Zoltan Kochan f2db87c0e3 fix(pacquet/directory-fetcher,pacquet/package-manager): address CodeRabbit review on #11678
Three parity / hardening fixes flagged in the CodeRabbit review on PR
#11678:

1. **Carve out directory snapshots from the current-lockfile-skip
   gate** (`create_virtual_store.rs`). Directory-typed snapshots have
   `integrity() == None`; without the carve-out `integrity_equal`
   collapsed `None == None == true` and the skip filter dropped the
   snapshot whenever a slot for it existed on disk, so a second
   install never re-walked the (mutable) source dir. Mirrors pnpm's
   `!isDirectoryDep` clause in `depIsPresent` at
   <https://github.com/pnpm/pnpm/blob/94240bc046/deps/graph-builder/src/lockfileToDepGraph.ts#L226-L228>.

2. **Add `DirectoryFetch` to `is_fetch_side_failure`**
   (`create_virtual_store.rs`). Upstream's catch at
   [`lockfileToDepGraph.ts:286-298`](https://github.com/pnpm/pnpm/blob/94240bc046/deps/graph-builder/src/lockfileToDepGraph.ts#L286-L298)
   wraps the whole `fetchPackage` dispatch, so directory-fetcher
   errors on optional snapshots are swallowed uniformly with tarball
   / git fetch errors. Without this, an optional injected-directory
   dep whose source was missing would hard-fail the install instead
   of being dropped.

3. **Symlink-cycle guard in `walk_all_inner`** (`directory-fetcher/
   src/walker.rs`). A `loop -> .` (or any ancestor-pointing) symlink
   previously sank the walker into infinite recursion until either
   ENAMETOOLONG or stack overflow fired. Skip-on-revisit keyed off
   `fs::canonicalize`, matching the pattern
   `pacquet_git_fetcher::packlist` already uses for
   `bundleDependencies` cycles. Pnpm's directory-fetcher has the same
   vulnerability; the guard is a defensible divergence because the
   positive-case behavior is identical to pnpm and the cycle case
   degrades from "crash" to "skip with a `tracing::warn`".

Added a regression test
(`walk_all_files_terminates_on_symlink_cycle`) that points a
`loop -> root` symlink at the walk root and asserts the cycle guard
short-circuits before any `loop/` descendant is recorded.

---
Written by an agent (Claude Code, claude-opus-4-7).
2026-05-16 11:35:48 +02:00
2026-04-10 18:30:33 +02:00
2026-04-10 18:30:33 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-11 19:56:10 +02:00
2026-04-30 23:03:46 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-04-30 23:19:31 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-04-30 23:03:46 +02:00
2026-05-14 13:31:53 +02:00
2026-05-14 13:31:53 +02:00
2026-01-16 16:31:31 +01:00
2024-03-21 01:09:22 +01:00
2022-06-01 02:48:58 +03:00

简体中文 | 日本語 | 한국어 | Italiano | Português Brasileiro

pnpm

Fast, disk space efficient package manager:

  • Fast. Up to 2x faster than the alternatives (see benchmark).
  • Efficient. Files inside node_modules are linked from a single content-addressable storage.
  • Great for monorepos.
  • Strict. A package can access only dependencies that are specified in its package.json.
  • Deterministic. Has a lockfile called pnpm-lock.yaml.
  • Works as a Node.js version manager. See pnpm runtime.
  • Works everywhere. Supports Windows, Linux, and macOS.
  • Battle-tested. Used in production by teams of all sizes since 2016.
  • See the full feature comparison with npm and Yarn.

To quote the Rush team:

Microsoft uses pnpm in Rush repos with hundreds of projects and hundreds of PRs per day, and weve found it to be very fast and reliable.

npm version OpenCollective OpenCollective X Follow Stand With Ukraine

Platinum Sponsors

Bit

Gold Sponsors

Sanity Discord Vite
SerpApi CodeRabbit Stackblitz
Workleap Nx

Silver Sponsors

Replit Cybozu devowl.io
u|screen Leniolabs_ Depot
Cerbos ⏱️ Time.now

Support this project by becoming a sponsor.

Background

pnpm uses a content-addressable filesystem to store all files from all module directories on a disk. When using npm, if you have 100 projects using lodash, you will have 100 copies of lodash on disk. With pnpm, lodash will be stored in a content-addressable storage, so:

  1. If you depend on different versions of lodash, only the files that differ are added to the store. If lodash has 100 files, and a new version has a change only in one of those files, pnpm update will only add 1 new file to the storage.
  2. All the files are saved in a single place on the disk. When packages are installed, their files are linked from that single place consuming no additional disk space. Linking is performed using either hard-links or reflinks (copy-on-write).

As a result, you save gigabytes of space on your disk and you have a lot faster installations! If you'd like more details about the unique node_modules structure that pnpm creates and why it works fine with the Node.js ecosystem, read this small article: Flat node_modules is not the only way.

💖 Like this project? Let people know with a tweet

Getting Started

Benchmark

pnpm is up to 2x faster than npm and Yarn classic. See all benchmarks here.

Benchmarks on an app with lots of dependencies:

License

MIT

Description
No description provided
Readme MIT 284 MiB
Languages
Rust 56.5%
TypeScript 42.9%
JavaScript 0.5%