
@pnpm/lockfile.utils


@pnpm/lockfile.utils - npm Package Compare versions

Comparing version
1100.0.4
to
1100.0.5
+1
-2
lib/pkgSnapshotToResolution.js
import url from 'node:url';
import * as dp from '@pnpm/deps.path';
import { isGitHostedPkgUrl } from '@pnpm/fetching.pick-fetcher';
import getNpmTarballUrl from 'get-npm-tarball-url';

@@ -9,3 +8,3 @@ import { nameVerFromPkgSnapshot } from './nameVerFromPkgSnapshot.js';

pkgSnapshot.resolution.tarball?.startsWith('file:') ||
isGitHostedPkgUrl(pkgSnapshot.resolution.tarball ?? '')) {
pkgSnapshot.resolution.gitHosted === true) {
return pkgSnapshot.resolution;

@@ -12,0 +11,0 @@ }
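Review bot: The git-hosted test in `pkgSnapshotToResolution` now rests only on `pkgSnapshot.resolution.gitHosted === true`, so a snapshot whose tarball URL points at a git host but lacks the field no longer takes the early `return pkgSnapshot.resolution;` branch. The same release keeps a URL fallback in `toLockfileResolution` for "legacy lockfiles read by callers that don't enrich the field", so the two paths can classify the same resolution differently. If every reader is expected to enrich the field first, state that precondition at the condition, for example `// Relies on resolution.gitHosted being set by the resolver or lockfile reader; there is no URL fallback here.` Since the flag is read from lockfile content, a test with a lockfile entry that omits `gitHosted` would pin the intended behaviour. The function body continues outside the lines shown.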

@@ -1,2 +0,1 @@

import { isGitHostedPkgUrl } from '@pnpm/fetching.pick-fetcher';
import getNpmTarballUrl from 'get-npm-tarball-url';

@@ -8,7 +7,12 @@ export function toLockfileResolution(pkg, resolution, registry, lockfileIncludeTarballUrl) {

const tarball = resolution['tarball'];
// Honor the resolver-supplied flag, with a URL fallback for resolutions
// that didn't go through the git resolver (e.g. config-dep migrations or
// legacy lockfiles read by callers that don't enrich the field).
const gitHosted = resolution.gitHosted === true ||
(tarball != null && isGitHostedTarballUrl(tarball));
if (lockfileIncludeTarballUrl) {
return {
return preservingGitHosted({
integrity: resolution['integrity'],
tarball,
};
}, gitHosted);
}

@@ -19,7 +23,7 @@ // Tarball URLs that cannot be reconstructed from the package name, version,

// served by git providers (GitHub, GitLab, Bitbucket).
if (tarball != null && (tarball.startsWith('file:') || isGitHostedPkgUrl(tarball))) {
return {
if (tarball != null && (tarball.startsWith('file:') || gitHosted)) {
return preservingGitHosted({
integrity: resolution['integrity'],
tarball,
};
}, gitHosted);
}

@@ -37,6 +41,6 @@ if (lockfileIncludeTarballUrl === false) {

if (removeProtocol(expectedTarball) !== removeProtocol(actualTarball)) {
return {
return preservingGitHosted({
integrity: resolution['integrity'],
tarball,
};
}, gitHosted);
}

@@ -47,2 +51,13 @@ return {

}
function preservingGitHosted(resolution, gitHosted) {
return gitHosted ? { ...resolution, gitHosted: true } : resolution;
}
// Inlined to avoid pulling @pnpm/fetching.pick-fetcher into the lockfile-utils
// dep graph. Used as a fallback when callers haven't pre-set the
// `gitHosted` field on TarballResolution.
function isGitHostedTarballUrl(url) {
return (url.startsWith('https://codeload.github.com/') ||
url.startsWith('https://bitbucket.org/') ||
url.startsWith('https://gitlab.com/')) && url.includes('tar.gz');
}
function removeProtocol(url) {

@@ -49,0 +64,0 @@ return url.split('://')[1];
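Review bot: `isGitHostedTarballUrl` is a hand-copied version of the check that used to come from `@pnpm/fetching.pick-fetcher`, and nothing in the new code ties the two together, so the lockfile writer and the fetcher can drift apart on what counts as git-hosted. The result is persisted as `gitHosted: true` by `preservingGitHosted`, so a mismatch would be written into the lockfile rather than recomputed later. Name the source of truth in the comment above the helper, for example `// Keep in sync with isGitHostedPkgUrl in @pnpm/fetching.pick-fetcher.`, and add a parity test over the three host prefixes. Separately, `url.includes('tar.gz')` matches anywhere in the string, including a query string or fragment, which is looser than a check on the path alone. `toLockfileResolution` starts and ends outside the hunks shown.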

{
"name": "@pnpm/lockfile.utils",
"version": "1100.0.4",
"version": "1100.0.5",
"description": "Utils for dealing with pnpm-lock.yaml",

@@ -31,8 +31,7 @@ "keywords": [

"ramda": "npm:@pnpm/ramda@0.28.1",
"@pnpm/error": "1100.0.0",
"@pnpm/hooks.types": "1100.0.5",
"@pnpm/lockfile.types": "1100.0.4",
"@pnpm/deps.path": "1100.0.2",
"@pnpm/error": "1100.0.0",
"@pnpm/fetching.pick-fetcher": "1100.0.4",
"@pnpm/lockfile.types": "1100.0.3",
"@pnpm/resolving.resolver-base": "1100.1.1",
"@pnpm/hooks.types": "1100.0.4",
"@pnpm/resolving.resolver-base": "1100.1.2",
"@pnpm/types": "1101.0.0"

@@ -46,3 +45,3 @@ },

"yaml-tag": "1.1.0",
"@pnpm/lockfile.utils": "1100.0.4"
"@pnpm/lockfile.utils": "1100.0.5"
},

@@ -49,0 +48,0 @@ "engines": {