Skip to content

fix(release/10): fail by default when a tarball does not match the locked integrity#11985

Merged
zkochan merged 1 commit into
release/10from
release/10-update-checksum
May 27, 2026
Merged

fix(release/10): fail by default when a tarball does not match the locked integrity#11985
zkochan merged 1 commit into
release/10from
release/10-update-checksum

Conversation

@zkochan

@zkochan zkochan commented May 27, 2026

Copy link
Copy Markdown
Member

Summary

Backport of #11968 to release/10. pnpm install (non-frozen) used to react to ERR_PNPM_TARBALL_INTEGRITY by logging the error, silently re-resolving from the registry, and overwriting the locked integrity. The lockfile's integrity was effectively advisory by default — a compromised registry, proxy, or republished version could substitute attacker-controlled content on a clean machine even though the project shipped a committed pnpm-lock.yaml.

Integrity mismatches against the lockfile now fail by default.

The only opt-in is pnpm install --update-checksums — a new flag, narrowly scoped to refreshing the locked integrity values. Mirrors yarn's flag of the same name. A warning still prints when the bypass takes effect so the rewrite stays auditable.

--force and pnpm update deliberately do not bypass the integrity check. They are routine refresh operations; silently overwriting a locked integrity in those flows would erase the protection a committed lockfile is supposed to provide. --frozen-lockfile behavior is unchanged. --fix-lockfile keeps its documented purpose (filling in missing lockfile entries) and is also not a bypass.

--update-checksums also bypasses the resolver's on-disk metadata cache fast path (pickPackage.ts). Without that, a stale on-disk packument that already contained the pinned version would short-circuit the registry entirely and the flag would silently no-op on dev machines.

Differences from #11968

The path layout in release/10 predates the installing/ refactor in main, so this PR touches the v10 equivalents:

main release/10
installing/commands/ pkg-manager/plugin-commands-installation/
installing/deps-installer/ pkg-manager/core/
installing/deps-resolver/ pkg-manager/resolve-dependencies/
store/controller-types/ store/store-controller-types/

Pacquet changes from #11968 are out of scope (not in v10).

One v10-specific extra change: pkg-manager/package-requester/src/packageRequester.ts gained && !options.updateChecksums on the skipResolution guard. In main, the package-requester was refactored to always run resolution (so the cache-bypass in pickPackage always applies). In release/10, the skipResolution short-circuit is still in place — without this extra check, --update-checksums would silently no-op on retry because the resolver is never called. The brokenLockfileIntegrity tests caught this.

Test plan

  • pnpm --filter @pnpm/core test test/brokenLockfileIntegrity.ts — passes (covers plain install fails, --update-checksums recovers, --force still fails)
  • pnpm --filter @pnpm/core test test/install/fixLockfile.ts — passes (--fix-lockfile semantics unchanged)
  • pnpm --filter @pnpm/npm-resolver test — 132 pass
  • pnpm --filter @pnpm/tarball-fetcher test — 22 pass
  • pnpm --filter @pnpm/package-requester test — 21 pass
  • pnpm --filter @pnpm/plugin-commands-installation test test/install.ts — passes
  • CI green

Written by an agent (Claude Code, claude-opus-4-7).

Backport of #11968 to release/10. Treats tarball-integrity mismatches
against the lockfile as a hard failure by default; `--update-checksums`
is the only opt-in. `--force` and `pnpm update` deliberately do not
bypass the integrity check.

🤖 Written by an agent (Claude Code, claude-opus-4-7).
@zkochan zkochan merged commit 6c0f294 into release/10 May 27, 2026
3 of 14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant