@pnpm/lockfile.utils - npm Package Compare versions

Comparing version 1100.0.5 to 1100.0.6

lib/toLockfileResolution.js

@@ -6,3 +6,9 @@ import getNpmTarballUrl from 'get-npm-tarball-url';
     }
+    // Tarball-typed resolutions are guaranteed to carry a tarball URL by the
+    // resolver, but guard for unexpected inputs (e.g. resolutions deserialized
+    // from external state) so we don't blow up on a missing field.
     const tarball = resolution['tarball'];
+    if (tarball == null) {
+        return { integrity: resolution['integrity'] };
+    }
     // Honor the resolver-supplied flag, with a URL fallback for resolutions
@@ -12,3 +18,3 @@ // that didn't go through the git resolver (e.g. config-dep migrations or
     const gitHosted = resolution.gitHosted === true ||
-        (tarball != null && isGitHostedTarballUrl(tarball));
+        isGitHostedTarballUrl(tarball);
     if (lockfileIncludeTarballUrl) {
@@ -24,3 +30,3 @@ return preservingGitHosted({
     // served by git providers (GitHub, GitLab, Bitbucket).
-    if (tarball != null && (tarball.startsWith('file:') || gitHosted)) {
+    if (tarball.startsWith('file:') || gitHosted) {
         return preservingGitHosted({
@@ -31,10 +37,11 @@ integrity: resolution['integrity'],
     }
-    if (lockfileIncludeTarballUrl === false) {
-        return {
-            integrity: resolution['integrity'],
-        };
-    }
     // Sometimes packages are hosted under non-standard tarball URLs.
     // For instance, when they are hosted on npm Enterprise. See https://github.com/pnpm/pnpm/issues/867
-    // Or in other weird cases, like https://github.com/pnpm/pnpm/issues/1072
+    // Or in other weird cases, like https://github.com/pnpm/pnpm/issues/1072.
+    // Even when the user explicitly sets `lockfileIncludeTarballUrl: false`, we
+    // must preserve such URLs — otherwise the package cannot be re-fetched on a
+    // frozen-lockfile install (e.g. GitHub Packages tarballs at
+    // `https://npm.pkg.github.com/download/<scope>/<name>/<version>/<hash>`).
+    // `lockfileIncludeTarballUrl` only controls whether URLs that *can* be
+    // derived from name+version+registry are written.
     const expectedTarball = getNpmTarballUrl(pkg.name, pkg.version, { registry });
@@ -41,0 +48,0 @@ const actualTarball = tarball.replaceAll('%2f', '/');

package.json

 {
   "name": "@pnpm/lockfile.utils",
-  "version": "1100.0.5",
+  "version": "1100.0.6",
   "description": "Utils for dealing with pnpm-lock.yaml",
@@ -31,8 +31,8 @@ "keywords": [
     "ramda": "npm:@pnpm/ramda@0.28.1",
-    "@pnpm/error": "1100.0.0",
+    "@pnpm/deps.path": "1100.0.2",
+    "@pnpm/lockfile.types": "1100.0.4",
     "@pnpm/hooks.types": "1100.0.5",
-    "@pnpm/lockfile.types": "1100.0.4",
-    "@pnpm/deps.path": "1100.0.2",
     "@pnpm/resolving.resolver-base": "1100.1.2",
-    "@pnpm/types": "1101.0.0"
+    "@pnpm/types": "1101.0.0",
+    "@pnpm/error": "1100.0.0"
   },
@@ -45,3 +45,3 @@ "devDependencies": {
     "yaml-tag": "1.1.0",
-    "@pnpm/lockfile.utils": "1100.0.5"
+    "@pnpm/lockfile.utils": "1100.0.6"
   },
@@ -48,0 +48,0 @@ "engines": {

No alert changes

Improved metrics

Total package byte prevSize

11965

5.12%

Lines of code

186

3.91%

No dependency changes