mirror of
https://github.com/pnpm/pnpm.git
synced 2026-05-31 20:20:35 -04:00
* fix: require provenance for trusted publisher evidence
* test: align provenance fixtures with registry types
* chore: include pnpm CLI in changeset
The repo guideline requires every changeset that touches a published
package to list the pnpm CLI explicitly so the fix appears in the CLI's
release notes.
* fix(resolving-npm-resolver): require provenance for trusted publisher evidence
Ports pnpm's fea5fd41da: `get_trust_evidence` now only returns
`TrustedPublisher` when the version carries both
`_npmUser.trustedPublisher` *and* `dist.attestations.provenance`.
Without the attestation, the publisher flag is metadata a staged
publish could mint, so it can't be ranked above plain provenance.
Refs #11887.
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
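The trust-evidence rule the commit describes, written out as an added JavaScript example (not pnpm's own code). The two registry field paths are the ones named in the commit; the evidence labels, the `RANK` table, the helper names and the sample version documents are this example's own assumptions.

```javascript
'use strict'

// Added example, not pnpm's code. Labels for the three evidence levels are
// this example's own naming.
const TRUST_EVIDENCE = Object.freeze({
  None: 'none',
  Provenance: 'provenance',
  TrustedPublisher: 'trusted-publisher',
})

// Rank order used to compare evidence levels; higher is stronger (assumed).
const RANK = { none: 0, provenance: 1, 'trusted-publisher': 2 }

// Classify the trust evidence carried by one published version document.
// TrustedPublisher requires BOTH `_npmUser.trustedPublisher` and
// `dist.attestations.provenance`: the publisher flag alone is registry
// metadata a staged publish could mint, so without the attestation it is
// not ranked above plain provenance (here it yields None).
function getTrustEvidence (versionMeta) {
  const dist = (versionMeta && versionMeta.dist) || {}
  const attestations = dist.attestations || {}
  const npmUser = (versionMeta && versionMeta._npmUser) || {}
  const hasProvenance = Boolean(attestations.provenance)
  const flaggedTrusted = Boolean(npmUser.trustedPublisher)
  if (hasProvenance && flaggedTrusted) return TRUST_EVIDENCE.TrustedPublisher
  if (hasProvenance) return TRUST_EVIDENCE.Provenance
  return TRUST_EVIDENCE.None
}

// Negative when evidence `a` is weaker than `b`, zero when equal.
function compareTrustEvidence (a, b) {
  return RANK[a] - RANK[b]
}

// Constructed sample version documents (not real registry data).
const SAMPLES = {
  both: {
    _npmUser: { name: 'ci-publisher', trustedPublisher: { id: 'github' } },
    dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } },
  },
  provenanceOnly: {
    _npmUser: { name: 'maintainer' },
    dist: { attestations: { provenance: { predicateType: 'https://slsa.dev/provenance/v1' } } },
  },
  // The flag with no attestation: exactly the case the fix stops trusting.
  flagOnly: { _npmUser: { name: 'anyone', trustedPublisher: { id: 'github' } }, dist: {} },
}
```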
@pnpm/resolving.npm-resolver
Resolver for npm-hosted packages
Installation
pnpm add @pnpm/resolving.npm-resolver
Usage
'use strict'
const createResolveFromNpm = require('@pnpm/resolving.npm-resolver').default

const resolveFromNpm = createResolveFromNpm({
  store: '.store',
  offline: false,
  rawConfig: {
    registry: 'https://registry.npmjs.org/',
  },
})

resolveFromNpm({alias: 'is-positive', bareSpecifier: '1.0.0'}, {
  registry: 'https://registry.npmjs.org/',
})
  .then(resolveResult => console.log(JSON.stringify(resolveResult, null, 2)))
//> {
//    "id": "registry.npmjs.org/is-positive/1.0.0",
//    "latest": "3.1.0",
//    "package": {
//      "name": "is-positive",
//      "version": "1.0.0",
//      "devDependencies": {
//        "ava": "^0.0.4"
//      },
//      "_hasShrinkwrap": false,
//      "directories": {},
//      "dist": {
//        "shasum": "88009856b64a2f1eb7d8bb0179418424ae0452cb",
//        "tarball": "https://registry.npmjs.org/is-positive/-/is-positive-1.0.0.tgz"
//      },
//      "engines": {
//        "node": ">=0.10.0"
//      }
//    },
//    "resolution": {
//      "integrity": "sha1-iACYVrZKLx632LsBeUGEJK4EUss=",
//      "registry": "https://registry.npmjs.org/",
//      "tarball": "https://registry.npmjs.org/is-positive/-/is-positive-1.0.0.tgz"
//    },
//    "resolvedVia": "npm-registry"
//  }
License
MIT