch failure the abbreviated-metadata fetch collapsed every failure mode — 403, 401, network error, 5xx — into the same "missing" value as a version genuinely absent from the metadata, so a transport failure was reported as a tampering-style ERR_PNPM_TARBALL_URL_MISMATCH. Rather than mint a dedicated violation code/message for the transport case, the verifier now propagates the registry's own fetch error and the install aborts with it:

- runTarballUrlCheck / runAgeCheck / runTrustCheck rethrow the underlying fetch error rather than folding it into a policy violation. The abbreviated-metadata age shortcut still swallows the error and falls back to per-version lookups.
- The verification gate captures a thrown error per entry and rethrows the first after the fan-out settles, so concurrent siblings hitting the same dead registry do not raise unhandled rejections. A transport failure takes precedence over collected policy violations: the run never finished, so the batch is incomplete and the actionable failure is the transport error; a re-run surfaces any remaining violations once the registry is reachable.
- Credential leak fixed at the source: `@pnpm/error`'s redactUrlCredentials strips user:pass@ userinfo from a URL in FetchError messages, and the npm resolver redacts the message, stack, and cause of META_FETCH_FAIL. It is a single forward scan, not a regex (the input is uncontrolled, so a backtracking pattern is a ReDoS vector), and it strips up to the last @ in the authority so a raw @ inside the password cannot leak its tail.
pacquet parity: ResolutionVerification::FetchFailed is added (the runner aborts with it rather than collecting it as a violation); the gate aborts via VerifyError::RegistryMetaFetchFailed (ERR_PNPM_META_FETCH_FAIL), collect_resolution_policy_violations returns a Result, and the pnpr server maps the abort to a 502. The surfaced fetch error is credential-redacted. The TARBALL_URL_FETCH_FAILED code, its VerifyError variant and hint, and the pnpr-client interning are removed. Note: pacquet surfaces its existing fetch error under ERR_PNPM_META_FETCH_FAIL rather than pnpm's literal ERR_PNPM_FETCH_403 — pacquet's fetch errors do not use the per-status code scheme today, so aligning that globally is a separate effort. The behavior matches: abort with the registry's error, never a tampering label, no credential leak. Fixes pnpm/pnpm#12489.
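The regex-free, single-forward-scan userinfo redaction the message describes, written out as an added example (this is not pnpm's `@pnpm/error` code; the function names and the whitespace-token scan used to apply it to a whole error message are assumptions). It bounds the search to the URL authority, so an `@` in a scoped-package path or a query string is left alone, and it cuts at the last `@` in the authority so a raw `@` inside a password cannot leak its tail.

```typescript
// Added example, not pnpm's implementation. No regex is used anywhere:
// the input is an uncontrolled error message, and a backtracking pattern
// would be a ReDoS vector.

const SCHEME_SEP = "://";

// Strip `user:pass@` from a single URL token; returns the input unchanged
// when there is no scheme or no userinfo in the authority.
function redactUrlCredentials(url: string): string {
  const schemeEnd = url.indexOf(SCHEME_SEP);
  if (schemeEnd === -1) return url;
  const authorityStart = schemeEnd + SCHEME_SEP.length;

  // The authority ends at the first '/', '?' or '#' after the scheme,
  // or at the end of the string. Anything past it (e.g. "/@scope/pkg",
  // "?u=a@b") is never inspected for '@'.
  let authorityEnd = url.length;
  for (let i = authorityStart; i < url.length; i++) {
    const c = url.charAt(i);
    if (c === "/" || c === "?" || c === "#") { authorityEnd = i; break; }
  }

  // Single forward scan for the LAST '@' inside the authority: a raw '@'
  // in the password must not cause part of it to survive after the cut.
  let lastAt = -1;
  for (let i = authorityStart; i < authorityEnd; i++) {
    if (url.charAt(i) === "@") lastAt = i;
  }
  if (lastAt === -1) return url;
  return url.slice(0, authorityStart) + url.slice(lastAt + 1);
}

// Apply the redaction to every whitespace-delimited token of a message,
// so a FetchError message, stack line or cause text can be cleaned as-is.
function redactMessage(message: string): string {
  let out = "";
  let token = "";
  for (const c of message) {
    if (c === " " || c === "\n" || c === "\t") {
      out += redactUrlCredentials(token) + c;
      token = "";
    } else {
      token += c;
    }
  }
  return out + redactUrlCredentials(token);
}
```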