mirror of
https://github.com/pnpm/pnpm.git
synced 2026-05-29 11:11:43 -04:00
Cherry-pick of #11481 from main, adapted to the v10 layout.

For git-hosted tarballs (codeload.github.com / gitlab.com / bitbucket.org) the fetcher dropped the integrity it computed while downloading, so the lockfile only stored the URL. A compromised git host or man-in-the-middle could serve a substituted tarball on subsequent installs and pnpm would install it without lockfile changes.

This pins the SHA-512 SRI of the raw tarball in the lockfile in the same sha512-<base64> form npm-registry tarballs use; subsequent installs verify the download against that integrity in the worker. A new optional gitHosted: boolean field is recorded on TarballResolution so every store-key consumer can route by a single typed read instead of re-deriving the routing from the URL. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly.

🤖 Cherry-picked by Claude (claude-opus-4-7) on behalf of @zkochan