mirror of
https://github.com/pnpm/pnpm.git
synced 2026-06-28 09:55:39 -04:00
`minimumReleaseAgeExclude` (and `trustPolicyExclude`) ignored every rule after the first match for a given package, so two separate exact-version entries like `[form-data@4.0.6, form-data@2.5.6]` could still trip the policy for the second version while `[form-data@4.0.6 || 2.5.6]` (a single disjunction entry) worked. That made list semantics depend on whether the user happened to merge versions into one `||` selector, which is surprising and unsafe for supply-chain exclusion lists.

Walk every matching rule and merge consecutive `name@version[...]` matches in source order with duplicates removed. A bare-name or wildcard match still terminates the walk, with first-match precedence between bare and exact rules: a wildcard listed after an exact-version rule no longer silently widens the exclusion to every version of the package, while a bare-name rule listed first keeps its existing `AnyVersion` semantics.

Apply the same change to the pacquet port so both stacks stay in sync.

Closes pnpm/pnpm#12463

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
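The rule walk described in this commit, as an added illustration that is not pnpm's or pacquet's own code: `resolveExclusion` and `isExcluded` are hypothetical names, selectors are assumed to be exact versions joined by `||` (no full semver ranges), and the wildcard case is modelled as a `*` selector.

```typescript
// Added example (not pnpm's code): walk every matching exclusion rule,
// merging exact-version matches in source order with duplicates removed,
// and stop at the first bare-name/wildcard rule with first-match precedence.
type Exclusion =
  | { kind: 'anyVersion' }
  | { kind: 'versions'; versions: string[] }
  | null;

/** Split "form-data@4.0.6 || 2.5.6" into name and selector (scoped names keep their leading '@'). */
function parseRule(rule: string): { name: string; selector: string | null } {
  const at = rule.indexOf('@', 1); // skip index 0 so "@scope/pkg" is a bare name
  if (at === -1) return { name: rule, selector: null };
  return { name: rule.slice(0, at), selector: rule.slice(at + 1).trim() };
}

function resolveExclusion(rules: string[], pkgName: string): Exclusion {
  const merged: string[] = [];
  for (const rule of rules) {
    const { name, selector } = parseRule(rule);
    if (name !== pkgName) continue; // not a rule for this package, keep walking
    if (selector === null || selector === '*') {
      // Bare-name or wildcard rule terminates the walk. If exact-version rules
      // matched earlier they win (no silent widening); otherwise it is AnyVersion.
      return merged.length > 0 ? { kind: 'versions', versions: merged } : { kind: 'anyVersion' };
    }
    // Exact-version rule: accumulate each "||" alternative, deduplicated, in source order.
    for (const v of selector.split('||').map(s => s.trim())) {
      if (v !== '' && !merged.includes(v)) merged.push(v);
    }
  }
  return merged.length > 0 ? { kind: 'versions', versions: merged } : null;
}

/** True when the exclusion list covers pkgName@version. */
function isExcluded(rules: string[], pkgName: string, version: string): boolean {
  const ex = resolveExclusion(rules, pkgName);
  if (ex === null) return false;
  return ex.kind === 'anyVersion' || ex.versions.includes(version);
}
```

With the old first-match behaviour, `['form-data@4.0.6', 'form-data@2.5.6']` would have covered only `4.0.6`; here both separate entries and the single `||` entry yield the same result.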