Background
PR #11481 fixed GHSA — pnpm did not store integrity for git-hosted tarballs, so codeload.github.com / gitlab / bitbucket downloads can no longer be silently swapped on subsequent installs. The FUSE daemon still has one upgrade-compat fallback that should go away in v12 once lockfile regeneration is forced.
Code to remove
Tagged TODO(v12) in the source:
modules-mounter/daemon/src/createFuseHandlers.ts:

```ts
// TODO(v12): once lockfile regeneration is forced, every git-hosted
// tarball will carry integrity; drop the gitHostedStoreIndexKey fallback
// and inline storeIndexKey(integrity, pkgId).
const pkgIndexFilePath = integrity
  ? storeIndexKey(integrity, pkgId)
  : gitHostedStoreIndexKey(pkgId, { built: true })
```
The fallback lets the daemon serve git-hosted packages from older lockfiles that don't record integrity. After v12 forces regeneration, the integrity branch is the only valid one — remove the conditional and the gitHostedStoreIndexKey import.
Acceptance
- TODO(v12) marker above removed.
- No regression in FUSE / install tests touching git-hosted tarballs.
Written by an agent (Claude Code, claude-opus-4-7).
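To see which lockfile entries would still take the no-integrity fallback described above, a lockfile can be audited before the upgrade. The following is an added example, not code from pnpm or from this issue. It assumes each `resolution` is written as a single-line flow mapping, that the git hosts are `codeload.github.com`, `gitlab.com` and `bitbucket.org`, and uses a constructed sample lockfile with placeholder package names and hashes.

```typescript
// Added example (not pnpm code): list git-hosted tarball entries in a
// pnpm lockfile whose resolution carries no integrity value.
// Assumption: host names for the "gitlab / bitbucket" sources the issue mentions.
const GIT_HOSTS: string[] = ['codeload.github.com', 'gitlab.com', 'bitbucket.org']

interface Finding { pkg: string; tarball: string }

function hostOf(url: string): string {
  const m = /^https?:\/\/([^\/:]+)/.exec(url)
  return m ? m[1].toLowerCase() : ''
}

function findUnpinnedGitTarballs(lockfile: string): Finding[] {
  const findings: Finding[] = []
  let pkg = ''
  for (const line of lockfile.split(/\r?\n/)) {
    // Assumption: package keys sit at two-space indent and end with ':'.
    const key = /^ {2}(\S.*):\s*$/.exec(line)
    if (key) { pkg = key[1].replace(/^['"]|['"]$/g, ''); continue }
    // Assumption: resolution is a one-line flow mapping, e.g. {tarball: ...}.
    const res = /^\s+resolution:\s*\{(.*)\}\s*$/.exec(line)
    if (!res) continue
    const tarball = /(?:^|,\s*)tarball:\s*([^,}\s]+)/.exec(res[1])
    if (!tarball) continue
    const hasIntegrity = /(?:^|,\s*)integrity:\s*\S+/.test(res[1])
    if (GIT_HOSTS.indexOf(hostOf(tarball[1])) !== -1 && !hasIntegrity) {
      findings.push({ pkg: pkg, tarball: tarball[1] })
    }
  }
  return findings
}

// Constructed sample input: names, commit ids and hashes are placeholders.
const SAMPLE_LOCKFILE: string = [
  "lockfileVersion: '9.0'",
  'packages:',
  "  'pkg-a@https://codeload.github.com/example-org/pkg-a/tar.gz/0000000':",
  '    resolution: {tarball: https://codeload.github.com/example-org/pkg-a/tar.gz/0000000}',
  '    version: 1.0.0',
  "  'pkg-b@https://codeload.github.com/example-org/pkg-b/tar.gz/1111111':",
  '    resolution: {integrity: sha512-PLACEHOLDER==, tarball: https://codeload.github.com/example-org/pkg-b/tar.gz/1111111}',
  '    version: 2.0.0',
  '  pkg-c@3.0.0:',
  '    resolution: {integrity: sha512-PLACEHOLDER==}',
].join('\n')

const sampleFindings: Finding[] = findUnpinnedGitTarballs(SAMPLE_LOCKFILE)
```

An empty result means every git-hosted tarball in the lockfile already records integrity, so none of its entries depend on the fallback.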