mirror of
https://github.com/pnpm/pnpm.git
synced 2026-05-12 10:11:42 -04:00
60fd20536d
For git-hosted tarballs (`codeload.github.com` / `gitlab.com` / `bitbucket.org`) the fetcher dropped the integrity it computed while downloading, so the lockfile only ever stored the URL. A compromised git host or man-in-the-middle could serve a substituted tarball on subsequent installs and pnpm would install it — the lockfile had no hash to compare against.
This pins the SHA-512 SRI of the raw tarball in the lockfile, in the same `sha512-<base64>` form npm-registry tarballs use. The only difference is the source: for npm we pass through `dist.integrity`, for git we compute it locally from the downloaded buffer. Subsequent installs validate the download against that integrity in the worker (`addTarballToStore` → `parseIntegrity` → hash compare), so a tampered tarball fails with `TarballIntegrityError`.
## Why git-hosted stays on `gitHostedStoreIndexKey`
The lockfile pins integrity for security, but the *store key* for git-hosted resolutions stays on `gitHostedStoreIndexKey(pkgId, { built })` rather than collapsing under the integrity-based key. Reason: git-hosted tarballs are post-processed (`preparePackage` / `packlist`), so the cached file set depends on whether build scripts ran during fetch. The integrity-only key would fold the built and not-built variants into a single slot, letting one overwrite the other and serving the wrong content if `ignoreScripts` was toggled between runs. Keeping git-hosted on the existing key shape preserves that dimension; the integrity is still validated on every fresh download.
## How the routing stays clean
The naive way to express "use gitHostedStoreIndexKey for git-hosted, integrity key for npm" is to call `isGitHostedPkgUrl(resolution.tarball)` everywhere a store key is computed — fragile, scattered, and easy to forget when adding new readers (Copilot caught two of those during review). Instead, a typed annotation: `TarballResolution` gets an optional `gitHosted: boolean` field. The git resolver sets it; the lockfile loader (`convertToLockfileObject`) backfills it for entries written by older pnpm versions; `toLockfileResolution` carries it through on serialize. Every consumer reads `resolution.gitHosted` directly. URL detection lives in exactly two places — the resolver and the loader — instead of seven.
## Changes
### Security fix
- `fetching/tarball-fetcher/src/gitHostedTarballFetcher.ts` — return the `integrity` that the inner remote-tarball fetch already computed (was being silently dropped by the destructure).
### Lockfile schema (additive)
- `@pnpm/lockfile.types` and `@pnpm/resolving.resolver-base` — `TarballResolution` gains optional `gitHosted: boolean`.
- `@pnpm/resolving.git-resolver` — sets `gitHosted: true` on every git-hosted tarball it produces.
- `@pnpm/lockfile.fs` (`convertToLockfileObject`) — backfills the field on load for older lockfiles via inlined URL detection.
- `@pnpm/lockfile.utils` (`toLockfileResolution`, `pkgSnapshotToResolution`) — preserve / read the field.
### Store-key consumers (now one-line typed reads, dropped the URL-sniffing dep)
- `installing/package-requester` (`getFilesIndexFilePath`)
- `store/pkg-finder` (`readPackageFileMap`)
- `modules-mounter/daemon` (`createFuseHandlers`)
- `building/after-install` (side-effects-cache lookup + write)
- `store/commands/storeStatus`
- `installing/deps-installer` (agent-mode store-controller wrapper)
### Fetcher routing
- `fetching/pick-fetcher` — `pickFetcher` prefers `resolution.gitHosted`; URL fallback retained for ad-hoc resolutions.
### Tests
- New integrity-validation test in `tarball-fetcher` (mismatched `integrity` on the resolution must throw `TarballIntegrityError`).
- New git-hosted lookup test in `pkg-finder` asserting routing through `gitHostedStoreIndexKey` even when integrity is present.
- New `toLockfileResolution` test asserting `gitHosted: true` flows through serialization.
- `fromRepo.ts` lockfile snapshot updated for the now-pinned integrity + `gitHosted: true`.
- `git-resolver` tests updated to assert `gitHosted: true` in produced resolutions.
60 lines
1.6 KiB
JSON
60 lines
1.6 KiB
JSON
{
|
|
"name": "@pnpm/lockfile.utils",
|
|
"version": "1100.0.4",
|
|
"description": "Utils for dealing with pnpm-lock.yaml",
|
|
"keywords": [
|
|
"pnpm",
|
|
"pnpm11",
|
|
"lockfile",
|
|
"shrinkwrap"
|
|
],
|
|
"license": "MIT",
|
|
"funding": "https://opencollective.com/pnpm",
|
|
"repository": "https://github.com/pnpm/pnpm/tree/main/lockfile/utils",
|
|
"homepage": "https://github.com/pnpm/pnpm/tree/main/lockfile/utils#readme",
|
|
"bugs": {
|
|
"url": "https://github.com/pnpm/pnpm/issues"
|
|
},
|
|
"type": "module",
|
|
"main": "lib/index.js",
|
|
"types": "lib/index.d.ts",
|
|
"exports": {
|
|
".": "./lib/index.js"
|
|
},
|
|
"files": [
|
|
"lib",
|
|
"!*.map"
|
|
],
|
|
"scripts": {
|
|
"lint": "eslint \"src/**/*.ts\" \"test/**/*.ts\"",
|
|
"test": "pn compile && pn .test",
|
|
"prepublishOnly": "tsgo --build",
|
|
"compile": "tsgo --build && pn lint --fix",
|
|
".test": "cross-env NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" jest"
|
|
},
|
|
"dependencies": {
|
|
"@pnpm/deps.path": "workspace:*",
|
|
"@pnpm/error": "workspace:*",
|
|
"@pnpm/hooks.types": "workspace:*",
|
|
"@pnpm/lockfile.types": "workspace:*",
|
|
"@pnpm/resolving.resolver-base": "workspace:*",
|
|
"@pnpm/types": "workspace:*",
|
|
"get-npm-tarball-url": "catalog:",
|
|
"ramda": "catalog:"
|
|
},
|
|
"devDependencies": {
|
|
"@jest/globals": "catalog:",
|
|
"@pnpm/lockfile.utils": "workspace:*",
|
|
"@types/ramda": "catalog:",
|
|
"tempy": "catalog:",
|
|
"write-yaml-file": "catalog:",
|
|
"yaml-tag": "catalog:"
|
|
},
|
|
"engines": {
|
|
"node": ">=22.13"
|
|
},
|
|
"jest": {
|
|
"preset": "@pnpm/jest-config"
|
|
}
|
|
}
|