
@pnpm/lockfile.utils


@pnpm/lockfile.utils - npm Package Compare versions

Comparing version
1100.0.3
to
1100.0.4
+11
-0
lib/pkgSnapshotToResolution.js
import url from 'node:url';
import * as dp from '@pnpm/deps.path';
import { isGitHostedPkgUrl } from '@pnpm/fetching.pick-fetcher';

@@ -11,2 +12,12 @@ import getNpmTarballUrl from 'get-npm-tarball-url';

}
// Recover the tarball field for `file:` snapshots whose resolution lost
// its tarball (e.g. lockfiles written by an earlier pnpm 11 version that
// dropped the tarball under `lockfile-include-tarball-url=false`).
const nonSemverVersion = dp.parse(depPath).nonSemverVersion;
if (nonSemverVersion?.startsWith('file:')) {
return {
...pkgSnapshot.resolution,
tarball: nonSemverVersion,
};
}
const { name, version } = nameVerFromPkgSnapshot(depPath, pkgSnapshot);

@@ -13,0 +24,0 @@ let registry = '';
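Review bot: The recovery branch takes `tarball` from the lockfile key (`dp.parse(depPath).nonSemverVersion`) and places it after the spread, so it overrides any `tarball` that `pkgSnapshot.resolution` already carries. The only thing still binding the local file to the lockfile entry is an `integrity` value copied by the spread, if one is present. The guard that ends at the `}` above the comment and the rest of the function are outside the hunk, so some of these cases may already be excluded. If they are not, narrow the condition to the case the comment describes, `if (nonSemverVersion?.startsWith('file:') && pkgSnapshot.resolution.tarball == null) {`, and extend the comment to say that `integrity` is deliberately preserved so the recovered tarball can still be checked.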

+15
-3

@@ -0,1 +1,2 @@

import { isGitHostedPkgUrl } from '@pnpm/fetching.pick-fetcher';
import getNpmTarballUrl from 'get-npm-tarball-url';

@@ -6,8 +7,19 @@ export function toLockfileResolution(pkg, resolution, registry, lockfileIncludeTarballUrl) {

}
const tarball = resolution['tarball'];
if (lockfileIncludeTarballUrl) {
return {
integrity: resolution['integrity'],
tarball: resolution['tarball'],
tarball,
};
}
// Tarball URLs that cannot be reconstructed from the package name, version,
// and registry must always stay in the lockfile, otherwise the package can
// no longer be re-fetched. This covers local `file:` tarballs and tarballs
// served by git providers (GitHub, GitLab, Bitbucket).
if (tarball != null && (tarball.startsWith('file:') || isGitHostedPkgUrl(tarball))) {
return {
integrity: resolution['integrity'],
tarball,
};
}
if (lockfileIncludeTarballUrl === false) {

@@ -22,7 +34,7 @@ return {

const expectedTarball = getNpmTarballUrl(pkg.name, pkg.version, { registry });
const actualTarball = resolution['tarball'].replaceAll('%2f', '/');
const actualTarball = tarball.replaceAll('%2f', '/');
if (removeProtocol(expectedTarball) !== removeProtocol(actualTarball)) {
return {
integrity: resolution['integrity'],
tarball: resolution['tarball'],
tarball,
};

@@ -29,0 +41,0 @@ }
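Review bot: `tarball` is treated as possibly null in the new always-keep branch (`tarball != null && ...`), but the later `tarball.replaceAll('%2f', '/')` dereferences it without a guard, as the old `resolution['tarball'].replaceAll` did. The lines between the two hunks are not shown, so a return there may already cover this. If it does not, a resolution without a tarball that reaches this line throws a TypeError instead of producing a lockfile entry. An explicit guard before the comparison would make the two branches agree, e.g. `if (tarball == null) return { integrity: resolution['integrity'] };`. The body of `toLockfileResolution` starts and ends outside the hunks.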

+9
-8
{
"name": "@pnpm/lockfile.utils",
"version": "1100.0.3",
"version": "1100.0.4",
"description": "Utils for dealing with pnpm-lock.yaml",

@@ -31,11 +31,12 @@ "keywords": [

"ramda": "npm:@pnpm/ramda@0.28.1",
"@pnpm/deps.path": "1100.0.1",
"@pnpm/deps.path": "1100.0.2",
"@pnpm/error": "1100.0.0",
"@pnpm/hooks.types": "1100.0.3",
"@pnpm/lockfile.types": "1100.0.2",
"@pnpm/resolving.resolver-base": "1100.1.0",
"@pnpm/types": "1101.0.0",
"@pnpm/fetching.pick-fetcher": "1100.0.3"
"@pnpm/fetching.pick-fetcher": "1100.0.4",
"@pnpm/lockfile.types": "1100.0.3",
"@pnpm/resolving.resolver-base": "1100.1.1",
"@pnpm/hooks.types": "1100.0.4",
"@pnpm/types": "1101.0.0"
},
"devDependencies": {
"@jest/globals": "30.3.0",
"@types/ramda": "0.31.1",

@@ -45,3 +46,3 @@ "tempy": "3.0.0",

"yaml-tag": "1.1.0",
"@pnpm/lockfile.utils": "1100.0.3"
"@pnpm/lockfile.utils": "1100.0.4"
},

@@ -48,0 +49,0 @@ "engines": {