📝 Walkthrough (CodeRabbit)

This PR separates trusted package-manager bootstrap registries and network config from project registries, validates that env-lockfile package-manager entries use registry-based, integrity-only resolutions, and threads the trusted bootstrap config through the switch and sync flows.

Changes: Package Manager Bootstrap Registries

Sequence diagram (mermaid):

    sequenceDiagram
        participant SwitchCli as switchCliVersion
        participant Validator as assertPackageManagerLockfileUsesRegistryResolutions
        participant StoreCtrl as createStoreController
        participant Resolver as resolvePackageManagerIntegrities
        participant Installer as installPnpmToStore
        SwitchCli->>Validator: validate(envLockfile)
        Validator-->>SwitchCli: pass / throw INVALID_PACKAGE_MANAGER_LOCKFILE
        SwitchCli->>StoreCtrl: create(store opts with bootstrap.registries)
        StoreCtrl-->>SwitchCli: storeController
        SwitchCli->>Resolver: resolve integrities(registries: bootstrap.registries, envLockfile)
        Resolver-->>SwitchCli: resolved integrities
        SwitchCli->>Installer: installPnpmToStore(registries: bootstrap.registries)
        Installer-->>SwitchCli: installation result
Code Review by Qodo
1. Peer suffix breaks lookup
PR Summary by Qodo: Validate package-manager lockfile bootstrap metadata

Description

• Introduce isolated `packageManagerRegistries` and `packageManagerNetworkConfig` on `Config`, sourced only from trusted (user/CLI) npmrc layers and excluding project/workspace registries, so that workspace-level registry overrides cannot affect package-manager bootstrap.
• Add `assertPackageManagerLockfileUsesRegistryResolutions` in `packageManagerLockfile.ts`. It recursively validates the env-lockfile dependency graph, rejecting any record that uses a non-registry dep path or a resolution object with fields other than `integrity`.
• Update `switchCliVersion` and `syncEnvLockfile` to pass the new `packageManagerBootstrapConfig` (defaulting to https://registry.npmjs.org/) to `createStoreController` and `resolvePackageManagerIntegrities` instead of project registries.
• Fix error-handling order in `switchCliVersion`: validate lockfile integrity before creating the store controller, and properly close the store on validation failure.
• Add comprehensive tests covering registry isolation, npmjs fallback, the fast path (no re-resolve), and rejection of poisoned lockfiles (non-integrity fields, non-registry dep paths).

Diagram (mermaid):

    graph TD
        A["loadNpmrcFiles.ts"] -->|"trustedConfig (user+CLI only)"| B["config/reader/index.ts"]
        B -->|"packageManagerRegistries\npackageManagerNetworkConfig"| C["Config interface"]
        C --> D["getPackageManagerBootstrapConfig"]
        D --> E["switchCliVersion.ts"]
        D --> F["syncEnvLockfile.ts"]
        E -->|"validate before install"| G["packageManagerLockfile.ts"]
        E -->|"bootstrap config"| H[("createStoreController")]
        F -->|"bootstrap config"| H
        G -->|"INVALID_PACKAGE_MANAGER_LOCKFILE"| I{{"PnpmError"}}
        subgraph Legend
            direction LR
            _mod["Module"] ~~~ _db[("Store/DB")] ~~~ _err{{"Error"}}
        end

High-Level Assessment

The following are alternative approaches to this PR:
1. Filter project registries at call-site
2. Re-read npmrc on demand in bootstrap functions

Recommendation: The PR's approach of computing a separate

File Changes: Enhancement (5), Bug fix (2), Tests (4), Other (1)
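The validator the summary above describes (reject any record in the env-lockfile graph that is not a registry dep path with an integrity-only resolution) is easy to get subtly wrong, so here is an added example written for this page. It is not pnpm's code: the lockfile shape, the error class and the function names are assumptions, and the version strings and hash are constructed placeholders.

```typescript
// Added example, not pnpm's code. The EnvLockfile shape is an assumption for
// illustration (a single `packages` map keyed by full dep path), not pnpm's
// real env-lockfile format.

interface PackageRecord {
  // A sound record carries exactly one resolution field: the integrity hash.
  resolution: { [field: string]: unknown }
  // dependency name -> dep path
  dependencies?: { [name: string]: string }
}

interface EnvLockfile {
  packageManager: string                          // root dep path, e.g. "pnpm@<version>"
  packages: { [depPath: string]: PackageRecord }  // keyed by full dep path
}

export class InvalidPackageManagerLockfile extends Error {
  code = 'ERR_PNPM_INVALID_PACKAGE_MANAGER_LOCKFILE'
}

// "<name>@<semver>" with an optional npm scope. Anything carrying a protocol
// (link:, file:, git+https:, a tarball URL, ...) does not match.
const REGISTRY_DEP_PATH = /^(@[^/@]+\/)?[^/@]+@\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/

// pnpm dep paths may end in a peer suffix such as "(react@18.0.0)"; the suffix
// says nothing about where the package comes from, so it is ignored here.
export function stripPeerSuffix (depPath: string): string {
  return depPath.replace(/(\([^()]*\))+$/, '')
}

export function isRegistryDepPath (depPath: string): boolean {
  return REGISTRY_DEP_PATH.test(stripPeerSuffix(depPath))
}

// Walks the graph from the package-manager root and throws on the first record
// that is not a plain registry resolution. Rejecting every resolution field
// other than `integrity` (tarball, directory, repo, ...) stops a
// repository-controlled lockfile from pointing the bootstrap at another
// source while still carrying an integrity hash that matches that source.
export function assertRegistryResolutions (lockfile: EnvLockfile): void {
  const seen: { [depPath: string]: true } = {}
  const stack: string[] = [lockfile.packageManager]
  while (stack.length > 0) {
    const depPath = stack.pop() as string
    if (seen[depPath]) continue
    seen[depPath] = true
    if (!isRegistryDepPath(depPath)) {
      throw new InvalidPackageManagerLockfile(`non-registry dep path: ${depPath}`)
    }
    const record = lockfile.packages[depPath]
    if (record == null) {
      throw new InvalidPackageManagerLockfile(`missing package record: ${depPath}`)
    }
    const fields = Object.keys(record.resolution)
    if (fields.length !== 1 || fields[0] !== 'integrity' || typeof record.resolution.integrity !== 'string') {
      throw new InvalidPackageManagerLockfile(
        `resolution of ${depPath} must contain only integrity, got: ${fields.join(', ') || '(none)'}`)
    }
    const deps = record.dependencies || {}
    for (const name of Object.keys(deps)) stack.push(deps[name])
  }
}

// null when the lockfile passes, the validation message otherwise.
export function lockfileProblem (lockfile: EnvLockfile): string | null {
  try {
    assertRegistryResolutions(lockfile)
    return null
  } catch (err) {
    if ((err as { code?: string }).code === 'ERR_PNPM_INVALID_PACKAGE_MANAGER_LOCKFILE') {
      return (err as Error).message
    }
    throw err
  }
}

// Constructed sample data: placeholder versions and hash, not real releases.
const FAKE_INTEGRITY = 'sha512-constructedPlaceholderNotARealHash=='

export const GOOD_LOCKFILE: EnvLockfile = {
  packageManager: 'pnpm@0.0.0-example',
  packages: {
    'pnpm@0.0.0-example': {
      resolution: { integrity: FAKE_INTEGRITY },
      dependencies: { '@pnpm/exe': '@pnpm/exe@0.0.0-example(example-peer@1.0.0)' },
    },
    '@pnpm/exe@0.0.0-example(example-peer@1.0.0)': { resolution: { integrity: FAKE_INTEGRITY } },
  },
}

// Integrity matches, but a second resolution field redirects the download.
export const TARBALL_LOCKFILE: EnvLockfile = {
  packageManager: 'pnpm@0.0.0-example',
  packages: {
    'pnpm@0.0.0-example': { resolution: { integrity: FAKE_INTEGRITY, tarball: 'https://registry.invalid/pnpm.tgz' } },
  },
}

// A transitive entry that is not a registry dep path at all.
export const LINK_LOCKFILE: EnvLockfile = {
  packageManager: 'pnpm@0.0.0-example',
  packages: {
    'pnpm@0.0.0-example': { resolution: { integrity: FAKE_INTEGRITY }, dependencies: { '@pnpm/exe': 'link:../elsewhere' } },
  },
}
```

The walk is iterative rather than recursive so a cyclic graph cannot blow the stack, and the `seen` set makes the check linear in the number of records; both poisoned samples are rejected before any store controller would be created, which is the ordering the summary's fourth bullet asks for.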
Code review by qodo was updated up to the latest commit 6b3e490
Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents: Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate.

Inline comments:

In `config/reader/src/index.ts`, around lines 332-335: the package manager network config falls back to `process.env` because `createPackageManagerNetworkConfig` uses `getProcessEnv` internally, so calling `getConfig` without threading the current `opts.env` leads to incorrect proxy/no_proxy resolution. To fix, update the call that sets `pnpmConfig.packageManagerNetworkConfig` to pass the effective environment through (i.e. provide `opts.env`, or the env used by `getConfig`, into `createPackageManagerNetworkConfig`), or modify the `getProcessEnv` usage inside `createPackageManagerNetworkConfig` to accept and use a provided env parameter. Reference `pnpmConfig.packageManagerNetworkConfig`, `createPackageManagerNetworkConfig`, and `getProcessEnv`/`getConfig` to locate the code paths that need the env threaded, and ensure the same env object used for `getConfig` is forwarded into package-manager network fallback resolution.
ℹ️ Review info: configuration used Organization UI; review profile CHILL; plan Pro Plus; run ID ce29f1d6-de9d-4072-a6cb-71181c48bf2d
📒 Files selected for processing (9)
- .changeset/clean-package-manager-registries.md
- config/reader/src/Config.ts
- config/reader/src/index.ts
- config/reader/test/index.ts
- pnpm/src/packageManagerRegistries.ts
- pnpm/src/switchCliVersion.test.ts
- pnpm/src/switchCliVersion.ts
- pnpm/src/syncEnvLockfile.test.ts
- pnpm/src/syncEnvLockfile.ts
✅ Files skipped from review due to trivial changes (1)
- .changeset/clean-package-manager-registries.md
🚧 Files skipped from review as they are similar to previous changes (6)
- pnpm/src/packageManagerRegistries.ts
- pnpm/src/syncEnvLockfile.test.ts
- pnpm/src/syncEnvLockfile.ts
- config/reader/test/index.ts
- pnpm/src/switchCliVersion.ts
- pnpm/src/switchCliVersion.test.ts
📜 Review details
🧰 Additional context used
📓 Path-based instructions (1)
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (AGENTS.md)
**/*.{ts,tsx,js,jsx}: Use Standard Style with trailing commas, prefer functions over classes, declare functions after they are used (relying on hoisting), limit functions to no more than two or three arguments, and use a single options object for functions needing more parameters
Follow import order: standard libraries first, then external dependencies (sorted alphabetically), then relative imports
Do not write comments that restate what the code already says; rename variables, split helpers, or move checks to more obvious places instead
Do not repeat documentation at call sites that already lives on the callee; update the JSDoc once and let every call site benefit
Use JSDoc for the function's contract (preconditions, postconditions, edge cases, why the function exists), not for re-narrating the function body
Do not record past implementation shape, refactor history, or removed code in comments; use git log and git blame for that information instead
Write comments only when the reason for code is non-obvious, a hidden invariant exists, a workaround for a known bug is needed, or an exception to surrounding pattern is deliberate
Files:
config/reader/src/index.ts
config/reader/src/Config.ts
🧠 Learnings (2)
📚 Learning: 2026-05-14T09:04:00.133Z
Learnt from: zkochan
Repo: pnpm/pnpm PR: 11622
File: resolving/npm-resolver/test/publishedBy.test.ts:350-354
Timestamp: 2026-05-14T09:04:00.133Z
Learning: In the pnpm/pnpm repository, ESLint is the authoritative style linter. Do not raise review findings for missing trailing commas in multiline function calls (e.g., `fs.writeFileSync(...)`) when this repo’s ESLint configuration does not report them and lint passes. Prefer deferring to the ESLint results for this specific trailing-comma rule rather than enforcing it manually in code review.
Applied to files:
config/reader/src/index.ts
config/reader/src/Config.ts
📚 Learning: 2026-06-05T13:47:26.046Z
Learnt from: vsumner
Repo: pnpm/pnpm PR: 12190
File: installing/deps-installer/src/install/index.ts:2337-2343
Timestamp: 2026-06-05T13:47:26.046Z
Learning: In the pnpm/pnpm codebase, `PnpmError` automatically prefixes `err.code` with `ERR_PNPM_` when you pass a code that does not already start with `ERR_PNPM_` (it normalizes `this.code` via `code.startsWith('ERR_PNPM_') ? code : `ERR_PNPM_${code}``). Therefore, during code review you should NOT flag `new PnpmError(...)` call sites for passing a bare error code (e.g., `new PnpmError('FROZEN_STORE_INCOMPATIBLE_WITH_PNPR', ...)`); the resulting `err.code` will still be `ERR_PNPM_FROZEN_STORE_INCOMPATIBLE_WITH_PNPR`.
Applied to files:
config/reader/src/index.ts
config/reader/src/Config.ts
🔇 Additional comments (1)
config/reader/src/Config.ts (1)
21-31: LGTM! Also applies to: 242-242
Code review by qodo was updated up to the latest commit bbfa9d4

Code review by qodo was updated up to the latest commit 9223096
🧹 Nitpick comments (1)
pnpm/src/switchCliVersion.test.ts (1)

94-162: ⚡ Quick win: use `afterEach` for spy restoration instead of inline `mockRestore()`.

Tests 1, 2, and 3 create a `process.exit` spy and call `mockRestore()` at the end of each test. If any assertion fails before `mockRestore()` is reached, the spy will not be restored and could leak into subsequent tests. Jest's `restoreAllMocks` can be called in the `afterEach` hook for more reliable cleanup.

♻️ Refactor to use afterEach for spy cleanup

Add an `afterEach` hook after the `beforeEach` block:

     beforeEach(() => {
       closeStore.mockClear()
       createStoreController.mockClear()
       installPnpmToStore.mockClear()
       readEnvLockfile.mockClear()
       readEnvLockfile.mockResolvedValue(envLockfile)
       resolvePackageManagerIntegrities.mockClear()
       resolvePackageManagerIntegrities.mockResolvedValue(envLockfile)
       spawnSync.mockClear()
     })
    +
    +afterEach(() => {
    +  jest.restoreAllMocks()
    +})

Then remove the inline `exit.mockRestore()` calls from each test (lines 161, 214, 240).

Also applies to: 164-215, 217-241

🤖 Prompt for AI Agents: Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@pnpm/src/switchCliVersion.test.ts` around lines 94-162, the tests create a `process.exit` spy (`jest.spyOn(process, 'exit')`) inside multiple tests and call `exit.mockRestore()` inline, which can leak if a test fails early; add an `afterEach` hook (after the existing `beforeEach`) that calls `jest.restoreAllMocks()` or specifically restores the `process.exit` spy to ensure cleanup, and remove the inline `exit.mockRestore()` calls from the tests that create the spy (the tests invoking `jest.spyOn(process, 'exit')` in switchCliVersion.test.ts).
ℹ️ Review info: configuration used Organization UI; review profile CHILL; plan Pro Plus; run ID 33264577-13dd-49c0-a29d-13b2954382b3
📒 Files selected for processing (11)
- .changeset/clean-package-manager-registries.md
- config/reader/src/Config.ts
- config/reader/src/index.ts
- config/reader/src/loadNpmrcFiles.ts
- config/reader/test/index.ts
- pnpm/src/packageManagerLockfile.ts
- pnpm/src/packageManagerRegistries.ts
- pnpm/src/switchCliVersion.test.ts
- pnpm/src/switchCliVersion.ts
- pnpm/src/syncEnvLockfile.test.ts
- pnpm/src/syncEnvLockfile.ts
🚧 Files skipped from review as they are similar to previous changes (9)
- config/reader/src/Config.ts
- .changeset/clean-package-manager-registries.md
- pnpm/src/syncEnvLockfile.ts
- pnpm/src/packageManagerRegistries.ts
- pnpm/src/switchCliVersion.ts
- pnpm/src/packageManagerLockfile.ts
- config/reader/test/index.ts
- config/reader/src/index.ts
- pnpm/src/syncEnvLockfile.test.ts
📜 Review details
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)
- GitHub Check: Compile & Lint
🧰 Additional context used
📓 Path-based instructions (2)
**/*.{ts,tsx,js,jsx}
📄 CodeRabbit inference engine (AGENTS.md): the same **/*.{ts,tsx,js,jsx} instructions quoted in the previous review above.
Files:
config/reader/src/loadNpmrcFiles.ts
pnpm/src/switchCliVersion.test.ts
**/*.test.{ts,tsx}
📄 CodeRabbit inference engine (AGENTS.md)
Do not use `instanceof Error` for checking if a caught error is an Error object in Jest tests; use `util.types.isNativeError()` instead to work across realms
Files:
pnpm/src/switchCliVersion.test.ts
🧠 Learnings (2)
📚 Learning: 2026-05-14T09:04:00.133Z (learnt from zkochan, pnpm/pnpm PR 11622; the same ESLint trailing-comma learning quoted in the previous review above)
Applied to files:
config/reader/src/loadNpmrcFiles.ts
pnpm/src/switchCliVersion.test.ts
📚 Learning: 2026-06-05T13:47:26.046Z (learnt from vsumner, pnpm/pnpm PR 12190; the same `PnpmError` `ERR_PNPM_` prefix learning quoted in the previous review above)
Applied to files:
config/reader/src/loadNpmrcFiles.ts
pnpm/src/switchCliVersion.test.ts
🔇 Additional comments (8)
config/reader/src/loadNpmrcFiles.ts (5)
21-22: LGTM! Also applies to: 49-52
66-71: LGTM!
120-127: LGTM!
182-229: LGTM!
245-274: LGTM!
pnpm/src/switchCliVersion.test.ts (3)
1-3: LGTM!
5-92: LGTM!
243-319: LGTM!
Code review by qodo was updated up to the latest commit 8f67b55

Code review by qodo was updated up to the latest commit 22c39cf
* fix(package-bins): reject reserved manifest bin names

  Manifest bin keys "", ".", "..", and scoped forms such as "@scope/.." passed the bin-name guard because encodeURIComponent leaves them unchanged. When joined to the global bin directory during global remove/update/add operations, "." resolves to the bin directory itself and ".." to its parent, which removeBin then recursively deletes. Reject empty, ".", and ".." bin names after scope stripping.

  Backport of #12289 to v10.

* fix: block untrusted request destination env expansion

  Makes environment expansion trust-aware for registry/auth config and request destinations:
  - Stops project and workspace .npmrc files from expanding ${...} placeholders in registry/proxy request destinations, URL-scoped keys, and registry credential values.
  - Stops repository-controlled pnpm-workspace.yaml from expanding ${...} placeholders in the registry setting.
  - Preserves env expansion for trusted user/global/CLI/env config so existing token and registry setup flows continue to work.

  Backport of #12291 (CAND-PNPM-122 / GHSA-3qhv-2rgh-x77r) to v10.

* fix(security): verify npm registry signature before spawning a package-manager binary

  The packageManager field (and pnpm self-update) makes pnpm download and run a specific pnpm version. The staged install's bytes were trusted based on lockfile integrity alone, which proves nothing when the inputs are repository-controlled.

  pnpm now verifies the npm registry signature of the engine it is about to spawn, over the installed integrity, against npm's public signing keys embedded in the pnpm CLI (exactly as corepack does):
  - verifyPnpmEngineIdentity() checks pnpm/@pnpm/exe and the materialized platform binaries of the staged install before it is linked into the tools directory.
  - Fails closed: any verification failure, including an unreachable registry, refuses the version switch rather than running an unverified binary. Runs only on a tools-directory cache miss (an actual download).
  - The embedded keys live in a generated file kept in sync with npm's keys endpoint by scripts/update-npm-signing-keys.mjs; the release workflow runs the check as a gate so a key rotation cannot silently break verification.

  Backport of #12292 (CAND-PNPM-097) to v10.

* fix: harden package-manager bootstrap metadata

  Resolve package-manager bootstrap traffic through trusted user/CLI registries and trusted network config, defaulting to the public npm registry instead of project/workspace registry settings:
  - getConfig() now computes packageManagerRegistries and packageManagerNetworkConfig from trusted config sources only (CLI options, env config, user and global .npmrc) — never the repository's project/workspace .npmrc or pnpm-workspace.yaml.
  - switchCliVersion() applies that bootstrap config when installing and verifying the wanted pnpm version, so repository .npmrc proxy/TLS/registry values cannot steer package-manager bootstrap traffic.

  Backport of #12296 to v10. The v11 env-lockfile validation parts do not apply: v10 bootstraps the wanted version through a staged child install instead of an env lockfile.

* fix(security): verify Node.js runtime SHASUMS OpenPGP signature

  When a repository requests a Node.js runtime (useNodeVersion or an execution env), pnpm downloads and then executes a Node binary. The download mirror is repository-configurable via node-mirror:<channel> in project .npmrc, and the integrity came from SHASUMS256.txt fetched from that same mirror — a circular check a malicious mirror can satisfy with a tampered binary and matching hashes.

  pnpm now fetches SHASUMS256.txt.sig and verifies its detached OpenPGP signature against the Node.js release team's public keys, embedded in the pnpm CLI, before trusting the hashes:
  - @pnpm/crypto.shasums-file: new fetchVerifiedNodeShasums / fetchVerifiedNodeShasumsFile verify the signature via openpgp against the embedded keys (generated src/nodeReleaseKeys.ts, mirrored from the canonical nodejs/release-keys list).
  - @pnpm/node.fetcher verifies the configurable-mirror SHASUMS for the release channel; pre-release channels (rc, nightly, ...) are unsigned by Node and remain unverified.
  - scripts/update-node-release-keys.mjs keeps the keys current (pnpm run check:node-release-keys / update:node-release-keys), and the release workflow runs the check as a gate.

  Backport of #12295 to v10 (without the pacquet Rust port, which does not exist on this branch).

* test(env): sign the SHASUMS fixture for Node.js download tests

  The Node.js download tests exercise the release channel, whose SHASUMS256.txt is now signature-verified. Sign the fixture with a generated OpenPGP key and trust it through the new trustedNodeReleaseKeys test seam (threaded from plugin-commands-env via @pnpm/node.fetcher to fetchVerifiedNodeShasums), so the tests keep exercising the verification path instead of bypassing it.

* fix(self-updater): redact registry credentials from engine identity errors

  Registry URLs may legally embed basic-auth credentials (https://user:pass@host/). verifyPnpmEngineIdentity() interpolated the packument URL and registry URL into PnpmError messages, and the unreachable-registry path surfaced fetch-layer error messages that embed the request URL — all of which land in terminal output and CI logs. Strip URL credentials from every error message and truncate the non-200 response body.

* fix: update vulnerable transitive dependencies

  Override shell-quote to >=1.8.4 (GHSA-w7jw-789q-3m8p, critical, pulled in via concurrently) so the audit workflow passes again. The advisory was published after the last release/10 audit run; it is unrelated to the security backports on this branch.
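Two of the fixes in the commit messages above (the reserved bin-name guard and the credential redaction in error messages) come down to small string checks that are easy to get wrong in the same way the original code did. The following is an added example written for this page, not pnpm's code: function names, the `encodeURIComponent` comparison as the shape of the guard, and the sample paths and URLs are all assumptions or constructed values.

```typescript
import * as path from 'path'

// Added example, not pnpm's code. Function names are assumptions.

// Drops the npm scope so "@scope/.." is inspected as "..".
export function stripScope (binName: string): string {
  if (binName.charAt(0) === '@') {
    const slash = binName.indexOf('/')
    if (slash !== -1) return binName.slice(slash + 1)
  }
  return binName
}

// A manifest "bin" key is only ever used as a file name inside the bin
// directory. A guard based on encodeURIComponent alone is not enough: it
// leaves "", "." and ".." untouched, so those are rejected explicitly after
// scope stripping. (Assumption: the guard compares the encoded name with the
// original, as the commit message implies.)
export function isSafeBinName (binName: string): boolean {
  const name = stripScope(binName)
  if (name === '' || name === '.' || name === '..') return false
  // Anything URL-encoding would change is not a plain path segment
  // (slashes, backslashes, whitespace, ...).
  return encodeURIComponent(name) === name
}

// Why the guard matters: the location a global remove/update would operate
// on. True only when joining binName to binDir lands strictly inside binDir.
// Uses posix path semantics so the result is the same on every platform.
export function staysInsideBinDir (binDir: string, binName: string): boolean {
  const target = path.posix.resolve(binDir, binName)
  const rel = path.posix.relative(binDir, target)
  return rel !== '' && rel !== '..' && rel.indexOf('../') !== 0 && !path.posix.isAbsolute(rel)
}

// Registry URLs may legally carry basic-auth userinfo. Strip it from any URL
// embedded in free-form text before the text reaches an error message that
// ends up in terminal output or CI logs. Scoped package paths such as
// "/@pnpm/exe" are untouched because "@" must directly follow the authority.
export function redactUrlCredentials (message: string): string {
  return message.replace(/([a-z][a-z0-9+.-]*:\/\/)[^\s/@]+@/gi, '$1***@')
}

// Bound what a non-200 response body can put into a log line.
export function truncateBody (body: string, max: number = 200): string {
  return body.length > max ? body.slice(0, max) + '... [truncated]' : body
}
```

`isSafeBinName` is deliberately a reject list plus a round-trip check rather than an allow list of characters, so it stays true to the guard described in the commit message; `staysInsideBinDir` shows the property the guard is protecting (the join never resolves to the bin directory itself or above it).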
🚢 v11.5.3
…tries (#12471)

Port the GHSA-j2hc-m6cf-6jm8 fix (#12296) to pacquet.

When pnpm auto-switches to the version requested by `packageManager` / `devEngines.packageManager`, the bootstrap (`pnpm` / `@pnpm/exe`) must be resolved through trusted registries only. Pacquet was resolving it through `config.resolved_registries()`, which a malicious repository controls via the workspace `.npmrc` or `pnpm-workspace.yaml` `registries:` block.

Add `Config::package_manager_bootstrap`, built in `Config::current()` from a trusted-only fold of the URL-scoped env, `auth.ini`, and user `.npmrc` sources (the project `.npmrc` is excluded), reusing the existing registry/proxy/TLS/auth application logic. It defaults to the public npm registry, and `PNPM_CONFIG_REGISTRY` still overrides the default because it is user-controlled.

`EnvInstallerContext::for_package_manager` routes only the package-manager bootstrap path (`sync_package_manager_dependencies`) through this trusted config; project `configDependencies` resolution keeps the project registries, matching the narrow scope of the upstream TypeScript fix.
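The pacquet commit above and the "harden package-manager bootstrap metadata" and "block untrusted request destination env expansion" commits earlier all rest on the same idea: config layers carry a trust level, the bootstrap config is folded from trusted layers only, and `${VAR}` expansion in request-destination and credential keys happens only for trusted layers. The block below is an added model of that fold written for this page; it is not pnpm's or pacquet's code. The layer names, the `isRequestDestinationKey` rule, the mapping of `PNPM_CONFIG_REGISTRY` onto a `registry` key, and the sample values are assumptions or constructed data.

```typescript
// Added example, not pnpm's or pacquet's code. Names and rules are assumptions.

type Env = { [name: string]: string | undefined }

export interface ConfigLayer {
  name: string
  trusted: boolean                    // user/global .npmrc, env, CLI: true; project/workspace: false
  values: { [key: string]: string }
}

export const DEFAULT_REGISTRY = 'https://registry.npmjs.org/'
const PLACEHOLDER = /\$\{([A-Za-z_][A-Za-z0-9_]*)\}/g

// Replaces ${NAME} with env[NAME]; unknown names are left literal.
export function expandEnv (value: string, env: Env): string {
  return value.replace(PLACEHOLDER, (match: string, name: string) => {
    const v = env[name]
    return v === undefined ? match : v
  })
}

// Keys whose value decides where a request goes or which credential it carries.
// (Assumed rule: registry, proxies, scoped "@x:registry" keys and URL-scoped "//host/" keys.)
export function isRequestDestinationKey (key: string): boolean {
  return key === 'registry' || key === 'proxy' || key === 'https-proxy' ||
    /:registry$/.test(key) || key.indexOf('//') === 0
}

// Folds layers lowest-priority first, so later layers override earlier ones.
// With trustedOnly, untrusted layers contribute nothing at all; without it,
// untrusted layers still apply but their destination/credential values are
// never env-expanded, so a repository cannot read the user's environment
// into a registry, proxy or token setting.
export function foldConfig (layers: ConfigLayer[], env: Env, trustedOnly: boolean): { [key: string]: string } {
  const out: { [key: string]: string } = {}
  for (const layer of layers) {
    if (trustedOnly && !layer.trusted) continue
    for (const key of Object.keys(layer.values)) {
      const raw = layer.values[key]
      const mayExpand = layer.trusted || !isRequestDestinationKey(key)
      out[key] = mayExpand ? expandEnv(raw, env) : raw
    }
  }
  return out
}

// Assumed mapping of the user-controlled PNPM_CONFIG_REGISTRY variable onto a
// trusted layer, so it can override the bootstrap default.
export function envConfigLayer (env: Env): ConfigLayer {
  const values: { [key: string]: string } = {}
  const r = env.PNPM_CONFIG_REGISTRY
  if (r !== undefined) values.registry = r
  return { name: 'env', trusted: true, values }
}

// The registry the package-manager bootstrap itself is fetched from.
export function bootstrapRegistry (layers: ConfigLayer[], env: Env): string {
  return foldConfig(layers, env, true).registry || DEFAULT_REGISTRY
}

// Constructed sample: a user .npmrc with a token placeholder, and a repository
// .npmrc that tries to redirect the registry and pull a proxy out of the env.
export const SAMPLE_ENV: Env = { NPM_TOKEN: 'constructed-token', PROXY_URL: 'http://proxy.invalid:8080' }
export const SAMPLE_LAYERS: ConfigLayer[] = [
  {
    name: 'user .npmrc',
    trusted: true,
    values: { registry: DEFAULT_REGISTRY, '//npm.example.com/:_authToken': '${NPM_TOKEN}' },
  },
  {
    name: 'project .npmrc',
    trusted: false,
    values: { registry: 'https://repo-registry.invalid/', 'https-proxy': '${PROXY_URL}', 'some-flag': 'true' },
  },
]
```

Run against the sample, the project fold still sees the repository's registry (project installs keep project registries, as the commit says), but its `https-proxy` stays the literal `${PROXY_URL}`, while the bootstrap fold ignores the project layer entirely and resolves `pnpm` from the public registry unless a trusted layer such as `PNPM_CONFIG_REGISTRY` says otherwise.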
Summary

• `switchCliVersion()` and `syncEnvLockfile()` so repository `.npmrc` proxy/TLS/configByUri values cannot steer package-manager bootstrap traffic.
• `packages` entries with `removeSuffix(depPath)` while keeping `snapshots` keyed by the full dep path.

Tests

    ./node_modules/.bin/tsgo --build config/reader/tsconfig.json pnpm/tsconfig.json
    ./node_modules/.bin/tsgo --build pnpm/tsconfig.json
    PNPR_PREPARE_BIN=/Users/zoltan/.cargo_shared_target/debug/pnpr-prepare PNPR_BIN=/Users/zoltan/.cargo_shared_target/debug/pnpr PNPM_REGISTRY_MOCK_PORT=7799 NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../node_modules/.bin/jest src/switchCliVersion.test.ts src/syncEnvLockfile.test.ts test/getConfig.test.ts --runInBand
    NODE_OPTIONS="--experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169" ../../node_modules/.bin/jest test/index.ts -t "package manager bootstrap registries|registries in current directory|CLI --registry overrides|request destinations do not expand" --runInBand
    ./node_modules/.bin/eslint config/reader/src/Config.ts config/reader/src/index.ts config/reader/src/loadNpmrcFiles.ts config/reader/test/index.ts pnpm/src/packageManagerLockfile.ts pnpm/src/packageManagerRegistries.ts pnpm/src/switchCliVersion.ts pnpm/src/switchCliVersion.test.ts pnpm/src/syncEnvLockfile.ts pnpm/src/syncEnvLockfile.test.ts pnpm/test/getConfig.test.ts
    ./node_modules/.bin/eslint pnpm/src/packageManagerLockfile.ts pnpm/src/switchCliVersion.test.ts
    git diff --check

Written by an agent (Codex, GPT-5).