mirror of https://github.com/pnpm/pnpm.git synced 2026-03-27 11:31:45 -04:00

Files

Zoltan Kochan dba4153767 refactor: rename packages and consolidate runtime resolvers (#10999 )

* refactor: rename workspace.sort-packages and workspace.pkgs-graph

- workspace.sort-packages -> workspace.projects-sorter
- workspace.pkgs-graph -> workspace.projects-graph

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: rename packages/ to core/ and pkg-manifest.read-package-json to reader

- Rename packages/ directory to core/ for clarity
- Rename pkg-manifest/read-package-json to pkg-manifest/reader (@pnpm/pkg-manifest.reader)
- Update all tsconfig, package.json, and lockfile references

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: consolidate runtime resolvers under engine/runtime domain

- Remove unused @pnpm/engine.runtime.node.fetcher package
- Rename engine/runtime/node.resolver to node-resolver (dash convention)
- Move resolving/bun-resolver to engine/runtime/bun-resolver
- Move resolving/deno-resolver to engine/runtime/deno-resolver
- Update all package names, tsconfig paths, and lockfile references

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: update lockfile after removing node.fetcher

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: sort tsconfig references and package.json deps alphabetically

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: auto-fix import sorting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: update __typings__ paths in tsconfig.lint.json for moved resolvers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove deno-resolver from deps of bun-resolver

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

2026-03-18 00:19:58 +01:00

scripts

fix: prevent path traversal vulnerabilities during ZIP extraction

2026-01-16 20:36:40 +01:00

src

refactor: rename internal packages to @pnpm/<domain>.<leaf> convention (#10997 )

2026-03-17 21:50:40 +01:00

test

style: enforce node: protocol for builtin imports (#10951 )

2026-03-13 07:59:51 +01:00

CHANGELOG.md

chore(release): 10.19.0

2025-10-21 15:30:20 +02:00

package.json

refactor: rename internal packages to @pnpm/<domain>.<leaf> convention (#10997 )

2026-03-17 21:50:40 +01:00

README.md

fix: prevent path traversal vulnerabilities during ZIP extraction

2026-01-16 20:36:40 +01:00

tsconfig.json

refactor: rename packages and consolidate runtime resolvers (#10999 )

2026-03-18 00:19:58 +01:00

tsconfig.lint.json

feat: support installing Deno runtime (#9791 )

2025-07-30 11:27:07 +02:00

README.md

@pnpm/fetching.binary-fetcher

A fetcher for binary archives

Installation

pnpm add @pnpm/fetching.binary-fetcher

Testing

Test Fixtures

The test/fixtures/ directory contains malicious ZIP files for testing path traversal protection:

File	Entry Path	Purpose
`path-traversal.zip`	`../../../.npmrc`	Tests `../` escape sequences
`absolute-path.zip`	`/etc/passwd`	Tests absolute path entries
`backslash-traversal.zip`	`..\..\..\evil.txt`	Tests Windows backslash traversal (Windows-only)

These fixtures are manually crafted because AdmZip's addFile() sanitizes paths automatically.

Note: The backslash test only runs on Windows because \ is a valid filename character on Unix.

Regenerating Fixtures

node --experimental-strip-types scripts/create-fixtures.ts

License

MIT