pnpm/pnpr
Zoltan Kochan 1c04a00cdb fix(pnpr): verify proxied tarball integrity (#12570)
Bind proxied tarball requests to the selected packument version.

Require supported dist.integrity before serving upstream or cached tarballs.

Verify cache hits before response construction.

Fail closed on a hosted-store fault instead of falling through to the
upstream proxy, so an I/O error in the authoritative store can never serve
bytes of a different provenance for the same package name.

Delete invalid cache entries and promote upstream bytes only after SRI verification.

For cache:false uplinks, verify into a temp file and stream the same open
handle (rewound to the start) instead of dropping and reopening it by path,
closing the TOCTOU window where an attacker-writable cache directory could
swap the verified bytes before they are served; remove the temp file after
streaming.

Harden publish attachment SRI parsing for missing or unsupported integrity.

Addresses GHSA-5f9g-98vq-2jxw.
2026-06-22 13:00:09 +02:00