mirror of
https://github.com/pnpm/pnpm.git
synced 2026-03-27 11:31:45 -04:00
54c4fc4fb4
* fix: respect peer dep range in hoistPeers when preferred versions exist Previously, hoistPeers used semver.maxSatisfying(versions, '*') which picked the highest preferred version from the lockfile regardless of the peer dep range. This caused overrides that narrow a peer dep range to be ignored when a stale version existed in the lockfile. Now hoistPeers first tries semver.maxSatisfying(versions, range) to find a preferred version that satisfies the actual peer dep range. If none satisfies it and autoInstallPeers is enabled, it falls back to the range itself so pnpm resolves a matching version from the registry. * fix: only fall back to exact-version range for overrides, handle workspace: protocol - When no preferred version satisfies the peer dep range, only use the range directly if it is an exact version (e.g. "4.3.0" from an override). For semver ranges (e.g. "1", "^2.0.0"), fall back to the old behavior of picking the highest preferred version for deduplication. - Guard against workspace: protocol ranges that would cause semver.maxSatisfying to throw. - Add unit tests for hoisting deduplication and workspace: ranges. * fix: only apply range-constrained peer selection for exact versions The previous approach used semver.maxSatisfying(versions, range) for all peer dep ranges, which broke aliased-dependency deduplication — e.g. when three aliases of @pnpm.e2e/peer-c existed at 1.0.0, 1.0.1, and 2.0.0, range ^1.0.0 would pick 1.0.1 instead of 2.0.0. Now the range-aware logic only activates when the range is an exact version (semver.valid), which is the override case (e.g. "4.3.0"). Regular semver ranges fall back to picking the highest preferred version.
@pnpm/core
Fast, disk space efficient installation engine. Used by pnpm
Install
Install it via npm.
pnpm add @pnpm/core
It also depends on @pnpm/logger version 1, so install it as well via:
pnpm add @pnpm/logger@1
API
mutateModules(importers, options)
TODO
link(linkFromPkgs, linkToModules, [options])
Create symbolic links from the linked packages to the target package's node_modules (and its node_modules/.bin).
Arguments:
linkFromPkgs- String[] - paths to the packages that should be linked.linkToModules- String - path to the dependent package'snode_modulesdirectory.options.reporter- Function - A function that listens for logs.
linkToGlobal(linkFrom, options)
Create a symbolic link from the specified package to the global node_modules.
Arguments:
linkFrom- String - path to the package that should be linked.globalDir- String - path to the global directory.options.reporter- Function - A function that listens for logs.
linkFromGlobal(pkgNames, linkTo, options)
Create symbolic links from the global pkgNames to the linkTo/node_modules folder.
Arguments:
pkgNames- String[] - packages to link.linkTo- String - package to link to.globalDir- String - path to the global directory.options.reporter- Function - A function that listens for logs.
storeStatus([options])
Return the list of modified dependencies.
Arguments:
options.reporter- Function - A function that listens for logs.
Returns: Promise<string[]> - the paths to the modified packages of the current project. The paths contain the location of packages in the store,
not in the projects node_modules folder.
storePrune([options])
Remove unreferenced packages from the store.
Hooks
Hooks are functions that can step into the installation process. All hooks can be provided as arrays to register multiple hook functions.
readPackage(pkg: Manifest, context): Manifest | Promise<Manifest>
This hook is called with every dependency's manifest information.
The modified manifest returned by this hook is then used by @pnpm/core during installation.
An async function is supported.
Arguments:
pkg- The dependency's package manifest.context.log(message)- A function to log debug messages.
Example:
const { installPkgs } = require('@pnpm/core')
installPkgs({
hooks: {
readPackage: [readPackageHook]
}
})
function readPackageHook (pkg, context) {
if (pkg.name === 'foo') {
context.log('Modifying foo dependencies')
pkg.dependencies = {
bar: '^2.0.0',
}
}
return pkg
}
preResolution(context, logger): Promise<void>
This hook is called after reading lockfiles but before resolving dependencies. It can modify lockfile objects.
Arguments:
context.wantedLockfile- The lockfile frompnpm-lock.yaml.context.currentLockfile- The lockfile fromnode_modules/.pnpm/lock.yaml.context.existsCurrentLockfile- Boolean indicating if current lockfile exists.context.existsNonEmptyWantedLockfile- Boolean indicating if wanted lockfile exists and is not empty.context.lockfileDir- Directory containing the lockfile.context.storeDir- Location of the store directory.context.registries- Map of registry URLs.logger.info(message)- Log an informational message.logger.warn(message)- Log a warning message.
afterAllResolved(lockfile: Lockfile): Lockfile | Promise<Lockfile>
This hook is called after all dependencies are resolved. It receives and returns the resolved lockfile object. An async function is supported.
Arguments:
lockfile- The resolved lockfile object that will be written topnpm-lock.yaml.
Custom Resolvers and Fetchers
Custom resolvers and fetchers allow you to implement custom package resolution and fetching logic for new package identifier schemes (like my-protocol:package-name). These are defined as top-level exports in your .pnpmfile.cjs:
- Custom Resolvers: Convert package descriptors (e.g.,
foo@^1.0.0) into resolutions - Custom Fetchers: Completely handle fetching for custom package types
Custom Resolver Interface:
interface CustomResolver {
// Resolution phase
canResolve?: (wantedDependency: WantedDependency) => boolean | Promise<boolean>
resolve?: (wantedDependency: WantedDependency, opts: ResolveOptions) => ResolveResult | Promise<ResolveResult>
// Force resolution check
shouldRefreshResolution?: (depPath: string, pkgSnapshot: PackageSnapshot) => boolean | Promise<boolean>
}
Custom Fetcher Interface:
interface CustomFetcher {
// Fetch phase - complete fetcher replacement
canFetch?: (pkgId: string, resolution: Resolution) => boolean | Promise<boolean>
fetch?: (cafs: Cafs, resolution: Resolution, opts: FetchOptions, fetchers: Fetchers) => FetchResult | Promise<FetchResult>
}
Custom Resolver Methods:
canResolve(wantedDependency)- Returnstrueif this resolver can resolve the given package descriptorresolve(wantedDependency, opts)- Resolves a package descriptor to a resolution. Should return an object withidandresolutionshouldRefreshResolution(depPath, pkgSnapshot)- Returntrueto trigger full resolution of all packages (skipping the "Lockfile is up to date" optimization). ThedepPathis the package identifier (e.g.,lodash@4.17.21) andpkgSnapshotprovides direct access to the lockfile entry (resolution, dependencies, etc.).
Custom Fetcher Methods:
canFetch(pkgId, resolution)- Returnstrueif this fetcher can handle fetching for the given resolutionfetch(cafs, resolution, opts, fetchers)- Completely handles fetching the package contents. Receives the content-addressable file system (cafs), the resolution, fetch options, and pnpm's standard fetchers for delegation. Must return a FetchResult with the package files.
Example - Reusing pnpm's fetcher utilities:
// .pnpmfile.cjs
const customResolver = {
canResolve: (wantedDependency) => {
return wantedDependency.alias.startsWith('company-cdn:')
},
resolve: async (wantedDependency, opts) => {
const actualName = wantedDependency.alias.replace('company-cdn:', '')
const version = await fetchVersionFromCompanyCDN(actualName, wantedDependency.bareSpecifier)
return {
id: `company-cdn:${actualName}@${version}`,
resolution: {
type: 'custom:cdn',
cdnUrl: `https://cdn.company.com/packages/${actualName}/${version}.tgz`,
cachedAt: Date.now(), // Custom metadata for shouldRefreshResolution
},
}
},
shouldRefreshResolution: (depPath, pkgSnapshot) => {
// Check custom metadata stored in the resolution
const cachedAt = pkgSnapshot.resolution?.cachedAt
if (cachedAt && Date.now() - cachedAt > 24 * 60 * 60 * 1000) {
return true // Re-resolve if cached more than 24 hours ago
}
return false
},
}
const customFetcher = {
canFetch: (pkgId, resolution) => {
return resolution.type === 'custom:cdn'
},
fetch: async (cafs, resolution, opts, fetchers) => {
// Delegate to pnpm's standard tarball fetcher
// Transform the custom resolution to a standard tarball resolution
const tarballResolution = {
tarball: resolution.cdnUrl,
integrity: resolution.integrity,
}
return fetchers.remoteTarball(cafs, tarballResolution, opts)
},
}
// Export as top-level arrays
module.exports = {
resolvers: [customResolver],
fetchers: [customFetcher],
}
Delegating to Standard Fetchers:
The fetchers parameter passed to the custom fetcher's fetch method provides access to pnpm's standard fetchers for delegation:
fetchers.remoteTarball- Fetch from remote tarball URLsfetchers.localTarball- Fetch from local tarball filesfetchers.gitHostedTarball- Fetch from GitHub/GitLab/Bitbucket tarballsfetchers.directory- Fetch from local directoriesfetchers.git- Fetch from git repositories
See the test cases in resolving/default-resolver/test/customResolver.ts and fetching/pick-fetcher/test/pickFetcher.ts for complete working examples.
Notes:
- Multiple custom resolvers and fetchers can be registered; they are tried in order until one matches
- All methods support both synchronous and asynchronous implementations
- Custom resolvers are tried before pnpm's built-in resolvers (npm, git, tarball, etc.)
- Custom fetchers can delegate to pnpm's standard fetchers via the
fetchersparameter to avoid reimplementing common fetch logic - The
shouldRefreshResolutionhook allows fine-grained control over when packages should be re-resolved
Performance Considerations:
canResolve()should be a cheap check (ideally synchronous) as it's called for every dependency during resolutionresolve()can be an expensive async operation (e.g., network requests) as it's only called for matching dependencies- If your
canResolve()implementation is expensive, performance may be impacted during large installations