mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-28 01:45:30 -04:00
a84d2a1157
Add @pnpm/resolving.tarball-url, which builds and recognizes the canonical npm tarball URL of a package. It vendors getNpmTarballUrl (previously the external get-npm-tarball-url dependency) and adds isCanonicalRegistryTarballUrl. @pnpm/lockfile.utils (toLockfileResolution, pkgSnapshotToResolution) and @pnpm/installing.env-installer now import from the new package; the private copy of the canonical check in toLockfileResolution is removed, and the external get-npm-tarball-url dependency and its catalog entry are dropped. The vendored getNpmTarballUrl is byte-for-byte equivalent to get-npm-tarball-url@2.1.0, so the fetch paths that use it are unchanged. Two correctness fixes are folded in while consolidating the logic: - the scoped-package unescape now handles uppercase %2F as well as %2f (percent-encoding is case-insensitive), so canonical scoped URLs are not needlessly persisted; - protocol-insensitive comparison strips only a leading http(s):// scheme via regex instead of splitting on the first :// (which could truncate a URL containing a later :// and yield a false-positive "canonical" match). Both fixes are mirrored in the pacquet port (is_canonical_registry_tarball_url in pacquet/crates/lockfile/src/resolution.rs) so the two stacks omit the same canonical scoped registry URLs from the lockfile, with matching regression tests. --------- Co-authored-by: Zoltan Kochan <z@kochan.io>