We currently save index files by the integrity of the package. We also save the name and version of the package as specified in the package.json
inside the package's tarball. However, sometimes the name and version don't match the real name and version in the registry. As a result, we have this issue: #4724
Instead of saving the index file by package integrity, we should save it by package integrity + real package name (not the one found in the bundled package.json file) + real package version.
We could also move all the index files into a different directory to make it easier to search for them.
Describe the drawbacks of your solution
Index file duplication when different packages have the same tarball (very rare).
Describe alternatives you've considered
All other alternatives would sacrifice security and/or reliability. If we removed the name/version from the index file, a broken lockfile could make pnpm install a tarball of a different package from the store.