Remove v11→v12 git-hosted tarball migration code in pnpm v12 #11482

Description

@zkochan

Background

PR #11481 fixed GHSA — pnpm did not store integrity for git-hosted tarballs, so codeload.github.com / gitlab / bitbucket downloads can no longer be silently swapped on subsequent installs. The FUSE daemon still has one upgrade-compat fallback that should go away in v12 once lockfile regeneration is forced.

Code to remove

Tagged TODO(v12) in the source:

modules-mounter/daemon/src/createFuseHandlers.ts:

// TODO(v12): once lockfile regeneration is forced, every git-hosted
// tarball will carry integrity; drop the gitHostedStoreIndexKey fallback
// and inline storeIndexKey(integrity, pkgId).
const pkgIndexFilePath = integrity
  ? storeIndexKey(integrity, pkgId)
  : gitHostedStoreIndexKey(pkgId, { built: true })

The fallback lets the daemon serve git-hosted packages from older lockfiles that don't record integrity. After v12 forces regeneration, the integrity branch is the only valid one — remove the conditional and the gitHostedStoreIndexKey import.

Acceptance

  • TODO(v12) marker above removed.
  • No regression in FUSE / install tests touching git-hosted tarballs.

Written by an agent (Claude Code, claude-opus-4-7).
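A lockfile audit for the condition the fallback exists for, as an added example that is not pnpm's code or part of the original issue: it lists git-hosted tarball entries in a `pnpm-lock.yaml` that record no integrity, that is, the entries that would have to be regenerated before the fallback goes away. The host prefixes, the inline `resolution: {...}` layout, the function name and the sample lockfile are assumptions constructed for illustration.

```javascript
// Added example, not pnpm source. Flags git-hosted tarballs with no integrity.
// Assumption: these URL prefixes identify git-hosted tarballs.
const GIT_HOSTS = [
  'https://codeload.github.com/',
  'https://gitlab.com/',
  'https://bitbucket.org/',
];

// Constructed sample lockfile (package names, commits and hashes are made up).
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

packages:

  'demo-a@https://codeload.github.com/example-org/demo-a/tar.gz/0000000000000000000000000000000000000001':
    resolution: {tarball: https://codeload.github.com/example-org/demo-a/tar.gz/0000000000000000000000000000000000000001}

  'demo-b@https://gitlab.com/example-org/demo-b/-/archive/0000000000000000000000000000000000000002/demo-b.tar.gz':
    resolution: {integrity: sha512-CONSTRUCTED0000==, tarball: https://gitlab.com/example-org/demo-b/-/archive/0000000000000000000000000000000000000002/demo-b.tar.gz}

  demo-c@2.0.0:
    resolution: {integrity: sha512-CONSTRUCTED0001==}
`;

function findUnpinnedGitTarballs(lockfileText) {
  const missing = [];
  let pkgKey = null;
  for (const line of lockfileText.split(/\r?\n/)) {
    // Package keys sit at a two-space indent and end with a colon.
    const key = /^ {2}(\S.*):\s*$/.exec(line);
    if (key) { pkgKey = key[1].replace(/^['"]|['"]$/g, ''); continue; }
    // Only the single-line flow-mapping form of `resolution` is handled here.
    const res = /^ {4}resolution:\s*\{(.*)\}\s*$/.exec(line);
    if (!res || pkgKey === null) continue;
    const tarball = /(?:^|,\s*)tarball:\s*([^,}\s]+)/.exec(res[1]);
    if (!tarball) continue; // registry package: no tarball URL recorded
    const url = tarball[1].replace(/^['"]|['"]$/g, '');
    const gitHosted = GIT_HOSTS.some((host) => url.startsWith(host));
    const hasIntegrity = /(?:^|,\s*)integrity:\s*\S+/.test(res[1]);
    if (gitHosted && !hasIntegrity) missing.push({ pkg: pkgKey, tarball: url });
  }
  return missing;
}

console.log(JSON.stringify(findUnpinnedGitTarballs(SAMPLE_LOCKFILE), null, 2));
```

An empty result means every git-hosted entry the scanner recognised already carries integrity; a non-empty one names the packages to re-resolve.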
