@pnpm/lockfile.utils

@pnpm/lockfile.utils - npm Package Compare versions

Comparing version
1100.0.9
to
1100.0.10
+25
-3
lib/pkgSnapshotToResolution.js
import url from 'node:url';
import * as dp from '@pnpm/deps.path';
import { PnpmError } from '@pnpm/error';
import getNpmTarballUrl from 'get-npm-tarball-url';
import { nameVerFromPkgSnapshot } from './nameVerFromPkgSnapshot.js';
import { isGitHostedTarballUrl } from './toLockfileResolution.js';
export function pkgSnapshotToResolution(depPath, pkgSnapshot, registries) {
if (Boolean(pkgSnapshot.resolution.type) ||
pkgSnapshot.resolution.tarball?.startsWith('file:') ||
pkgSnapshot.resolution.gitHosted === true) {
const resolution = pkgSnapshot.resolution;
// Tarball-shaped resolutions (no `type` field) must carry `integrity`,
// except where the URL itself anchors the bytes:
// - `file:` tarballs (local file on the user's machine; integrity
// adds nothing the user doesn't already control).
// - Git-hosted tarballs (URL contains the commit SHA; git's content-
// addressed model binds the bytes to the commit). The `gitHosted`
// flag may be absent on legacy lockfiles, so fall back to a URL
// match — same logic as `toLockfileResolution`.
// For any other tarball entry a missing integrity is what a tampered
// lockfile looks like: the worker would mint a fresh integrity from
// whatever bytes the URL returned, so we fail closed here. Pacquet
// enforces the same invariant via
// `pacquet_package_manager::missing_tarball_integrity`.
if (resolution.type == null &&
resolution.integrity == null &&
!resolution.tarball?.startsWith('file:') &&
!(resolution.gitHosted === true || (resolution.tarball != null && isGitHostedTarballUrl(resolution.tarball)))) {
throw new PnpmError('MISSING_TARBALL_INTEGRITY', `Cannot install package "${depPath}": its lockfile entry has no "integrity" field, so pnpm cannot verify the downloaded tarball.`, { hint: 'The lockfile may be corrupted or have been tampered with. Restore it from a trusted source, or delete it and re-run installation without --frozen-lockfile to regenerate.' });
}
if (Boolean(resolution.type) ||
resolution.tarball?.startsWith('file:') ||
resolution.gitHosted === true) {
return pkgSnapshot.resolution;

@@ -10,0 +32,0 @@ }
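Review bot: The integrity exemption in the `!(resolution.gitHosted === true || …)` clause trusts the lockfile's own `gitHosted` flag, so in the tampered-lockfile scenario the comment describes, an attacker who can drop `integrity` from an entry can just as easily set `gitHosted: true` on it with a tarball URL of their choosing, and the new guard never fires. The URL-based fallback is the only part of that clause not under the attacker's control, so it should be the requirement rather than the fallback: `!(resolution.tarball != null && isGitHostedTarballUrl(resolution.tarball))`, with the comment noting that the flag alone is not trusted here. Separately, the comment's claim that a git-hosted URL "contains the commit SHA" only holds when the ref in the URL is a full SHA; a branch or tag name in the same position is mutable, so consider hedging it to "when the URL pins a commit SHA". Note also that `resolution.integrity == null` lets an empty-string `integrity` through; whether the downstream fetcher treats `""` as "no check" is not visible in this hunk and is worth confirming. The enclosing function continues past this hunk.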

@@ -7,1 +7,2 @@ import type { LockfileResolution } from '@pnpm/lockfile.types';

}, resolution: Resolution, registry: string, lockfileIncludeTarballUrl?: boolean): LockfileResolution;
export declare function isGitHostedTarballUrl(url: string): boolean;
+1
-1

@@ -61,3 +61,3 @@ import getNpmTarballUrl from 'get-npm-tarball-url';

// `gitHosted` field on TarballResolution.
function isGitHostedTarballUrl(url) {
export function isGitHostedTarballUrl(url) {
return (url.startsWith('https://codeload.github.com/') ||

@@ -64,0 +64,0 @@ url.startsWith('https://bitbucket.org/') ||

{
"name": "@pnpm/lockfile.utils",
"version": "1100.0.9",
"version": "1100.0.10",
"description": "Utils for dealing with pnpm-lock.yaml",

@@ -31,8 +31,8 @@ "keywords": [

"ramda": "npm:@pnpm/ramda@0.28.1",
"@pnpm/deps.path": "1100.0.4",
"@pnpm/error": "1100.0.0",
"@pnpm/hooks.types": "1100.0.8",
"@pnpm/resolving.resolver-base": "1100.3.0",
"@pnpm/types": "1101.1.1",
"@pnpm/lockfile.types": "1100.0.7"
"@pnpm/deps.path": "1100.0.5",
"@pnpm/lockfile.types": "1100.0.8",
"@pnpm/hooks.types": "1100.0.9",
"@pnpm/types": "1101.2.0",
"@pnpm/resolving.resolver-base": "1100.3.1",
"@pnpm/error": "1100.0.0"
},

@@ -45,3 +45,3 @@ "devDependencies": {

"yaml-tag": "1.1.0",
"@pnpm/lockfile.utils": "1100.0.9"
"@pnpm/lockfile.utils": "1100.0.10"
},

@@ -48,0 +48,0 @@ "engines": {