pnpm
diff --git a/‎.changeset/record-locally-resolved-lockfile-verified.md‎
Lines changed: 7 additions & 0 deletions b/‎.changeset/record-locally-resolved-lockfile-verified.md‎
Lines changed: 7 additions & 0 deletions
diff --git a/‎AGENTS.md‎
Lines changed: 17 additions & 0 deletions b/‎AGENTS.md‎
Lines changed: 17 additions & 0 deletions
diff --git a/‎installing/deps-installer/src/install/index.ts‎
Lines changed: 29 additions & 4 deletions b/‎installing/deps-installer/src/install/index.ts‎
Lines changed: 29 additions & 4 deletions
diff --git a/‎installing/deps-installer/src/install/recordLockfileVerified.ts‎
Lines changed: 36 additions & 0 deletions b/‎installing/deps-installer/src/install/recordLockfileVerified.ts‎
Lines changed: 36 additions & 0 deletions
diff --git a/‎installing/deps-installer/src/install/verifyLockfileResolutions.ts‎
Lines changed: 1 addition & 2 deletions b/‎installing/deps-installer/src/install/verifyLockfileResolutions.ts‎
Lines changed: 1 addition & 2 deletions
diff --git a/‎installing/deps-installer/src/install/writeLockfilesAndRecordVerified.ts‎
Lines changed: 48 additions & 0 deletions b/‎installing/deps-installer/src/install/writeLockfilesAndRecordVerified.ts‎
Lines changed: 48 additions & 0 deletions
diff --git a/‎installing/deps-installer/src/install/writeWantedLockfileAndRecordVerified.ts‎
Lines changed: 42 additions & 0 deletions b/‎installing/deps-installer/src/install/writeWantedLockfileAndRecordVerified.ts‎
Lines changed: 42 additions & 0 deletions
@@ -0,0 +1,7 @@
+---
+"@pnpm/installing.deps-installer": patch
+"@pnpm/lockfile.fs": minor
+"pnpm": patch
+---
+
+Record the post-resolution lockfile in the verification cache. Previously the cache only captured the lockfile that was loaded at the start of an install, so a flow like `pnpm install <pkg>` followed by `rm -rf node_modules && pnpm install` re-ran the per-package registry round-trip against the newly written lockfile even though the local resolver had already enforced the policy when picking those versions. The fresh lockfile is now recorded immediately after each install-time write, so the second install takes the cache fast path.
@@ -186,6 +186,23 @@ To ensure your code adheres to the style guide, run:
 pnpm run lint
 ```
 
+### Comments
+
+Write code that explains itself. A reader should understand what a function does from its name, parameters, and types — not from prose above the call site.
+
+Defaults:
+
+-   **Do not write a comment** that restates what the code already says. If renaming a variable, splitting a helper, or moving a check to a more obvious place would carry the information, do that instead.
+-   **Do not repeat documentation** at call sites that already lives on the callee. If the function has a JSDoc, the call site shouldn't re-explain what calling it does. Update the JSDoc once; let every call site benefit.
+-   **JSDoc is for the function's contract** — preconditions, postconditions, edge cases, why the function exists. Not for re-narrating the body.
+
+Write a comment only when:
+
+-   The reason for the code is non-obvious from reading it (a hidden invariant, a workaround for a known bug, a deliberate exception to the surrounding pattern).
+-   The right name doesn't fit — e.g., a temporary technical constraint that's worth flagging but doesn't justify a new symbol.
+
+Before adding a comment, ask: "Could I rename, restructure, or extract instead?" If yes, do that. The bar for prose-in-code is high; the bar for prose-that-restates-code is "don't."
+
 ## Common Gotchas
 
 ### Error Type Checking in Jest (TypeScript only)
 
@@ -42,6 +42,7 @@ import { writeModulesManifest } from '@pnpm/installing.modules-yaml'
 import {
   type CatalogSnapshots,
   cleanGitBranchLockfiles,
+  getWantedLockfileName,
   type LockfileObject,
   type ProjectSnapshot,
   readWantedLockfile,
@@ -97,6 +98,8 @@ import { linkPackages } from './link.js'
 import { reportPeerDependencyIssues } from './reportPeerDependencyIssues.js'
 import { validateModules } from './validateModules.js'
 import { verifyLockfileResolutions } from './verifyLockfileResolutions.js'
+import { writeLockfilesAndRecordVerified } from './writeLockfilesAndRecordVerified.js'
+import { writeWantedLockfileAndRecordVerified } from './writeWantedLockfileAndRecordVerified.js'
 
 class LockfileConfigMismatchError extends PnpmError {
   constructor (outdatedLockfileSettingName: string) {
@@ -358,10 +361,17 @@ export async function mutateModules (
   // resolver's own filters already cover fresh resolution. We run this
   // exactly once, right after the lockfile is loaded from disk, before any
   // path branches.
+  const cacheActive = opts.cacheDir != null && opts.resolutionVerifiers.length > 0
+  const wantedLockfilePath = cacheActive
+    ? path.resolve(ctx.lockfileDir, await getWantedLockfileName({
+      useGitBranchLockfile: opts.useGitBranchLockfile,
+      mergeGitBranchLockfiles: opts.mergeGitBranchLockfiles,
+    }))
+    : undefined
   try {
     await verifyLockfileResolutions(ctx.wantedLockfile, opts.resolutionVerifiers, {
       cacheDir: opts.cacheDir,
-      lockfilePath: path.resolve(ctx.lockfileDir, WANTED_LOCKFILE),
+      lockfilePath: wantedLockfilePath,
     })
   } catch (err) {
     // verifyLockfileResolutions is the one throw site in this function
@@ -1657,11 +1667,13 @@ const _installInContext: InstallFunction = async (projects, ctx, opts) => {
     const currentLockfileDir = path.join(ctx.rootModulesDir, '.pnpm')
     await Promise.all([
       opts.useLockfile && opts.saveLockfile
-        ? writeLockfiles({
+        ? writeLockfilesAndRecordVerified({
           currentLockfile: result.currentLockfile,
           currentLockfileDir,
           wantedLockfile: newLockfile,
           wantedLockfileDir: ctx.lockfileDir,
+          cacheDir: opts.cacheDir,
+          resolutionVerifiers: opts.resolutionVerifiers,
           ...lockfileOpts,
         })
         : writeCurrentLockfile(ctx.virtualStoreDir, result.currentLockfile),
@@ -1716,7 +1728,13 @@ const _installInContext: InstallFunction = async (projects, ctx, opts) => {
     }
   } else {
     if (opts.useLockfile && opts.saveLockfile && !isInstallationOnlyForLockfileCheck) {
-      await writeWantedLockfile(ctx.lockfileDir, newLockfile, lockfileOpts)
+      await writeWantedLockfileAndRecordVerified({
+        lockfileDir: ctx.lockfileDir,
+        lockfile: newLockfile,
+        cacheDir: opts.cacheDir,
+        resolutionVerifiers: opts.resolutionVerifiers,
+        ...lockfileOpts,
+      })
     }
 
     if (opts.nodeLinker !== 'hoisted') {
@@ -2264,7 +2282,14 @@ async function installFromPnpmRegistry (
       storeIndex.close()
     }
 
-    await writeWantedLockfile(lockfileDir, lockfile)
+    await writeWantedLockfileAndRecordVerified({
+      lockfileDir,
+      lockfile,
+      cacheDir: opts.cacheDir,
+      resolutionVerifiers: opts.resolutionVerifiers,
+      useGitBranchLockfile: opts.useGitBranchLockfile,
+      mergeGitBranchLockfiles: opts.mergeGitBranchLockfiles,
+    })
 
     logger.info({
       message: `Resolved ${agentStats.totalPackages} packages: ${agentStats.alreadyInStore} cached, ${agentStats.filesToDownload} files to download`,
 
@@ -0,0 +1,36 @@
+import { hashObject } from '@pnpm/crypto.object-hasher'
+import type { LockfileObject } from '@pnpm/lockfile.fs'
+import type { ResolutionVerifier } from '@pnpm/resolving.resolver-base'
+
+import { recordVerification } from './verifyLockfileResolutionsCache.js'
+
+export interface RecordLockfileVerifiedOptions {
+  cacheDir?: string
+  /** Absolute path of the lockfile the next install will read.
+   *  Under `useGitBranchLockfile` this is the branch-suffixed name. */
+  lockfilePath: string
+  /** The writer's canonical return value — see {@link writeWantedLockfile}.
+   *  Passing the raw in-memory write object would record a hash the
+   *  next install can't match (YAML drops undefined fields). */
+  lockfile: LockfileObject
+  resolutionVerifiers: readonly ResolutionVerifier[] | undefined
+}
+
+/**
+ * Records the post-resolution lockfile as verified so the next install
+ * skips the registry round-trip. Skipping is safe: fresh local picks
+ * are filtered by the resolver (see
+ * `resolving/npm-resolver/src/pickPackage.ts`) and carried-over entries
+ * already passed the gate at the top of `mutateModules`, so the
+ * recorded lockfile is policy-clean by construction.
+ */
+export function recordLockfileVerified (opts: RecordLockfileVerifiedOptions): void {
+  if (!opts.cacheDir) return
+  if (!opts.resolutionVerifiers?.length) return
+  if (!opts.lockfile.packages) return
+  recordVerification(opts.cacheDir, {
+    lockfilePath: opts.lockfilePath,
+    verifiers: opts.resolutionVerifiers,
+    hashLockfile: () => hashObject(opts.lockfile),
+  })
+}
@@ -97,8 +97,7 @@ export async function verifyLockfileResolutions (
   // miss the precomputed stat+hash flow to recordVerification.
   type Precomputed = ReturnType<typeof tryLockfileVerificationCache>['precomputed']
   let cachePrecomputed: Precomputed | undefined
-  // hashObject is streaming (no "Invalid string length" on huge lockfiles)
-  // and key-order-stable, which JSON.stringify is not.
+  // hashObject streams and is key-order-stable, unlike JSON.stringify.
   let cachedHash: string | undefined
   const hashLockfile = (): string => {
     if (cachedHash == null) cachedHash = hashObject(lockfile)
 
@@ -0,0 +1,48 @@
+import path from 'node:path'
+
+import { getWantedLockfileName, type LockfileObject, writeLockfiles, type WriteLockfilesResult } from '@pnpm/lockfile.fs'
+import type { ResolutionVerifier } from '@pnpm/resolving.resolver-base'
+
+import { recordLockfileVerified } from './recordLockfileVerified.js'
+
+export interface WriteLockfilesAndRecordVerifiedOptions {
+  wantedLockfile: LockfileObject
+  wantedLockfileDir: string
+  currentLockfile: LockfileObject
+  currentLockfileDir: string
+  useGitBranchLockfile?: boolean
+  mergeGitBranchLockfiles?: boolean
+  cacheDir?: string
+  resolutionVerifiers: readonly ResolutionVerifier[] | undefined
+}
+
+/** Plural counterpart of {@link writeWantedLockfileAndRecordVerified}. */
+export async function writeLockfilesAndRecordVerified (
+  opts: WriteLockfilesAndRecordVerifiedOptions
+): Promise<WriteLockfilesResult> {
+  const cacheActive = opts.cacheDir != null && (opts.resolutionVerifiers?.length ?? 0) > 0
+  const wantedLockfileName = cacheActive
+    ? await getWantedLockfileName({
+      useGitBranchLockfile: opts.useGitBranchLockfile,
+      mergeGitBranchLockfiles: opts.mergeGitBranchLockfiles,
+    })
+    : undefined
+  const written = await writeLockfiles({
+    wantedLockfile: opts.wantedLockfile,
+    wantedLockfileDir: opts.wantedLockfileDir,
+    currentLockfile: opts.currentLockfile,
+    currentLockfileDir: opts.currentLockfileDir,
+    useGitBranchLockfile: opts.useGitBranchLockfile,
+    mergeGitBranchLockfiles: opts.mergeGitBranchLockfiles,
+    wantedLockfileName,
+  })
+  if (cacheActive) {
+    recordLockfileVerified({
+      cacheDir: opts.cacheDir,
+      lockfilePath: path.resolve(opts.wantedLockfileDir, wantedLockfileName!),
+      lockfile: written.wantedLockfile,
+      resolutionVerifiers: opts.resolutionVerifiers,
+    })
+  }
+  return written
+}
@@ -0,0 +1,42 @@
+import path from 'node:path'
+
+import { getWantedLockfileName, type LockfileObject, writeWantedLockfile } from '@pnpm/lockfile.fs'
+import type { ResolutionVerifier } from '@pnpm/resolving.resolver-base'
+
+import { recordLockfileVerified } from './recordLockfileVerified.js'
+
+export interface WriteWantedLockfileAndRecordVerifiedOptions {
+  lockfileDir: string
+  lockfile: LockfileObject
+  cacheDir?: string
+  resolutionVerifiers: readonly ResolutionVerifier[] | undefined
+  useGitBranchLockfile?: boolean
+  mergeGitBranchLockfiles?: boolean
+}
+
+/** Combines {@link writeWantedLockfile} and {@link recordLockfileVerified} — see each for semantics. */
+export async function writeWantedLockfileAndRecordVerified (
+  opts: WriteWantedLockfileAndRecordVerifiedOptions
+): Promise<LockfileObject> {
+  const cacheActive = opts.cacheDir != null && (opts.resolutionVerifiers?.length ?? 0) > 0
+  const lockfileName = cacheActive
+    ? await getWantedLockfileName({
+      useGitBranchLockfile: opts.useGitBranchLockfile,
+      mergeGitBranchLockfiles: opts.mergeGitBranchLockfiles,
+    })
+    : undefined
+  const written = await writeWantedLockfile(opts.lockfileDir, opts.lockfile, {
+    useGitBranchLockfile: opts.useGitBranchLockfile,
+    mergeGitBranchLockfiles: opts.mergeGitBranchLockfiles,
+    lockfileName,
+  })
+  if (cacheActive) {
+    recordLockfileVerified({
+      cacheDir: opts.cacheDir,
+      lockfilePath: path.resolve(opts.lockfileDir, lockfileName!),
+      lockfile: written,
+      resolutionVerifiers: opts.resolutionVerifiers,
+    })
+  }
+  return written
+}