Khải 6fadd7def9 feat(pacquet): port @pnpm/network.web-auth (#12569)
* feat(network-web-auth): port web-based authentication flow from pnpm

Port the `@pnpm/network.web-auth` package to a new `pacquet-network-web-auth`
crate, in preparation for the registry-auth commands (login / publish) that
pacquet has not ported yet.

The crate provides:
- `poll_for_web_auth_token` — polls a registry "done" URL for an auth token,
  honoring `Retry-After` and an overall timeout (`ERR_PNPM_WEBAUTH_TIMEOUT`).
- `with_otp_handling` — runs an operation and, on an EOTP challenge, drives
  either the web-auth flow (QR code + browser open + poll) or a classic OTP
  prompt, then retries once. Surfaces `ERR_PNPM_OTP_NON_INTERACTIVE` and
  `ERR_PNPM_OTP_SECOND_CHALLENGE`.
- `prompt_browser_open`, `generate_qr_code`, and the `SyntheticOtpError` helpers.

Rather than porting the TypeScript context-of-closures verbatim, every side
effect is a self-less capability trait composed on a single `Sys` parameter
(`Clock`, `Sleep`, `WebAuthFetch`, `OpenUrl`, `EnterKeyListener`, `PromptOtp`,
plus the TTY probes), with the real OS behind `Host` and fn-bound unit-struct
fakes in tests. User-facing messages flow through the `Reporter` seam on a new
`pnpm:global` channel, matching pnpm's `globalInfo` / `globalWarn` and rendered
by `pacquet-default-reporter`.

New workspace dependencies: `qrcode` (no default features) and `open`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8

* style(network-web-auth): satisfy perfectionist dylint lints

CI's dylint job flagged the new crate against the `perfectionist` lint
library (which clippy does not run). Fix every finding:

- Reorder derive lists to the configured `prefix_then_alphabetical`
  order (`Debug, Default, Clone, ...`).
- Rename the single-letter `R` reporter generic to `Reporter`, bound as
  `self::Reporter`, matching the existing pacquet convention.
- Move the inline `mod tests { ... }` blocks for `capabilities`,
  `generate_qr_code`, and `web_auth_timeout_error` into external
  `tests.rs` files (the crate's `unit_test_file_layout` is `external_only`).
- Add trailing commas to multi-line macro invocations.

No behavior change. Verified clean with the same command CI runs:
`RUSTFLAGS='-D warnings' cargo dylint --all -- --all-targets --workspace`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8

* fix(network-web-auth): cancel the web-auth Enter listener on drop

The production `EnterKeyListener` used `spawn_blocking` + a blocking
`stdin().read_line()`, which cannot be cancelled: if the user never
pressed Enter (e.g. authentication completed via a phone QR scan), the
reader thread lingered until process exit. Replace it with a dedicated
thread that polls stdin with a 100ms timeout via `crossterm::event::poll`
and re-checks a cancel flag each tick, so dropping the handle stops the
thread within one poll interval.

`crossterm` reads in the terminal's default (cooked) mode — no raw mode —
matching pnpm's plain `readline.createInterface({ input: process.stdin })`,
which reacts to a submitted line rather than individual keypresses. In
Node, stdin is event-loop-driven so `rl.close()` needs no thread to
cancel; the poll loop is the Rust equivalent.

Adds `crossterm` to `[workspace.dependencies]`.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8

* fix(network-web-auth): don't let a dropped Enter listener steal stdin

A code review of the cancellable web-auth listener surfaced two items:

- The polling reader thread could consume one keystroke in the window
  between the handle being dropped (cancel flag set) and the thread
  noticing it: `event::poll` reports input, then `event::read` swallows a
  key meant for whatever reads stdin next. Re-check the cancel flag after
  poll and before read so a dropped handle leaves the input buffered,
  matching pnpm's clean `readline` close.
- Drop the redundant `Option<sender>`: the Enter arm returns right after
  sending, so the oneshot sender moves directly into `send()`.

Also document that the handle is meant to be raced and never resolves on a
stdin read error, so it must not be awaited on its own.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8

* docs(network-web-auth): de-duplicate Enter-listener comments

Review follow-up: keep the polling/cancel rationale on `HostEnterHandle`
(where `Drop` lives) and trim `listen`'s doc to its unique cooked-mode
detail; drop a select-arm comment sentence that restated automatic `Drop`
and the function's own doc comment.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8

* docs(network-web-auth): correct the Enter-listener cancellation rationale

Round-3 review follow-up:
- The `HostEnterHandle` doc blamed `std`'s blocking `read_line` for needing
  a poll loop, but the listener uses crossterm's `event::read()`
  (`read_line` was the pre-crossterm implementation). Name the real
  primitive.
- Drop the `listen` doc's reference to the private `HostEnterHandle` type
  (a public method's docs must not name a more-private item); point to "the
  returned handle" instead.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Claude-Session: https://claude.ai/code/session_01RWejcxTU8n144a1KK4nRj8

* docs(network-web-auth): state the why in the clock test doc

The doc comment on host_clock_reads_a_non_zero_time restated the test name
and its assertion instead of the non-obvious reason behind it. Replace it
with the rationale: 0 is Host::now_ms's pre-epoch fallback, so a non-zero
read proves the real wall clock was queried.

---------

Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-06-29 10:18:35 +00:00
2026-06-19 23:33:39 +02:00
2026-01-16 16:31:31 +01:00
2024-03-21 01:09:22 +01:00

简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro

pnpm

Fast, disk space efficient package manager:

  • Fast. Up to 2x faster than the alternatives (see benchmark).
  • Efficient. Files inside node_modules are linked from a single content-addressable storage.
  • Great for monorepos.
  • Strict. A package can access only dependencies that are specified in its package.json.
  • Deterministic. Has a lockfile called pnpm-lock.yaml.
  • Works as a Node.js version manager. See pnpm runtime.
  • Works everywhere. Supports Windows, Linux, and macOS.
  • Battle-tested. Used in production by teams of all sizes since 2016.
  • Experimental Rust port. Includes pacquet, an experimental port of the CLI written in Rust.
  • See the full feature comparison with npm and Yarn.

To quote the Rush team:

Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and weve found it to be very fast and reliable.

npm version OpenCollective OpenCollective X Follow Stand With Ukraine

Platinum Sponsors

Bit OpenAI

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

Silver Sponsors

Replit Cybozu BairesDev
Thesys devowl.io u|screen
Leniolabs_ Depot Cerbos
⏱️ Time.now

Support this project by becoming a sponsor.

Background

pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:

  1. If you depend on different versions of lodash, only the files that differ are added to the store. If lodash has 100 files, and a new version has a change only in one of those files, pnpm update will only add 1 new file to the storage.
  2. All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).

As a result, you save gigabytes of space on your disk and you have a lot faster installations! If you'd like more details about the unique node_modules structure that pnpm creates and why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.

💖 Like this project? Let people know with a tweet

Getting Started

Benchmark

pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.

Benchmarks on an app with lots of dependencies:

License

MIT, except the pnpr/ directory, which is source-available under the PolyForm Shield License 1.0.0.

Description
No description provided
Readme MIT 336 MiB
Languages
Rust 59.5%
TypeScript 39.9%
JavaScript 0.5%