pnpm/deps/compliance/sbom/test
Allan Kimmer Jensen bcc88a1239 fix(sbom): resolve licenses for git-sourced dependencies (#11310)
* fix(sbom): resolve licenses for git-sourced dependencies

`readPackageFileMap` did not handle `type: 'git'` resolutions, causing
`pnpm sbom` to emit NOASSERTION and `pnpm licenses` to throw for any
dependency installed from a git URL.

Closes #11260

* fix: add missing store.cafs devDep, test tsconfigs, and size field

- Add @pnpm/store.cafs devDependency and tsconfig reference to
  license-scanner so CI typecheck resolves the PackageFilesIndex import
- Add test/tsconfig.json to pkg-finder so CI typechecks the new tests
- Add required `size` field to PackageFileInfo test fixtures

* fix: replace spellcheck-failing test strings

* fix: use spellcheck-safe integrity string in test

* style: fix import sort in pkg-finder test

* fix(sbom): use packageIdFromSnapshot to match store index keys

The SBOM used `snapshot.id ?? depPath` as the package ID, which
includes the package name prefix (e.g. `left-pad@git+https://...`).
The store index stores git packages under just the git URL without
the name prefix. Use `packageIdFromSnapshot` which strips the prefix,
matching how the licenses command already does it.

Also fixes test store keys to match the real installer layout so the
mismatch would have been caught by tests.

* refactor: move git resolution check after tarball check

Tarball resolutions are more common than type: 'git', so check them
first. Per review feedback from @zkochan.
2026-04-20 14:29:35 +02:00