@pnpm/network.web-auth (#12569)
* feat(network-web-auth): port web-based authentication flow from pnpm Port the `@pnpm/network.web-auth` package to a new `pacquet-network-web-auth` crate, in preparation for the registry-auth commands (login / publish) that pacquet has not ported yet. The crate provides: - `poll_for_web_auth_token` — polls a registry "done" URL for an auth token, honoring `Retry-After` and an overall timeout (`ERR_PNPM_WEBAUTH_TIMEOUT`). - `with_otp_handling` — runs an operation and, on an EOTP challenge, drives either the web-auth flow (QR code + browser open + poll) or a classic OTP prompt, then retries once. Surfaces `ERR_PNPM_OTP_NON_INTERACTIVE` and `ERR_PNPM_OTP_SECOND_CHALLENGE`. - `prompt_browser_open`, `generate_qr_code`, and the `SyntheticOtpError` helpers. Rather than porting the TypeScript context-of-closures verbatim, every side effect is a self-less capability trait composed on a single `Sys` parameter (`Clock`, `Sleep`, `WebAuthFetch`, `OpenUrl`, `EnterKeyListener`, `PromptOtp`, plus the TTY probes), with the real OS behind `Host` and fn-bound unit-struct fakes in tests. User-facing messages flow through the `Reporter` seam on a new `pnpm:global` channel, matching pnpm's `globalInfo` / `globalWarn` and rendered by `pacquet-default-reporter`. New workspace dependencies: `qrcode` (no default features) and `open`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8 * style(network-web-auth): satisfy perfectionist dylint lints CI's dylint job flagged the new crate against the `perfectionist` lint library (which clippy does not run). Fix every finding: - Reorder derive lists to the configured `prefix_then_alphabetical` order (`Debug, Default, Clone, ...`). - Rename the single-letter `R` reporter generic to `Reporter`, bound as `self::Reporter`, matching the existing pacquet convention. - Move the inline `mod tests { ... }` blocks for `capabilities`, `generate_qr_code`, and `web_auth_timeout_error` into external `tests.rs` files (the crate's `unit_test_file_layout` is `external_only`). - Add trailing commas to multi-line macro invocations. No behavior change. Verified clean with the same command CI runs: `RUSTFLAGS='-D warnings' cargo dylint --all -- --all-targets --workspace`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8 * fix(network-web-auth): cancel the web-auth Enter listener on drop The production `EnterKeyListener` used `spawn_blocking` + a blocking `stdin().read_line()`, which cannot be cancelled: if the user never pressed Enter (e.g. authentication completed via a phone QR scan), the reader thread lingered until process exit. Replace it with a dedicated thread that polls stdin with a 100ms timeout via `crossterm::event::poll` and re-checks a cancel flag each tick, so dropping the handle stops the thread within one poll interval. `crossterm` reads in the terminal's default (cooked) mode — no raw mode — matching pnpm's plain `readline.createInterface({ input: process.stdin })`, which reacts to a submitted line rather than individual keypresses. In Node, stdin is event-loop-driven so `rl.close()` needs no thread to cancel; the poll loop is the Rust equivalent. Adds `crossterm` to `[workspace.dependencies]`. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8 * fix(network-web-auth): don't let a dropped Enter listener steal stdin A code review of the cancellable web-auth listener surfaced two items: - The polling reader thread could consume one keystroke in the window between the handle being dropped (cancel flag set) and the thread noticing it: `event::poll` reports input, then `event::read` swallows a key meant for whatever reads stdin next. Re-check the cancel flag after poll and before read so a dropped handle leaves the input buffered, matching pnpm's clean `readline` close. - Drop the redundant `Option<sender>`: the Enter arm returns right after sending, so the oneshot sender moves directly into `send()`. Also document that the handle is meant to be raced and never resolves on a stdin read error, so it must not be awaited on its own. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8 * docs(network-web-auth): de-duplicate Enter-listener comments Review follow-up: keep the polling/cancel rationale on `HostEnterHandle` (where `Drop` lives) and trim `listen`'s doc to its unique cooked-mode detail; drop a select-arm comment sentence that restated automatic `Drop` and the function's own doc comment. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8 * docs(network-web-auth): correct the Enter-listener cancellation rationale Round-3 review follow-up: - The `HostEnterHandle` doc blamed `std`'s blocking `read_line` for needing a poll loop, but the listener uses crossterm's `event::read()` (`read_line` was the pre-crossterm implementation). Name the real primitive. - Drop the `listen` doc's reference to the private `HostEnterHandle` type (a public method's docs must not name a more-private item); point to "the returned handle" instead. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8 * docs(network-web-auth): state the why in the clock test doc The doc comment on host_clock_reads_a_non_zero_time restated the test name and its assertion instead of the non-obvious reason behind it. Replace it with the rationale: 0 is Host::now_ms's pre-epoch fallback, so a non-zero read proves the real wall clock was queried. --------- Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Zoltan Kochan <z@kochan.io>
简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro
Fast, disk space efficient package manager:
- Fast. Up to 2x faster than the alternatives (see benchmark).
- Efficient. Files inside
node_modulesare linked from a single content-addressable storage. - Great for monorepos.
- Strict. A package can access only dependencies that are specified in its
package.json. - Deterministic. Has a lockfile called
pnpm-lock.yaml. - Works as a Node.js version manager. See pnpm runtime.
- Works everywhere. Supports Windows, Linux, and macOS.
- Battle-tested. Used in production by teams of all sizes since 2016.
- Experimental Rust port. Includes pacquet, an experimental port of the CLI written in Rust.
- See the full feature comparison with npm and Yarn.
To quote the Rush team:
Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and we’ve found it to be very fast and reliable.
Platinum Sponsors
|
|
|
Gold Sponsors
|
|
|
|
|
|
|
|
|
|
|
Silver Sponsors
|
|
|
|
|
|
|
|
|
|
|
| ⏱️ Time.now |
Support this project by becoming a sponsor.
Background
pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:
- If you depend on different versions of lodash, only the files that differ are added to the store.
If lodash has 100 files, and a new version has a change only in one of those files,
pnpm updatewill only add 1 new file to the storage. - All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).
As a result, you save gigabytes of space on your disk and you have a lot faster installations!
If you'd like more details about the unique node_modules structure that pnpm creates and
why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.
💖 Like this project? Let people know with a tweet
Getting Started
Benchmark
pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.
Benchmarks on an app with lots of dependencies:
License
MIT, except the pnpr/ directory, which is source-available under the PolyForm Shield License 1.0.0.