Skip to content

pm: honor yarn supportedArchitectures, mTLS cert/key, npmAlwaysAuth#48

Merged
colinhacks merged 2 commits into
mainfrom
yarn-config-compat-fixes
Jun 21, 2026
Merged

pm: honor yarn supportedArchitectures, mTLS cert/key, npmAlwaysAuth#48
colinhacks merged 2 commits into
mainfrom
yarn-config-compat-fixes

Conversation

@colinhacks

@colinhacks colinhacks commented Jun 21, 2026

Copy link
Copy Markdown
Contributor

Reads three previously-ignored .yarnrc.yml settings and routes them through the existing engine machinery, plus a bundled one-line trust-list fix to unblock CI on a single pin advance. Bumps the vendor/aube pin to e7aaafc (on nub-fork).

Yarn config (B-3 / B-9 / B-12)

  • supportedArchitectures — translated to the JSON-object supportedArchitectures setting (the same channel packageExtensions uses) and unioned into the resolver's platform filter at install time, so optional/platform deps are filtered for the declared os/cpu/libc. The nub-side FATAL gate that aborted on this key is removed — the arch-filter resolver is built and now fed for yarn, same as the pnpm path.
  • httpsCertFilePath / httpsKeyFilePath (top-level and per-host networkSettings) — the referenced PEM files are loaded and emitted as the inline cert/key the registry client's mTLS identity consumer already takes.
  • npmAlwaysAuth (top-level, per-registry, per-scope) — translated to always-auth; the registry client now attaches the home registry's token to requests on a different origin (e.g. tarballs on a separate CDN) when set, instead of sending them unauthenticated.

All three are additive reads gated on the user's explicit yarn config; the default (no setting) path is unchanged.

Bundled CI unblock: nanoid trust-downgrade

nanoid@3.3.14 was published to npm without trust evidence after an earlier version carried a trusted publisher, so trustPolicy=no-downgrade (the aube default) rejects it with ERR_NUB_TRUST_DOWNGRADE (exit 23) at nub install — which breaks the daily-driver on main and every open PR. nanoid is added to DEFAULT_TRUST_POLICY_EXCLUDES alongside the other provenance-churn packages. Bundled here so a single pin advance fixes both concerns at once; the other PRs rebase onto this after merge.

Verification

  • aube: 7 new yarn-config unit tests + the trust-list test (39 trust tests) pass; cargo build clean.
  • nub: cargo clippy --all-targets --all-features -- -D warnings clean, cargo fmt --check clean, cargo test -p nub-cli unsupported_config green.
  • e2e: a .yarnrc.yml with a supportedArchitectures block no longer aborts nub install. The daily-driver install step now passes against the new pin (it exits 23 on main due to nanoid); main + npm_config_trust_policy=off runs the full daily-driver green, confirming nanoid is the sole install-stage blocker.

Docs: the yarn compat tables (yarn.mdx, install/index.mdx) now mark the three yarn settings as supported.

Bumps the vendor/aube pin to 12b18db, which reads three previously-ignored
.yarnrc.yml settings and routes them through the existing engine machinery:

- supportedArchitectures filters optional/platform deps for the declared
  os/cpu/libc (same resolver path the pnpm value uses).
- httpsCertFilePath / httpsKeyFilePath load the mTLS client cert/key.
- npmAlwaysAuth attaches the registry token to cross-origin tarball requests.

Removes the nub-side supportedArchitectures FATAL gate (the arch-filter
resolver is built and now fed for yarn) and updates the yarn compat docs.

Refs the pm-compat fix lane (B-3 / B-9 / B-12).
Copilot AI review requested due to automatic review settings June 21, 2026 16:08
@vercel

vercel Bot commented Jun 21, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
nub Ready Ready Preview, Comment Jun 21, 2026 5:19pm

Request Review

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot was unable to review this pull request because the user who requested the review has reached their quota limit.

nanoid@3.3.14 published without trust evidence trips trustPolicy=no-downgrade
(ERR_NUB_TRUST_DOWNGRADE) at install, which breaks the daily-driver CI on
main and this PR. Bundled here so a single pin advance fixes both — see the
PR body.
@colinhacks colinhacks merged commit 71f6687 into main Jun 21, 2026
30 checks passed
@colinhacks colinhacks deleted the yarn-config-compat-fixes branch June 21, 2026 18:22
@colinhacks

Copy link
Copy Markdown
Contributor Author

Shipped in v0.1.10: https://github.com/nubjs/nub/releases/tag/v0.1.10

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants