mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-28 09:55:39 -04:00
6aa5b70595
Let a `proxy:` rule name an ordered list of uplinks (`proxy: npmjs private`, or the YAML sequence form) and walk it as a fallback chain, matching verdaccio's serial first-success semantics: try uplinks in declared order, stop at the first that answers, and fall through to the next on a 404 or an availability failure. A later private uplink can host a package the primary 404s. - config: PackageAccess.proxy becomes an ordered AccessSpec list; Config::resolve_uplinks returns the chain (skipping unknown names); resolve_uplink stays as a primary-only convenience. - packument: walk the chain, sending each uplink only its own cached validators. The cache holds one shared body, so its validators are scoped to that body's origin uplink (the validator map is replaced, not merged, on every write) — a conditional GET only ever reaches the origin, so a 304 can only confirm the bytes actually on disk and can't revalidate another origin's body. The freshness window (maxage) comes from the primary uplink only. - tarball: try each uplink in order; integrity binds the streamed bytes, so the serving uplink decides whether they are mirrored (caches()) while the cache read is gated on whether any uplink caches. - fallthrough is restricted to availability failures (RegistryError::allows_uplink_fallthrough): transport errors, an open circuit, and upstream 5xx. Any authoritative 4xx (401/403 auth, 429 throttle, 400/410, ...) stops the walk immediately so a later uplink can't mask the primary's rejection of a scoped or rate-limited request. Out of scope (left to a later change): verdaccio's full cross-uplink metadata merge and per-version origin tracking. pnpr stays first-success fallback with one cache entry per package. Part of pnpm/pnpm#11973.