mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-28 09:55:39 -04:00
bf1b731ee6
## Summary Package-name `allowBuilds` entries no longer approve lifecycle scripts for artifacts whose identity a name cannot pin: git, git-hosted tarball, direct tarball, and local directory dependencies. To approve such an artifact explicitly, use its peer-suffix-free lockfile depPath as the `allowBuilds` key — error hints, `pnpm ignored-builds`, and `pnpm approve-builds` print exactly that key. - `AllowBuild` policy functions identify packages by `DepPath` instead of caller-supplied name/version. The policy parses name and version out of the depPath itself, so name-keyed rules can never be fed an identity that disagrees with the gated artifact. `AllowBuildContext` carries only an explicit `trustPackageIdentity` override, used to evaluate a previously recorded policy under its original semantics when detecting revoked approvals. - Identity trust is derived from the depPath shape: a registry-style depPath (`name@semver`) is a trusted identity. This is sound because lockfile verification runs a new unconditional, offline structural pass that rejects lockfiles where such a key is backed by a git, directory, or git-hosted tarball resolution (`ERR_PNPM_RESOLUTION_SHAPE_MISMATCH`), while the npm resolution verifier already binds explicit tarball URLs of semver-keyed entries to the registry's own `dist.tarball` unconditionally. The pass runs inside the existing candidate walk and participates in the verification cache key (`resolutionShapeCheck`) on both the gate's and the fresh-resolve record paths, so the stat-only cache fast path stays sound and records written before the rule existed are re-verified. - Installs detect approvals that were revoked (or stopped applying) for git/tarball artifacts and surface those packages as ignored builds; approvals granted for previously ignored builds trigger a rebuild of exactly those packages. - `preparePackage` always treats the fetched manifest as an untrusted identity: it requires a `pkgResolutionId` and gates on the synthesized `name@<resolution id>` depPath. scp-style git URLs are normalized to `ssh://` form in resolution ids, and the git fetcher reuses `createGitHostedPkgId` from the resolver instead of re-deriving ids. - Under the global virtual store, `pnpm rebuild` locates a projection created before the approval was granted by following the project's node_modules link, since the projection hash includes the allowBuilds verdict (relocating the projection instead is tracked in https://github.com/pnpm/pnpm/issues/12302). - New shared helpers: `removePeersSuffix()` in `@pnpm/deps.path` (string-level peer-suffix stripping for user-written keys) and `allowBuildKeyFromIgnoredBuild()` in `@pnpm/building.policy` (the key under which an ignored build is approved). - pacquet mirrors the whole policy: `AllowBuildPolicy::check(dep_path)` derives trust from the dep path, the git-fetcher allow-build closures take only the dep path, `pacquet-lockfile-verification` gains the same structural pass, error code, and cache identity, and dep-path keys normalize via `remove_suffix`. - `shell-quote` is overridden to 1.8.4 (GHSA-w7jw-789q-3m8p / CVE-2026-9277). - Test-harness fix: a module-level drain keeps the global log stream flowing in the deps-installer lifecycle tests, so reporter assertions no longer receive the buffered backlog of earlier installs that ran without a reporter.
42 lines
1.1 KiB
TypeScript
42 lines
1.1 KiB
TypeScript
import { expect, it } from '@jest/globals'
|
|
import { iterateHashedGraphNodes } from '@pnpm/deps.graph-hasher'
|
|
import type { AllowBuild, DepPath } from '@pnpm/types'
|
|
|
|
it('gates built dep paths through the allowBuild policy by depPath', () => {
|
|
const registryDepPath = 'foo@1.0.0' as DepPath
|
|
const directTarballDepPath = 'foo@https://example.com/foo.tgz' as DepPath
|
|
const checkedDepPaths: DepPath[] = []
|
|
const allowBuild: AllowBuild = (depPath) => {
|
|
checkedDepPaths.push(depPath)
|
|
return depPath === registryDepPath
|
|
}
|
|
|
|
Array.from(iterateHashedGraphNodes(
|
|
{
|
|
[registryDepPath]: {
|
|
children: {},
|
|
fullPkgId: 'foo@1.0.0:sha512-abc',
|
|
},
|
|
[directTarballDepPath]: {
|
|
children: {},
|
|
fullPkgId: 'foo@1.0.0:sha512-def',
|
|
},
|
|
},
|
|
[
|
|
{
|
|
depPath: registryDepPath,
|
|
name: 'foo',
|
|
version: '1.0.0',
|
|
},
|
|
{
|
|
depPath: directTarballDepPath,
|
|
name: 'foo',
|
|
version: '1.0.0',
|
|
},
|
|
].values(),
|
|
allowBuild
|
|
))
|
|
|
|
expect(checkedDepPaths).toStrictEqual([registryDepPath, directTarballDepPath])
|
|
})
|