Update js-yaml to version 3.7.0 🚀 #476

Closed: greenkeeperio-bot wants to merge 1 commit into master from greenkeeper-js-yaml-3.7.0

@greenkeeperio-bot

Hello lovely humans,

js-yaml just published its new version 3.7.0.

| State | Update 🚀 |
| --- | --- |
| Dependency | js-yaml |
| New version | 3.7.0 |
| Type | dependency |

This version is not covered by your current version range.

Without accepting this pull request your project will work just like it did before. There might be a bunch of new features, fixes and perf improvements that the maintainers worked on for you though.

I recommend you look into these changes and try to get onto the latest version of js-yaml.
Given that you have a decent test suite, a passing build is a strong indicator that you can take advantage of these changes by merging the proposed change into your project. Otherwise this branch is a great starting point for you to work on the update.

Do you have any ideas how I could improve these pull requests? Did I report anything you think isn’t right?
Are you unsure about how things are supposed to work?

There is a collection of frequently asked questions and while I’m just a bot, there is a group of people who are happy to teach me new things. Let them know.

Good luck with your project ✨

You rock!

🌴


The new version differs by 6 commits.

  • 279655f 3.7.0 released
  • e8a3ec4 browser files rebuild
  • 39c5f2c Merge pull request #304 from dplepage/fix-quote-stripping
  • cb14c0b Fix parsing of quotes followed by newlines.
  • 2bf232b Merge pull request #300 from monken/master
  • 2c6e0ae support polymorphism for tags

See the full diff.


This pull request was created by greenkeeper.io.

@zkochan zkochan closed this Nov 23, 2016
@zkochan zkochan deleted the greenkeeper-js-yaml-3.7.0 branch November 25, 2016 23:38
pull Bot pushed a commit to dwongdev/pnpm that referenced this pull request May 14, 2026
…m#476)

* feat(network): add ThrottledClient::for_installs with proxy support

Ports pnpm v11's `getDispatcher` (`network/fetch/src/dispatcher.ts` at
SHA 94240bc) onto reqwest, with the resolved proxy configuration
modeled by the new `ProxyConfig` + `NoProxySetting` types in
`pacquet-network`. HTTPS targets route through `https_proxy`; HTTP
targets through `http_proxy`; the `no_proxy` field short-circuits both
via a reverse-dot-segment-prefix matcher that mirrors upstream's
`checkNoProxy` semantics (`npmjs.org` matches `registry.npmjs.org` but
not `evilnpmjs.org`).

The proxy types live in `pacquet-network` rather than `pacquet-config`
because `pacquet-config` already depends on `pacquet-network` for the
auth-headers plumbing (pnpm#337), so the reverse direction would form a
cycle. The downstream `pacquet-config` will hold a
`Config.proxy: ProxyConfig` and populate it from `.npmrc` + env in the
follow-up commit.

Basic-auth userinfo embedded in the proxy URL is stripped and
percent-decoded before being forwarded via `Proxy::basic_auth`, matching
pnpm's `decodeURIComponent(user):decodeURIComponent(pass)` step. The
percent-decoder is a 15-line inline helper rather than a new direct
`percent-encoding` dep, since it only runs against the two halves of a
proxy userinfo. Unlike JavaScript's `decodeURIComponent`, which throws
on malformed sequences, the helper keeps invalid `%XX` escapes verbatim
— the safer behavior in a config path where the alternative would be
rejecting a half-broken password.

`parse_proxy_url` retries failed parses with an `http://` prefix to
support shorthand values like `proxy.example:8080`, matching pnpm's
`parseProxyUrl`. Rust's `url` parser is permissive enough to accept the
shorthand as scheme + opaque path, so the parser also rejects any first-
attempt parse that lacks a host — forcing the retry through that
authority-aware path.

Invalid proxy URLs surface as `ProxyError::InvalidProxy` with diagnostic
code `ERR_PNPM_INVALID_PROXY`, matching upstream's error code. Failure
is detected eagerly at client-build time (same as pnpm's
`getProxyAgent`) rather than lazily per-request.

Enables reqwest's `socks` feature so socks4/socks4a/socks5 URLs are
honored — pnpm supports the same set via its socks-client wrapper.

The existing `new_for_installs()` is preserved as a thin wrapper around
`for_installs(&ProxyConfig::default())` so test fixtures and the
benchmark harness keep their call sites unchanged.

Tests port the unit-testable describe blocks from
`network/fetch/test/dispatcher.test.ts`: per-URL routing, basic-auth
decoding, noProxy reverse-dot-prefix match, bypass-all literal, invalid
URL diagnostic code, and SOCKS-URL parse smoke. Two mockito integration
tests cover end-to-end HTTP proxy forwarding (with decoded
`Proxy-Authorization`) and the noProxy-bypass path.

* feat(config): parse proxy keys from .npmrc with env-var fallback cascade

Adds `Config.proxy: ProxyConfig` (the type lives in `pacquet-network`,
see preceding commit) and extends `NpmrcAuth` to capture the four
proxy keys (`https-proxy`, `http-proxy`, `proxy`, `no-proxy`, `noproxy`)
plus the env-var fallback cascade pnpm 11 runs in
`config/reader/src/index.ts:591-600` (SHA 94240bc). The cascade now
runs unconditionally from `Config::current` — even when no `.npmrc` is
present — so the env fallback fires the same way it does in pnpm.

The new `NpmrcAuth::apply_proxy_cascade::<Api: EnvVar>` is generic over
the project-wide `EnvVar` capability trait (introduced by pnpm#339), so
cascade unit tests inject the env without taking `EnvGuard`'s global
lock. The existing `apply_to` test helper now runs the full three-phase
sequence (`apply_registry_and_warn` → `apply_proxy_cascade` →
`build_auth_headers`).

`no-proxy=true` (literal) is upstream's `noProxy: string | true`
"bypass every proxy" shape and is parsed as `NoProxySetting::Bypass`.
Comma-separated host lists become `NoProxySetting::List`, trimmed with
empties dropped — the network layer reverse-dot-prefix-matches against
`List` entries when applying the cascade.

The cascade is invoked from `Config::current` between
`apply_registry_and_warn` (phase 1) and `build_auth_headers` (phase 2)
of the existing auth flow. Phase placement is incidental — the proxy
cascade is independent of the registry and creds layers — but slotting
it there keeps every `.npmrc`-consuming step in one block of the
function for the reader.

Tests cover the parse arms (each proxy key, the `no-proxy`/`noproxy`
last-wins alias), the cascade branches (legacy `proxy` → https slot,
http inheriting resolved https, env fallback only when .npmrc unset,
.npmrc winning over env, `PROXY` env fallback, lowercase-only env), and
the `noProxy: true` → `Bypass` parse. A `static_env!` macro keeps each
test's env-table inline. A real-`std::env::var` smoke test in `lib.rs`
exercises the path through `Config::current` under `EnvGuard`.

The `Config` literal in
`crates/package-manager/src/install_package_from_registry/tests.rs`
gains the `proxy` field (defaults to `ProxyConfig::default()`).

* feat(cli): wire proxy config through State::init

Switches `crates/cli/src/state.rs` from `ThrottledClient::new_for_installs()`
to `ThrottledClient::for_installs(&config.proxy)` so the install client
honors the `.npmrc` / env proxy cascade landed in the preceding two
commits. Proxy build failures surface as a new `InitStateError::Proxy`
variant carrying `ProxyError` (transparently diagnosed as
`ERR_PNPM_INVALID_PROXY`).

Drops the `Load` prefix on `InitStateError`'s variants
(`LoadManifest` → `Manifest`, `LoadLockfile` → `Lockfile`) so clippy's
`enum_variant_names` lint stops firing once a third `Load*`-prefixed
variant pushes the type past its shared-prefix threshold. The variants
are still self-descriptive inside `InitStateError::*`; no public
consumers exist outside `state.rs`.

Folds in `cargo fmt` reflows of three test files
(`crates/config/src/npmrc_auth/tests.rs`, `crates/network/src/lib.rs`,
`crates/network/src/tests.rs`) — trivial line-joins on lines that just
fit under the 100-column budget.
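
The `no-proxy` handling described in the commit message above, as an added example that is not part of the commit or of pacquet's source: it parses the raw value into `Bypass` or `List` and compares reversed dot-separated labels, next to the plain suffix test that would let `evilnpmjs.org` through. Apart from `NoProxySetting`, `Bypass` and `List`, every name here is hypothetical.

```rust
// Added illustration; not pacquet's source. Names other than `NoProxySetting`,
// `Bypass` and `List` are hypothetical.

#[derive(Debug, PartialEq)]
pub enum NoProxySetting {
    /// `no-proxy=true`: bypass every proxy.
    Bypass,
    /// Comma-separated hosts, trimmed, empties dropped.
    List(Vec<String>),
}

/// Parse the raw `.npmrc` value of `no-proxy` / `noproxy`.
pub fn parse_no_proxy(raw: &str) -> NoProxySetting {
    if raw.trim() == "true" {
        return NoProxySetting::Bypass;
    }
    let hosts = raw
        .split(',')
        .map(str::trim)
        .filter(|h| !h.is_empty())
        .map(String::from)
        .collect();
    NoProxySetting::List(hosts)
}

/// Dot-separated labels in reverse order, empty labels dropped:
/// "registry.npmjs.org" -> ["org", "npmjs", "registry"].
fn reversed_labels(host: &str) -> Vec<&str> {
    host.split('.').filter(|s| !s.is_empty()).rev().collect()
}

/// True when the entry's reversed labels are a prefix of the host's.
fn entry_matches(entry: &str, host: &str) -> bool {
    let entry_labels = reversed_labels(entry);
    let host_labels = reversed_labels(host);
    !entry_labels.is_empty() && host_labels.starts_with(&entry_labels)
}

/// Decide whether a request to `host` should skip the proxy.
pub fn bypasses_proxy(setting: &NoProxySetting, host: &str) -> bool {
    match setting {
        NoProxySetting::Bypass => true,
        NoProxySetting::List(entries) => entries.iter().any(|e| entry_matches(e, host)),
    }
}

/// The check the label comparison replaces: a plain string suffix test.
pub fn naive_suffix_match(entry: &str, host: &str) -> bool {
    host.ends_with(entry)
}

fn main() {
    // Constructed sample value, including a stray empty entry.
    let setting = parse_no_proxy(" npmjs.org, ,internal.example ");
    for host in ["registry.npmjs.org", "npmjs.org", "evilnpmjs.org", "example"] {
        let by_labels = bypasses_proxy(&setting, host);
        let by_suffix = naive_suffix_match("npmjs.org", host);
        println!("{host:<20} labels={by_labels} suffix={by_suffix}");
    }
}
```
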
pull Bot pushed a commit to dwongdev/pnpm that referenced this pull request May 14, 2026
)

Closes pnpm#482.

## Summary

Ports pnpm v11's TLS + `local-address` `.npmrc` keys onto pacquet
(SHA [`94240bc046`](https://github.com/pnpm/pnpm/blob/94240bc046/network/fetch/src/dispatcher.ts)),
the natural pair to the proxy support that landed in pnpm#476. Three layers:

- **`feat(network)`** (e9ed56c9): adds `TlsConfig` next to `ProxyConfig` in `pacquet-network`, with `ca: Vec<String>`, `cert`/`key`, `strict_ssl: Option<bool>`, and `local_address: Option<IpAddr>`. `ThrottledClient::for_installs` gains a `&TlsConfig` parameter; the unified error surface is the new `ForInstallsError` enum carrying either `ProxyError` or `TlsError`. CAs route through `Certificate::from_pem`, client identities through `Identity::from_pkcs8_pem` (the only PKCS path reqwest exposes on the native-tls backend pacquet builds with). `strict_ssl` defaults to `true` at build site, matching pnpm's per-emit-site `strictSsl ?? true` rather than a config-layer default.
- **`feat(config)`** (e8dcd87e): extends `NpmrcAuth` with the six new keys (`ca`, `cafile`, `cert`, `key`, `strict-ssl`, `local-address`) and adds `apply_tls_and_local_address` to populate `Config.tls`. `cafile` reads from disk and splits on `-----END CERTIFICATE-----` to mirror pnpm's [`loadCAFile`](https://github.com/pnpm/pnpm/blob/94240bc046/config/reader/src/loadNpmrcFiles.ts#L249-L265). Unreadable `cafile` is silently treated as unset. Invalid `strict-ssl` and `local-address` values drop silently.
- **`feat(cli)`** (1759f9d2): one-line swap in `State::init` to pass `&config.tls` instead of `TlsConfig::default()`. Folds in two CI-parity fixups: the self-signed test cert moves to a shared `.pem` fixture under `crates/network/tests/fixtures/` (typos linter false positives on base64 DER), and four reqwest intra-doc links become plain backticks.

## Parity policy

Faithful to pnpm — see the [research brief](pnpm/pacquet#482) on the issue. Highlights:

- **No new error codes.** pnpm doesn't define `ERR_PNPM_INVALID_CA` etc.; invalid PEMs surface as raw `tls.connect` errors at request time upstream. Pacquet validates eagerly via `Certificate::from_pem` / `Identity::from_pkcs8_pem` (pushing the failure to per-request time would silently degrade every install behind a broken `ca`) but deliberately omits a `code(...)` attribute on `TlsError` so reviewers can see at a glance it's a pacquet-only diagnostic, not a pnpm error code.
- **Silent `cafile`-not-found.** Matches pnpm's `catch {}` swallow in `loadCAFile`.
- **No env-var fallback.** pnpm reads only `.npmrc`; Node's implicit `NODE_EXTRA_CA_CERTS` / `NODE_TLS_REJECT_UNAUTHORIZED` honoring doesn't apply to pacquet's reqwest stack.
- **`strict-ssl: false` disables both chain-of-trust and hostname verification**, matching Node's `rejectUnauthorized=false` short-circuit (pacquet uses reqwest's `danger_accept_invalid_certs(true)` which has the same combined semantics).

## Reviewer flags

- **PKCS#8-only client keys.** Reqwest's native-tls backend exposes only `Identity::from_pkcs8_pem`; legacy PKCS#1 keys (`-----BEGIN RSA PRIVATE KEY-----`) and PKCS#12 bundles are not supported by this constructor. Documented at the `apply_tls` callsite with the `openssl pkcs8 -topk8 -nocrypt` conversion command. Switching to rustls-tls would broaden the supported formats but is out of scope here.
- **Per-registry TLS overrides** (`//host:cafile=`, `//host:ca=`, `//host:cert=`, `//host:key=`) are **not** included. Same shape as the existing scoped-auth handling but a sizeable feature on its own; flagged in pnpm#482 as a follow-up.
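
The `.npmrc` TLS value handling described in the commit message above, as an added example that is not part of the commit or of pacquet's source: a `cafile` bundle is split on `-----END CERTIFICATE-----`, invalid `strict-ssl` and `local-address` values become unset, and verification stays on unless `strict-ssl` is a valid `false`. `TlsSketch` and the function names are hypothetical, and treating only `true`/`false` as valid `strict-ssl` spellings is an assumption.

```rust
// Added illustration; not pacquet's source. `TlsSketch` and the function names
// are hypothetical; accepting only "true"/"false" for strict-ssl is an assumption.
use std::net::IpAddr;

const END_MARKER: &str = "-----END CERTIFICATE-----";

/// Constructed bundle: the bodies are placeholders, not real certificates.
pub const SAMPLE_BUNDLE: &str = "-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n\n-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----\n";

/// Split a CA bundle into one PEM string per certificate.
pub fn split_ca_bundle(bundle: &str) -> Vec<String> {
    bundle
        .split(END_MARKER)
        .map(str::trim)
        .filter(|chunk| !chunk.is_empty())
        // `split` consumed the marker, so put it back on each certificate.
        .map(|chunk| format!("{chunk}\n{END_MARKER}"))
        .collect()
}

#[derive(Debug, Default, PartialEq)]
pub struct TlsSketch {
    pub ca: Vec<String>,
    pub strict_ssl: Option<bool>,
    pub local_address: Option<IpAddr>,
}

/// Build the TLS settings from raw `.npmrc` values. `cafile_contents` is `None`
/// when the file could not be read, which is treated as unset.
pub fn apply_tls(
    cafile_contents: Option<&str>,
    strict_ssl: Option<&str>,
    local_address: Option<&str>,
) -> TlsSketch {
    TlsSketch {
        ca: cafile_contents.map(split_ca_bundle).unwrap_or_default(),
        // Invalid values drop silently: they become `None`, not an error.
        strict_ssl: strict_ssl.and_then(|v| v.trim().parse::<bool>().ok()),
        local_address: local_address.and_then(|v| v.trim().parse::<IpAddr>().ok()),
    }
}

/// Certificate verification is on unless strict-ssl was a valid `false`.
pub fn verify_certificates(tls: &TlsSketch) -> bool {
    tls.strict_ssl.unwrap_or(true)
}

fn main() {
    // A misspelled `strict-ssl=flase` is dropped, so verification stays enabled.
    let tls = apply_tls(Some(SAMPLE_BUNDLE), Some("flase"), Some("not-an-ip"));
    println!("certs={} verify={}", tls.ca.len(), verify_certificates(&tls));
}
```
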
github-actions Bot pushed a commit to Eyalm321/pnpm that referenced this pull request May 18, 2026
github-actions Bot pushed a commit to Eyalm321/pnpm that referenced this pull request May 18, 2026