mirror/pnpm
1
0
Fork 0
mirror of https://github.com/pnpm/pnpm.git synced 2026-06-27 09:25:24 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
main
pnpm/pnpm11/fetching/binary-fetcher/README.md
Zoltan Kochan fc2f33912e refactor: move the TypeScript pnpm CLI into a pnpm11/ directory (#12537) 
The TypeScript pnpm CLI freezes at v11; pnpm 12 will be the Rust pacquet
port. To make that split legible, all TypeScript source, test, and build
directories move under a new top-level pnpm11/ directory. The name states
the version boundary rather than implying a behavioral fork, since the two
stacks are meant to behave identically.

Scope is source-only: the shared workspace root stays at the repo root.
pnpm-workspace.yaml, package.json, pnpm-lock.yaml, .pnpmfile.cjs,
.meta-updater, __patches__, .changeset, .husky, and the lint/spell configs
remain in place, so one pnpm workspace and one Cargo workspace still span
all three products. pnpr/client and pacquet/tasks/registry-mock stay as
cross-product workspace members.

Rewiring the move required:
- pnpm-workspace.yaml globs prefixed with pnpm11/
- root package.json script paths, eslint.config.mjs, tsconfig.lint.json,
  .gitignore, and CODEOWNERS updated
- .meta-updater/src/index.ts literals repointed (pnpm11/pnpm/package.json,
  pnpm11/__utils__, pnpm11/__typings__, and the main package directory)
- regenerated every moved package's repository/homepage URL via meta-updater
- pnpm11/pnpm/bundle-deps.ts and __utils__/scripts/src/typecheck-only.ts
  climb one more level to reach the repo root

.meta-updater stays at the repo root because @pnpm/meta-updater resolves
its config at <cwd>/.meta-updater/main.mjs.

TS CI (.github/workflows/ci.yml) now only runs when pnpm11/-relevant paths
change, via a dorny/paths-filter changes job plus a TS CI / Success
aggregate gate; branch protection should require only that gate.
2026-06-20 14:36:25 +02:00

892 B
Raw Permalink Blame History

@pnpm/fetching.binary-fetcher

A fetcher for binary archives

Installation

pnpm add @pnpm/fetching.binary-fetcher

Testing

Test Fixtures

The test/fixtures/ directory contains malicious ZIP files for testing path traversal protection:

File Entry Path Purpose
path-traversal.zip ../../../.npmrc Tests ../ escape sequences
absolute-path.zip /etc/passwd Tests absolute path entries
backslash-traversal.zip ..\..\..\evil.txt Tests Windows backslash traversal (Windows-only)

These fixtures are manually crafted because AdmZip's addFile() sanitizes paths automatically.

Note: The backslash test only runs on Windows because \ is a valid filename character on Unix.

Regenerating Fixtures

node --experimental-strip-types scripts/create-fixtures.ts

License

MIT

Reference in New Issue View Git Blame Copy Permalink