fix(cache): allow no-remote to read vendored modules

[puneetdixit200]

Fixes #34793.

Summary:

• allow the file fetcher to satisfy http/https requests from cache or vendor data before returning NoRemote
• add a JSR vendor regression that clears DENO_DIR and runs the vendored module with --no-remote

AI assistance disclosure: I used AI tooling while developing this patch and reviewed the final code and tests.

Tests:

• cargo test -p specs_tests --test specs vendor_no_remote
• target/debug/deps/specs-4c25e2a61e04fe22 vendor_no_remote
• PATH="$PWD/target/debug:$PATH" deno run -A --no-config npm:dprint@0.47.2 check --config=.dprint.json libs/cache_dir/file_fetcher/mod.rs tests/specs/jsr/vendor_no_remote/__test__.jsonc tests/specs/jsr/vendor_no_remote/deno.json tests/specs/jsr/vendor_no_remote/main.ts
• PATH="$PWD/target/debug:$PATH" deno run -A --config=tests/config/deno.json tools/format.js --check

[bartlomieju]

Thanks for tackling this, and for the clear repro and the AI disclosure. The vendor case the issue describes is real and this does fix it. But the implementation broadens --no-remote further than the issue intends — it changes the flag's behavior for all projects, not just vendored manifests. I think it needs to be scoped down (or get an explicit maintainer call). Details inline; I verified the behavior change locally.

[bartlomieju]

This reads from self.http_cache, which is not vendor-only:

• With "vendor": true, http_cache is a LocalHttpCache built with the global cache as a fallback (GlobalToLocalCopy::Allow, libs/resolver/factory.rs:510).
• Without vendor, http_cache is the global DENO_DIR cache directly (factory.rs:518).

So this makes --no-remote serve http/https from the global cache in all cases, not just vendored manifests. That changes long-standing --no-remote semantics: a remote import that merely happens to be in the global cache now loads, where before it errored — effectively turning --no-remote into --cached-only for cached modules, and dropping the strict "no remote modules" guarantee that distinguishes the two flags.

I confirmed this on a non-vendored project with a globally-cached jsr:@std/fmt:

• today: error: JSR package manifest for '@std/fmt' failed to load. A remote specifier was requested ... but --no-remote is specified.
• with this change it would instead resolve from the global cache.

The issue is specifically about vendored jsr/npm manifests (it even notes --cached-only already covers the offline case), so suggest scoping this cache read to the vendor/local cache only — e.g. only take this path when self.http_cache is a Local (vendor) cache — so non-vendored globally-cached modules still error under --no-remote.

cc @bartlomieju — this is a --no-remote semantics change; worth a maintainer call on whether serving from the global cache is acceptable or it should be vendor-scoped.

[bartlomieju]

nit: this spec only covers the vendor case (DENO_DIR wiped). Once the scope is decided, please also pin the non-vendor boundary — a globally-cached jsr:/https: import run with --no-remote and no vendor — so the intended behavior is locked in and can't silently regress.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

---

Deepak kudi seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}