fix!: save the whole tarball URL, when it doesn't use the standard format #6265
pnpm doesn't store the URLs to package tarballs when the package tarball URL may be calculated automatically using the registry, package name and version.

For instance, if we know that the package is hosted in the https://registry.npmjs.org registry and the name of the package is is-odd and the version of the package is 1.0.0, then we know that we can download the tarball from:

However, if the registry uses a different URL format for storing the tarballs, then we can't calculate it automatically and in this case we need to store that tarball URL in the lockfile. Currently, we don't store the whole URL in the lockfile, just the URL path. So, for instance, if the tarball was hosted at https://registry.npmjs.org/tar/is-odd@1.0.0.tgz, then we would add this to the lockfile:

The disadvantage of this approach is that if someone changes the registry and tries to run pnpm install, installation will probably fail with a 404 error because the other registry may use a different tarball URL.
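
To illustrate the description above, here is an added example (not code from this pull request or from pnpm) that compares a path-only lockfile entry with a full-URL entry after the configured registry changes. The function names, the `mode` flag, the registry-relative form of the stored path and `mirror.example` are assumptions; the standard layout used is the npm registry convention `<name>/-/<name>-<version>.tgz`.

```javascript
// Added illustration; names are hypothetical and this is not pnpm's implementation.
const withSlash = (registry) => (registry.endsWith('/') ? registry : registry + '/');

// npm registry convention: <registry>/<name>/-/<unscoped name>-<version>.tgz
function standardTarballUrl(registry, name, version) {
  const unscoped = name.startsWith('@') ? name.split('/')[1] : name;
  return `${withSlash(registry)}${name}/-/${unscoped}-${version}.tgz`;
}

// What gets written to the lockfile for one package.
// mode 'path': only the URL path (assumed here to be relative to the registry root).
// mode 'full': the whole tarball URL.
function lockfileTarball(registry, name, version, tarballUrl, mode) {
  if (tarballUrl === standardTarballUrl(registry, name, version)) {
    return undefined; // derivable from registry + name + version, nothing stored
  }
  if (mode === 'full') return tarballUrl;
  const { pathname, search } = new URL(tarballUrl);
  return pathname.replace(/^\//, '') + search;
}

// Where an install fetches from, given the registry configured at install time.
function resolveTarball(currentRegistry, name, version, stored) {
  if (stored === undefined) return standardTarballUrl(currentRegistry, name, version);
  // new URL() ignores the base when `stored` is already absolute
  return new URL(stored, withSlash(currentRegistry)).href;
}

// Constructed sample: the non-standard URL from the description, then a registry switch.
const NPM = 'https://registry.npmjs.org';
const MIRROR = 'https://mirror.example'; // hypothetical second registry
const ODD = 'https://registry.npmjs.org/tar/is-odd@1.0.0.tgz';

for (const mode of ['path', 'full']) {
  const stored = lockfileTarball(NPM, 'is-odd', '1.0.0', ODD, mode);
  console.log(mode, '->', stored, '->', resolveTarball(MIRROR, 'is-odd', '1.0.0', stored));
}
```

With the path-only entry the download host follows whichever registry is configured at install time; with the full URL the lockfile itself fixes the host the tarball is fetched from.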