Skip to content

perf(pnpr): shrink the abbreviated packuments served to clients#12163

Merged
zkochan merged 5 commits into
mainfrom
pnpr-shrink-abbreviated-packument
Jun 3, 2026
Merged

perf(pnpr): shrink the abbreviated packuments served to clients#12163
zkochan merged 5 commits into
mainfrom
pnpr-shrink-abbreviated-packument

Conversation

@zkochan

@zkochan zkochan commented Jun 3, 2026

Copy link
Copy Markdown
Member

What

When pnpr proxies a registry, trim the application/vnd.npm.install-v1+json packument down to only the fields the pnpm and pacquet resolvers actually read, so clients download, parse, and cache less metadata.

Only the abbreviated path (Accept: application/vnd.npm.install-v1+json) is affected; full-document clients are untouched.

Dropped (never read during resolution)

  • top-level: readme, readmeFilename, _id, _revreadme is the dominant per-packument bloat (full README text) and npm's own abbreviated format never carried it.
  • per-version: funding, devDependencies, acceptDependencies, _hasShrinkwrap. A dependency's devDependencies are never installed, so the resolver has no use for them.
  • per-version dist["npm-signature"] — npm's deprecated PGP detached signature. npm stopped populating it years ago and nothing in pnpm or pacquet reads it.
  • per-version dist.fileCount — read nowhere in pnpm or pacquet.
  • per-version dist.unpackedSize — read only by pnpm view, which fetches the full metadata document (fullMetadata: true) that pnpr serves unstripped.
  • per-version dist.shasum when dist.integrity is present. Both pnpm (getIntegrity) and pacquet prefer SRI integrity and only fall back to the legacy sha1 shasum when integrity is absent, so shipping both is a redundant hash on every version. shasum is kept when integrity is absent (pre-2017 publishes) so the getIntegrity fallback still has a hash.

Deliberately kept

  • time (top-level publish timestamps). npm's own abbreviated form omits it, but pnpr retains it because pnpm/pacquet read it for the minimumReleaseAge check.
  • dist.signatures (ECDSA registry signatures). It binds name@version:integrity to the upstream registry's signing key and survives pnpr's dist.tarball rewriting (the signature covers the triple, not the URL). Nothing verifies it at install time today — pnpm audit signatures fetches its own full metadata — but keeping it leaves the door open to an optional client-side install-time registry-signature check, which is most valuable precisely on the pnpr path (an extra trust hop).
  • dist.attestations — read by pacquet's trustPolicy verifier.

Fixed along the way

Per-version libc is now forwarded alongside os/cpu — it was previously stripped. pnpm reads libc for optional-dependency platform filtering (#9950), so omitting it produced wrong installs through pnpr.

Impact (measured)

Compact JSON size of the abbreviated packument, before vs. after this PR, on real registry metadata:

Package Versions Before After Reduction
typescript 3760 8379 KB 1985 KB 76%
webpack 875 1974 KB 824 KB 58%
@types/node 2336 2249 KB 995 KB 55%
chalk 43 46 KB 21 KB 53%
react 2817 2735 KB 1509 KB 44%
express 288 331 KB 240 KB 27%
lodash 117 67 KB 49 KB 26%
aggregate 15.4 MB 5.5 MB 64%

Where the savings come from (react, % of the before size):

Field dropped Share
dist["npm-signature"] 36.0%
dist.shasum (integrity present) 5.2%
dist.unpackedSize 2.1%
dist.fileCount 1.4%
funding / devDependencies / etc. <0.1%

dist["npm-signature"] dominates. (dist.signatures, kept, is a further ~18% that this PR intentionally leaves in place.)

Methodology note: the table simulates the per-version and dist trims against npm's already-abbreviated metadata, which does not contain top-level readme/_id/_rev. pnpr fetches the full upstream document and abbreviates it, so the real reduction is at least the figures above plus the full README text that is additionally dropped at the top level.

The win lands on the proxy/registry path (where the client still resolves locally); it does not affect the /v1/install accelerator path, where the client never receives a packument.

Follow-up

Dropping dist.tarball (a further ~8% on react) is tracked separately in #12164 — it first needs pnpm and pacquet to reconstruct the URL when it is absent.

Safety

  • Verified against the pnpm TS resolver: none of the dropped fields are read during resolution; getIntegrity returns integrity outright when present; dist.signatures / npm-signature / unpackedSize are consumed only by commands (audit signatures, view) that fetch their own full metadata, which pnpr serves unstripped.
  • pacquet's PackageVersion has #[serde(default)] on dev_dependencies and ignores shasum / signature / size fields, so a pacquet-as-client deserialization stays valid.

Tests

  • New unit tests in upstream/tests.rs: one asserts every dropped field is gone (incl. npm-signature, fileCount, unpackedSize, and shasum-when-integrity-present) while os/cpu/libc, time, and dist.signatures survive; another asserts shasum is kept when integrity is absent.
  • Updated registry_mock.rs to assert readme/readmeFilename are dropped.
  • All pnpr lib + integration tests pass; clippy and dylint clean.

No changeset (pnpr is a Rust binary, not a published npm package).


Written by an agent (Claude Code, claude-opus-4-8).

Summary by CodeRabbit

  • Bug Fixes

    • Optimized package manifest format to reduce size by removing unnecessary internal fields and streamlining distribution metadata.
  • Tests

    • Added comprehensive test coverage for manifest optimization behavior.

Review Change Stack

zkochan added 2 commits June 3, 2026 12:15
When pnpr proxies a registry, trim the `application/vnd.npm.install-v1+json`
packument down to only the fields the pnpm and pacquet resolvers actually
read, so clients download, parse, and cache less metadata.

Dropped (never read during resolution):
- top-level `readme`, `readmeFilename`, `_id`, `_rev`
- per-version `funding`, `devDependencies`, `acceptDependencies`,
  `_hasShrinkwrap`
- per-version `dist.shasum` when `dist.integrity` is present (the
  resolvers prefer SRI integrity and only fall back to the legacy sha1
  shasum when integrity is absent, so shipping both is redundant)

`shasum` is kept when `integrity` is absent (pre-2017 publishes) so
pnpm's getIntegrity fallback still has a hash.

Also forwards per-version `libc` alongside `os`/`cpu`, which was
previously stripped — pnpm reads it for optional-dependency platform
filtering (#9950), so omitting it produced wrong installs through pnpr.
Satisfies the perfectionist::bare-issue-reference dylint.
@coderabbitai

coderabbitai Bot commented Jun 3, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro Plus

Run ID: 730a9adc-03f6-4959-8a2e-39086076435e

📥 Commits

Reviewing files that changed from the base of the PR and between a71a2d9 and 3c94c5e.

📒 Files selected for processing (2)
  • pnpr/crates/pnpr/src/upstream.rs
  • pnpr/crates/pnpr/src/upstream/tests.rs
📜 Recent review details
🧰 Additional context used
📓 Path-based instructions (1)
pnpr/**/pnpr/**/*.rs

📄 CodeRabbit inference engine (pnpr/AGENTS.md)

pnpr/**/pnpr/**/*.rs: Follow the pacquet code-style guide (../pacquet/CODE_STYLE_GUIDE.md) for Rust-level conventions including imports, naming, ownership, and error handling
Follow the pacquet contributing guide (../pacquet/CONTRIBUTING.md) for test layout and Rust conventions

Files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
  • pnpr/crates/pnpr/src/upstream.rs
🧠 Learnings (24)
📓 Common learnings
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-25T12:36:42.202Z
Learning: User-visible changes (CLI flags, defaults, environment variables, lockfile/manifest/state-file formats, error codes/messages, log emissions, store layout, hook semantics) in pnpm must be mirrored to pacquet in the same PR
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11784
File: pacquet/crates/resolving-deps-resolver/src/hoist_peers.rs:120-133
Timestamp: 2026-05-20T23:08:06.093Z
Learning: Pacquet (pnpm's Rust port) has a cardinal rule: "match pnpm exactly — do not fix pnpm quirks unless the same fix has landed in pnpm first." Review comments should not suggest behavioral deviations from upstream pnpm, even when the upstream behavior appears buggy. If a real bug is identified, it must be fixed upstream first.
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11729
File: pacquet/crates/resolving-npm-resolver/src/fetch_attestation_published_at.rs:55-57
Timestamp: 2026-05-18T20:35:22.917Z
Learning: In `pacquet/crates/resolving-npm-resolver/src/fetch_attestation_published_at.rs`, the npm attestation endpoint (`/-/npm/v1/attestations/{pkg_name}@{version}`) intentionally does NOT percent-encode the package name — the endpoint accepts literal `/` in scoped package names (e.g. `scope/pkg`). This matches upstream pnpm's `fetchAttestationPublishedAt.ts` behavior. Do not flag missing URL encoding here. By contrast, the full-metadata fetch paths (`fetch_full_metadata`, `fetch_full_metadata_cached`) DO percent-encode via the `registry_url::to_registry_url` helper, matching upstream's `toUri` behavior.
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11915
File: pacquet/crates/resolving-deps-resolver/src/resolve_dependency_tree.rs:553-617
Timestamp: 2026-05-24T21:11:04.272Z
Learning: In the pacquet Rust port (pnpm/pnpm repo), the `ResolvedPackage.optional` AND-folding on revisit intentionally mirrors pnpm's `resolveDependencies.ts:1627-1648` behavior: only the directly-revisited package's `optional` flag is updated; transitive descendants are not re-walked. pnpm CLI corrects stale optional flags downstream via `copyDependencySubGraph` BFS in `lockfile/pruner/src/index.ts:160-205`, which tracks a `nonOptional` set and re-stamps any package reachable by an all-non-optional path. Pacquet does not yet have this pruner equivalent, so the stale flags flow directly through `dependencies_graph_to_lockfile.rs:409` → `create_virtual_store.rs:762` → `installability.rs:394`. A follow-up to port `copyDependencySubGraph` is planned; until then, do not flag the resolver-layer optional propagation gap as a bug in pacquet PRs — it is intentional parity with pnpm's resolver layer.
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11878
File: resolving/npm-resolver/src/createNpmResolutionVerifier.ts:381-418
Timestamp: 2026-05-23T17:30:06.849Z
Learning: In `resolving/npm-resolver/src/pickPackage.ts` (pnpm/pnpm), the resolver's `PackageMetaCache` keys by `name` (abbreviated) and `name:full` (full metadata) only — no registry component is included. This is a pre-existing limitation meaning that if two different registries serve packages of the same name in one install, the cache will only hold the first fetched entry. The `createNpmResolutionVerifier.ts` shares this same cache and inherits the limitation; a `validateSharedMeta` name-check guards against cross-package contamination but cannot distinguish same-named packages from different registries. Tightening to a registry-qualified key would require a coordinated change to the resolver's cache key shape. The Pacquet/Rust side is already registry-qualified (`{registry}\x00{name}:full`).
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11755
File: pacquet/crates/resolving-npm-resolver/src/pick_package_from_meta.rs:193-200
Timestamp: 2026-05-20T01:52:55.764Z
Learning: In `pacquet/crates/resolving-npm-resolver/src/pick_package_from_meta.rs`, the package-level `modified` shortcut for the maturity/minimumReleaseAge filter uses inclusive `<=` (not strict `<`) when comparing `modified_date <= cutoff`. This mirrors the corrected behavior in pnpm (fixed in ab4c96ead5). The reasoning: `modified` is "last modification time," which is an upper bound on every version's `time[v]`. The per-version maturity filter uses `<=` (a version published exactly at the cutoff is mature). Since `modified == cutoff` means every version satisfies the per-version filter, the abbreviated-metadata fast path should accept this case rather than forcing a full-metadata re-fetch or raising `MissingTime`. The same fix was applied to pnpm TS: `pickPackage.ts` (×2) and `pickPackageFromMeta.ts`.
Learnt from: KSXGitHub
Repo: pnpm/pnpm PR: 12093
File: pacquet/crates/cli/src/cli_args/run/recursive.rs:290-315
Timestamp: 2026-06-01T08:59:42.161Z
Learning: In pacquet's recursive run implementation (`pacquet/crates/cli/src/cli_args/run/recursive.rs`), the `pnpm-exec-summary.json` format for failed package entries correctly includes `prefix` and `message` fields in addition to `status` and `duration`. This matches pnpm's `ActionFailure` variant in `cli/utils/src/recursiveSummary.ts` and the direct serialization in `exec/commands/src/exec.ts`. There is no `ExecutionStatusInSummary` type in pnpm. The only intentional divergence is omitting the JS `error` field, whose `JSON.stringify` output is non-deterministic due to non-enumerable `Error` properties.
Learnt from: zkochan
Repo: pnpm/pnpm PR: 12134
File: pacquet/crates/resolving-npm-resolver/src/create_npm_resolution_verifier.rs:311-325
Timestamp: 2026-06-02T13:18:26.437Z
Learning: In pacquet's lockfile resolution verifier (`pacquet/crates/resolving-npm-resolver/src/create_npm_resolution_verifier.rs`), URL-keyed tarball dependencies do NOT need a separate `non_semver_version` field in `VerifyCtx`. Unlike the TypeScript side (which derives `version` from `snapshot.version` and threads `nonSemverVersion` separately), pacquet's `collect_candidates` takes `version` from the lockfile key suffix. For a URL-keyed dep the key is `name@<url>`, so `ctx.version` is the URL string, which fails `node_semver::Version::parse(ctx.version)` and the existing guard `if node_semver::Version::parse(ctx.version).is_err() { return ResolutionVerification::Ok; }` already skips the registry lookup correctly. Adding a `non_semver_version` field to `VerifyCtx` for this purpose would be inert.
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.354Z
Learning: Reference the upstream pnpm commit/PR when porting code from pnpm in commit messages
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11773
File: pacquet/crates/resolving-tarball-resolver/src/tarball_resolver.rs:115-117
Timestamp: 2026-05-20T20:41:30.632Z
Learning: In the pacquet Rust port of pnpm, the `is_http_url` helper in `pacquet/crates/resolving-tarball-resolver/src/tarball_resolver.rs` intentionally uses `bare.starts_with("http:") || bare.starts_with("https:")` (not `"http://"` / `"https://"`) to match upstream pnpm's `startsWith('http:')` / `startsWith('https:')` check byte-for-byte. Pacquet's cardinal rule (pacquet/AGENTS.md) requires matching pnpm even on quirks; malformed non-URL inputs are rejected downstream by `reqwest::Url::parse` as a `ResolveError`.
📚 Learning: 2026-05-29T18:03:15.354Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.354Z
Learning: Applies to pacquet/**/tests/**/*.rs : Port relevant pnpm tests to Rust tests whenever they translate when porting behavior from pnpm

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
📚 Learning: 2026-05-20T21:18:56.391Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11778
File: pacquet/crates/resolving-local-resolver/tests/resolve.rs:365-372
Timestamp: 2026-05-20T21:18:56.391Z
Learning: In `pacquet/crates/resolving-local-resolver/tests/resolve.rs`, the test `fail_when_resolving_from_not_existing_directory_an_injected_dependency` intentionally uses `injected: false`. The test is a verbatim port of the upstream pnpm TypeScript test (resolving/local-resolver/test/index.ts at ef87f3ccff). The `injected` flag only affects the file/link protocol choice for plain directory paths; when the `file:` scheme is explicit in the bare specifier, the flag has no effect on the resolution code path. The misleading test name is inherited from upstream.

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
📚 Learning: 2026-05-29T18:03:15.354Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.354Z
Learning: Applies to pacquet/**/*.rs : Tests are documentation — do not duplicate test scenarios, edge cases, failure modes, or worked examples in prose when they are already captured by tests

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
📚 Learning: 2026-05-28T16:19:30.483Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 12025
File: pacquet/crates/deps-path/src/link_path_to_peer_version.rs:0-0
Timestamp: 2026-05-28T16:19:30.483Z
Learning: In `pacquet/crates/deps-path/src/link_path_to_peer_version.rs`, the `link_path_to_peer_version` function intentionally deviates from upstream pnpm/JS behavior for non-BMP Unicode code points: the JavaScript `filenamify` v4 implementation sees UTF-16 code units and emits two surrogate fragments for a single non-BMP scalar, while the Rust port iterates `chars()` and emits one clean Unicode scalar. pnpm has no tests for non-ASCII link paths, so the behavior was undefined upstream; the Rust scalar form is the intentional, preferred behavior for pacquet.

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-20T01:52:55.764Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11755
File: pacquet/crates/resolving-npm-resolver/src/pick_package_from_meta.rs:193-200
Timestamp: 2026-05-20T01:52:55.764Z
Learning: In `pacquet/crates/resolving-npm-resolver/src/pick_package_from_meta.rs`, the package-level `modified` shortcut for the maturity/minimumReleaseAge filter uses inclusive `<=` (not strict `<`) when comparing `modified_date <= cutoff`. This mirrors the corrected behavior in pnpm (fixed in ab4c96ead5). The reasoning: `modified` is "last modification time," which is an upper bound on every version's `time[v]`. The per-version maturity filter uses `<=` (a version published exactly at the cutoff is mature). Since `modified == cutoff` means every version satisfies the per-version filter, the abbreviated-metadata fast path should accept this case rather than forcing a full-metadata re-fetch or raising `MissingTime`. The same fix was applied to pnpm TS: `pickPackage.ts` (×2) and `pickPackageFromMeta.ts`.

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-29T18:03:15.354Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.354Z
Learning: Applies to pacquet/**/tests/**/*.rs : Use snapshot tests with `insta` and carefully review diffs when intentional changes alter snapshots; accept with `cargo insta review` only after careful review

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
📚 Learning: 2026-05-29T18:03:15.354Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.354Z
Learning: Applies to pacquet/**/tests/**/*.rs : Tests that need the mocked registry should start `pnpr` through `pacquet-testing-utils`; `cargo test` / `cargo nextest run` should not require a separate `just registry-mock launch` step

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
📚 Learning: 2026-05-29T18:03:24.760Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pnpr/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:24.760Z
Learning: Applies to pnpr/**/pnpr/**/*.rs : Follow the pacquet contributing guide (../pacquet/CONTRIBUTING.md) for test layout and Rust conventions

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
📚 Learning: 2026-06-01T08:59:42.161Z
Learnt from: KSXGitHub
Repo: pnpm/pnpm PR: 12093
File: pacquet/crates/cli/src/cli_args/run/recursive.rs:290-315
Timestamp: 2026-06-01T08:59:42.161Z
Learning: In pacquet's recursive run implementation (`pacquet/crates/cli/src/cli_args/run/recursive.rs`), the `pnpm-exec-summary.json` format for failed package entries correctly includes `prefix` and `message` fields in addition to `status` and `duration`. This matches pnpm's `ActionFailure` variant in `cli/utils/src/recursiveSummary.ts` and the direct serialization in `exec/commands/src/exec.ts`. There is no `ExecutionStatusInSummary` type in pnpm. The only intentional divergence is omitting the JS `error` field, whose `JSON.stringify` output is non-deterministic due to non-enumerable `Error` properties.

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-18T20:35:22.917Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11729
File: pacquet/crates/resolving-npm-resolver/src/fetch_attestation_published_at.rs:55-57
Timestamp: 2026-05-18T20:35:22.917Z
Learning: In `pacquet/crates/resolving-npm-resolver/src/fetch_attestation_published_at.rs`, the npm attestation endpoint (`/-/npm/v1/attestations/{pkg_name}@{version}`) intentionally does NOT percent-encode the package name — the endpoint accepts literal `/` in scoped package names (e.g. `scope/pkg`). This matches upstream pnpm's `fetchAttestationPublishedAt.ts` behavior. Do not flag missing URL encoding here. By contrast, the full-metadata fetch paths (`fetch_full_metadata`, `fetch_full_metadata_cached`) DO percent-encode via the `registry_url::to_registry_url` helper, matching upstream's `toUri` behavior.

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-20T13:36:20.653Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11768
File: pacquet/crates/crypto-hash/src/lib.rs:63-69
Timestamp: 2026-05-20T13:36:20.653Z
Learning: In `pacquet/crates/crypto-hash/src/lib.rs`, `shorten_virtual_store_name` intentionally produces a 33-byte `"_<32-hex>"` result even when `max_length < 33`. This mirrors pnpm's upstream `depPathToFilename` (deps/path/src/index.ts), where JavaScript's `String.prototype.substring(0, negative)` clamps to 0, giving an empty prefix and the full `"_<hash>"` suffix. Do not suggest capping to `max_length` for small values — it would diverge from the on-disk naming contract. The upstream test suite only exercises `max_length = 120`; values below ~50 are self-defeating in practice.

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-23T16:55:36.507Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11878
File: pacquet/crates/cli/tests/lockfile_verification.rs:158-162
Timestamp: 2026-05-23T16:55:36.507Z
Learning: In `pacquet/crates/cli/tests/lockfile_verification.rs`, the `trust_lockfile_skips_verification` and `trust_lockfile_cli_flag_skips_verification` tests intentionally do NOT assert `output.status.success()`. The hand-rolled fixture lockfile uses a placeholder integrity hash (`sha512-AAA…`), so the install always fails the downstream tarball integrity check regardless of the supply-chain gate. The contract being tested is "gate-skipped, not install-succeeded"; asserting success would require generating a real lockfile via the `generate_lockfile` pattern (see `hoist.rs`) which is considered not worth the extra wiring for an opt-out smoke test.

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-06-02T13:18:26.437Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 12134
File: pacquet/crates/resolving-npm-resolver/src/create_npm_resolution_verifier.rs:311-325
Timestamp: 2026-06-02T13:18:26.437Z
Learning: In pacquet's lockfile resolution verifier (`pacquet/crates/resolving-npm-resolver/src/create_npm_resolution_verifier.rs`), URL-keyed tarball dependencies do NOT need a separate `non_semver_version` field in `VerifyCtx`. Unlike the TypeScript side (which derives `version` from `snapshot.version` and threads `nonSemverVersion` separately), pacquet's `collect_candidates` takes `version` from the lockfile key suffix. For a URL-keyed dep the key is `name@<url>`, so `ctx.version` is the URL string, which fails `node_semver::Version::parse(ctx.version)` and the existing guard `if node_semver::Version::parse(ctx.version).is_err() { return ResolutionVerification::Ok; }` already skips the registry lookup correctly. Adding a `non_semver_version` field to `VerifyCtx` for this purpose would be inert.

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-20T23:24:24.022Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11783
File: pacquet/crates/crypto-shasums-file/src/lib.rs:156-160
Timestamp: 2026-05-20T23:24:24.022Z
Learning: In `pacquet/crates/crypto-shasums-file/src/lib.rs`, the `pick_file_checksum_from_shasums_file` function intentionally uses `format!("  {file_name}")` with **two** spaces. This matches upstream pnpm's `pickFileChecksumFromShasumsFile` which uses `` `  ${fileName}` `` (two-space template literal). Do not suggest changing to a single space — that would diverge from pnpm behavior.

Applied to files:

  • pnpr/crates/pnpr/src/upstream/tests.rs
  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-25T12:36:42.202Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: AGENTS.md:0-0
Timestamp: 2026-05-25T12:36:42.202Z
Learning: User-visible changes (CLI flags, defaults, environment variables, lockfile/manifest/state-file formats, error codes/messages, log emissions, store layout, hook semantics) in pnpm must be mirrored to pacquet in the same PR

Applied to files:

  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-20T23:08:06.093Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11784
File: pacquet/crates/resolving-deps-resolver/src/hoist_peers.rs:120-133
Timestamp: 2026-05-20T23:08:06.093Z
Learning: Pacquet (pnpm's Rust port) has a cardinal rule: "match pnpm exactly — do not fix pnpm quirks unless the same fix has landed in pnpm first." Review comments should not suggest behavioral deviations from upstream pnpm, even when the upstream behavior appears buggy. If a real bug is identified, it must be fixed upstream first.

Applied to files:

  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-24T21:11:04.272Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11915
File: pacquet/crates/resolving-deps-resolver/src/resolve_dependency_tree.rs:553-617
Timestamp: 2026-05-24T21:11:04.272Z
Learning: In the pacquet Rust port (pnpm/pnpm repo), the `ResolvedPackage.optional` AND-folding on revisit intentionally mirrors pnpm's `resolveDependencies.ts:1627-1648` behavior: only the directly-revisited package's `optional` flag is updated; transitive descendants are not re-walked. pnpm CLI corrects stale optional flags downstream via `copyDependencySubGraph` BFS in `lockfile/pruner/src/index.ts:160-205`, which tracks a `nonOptional` set and re-stamps any package reachable by an all-non-optional path. Pacquet does not yet have this pruner equivalent, so the stale flags flow directly through `dependencies_graph_to_lockfile.rs:409` → `create_virtual_store.rs:762` → `installability.rs:394`. A follow-up to port `copyDependencySubGraph` is planned; until then, do not flag the resolver-layer optional propagation gap as a bug in pacquet PRs — it is intentional parity with pnpm's resolver layer.

Applied to files:

  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-29T18:03:15.354Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.354Z
Learning: Reference the upstream pnpm commit/PR when porting code from pnpm in commit messages

Applied to files:

  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-23T17:30:06.849Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11878
File: resolving/npm-resolver/src/createNpmResolutionVerifier.ts:381-418
Timestamp: 2026-05-23T17:30:06.849Z
Learning: In `resolving/npm-resolver/src/pickPackage.ts` (pnpm/pnpm), the resolver's `PackageMetaCache` keys by `name` (abbreviated) and `name:full` (full metadata) only — no registry component is included. This is a pre-existing limitation meaning that if two different registries serve packages of the same name in one install, the cache will only hold the first fetched entry. The `createNpmResolutionVerifier.ts` shares this same cache and inherits the limitation; a `validateSharedMeta` name-check guards against cross-package contamination but cannot distinguish same-named packages from different registries. Tightening to a registry-qualified key would require a coordinated change to the resolver's cache key shape. The Pacquet/Rust side is already registry-qualified (`{registry}\x00{name}:full`).

Applied to files:

  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-24T16:07:54.784Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11904
File: pacquet/crates/package-manager/src/install.rs:556-560
Timestamp: 2026-05-24T16:07:54.784Z
Learning: In pacquet's `is_modules_yaml_consistent` (pacquet/crates/package-manager/src/install.rs), `enableGlobalVirtualStore` is intentionally NOT checked as a separate field. Upstream pnpm's `validateModules.ts` does not persist or check `enableGlobalVirtualStore` in `.modules.yaml` either. Drift on this setting is caught indirectly: toggling `enableGlobalVirtualStore` changes `config.effective_virtual_store_dir()` (GVS-on → `<store>/v11/links`, GVS-off → `<project>/node_modules/.pnpm`), so the existing `modules.virtual_store_dir == config.effective_virtual_store_dir()` comparison in `is_modules_yaml_consistent` already detects the mismatch and prevents the short-circuit. Do not flag the absence of an explicit `enableGlobalVirtualStore` field as a bug.

Applied to files:

  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-15T11:37:17.491Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11526
File: config/reader/src/loadNpmrcFiles.ts:189-195
Timestamp: 2026-05-15T11:37:17.491Z
Learning: In pnpm/pnpm `config/reader/src/loadNpmrcFiles.ts`, the `resolveEnvValue` helper intentionally diverges from `pnpm/config.env-replace`'s strict path (which uses `hasOwnProperty`) by checking `env[varName] === undefined` instead. This is deliberate: the strict path only sees `process.env` (which never holds `undefined` values), whereas `resolveEnvValue` is also called from tests that model an unset variable as `{ KEY: undefined }`. Using `=== undefined` ensures that `${VAR-default}` falls back to `default` when the variable is present but set to `undefined`, consistent with the `Record<string, string | undefined>` public API contract.

Applied to files:

  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-29T18:03:15.354Z
Learnt from: CR
Repo: pnpm/pnpm PR: 0
File: pacquet/AGENTS.md:0-0
Timestamp: 2026-05-29T18:03:15.354Z
Learning: Match how the same feature is implemented in the TypeScript pnpm CLI — any change in pacquet must match pnpm's behavior, logic, edge cases, config resolution, error messages, file/lockfile formats, and existing tests

Applied to files:

  • pnpr/crates/pnpr/src/upstream.rs
📚 Learning: 2026-05-24T21:11:04.272Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11915
File: pacquet/crates/resolving-deps-resolver/src/resolve_dependency_tree.rs:553-617
Timestamp: 2026-05-24T21:11:04.272Z
Learning: In pacquet (pnpm/pnpm repo), `ResolvedPackage.optional` AND-folding intentionally mirrors pnpm's resolveDependencies.ts:1627-1648 revisit behavior: only the directly-visited package's `optional` flag is updated on revisit, not transitive descendants. pnpm CLI corrects stale optional flags via `copyDependencySubGraph` BFS in `lockfile/pruner/src/index.ts:160-205`. Pacquet does not yet have this pruner equivalent, so raw `node.optional` flows directly into snapshot/virtual-store via `dependencies_graph_to_lockfile.rs:409` → `create_virtual_store.rs:762` → `installability.rs:394`. A follow-up issue to port `copyDependencySubGraph` is planned.

Applied to files:

  • pnpr/crates/pnpr/src/upstream.rs
🔇 Additional comments (6)
pnpr/crates/pnpr/src/upstream.rs (3)

155-182: LGTM!


187-218: LGTM!


220-251: LGTM!

pnpr/crates/pnpr/src/upstream/tests.rs (3)

103-173: LGTM!


175-196: LGTM!


198-221: LGTM!


📝 Walkthrough

Walkthrough

The PR narrows the abbreviated "install-v1" packument shape by reducing preserved top-level and per-version fields, adds a helper to prune dist subfields (dropping legacy signatures and sizes, and conditionally shasum), and updates tests to validate the new wire shape.

Changes

Packument Abbreviation and Dist Trimming

Layer / File(s) Summary
Packument field abbreviation and dist trimming
pnpr/crates/pnpr/src/upstream.rs
Updates ABBREVIATED_TOP_FIELDS to preserve only name, dist-tags, and time; adjusts ABBREVIATED_VERSION_FIELDS to drop several metadata fields and add libc; keeps modified synthesized from time.modified; and introduces trim_dist_fields to remove npm-signature, fileCount, unpackedSize, and conditionally shasum when integrity is present while retaining dist.signatures.
Test coverage for abbreviation behavior
pnpr/crates/pnpr/src/upstream/tests.rs, pnpr/crates/pnpr/tests/registry_mock.rs
Adds abbreviate_packument unit tests validating top-level and per-version field-dropping plus shasum-preservation/-removal cases, and updates an integration test to expect omission of readme/readmeFilename while preserving modified derived from time.modified.

Possibly Related PRs

  • pnpm/pnpm#11704: The updated packument abbreviation output preserving the time field to synthesize the abbreviated modified value directly supports the minimumReleaseAge shortcut that reads abbreviated metadata before falling back to full lookups.

A rabbit trims fields in tidy rows,
Hops past shasums where integrity shows;
Keeps the time, forgets the rest,
Shrinks the packument to be its best. 🐰✂️

🎯 3 (Moderate) | ⏱️ ~25 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The PR title clearly summarizes the main objective: reducing the size of abbreviated packuments served to clients by removing unnecessary fields.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
📝 Generate docstrings
  • Create stacked PR
  • Commit on current branch
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch pnpr-shrink-abbreviated-packument

Warning

Review ran into problems

🔥 Problems

Git: Failed to clone repository. Please run the @coderabbitai full review command to re-trigger a full review. If the issue persists, set path_filters to include or exclude specific files.


Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

@codecov-commenter

codecov-commenter commented Jun 3, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 91.66667% with 1 line in your changes missing coverage. Please review.
✅ Project coverage is 87.58%. Comparing base (2b788d5) to head (3c94c5e).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
pnpr/crates/pnpr/src/upstream.rs 91.66% 1 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #12163      +/-   ##
==========================================
+ Coverage   87.56%   87.58%   +0.01%     
==========================================
  Files         268      268              
  Lines       30761    30775      +14     
==========================================
+ Hits        26935    26953      +18     
+ Misses       3826     3822       -4     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

…ments

`npm-signature` is npm's deprecated PGP detached signature; npm stopped
populating it years ago and neither pnpm nor pacquet reads it. The ECDSA
`dist.signatures` is kept — it binds `name@version:integrity` to the
upstream registry key and survives pnpr's tarball-URL rewriting, so it
remains available for a potential client-side install-time check.
@zkochan zkochan marked this pull request as ready for review June 3, 2026 10:38
Copilot AI review requested due to automatic review settings June 3, 2026 10:38
@qodo-free-for-open-source-projects

Copy link
Copy Markdown

Review Summary by Qodo

Shrink abbreviated packuments by removing unused resolver fields

✨ Enhancement 🐞 Bug fix

Grey Divider

Walkthroughs

Description
• Trim abbreviated packuments to resolver-read fields only
• Drop unused top-level fields: readme, readmeFilename, _id, _rev
• Drop unused per-version fields: funding, devDependencies, acceptDependencies,
  _hasShrinkwrap
• Remove redundant dist.shasum when dist.integrity present; drop dist.npm-signature
• Add missing libc field for optional-dependency platform filtering
Diagram
flowchart LR
  A["Full Packument"] -->|abbreviate_packument| B["Trimmed Abbreviated Form"]
  B -->|drop unused fields| C["Smaller JSON"]
  B -->|keep resolver-read fields| D["Functional Metadata"]
  E["trim_dist_fields"] -->|remove npm-signature| F["Legacy PGP gone"]
  E -->|remove shasum if integrity present| G["No redundant hashes"]
  E -->|keep dist.signatures| H["ECDSA signatures preserved"]

Loading

Grey Divider

File Changes

1. pnpr/crates/pnpr/src/upstream.rs Enhancement, bug fix +44/-26

Trim packument fields to resolver requirements

• Updated ABBREVIATED_TOP_FIELDS to drop _id, _rev, readme; kept name, dist-tags, time
• Updated ABBREVIATED_VERSION_FIELDS to drop funding, devDependencies, acceptDependencies,
 _hasShrinkwrap; added libc
• Removed hardcoded readmeFilename synthesis from abbreviate_packument
• Added new trim_dist_fields function to remove npm-signature and redundant shasum when
 integrity present
• Updated comments to clarify rationale for field retention/removal

pnpr/crates/pnpr/src/upstream.rs


2. pnpr/crates/pnpr/src/upstream/tests.rs 🧪 Tests +92/-1

Add comprehensive abbreviation field trimming tests

• Added import of abbreviate_packument function
• Added abbreviation_drops_fields_the_resolver_ignores test verifying dropped fields are absent
 and kept fields present
• Added abbreviation_keeps_shasum_when_integrity_absent test for pre-2017 package fallback
 behavior
• Tests verify libc is retained, npm-signature is dropped, shasum conditional removal works

pnpr/crates/pnpr/src/upstream/tests.rs


3. pnpr/crates/pnpr/tests/registry_mock.rs 🧪 Tests +8/-5

Update integration test for dropped README fields

• Updated integration test to verify readme and readmeFilename are dropped from abbreviated form
• Changed assertion from readmeFilename == "" to verifying both fields are absent
• Updated comments to explain README prose is dominant bloat and never read during resolution

pnpr/crates/pnpr/tests/registry_mock.rs


Grey Divider

Qodo Logo

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR optimizes pnpr’s registry-proxy behavior by further shrinking abbreviated packuments (Accept: application/vnd.npm.install-v1+json) to only the metadata fields actually used by pnpm/pacquet during dependency resolution, reducing network transfer and client-side JSON parse/cache overhead while keeping full-metadata responses unchanged.

Changes:

  • Drop unused top-level and per-version fields from abbreviated packuments and synthesize modified from time.modified.
  • Preserve resolver-relevant platform fields (notably libc) for correct optional-dependency filtering.
  • Trim redundant dist subfields in abbreviated responses (e.g. remove npm-signature, and conditionally remove shasum when integrity is present), with new unit/integration tests.

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File Description
pnpr/crates/pnpr/src/upstream.rs Implements the abbreviated-packument field whitelist, adds libc, and trims dist subfields to reduce response size.
pnpr/crates/pnpr/src/upstream/tests.rs Adds unit tests asserting dropped/kept fields and shasum retention when integrity is absent.
pnpr/crates/pnpr/tests/registry_mock.rs Updates end-to-end assertions to ensure README-related fields are dropped in abbreviated responses.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread pnpr/crates/pnpr/src/upstream.rs
…d packuments

Neither is read during resolution or install. `fileCount` is read
nowhere in pnpm or pacquet; `unpackedSize` is read only by `pnpm view`,
which fetches the full metadata document (`fullMetadata: true`) that
pnpr serves unstripped. On a large packument like react's the two sizes
account for ~3.5% of the abbreviated payload.

`dist.signatures` (the ECDSA registry signatures, ~18% of react's
metadata) is kept: a future client-side install-time check on the pnpr
path can verify against it.
Match pnpm's `getIntegrity` truthiness (`if (dist.integrity)`): an
absent, empty, or non-string `integrity` must keep `shasum` so the sha1
fallback still works. The previous check only excluded null, so
`integrity: ""` would wrongly strip the fallback hash.
Copilot AI review requested due to automatic review settings June 3, 2026 11:02

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated no new comments.

@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

Integrated-Benchmark Report (Linux)

Each scenario has pacquet rows (direct install) and pnpr rows (the same client through the pnpr install accelerator), so pnpr@HEAD vs pacquet@HEAD is the pnpr-vs-direct ratio. Cold-store scenarios wipe the client store between runs (warm server); hot-store scenarios keep it warm. The pacquet@HEAD rows feed the pacquet Bencher testbed; the pnpr@HEAD rows feed the pnpr testbed.

Scenario: Isolated linker: fresh restore, cold cache + cold store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 2.028 ± 0.089 1.928 2.226 1.03 ± 0.05
pacquet@main 2.005 ± 0.079 1.930 2.149 1.02 ± 0.05
pnpr@HEAD 1.997 ± 0.065 1.916 2.149 1.01 ± 0.04
pnpr@main 1.972 ± 0.046 1.922 2.074 1.00
BENCHMARK_REPORT.json
{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 2.02785176262,
      "stddev": 0.08911990979935962,
      "median": 2.0085909282200003,
      "user": 2.6421887,
      "system": 3.2200080199999994,
      "min": 1.9278284042199998,
      "max": 2.22600202622,
      "times": [
        2.22600202622,
        1.9278284042199998,
        1.95052519722,
        2.01231524822,
        1.98132578822,
        2.02264172722,
        2.1367264072200003,
        2.02605353122,
        1.99023268822,
        2.00486660822
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 2.00530014372,
      "stddev": 0.07850624199254083,
      "median": 1.9739370482199998,
      "user": 2.6695900999999997,
      "system": 3.2378142199999997,
      "min": 1.9302020392199999,
      "max": 2.14944397622,
      "times": [
        1.9302020392199999,
        2.14944397622,
        1.98578336022,
        2.03369113822,
        1.93147744222,
        1.96209073622,
        2.05267992522,
        1.95735760922,
        2.1123663932200003,
        1.93790881722
      ]
    },
    {
      "command": "pnpr@HEAD",
      "mean": 1.9973875404199997,
      "stddev": 0.0654365344914182,
      "median": 1.9933188932199999,
      "user": 2.6732291999999998,
      "system": 3.2195297199999997,
      "min": 1.91647492822,
      "max": 2.14918201022,
      "times": [
        1.94597768622,
        1.98024406522,
        2.01214620622,
        2.02464144022,
        1.91647492822,
        2.02597967722,
        1.93259160422,
        1.9922116432199999,
        1.99442614322,
        2.14918201022
      ]
    },
    {
      "command": "pnpr@main",
      "mean": 1.97164165322,
      "stddev": 0.04609814527204395,
      "median": 1.9566944017199999,
      "user": 2.6613379,
      "system": 3.2033963199999995,
      "min": 1.92222467322,
      "max": 2.07412839222,
      "times": [
        1.99685045622,
        1.93988974322,
        1.96476081422,
        1.93993184722,
        1.94587752222,
        1.92222467322,
        2.01936428022,
        1.9497960002199999,
        1.9635928032199998,
        2.07412839222
      ]
    }
  ]
}

Scenario: Isolated linker: fresh restore, hot cache + hot store

Command Mean [ms] Min [ms] Max [ms] Relative
pacquet@HEAD 658.2 ± 19.7 638.1 710.2 1.00
pacquet@main 659.1 ± 10.4 647.6 677.2 1.00 ± 0.03
pnpr@HEAD 701.7 ± 43.4 662.8 811.3 1.07 ± 0.07
pnpr@main 735.8 ± 91.6 655.3 970.2 1.12 ± 0.14
BENCHMARK_REPORT.json
{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 0.6582197401000001,
      "stddev": 0.019701756983415964,
      "median": 0.6551835519,
      "user": 0.36495002,
      "system": 1.3256836,
      "min": 0.6381355924000001,
      "max": 0.7101924194000001,
      "times": [
        0.7101924194000001,
        0.6530940354000001,
        0.6610878004,
        0.6576040694,
        0.6381355924000001,
        0.6405183624,
        0.6540048984000001,
        0.6539060174000001,
        0.6572920004,
        0.6563622054
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 0.6591196673,
      "stddev": 0.010409308221694067,
      "median": 0.6559924194,
      "user": 0.35782561999999996,
      "system": 1.3408412,
      "min": 0.6475648744000001,
      "max": 0.6772360604000001,
      "times": [
        0.6772360604000001,
        0.6758455124,
        0.6545982944000001,
        0.6475648744000001,
        0.6566872914,
        0.6552975474,
        0.6506521344,
        0.6498155134000001,
        0.6585369504,
        0.6649624944000001
      ]
    },
    {
      "command": "pnpr@HEAD",
      "mean": 0.7017298776,
      "stddev": 0.04335697607780875,
      "median": 0.6885637294,
      "user": 0.36296582000000005,
      "system": 1.3346044999999997,
      "min": 0.6628160974,
      "max": 0.8113452694000001,
      "times": [
        0.8113452694000001,
        0.7199880174000001,
        0.7222638714,
        0.6679473924,
        0.6628160974,
        0.6902668504,
        0.6793066224000001,
        0.6999517124000001,
        0.6868606084000001,
        0.6765523344000001
      ]
    },
    {
      "command": "pnpr@main",
      "mean": 0.735842348,
      "stddev": 0.09161558889771305,
      "median": 0.7104622414000001,
      "user": 0.35928102,
      "system": 1.3463068,
      "min": 0.6552951474,
      "max": 0.9702170954000001,
      "times": [
        0.7977422084000001,
        0.7101865004000001,
        0.6829657544000001,
        0.7107379824000001,
        0.7458161534000001,
        0.6552951474,
        0.6853880634,
        0.7223562984,
        0.6777182764,
        0.9702170954000001
      ]
    }
  ]
}

Scenario: Isolated linker: fresh install, cold cache + cold store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 2.129 ± 0.034 2.089 2.186 1.01 ± 0.02
pacquet@main 2.118 ± 0.033 2.071 2.177 1.00 ± 0.02
pnpr@HEAD 2.117 ± 0.031 2.074 2.165 1.00
pnpr@main 2.128 ± 0.022 2.091 2.151 1.01 ± 0.02
BENCHMARK_REPORT.json
{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 2.1294681658199996,
      "stddev": 0.03436095636337518,
      "median": 2.11910228442,
      "user": 3.43033992,
      "system": 2.9837288600000003,
      "min": 2.08892597042,
      "max": 2.18569493042,
      "times": [
        2.18569493042,
        2.17157540942,
        2.09176055042,
        2.12301348342,
        2.11519108542,
        2.16715633942,
        2.08892597042,
        2.10728878942,
        2.10866171742,
        2.13541338242
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 2.1182140830200002,
      "stddev": 0.032748242604357276,
      "median": 2.12321524742,
      "user": 3.4343397199999997,
      "system": 2.9349980600000003,
      "min": 2.07062618542,
      "max": 2.17674159342,
      "times": [
        2.17674159342,
        2.13059643242,
        2.08153119142,
        2.0925615994199998,
        2.09734439042,
        2.13809485842,
        2.13347413642,
        2.14533638042,
        2.11583406242,
        2.07062618542
      ]
    },
    {
      "command": "pnpr@HEAD",
      "mean": 2.1167361031199996,
      "stddev": 0.030530923510809115,
      "median": 2.1276011434199997,
      "user": 3.41606732,
      "system": 2.95568886,
      "min": 2.07366057242,
      "max": 2.1648244874199998,
      "times": [
        2.13948813142,
        2.07366057242,
        2.12297728942,
        2.08406618842,
        2.13326046142,
        2.08283970742,
        2.13222499742,
        2.09538512642,
        2.13863406942,
        2.1648244874199998
      ]
    },
    {
      "command": "pnpr@main",
      "mean": 2.12752536182,
      "stddev": 0.021598616843611893,
      "median": 2.12948828542,
      "user": 3.4535176199999995,
      "system": 2.9607284599999995,
      "min": 2.09136178842,
      "max": 2.15114027142,
      "times": [
        2.14996183442,
        2.12364175942,
        2.09425792542,
        2.09136178842,
        2.15114027142,
        2.11803711042,
        2.12949535342,
        2.14991061442,
        2.13796574342,
        2.12948121742
      ]
    }
  ]
}

Scenario: Isolated linker: fresh install, hot cache + hot store

Command Mean [s] Min [s] Max [s] Relative
pacquet@HEAD 1.265 ± 0.020 1.241 1.306 1.00
pacquet@main 1.280 ± 0.062 1.240 1.452 1.01 ± 0.05
pnpr@HEAD 1.281 ± 0.038 1.241 1.378 1.01 ± 0.03
pnpr@main 1.293 ± 0.028 1.265 1.358 1.02 ± 0.03
BENCHMARK_REPORT.json
{
  "results": [
    {
      "command": "pacquet@HEAD",
      "mean": 1.26457336562,
      "stddev": 0.01987202701182894,
      "median": 1.25899676442,
      "user": 1.3407974200000001,
      "system": 1.7235582000000005,
      "min": 1.24144986842,
      "max": 1.30631639142,
      "times": [
        1.26893848642,
        1.30631639142,
        1.24371654142,
        1.26078305542,
        1.25721047342,
        1.27887517342,
        1.2540882954199999,
        1.28177592842,
        1.24144986842,
        1.25257944242
      ]
    },
    {
      "command": "pacquet@main",
      "mean": 1.28017386812,
      "stddev": 0.06229369044614951,
      "median": 1.26410045092,
      "user": 1.33852092,
      "system": 1.7463478000000001,
      "min": 1.24041513342,
      "max": 1.45241937642,
      "times": [
        1.24512868142,
        1.26871005842,
        1.28232480542,
        1.25949084342,
        1.45241937642,
        1.28188755742,
        1.27063616442,
        1.25281129642,
        1.24791476442,
        1.24041513342
      ]
    },
    {
      "command": "pnpr@HEAD",
      "mean": 1.2807651871199996,
      "stddev": 0.03812883492638937,
      "median": 1.27413463292,
      "user": 1.3392362199999996,
      "system": 1.7359016999999999,
      "min": 1.24137168342,
      "max": 1.37763571242,
      "times": [
        1.25271709242,
        1.2845917894199999,
        1.24137168342,
        1.28405389142,
        1.37763571242,
        1.29304661442,
        1.28922171142,
        1.26269747342,
        1.25810052842,
        1.26421537442
      ]
    },
    {
      "command": "pnpr@main",
      "mean": 1.2934959095199998,
      "stddev": 0.02807033283924353,
      "median": 1.2861175569199998,
      "user": 1.34582602,
      "system": 1.7549021,
      "min": 1.26549159342,
      "max": 1.35795415242,
      "times": [
        1.27344190542,
        1.26549159342,
        1.30955987742,
        1.29470800442,
        1.35795415242,
        1.30579693942,
        1.26771384742,
        1.3057135574199998,
        1.27705210842,
        1.27752710942
      ]
    }
  ]
}

@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

🐰 Bencher Report

Branchpr/12163
Testbedpacquet
Click to view all benchmark results
BenchmarkLatencyBenchmark Result
milliseconds (ms)
(Result Δ%)
Upper Boundary
milliseconds (ms)
(Limit %)
isolated-linker.fresh-install.cold-cache.cold-store📈 view plot
🚷 view threshold
2,129.47 ms
(-9.08%)Baseline: 2,342.23 ms
2,810.68 ms
(75.76%)
isolated-linker.fresh-install.hot-cache.hot-store📈 view plot
🚷 view threshold
1,264.57 ms
(-16.83%)Baseline: 1,520.53 ms
1,824.64 ms
(69.31%)
isolated-linker.fresh-restore.cold-cache.cold-store📈 view plot
🚷 view threshold
2,027.85 ms
(-1.08%)Baseline: 2,050.05 ms
2,460.06 ms
(82.43%)
isolated-linker.fresh-restore.hot-cache.hot-store📈 view plot
🚷 view threshold
658.22 ms
(+1.22%)Baseline: 650.28 ms
780.34 ms
(84.35%)
🐰 View full continuous benchmarking report in Bencher

@github-actions

github-actions Bot commented Jun 3, 2026

Copy link
Copy Markdown
Contributor

🐰 Bencher Report

Branchpr/12163
Testbedpnpr

⚠️ WARNING: No Threshold found!

Without a Threshold, no Alerts will ever be generated.

Click here to create a new Threshold
For more information, see the Threshold documentation.
To only post results if a Threshold exists, set the --ci-only-thresholds flag.

Click to view all benchmark results
BenchmarkLatencymilliseconds (ms)
isolated-linker.fresh-install.cold-cache.cold-store📈 view plot
⚠️ NO THRESHOLD
2,116.74 ms
isolated-linker.fresh-install.hot-cache.hot-store📈 view plot
⚠️ NO THRESHOLD
1,280.77 ms
isolated-linker.fresh-restore.cold-cache.cold-store📈 view plot
⚠️ NO THRESHOLD
1,997.39 ms
isolated-linker.fresh-restore.hot-cache.hot-store📈 view plot
⚠️ NO THRESHOLD
701.73 ms
🐰 View full continuous benchmarking report in Bencher

@zkochan zkochan merged commit 6305e95 into main Jun 3, 2026
27 checks passed
@zkochan zkochan deleted the pnpr-shrink-abbreviated-packument branch June 3, 2026 11:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants