Khải 4ec0049f55 fix(pacquet/git-fetcher): bundle transitive deps of bundled dependencies (#12620)
* fix(git-fetcher): bundle transitive deps of bundled dependencies

The packlist `bundleDependencies` pass only spliced in each
directly-bundled package's own files; it never followed that package's
own dependencies, so a bundled dep's transitive (and hoisted)
dependencies were dropped from the published file set.

Replace the per-dependency recursion with npm-bundled's reachability
walk: seed from the root manifest's `bundleDependencies`, then
transitively pull in every reachable package's `dependencies` and
`optionalDependencies`, resolving each via the node module-resolution
walk-up (nested `node_modules/` first, then ancestor `node_modules/`).
The walk-up is what lets a hoisted transitive dep at the root
`node_modules/` be found and spliced in under its real path. A
visited-set keyed on the canonicalised resolved directory keeps a
diamond from being processed twice and stops dependency cycles.

Ports the upstream pnpm test "bundles transitive dependencies of
bundled dependencies (hoisted)" from
releasing/commands/test/publish/pack.ts, plus nested-wins-over-hoisted
and optionalDependencies/devDependencies coverage.

Resolves https://github.com/pnpm/pnpm/issues/12602

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XXHGos5SaEKKr7pUW4FXga

* docs(git-fetcher): fix stale bundling comment and pin test citation

Address review nits on the transitive-bundling change:

- The comment in `collect_own_files` referred to a `bundleDependencies`
  pass "below", but bundling now lives in the separate
  `collect_bundled_files`; describe the current structure instead.
- Pin the ported-test citation to a commit permalink, per
  pacquet/AGENTS.md's rule that code citations link to a specific SHA.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XXHGos5SaEKKr7pUW4FXga

* fix(git-fetcher): refuse bundled deps whose real path escapes the package

A `node_modules/<name>` entry can be a symlink pointing outside the
package (a sibling directory or an absolute host path). The name still
passes `is_safe_bundle_name` because it is a single safe segment, so the
walk-up resolves it and `collect_own_files` walks the symlink target —
splicing host files into the published set. The git/directory fetchers
import untrusted packages, making this an information-disclosure path.

Check each resolved dependency's canonical (symlink-resolved) path
against the canonical package root and refuse anything that escapes,
falling back to a lexical comparison when canonicalization is
unavailable. Reuses the canonicalize call already used for cycle dedup.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XXHGos5SaEKKr7pUW4FXga

* fix(git-fetcher): fail closed when a bundled dep's real path is unverifiable

The symlink-escape guard fell back to a lexical path check whenever
`fs::canonicalize` returned `None` for the dependency. A symlink under
`node_modules/` is lexically inside the package even when its target
escapes, so that fallback was fail-open. When the root canonicalizes but
the dependency does not, refuse the dependency instead: a genuine
dependency always canonicalizes here, since `resolve_bundled_dependency`
already stat'd its `package.json` through the same path. The lexical
fallback now applies only when the root itself cannot be canonicalized.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XXHGos5SaEKKr7pUW4FXga

* fix(git-fetcher): correct the upstream test citation to a real commit

The previous citation pinned SHA cab1c11c69, which does not exist — it
was taken from the issue body without verification. Point instead at the
in-repo copy of the test at pnpm11/releasing/commands/test/publish/pack.ts,
pinned to a commit that actually contains it.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01XXHGos5SaEKKr7pUW4FXga

---------

Co-authored-by: Claude <noreply@anthropic.com>
2026-06-24 11:38:38 +00:00
2026-06-19 23:33:39 +02:00
2026-06-19 23:33:39 +02:00
2026-01-16 16:31:31 +01:00
2024-03-21 01:09:22 +01:00

简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro

pnpm

Fast, disk space efficient package manager:

  • Fast. Up to 2x faster than the alternatives (see benchmark).
  • Efficient. Files inside node_modules are linked from a single content-addressable storage.
  • Great for monorepos.
  • Strict. A package can access only dependencies that are specified in its package.json.
  • Deterministic. Has a lockfile called pnpm-lock.yaml.
  • Works as a Node.js version manager. See pnpm runtime.
  • Works everywhere. Supports Windows, Linux, and macOS.
  • Battle-tested. Used in production by teams of all sizes since 2016.
  • Experimental Rust port. Includes pacquet, an experimental port of the CLI written in Rust.
  • See the full feature comparison with npm and Yarn.

To quote the Rush team:

Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and weve found it to be very fast and reliable.

npm version OpenCollective OpenCollective X Follow Stand With Ukraine

Platinum Sponsors

Bit OpenAI

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

Silver Sponsors

Replit Cybozu BairesDev
Thesys devowl.io u|screen
Leniolabs_ Depot Cerbos
⏱️ Time.now

Support this project by becoming a sponsor.

Background

pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:

  1. If you depend on different versions of lodash, only the files that differ are added to the store. If lodash has 100 files, and a new version has a change only in one of those files, pnpm update will only add 1 new file to the storage.
  2. All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).

As a result, you save gigabytes of space on your disk and you have a lot faster installations! If you'd like more details about the unique node_modules structure that pnpm creates and why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.

💖 Like this project? Let people know with a tweet

Getting Started

Benchmark

pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.

Benchmarks on an app with lots of dependencies:

License

MIT, except the pnpr/ directory, which is source-available under the PolyForm Shield License 1.0.0.

Description
No description provided
Readme MIT 283 MiB
Languages
Rust 59.8%
TypeScript 39.6%
JavaScript 0.5%