feat: add lockfile-include-tarball-url option

.changeset/proud-items-fold.md

@@ -0,0 +1,8 @@
+---
+"@pnpm/config": patch
+"@pnpm/core": patch
+"@pnpm/plugin-commands-installation": patch
+"@pnpm/resolve-dependencies": patch
+---
+
+feat: add lockfile-include-tarball-url option to save tarballs urls in lockfile when adding new packages #5054.

packages/config/src/Config.ts

@@ -35,6 +35,7 @@ export interface Config {
   saveOptional?: boolean
   savePeer?: boolean
   saveWorkspaceProtocol?: boolean | 'rolling'
+  lockfileIncludeTarballUrl?: boolean
   scriptShell?: string
   stream?: boolean
   pnpmExecPath: string

packages/config/src/index.ts

@@ -69,6 +69,7 @@ export const types = Object.assign({
   lockfile: Boolean,
   'lockfile-dir': String,
   'lockfile-directory': String, // TODO: deprecate
+  'lockfile-include-tarball-url': Boolean,
   'lockfile-only': Boolean,
   loglevel: ['silent', 'error', 'warn', 'info', 'debug'],
   maxsockets: Number,
@@ -197,6 +198,7 @@ export default async (
     'hoist-pattern': ['*'],
     'ignore-workspace-root-check': false,
     'link-workspace-packages': true,
+    'lockfile-include-tarball-url': false,
     'modules-cache-max-age': 7 * 24 * 60, // 7 days
     'node-linker': 'isolated',
     'package-lock': npmDefaults['package-lock'],

packages/core/src/install/extendInstallOptions.ts

@@ -33,6 +33,7 @@ export interface StrictInstallOptions {
   ignorePackageManifest: boolean
   preferFrozenLockfile: boolean
   saveWorkspaceProtocol: boolean | 'rolling'
+  lockfileIncludeTarballUrl: boolean
   preferWorkspacePackages: boolean
   preserveWorkspaceProtocol: boolean
   scriptsPrependNodePath: boolean | 'warn-only'
@@ -155,6 +156,7 @@ const defaults = async (opts: InstallOptions) => {
     rawConfig: {},
     registries: DEFAULT_REGISTRIES,
     saveWorkspaceProtocol: true,
+    lockfileIncludeTarballUrl: false,
     scriptsPrependNodePath: false,
     shamefullyHoist: false,
     shellEmulator: false,

packages/core/src/install/index.ts

@@ -810,6 +810,7 @@ const _installInContext: InstallFunction = async (projects, ctx, opts) => {
       wantedLockfile: ctx.wantedLockfile,
       workspacePackages: opts.workspacePackages,
       patchedDependencies: opts.patchedDependencies,
+      lockfileIncludeTarballUrl: opts.lockfileIncludeTarballUrl,
     }
   )
   if (!opts.include.optionalDependencies || !opts.include.devDependencies || !opts.include.dependencies) {

packages/plugin-commands-installation/src/install.ts

@@ -268,6 +268,7 @@ export type InstallCommandOptions = Pick<Config,
 | 'savePrefix'
 | 'saveProd'
 | 'saveWorkspaceProtocol'
+| 'lockfileIncludeTarballUrl'
 | 'selectedProjectsGraph'
 | 'sideEffectsCache'
 | 'sideEffectsCacheReadonly'

packages/plugin-commands-installation/src/installDeps.ts

@@ -62,6 +62,7 @@ export type InstallDepsOptions = Pick<Config,
 | 'savePrefix'
 | 'saveProd'
 | 'saveWorkspaceProtocol'
+| 'lockfileIncludeTarballUrl'
 | 'scriptsPrependNodePath'
 | 'scriptShell'
 | 'selectedProjectsGraph'

packages/plugin-commands-installation/src/recursive.ts

@@ -64,6 +64,7 @@ type RecursiveOptions = CreateStoreControllerOptions & Pick<Config,
 | 'savePrefix'
 | 'saveProd'
 | 'saveWorkspaceProtocol'
+| 'lockfileIncludeTarballUrl'
 | 'sharedWorkspaceLockfile'
 | 'tag'
 > & {

packages/plugin-commands-installation/src/update/index.ts

@@ -40,6 +40,7 @@ export function rcOptionsTypes () {
     'lockfile-directory',
     'lockfile-only',
     'lockfile',
+    'lockfile-include-tarball-url',
     'network-concurrency',
     'noproxy',
     'npmPath',

packages/plugin-commands-installation/test/add.ts

@@ -5,6 +5,7 @@ import prepare, { preparePackages } from '@pnpm/prepare'
 import { REGISTRY_MOCK_PORT } from '@pnpm/registry-mock'
 import loadJsonFile from 'load-json-file'
 import tempy from 'tempy'
+import { TarballResolution } from '@pnpm/lockfile-types'
 
 const REGISTRY_URL = `http://localhost:${REGISTRY_MOCK_PORT}`
 const tmp = tempy.directory()
@@ -329,3 +330,17 @@ test('pnpm add automatically installs missing peer dependencies', async () => {
   const lockfile = await project.readLockfile()
   expect(Object.keys(lockfile.packages).length).toBe(5)
 })
+
+test('pnpm add - tarball URL is saved to lockfile when lockfile-include-tarball-url=true', async () => {
+  const project = prepare()
+  await add.handler({
+    ...DEFAULT_OPTIONS,
+    lockfileIncludeTarballUrl: true,
+    dir: process.cwd(),
+    linkWorkspacePackages: false,
+  }, ['abc@1.0.0'])
+
+  const lockfile = await project.readLockfile()
+  expect(Object.keys(lockfile.packages['/abc/1.0.0'].resolution)).toContain('tarball')
+  expect((lockfile.packages['/abc/1.0.0'].resolution as TarballResolution).tarball).toBe(`${REGISTRY_URL}/abc/-/abc-1.0.0.tgz`)
+})

packages/resolve-dependencies/src/index.ts

@@ -82,6 +82,7 @@ export default async function (
     defaultUpdateDepth: number
     preserveWorkspaceProtocol: boolean
     saveWorkspaceProtocol: 'rolling' | boolean
+    lockfileIncludeTarballUrl?: boolean
   }
 ) {
   const _toResolveImporter = toResolveImporter.bind(null, {
@@ -212,7 +213,7 @@ export default async function (
     }
   }
 
-  const { newLockfile, pendingRequiresBuilds } = updateLockfile(dependenciesGraph, opts.wantedLockfile, opts.virtualStoreDir, opts.registries) // eslint-disable-line:prefer-const
+  const { newLockfile, pendingRequiresBuilds } = updateLockfile(dependenciesGraph, opts.wantedLockfile, opts.virtualStoreDir, opts.registries, opts.lockfileIncludeTarballUrl) // eslint-disable-line:prefer-const
 
   if (opts.forceFullResolution && opts.wantedLockfile != null) {
     for (const [depPath, pkg] of Object.entries(dependenciesGraph)) {

packages/resolve-dependencies/src/updateLockfile.ts

@@ -23,7 +23,8 @@ export default function (
   depGraph: DependenciesGraph,
   lockfile: Lockfile,
   prefix: string,
-  registries: Registries
+  registries: Registries,
+  lockfileIncludeTarballUrl?: boolean
 ): {
     newLockfile: Lockfile
     pendingRequiresBuilds: string[]
@@ -44,6 +45,7 @@ export default function (
       registry: dp.getRegistryByPackageName(registries, depNode.name),
       updatedDeps,
       updatedOptionalDeps,
+      lockfileIncludeTarballUrl,
     })
   }
   const warn = (message: string) => logger.warn({ message, prefix })
@@ -64,13 +66,15 @@ function toLockfileDependency (
     updatedOptionalDeps: Array<{alias: string, depPath: string}>
     depGraph: DependenciesGraph
     prevSnapshot?: PackageSnapshot
+    lockfileIncludeTarballUrl?: boolean
   }
 ): PackageSnapshot {
   const lockfileResolution = toLockfileResolution(
     { id: pkg.id, name: pkg.name, version: pkg.version },
     opts.depPath,
     pkg.resolution,
-    opts.registry
+    opts.registry,
+    opts.lockfileIncludeTarballUrl
   )
   const newResolvedDeps = updateResolvedDeps(
     opts.prevSnapshot?.dependencies ?? {},
@@ -227,13 +231,21 @@ function toLockfileResolution (
   },
   depPath: string,
   resolution: Resolution,
-  registry: string
+  registry: string,
+  lockfileIncludeTarballUrl?: boolean
 ): LockfileResolution {
   /* eslint-disable @typescript-eslint/dot-notation */
   if (dp.isAbsolute(depPath) || resolution.type !== undefined || !resolution['integrity']) {
     return resolution as LockfileResolution
   }
   const base = registry !== resolution['registry'] ? { registry: resolution['registry'] } : {}
+  if (lockfileIncludeTarballUrl) {
+    return {
+      ...base,
+      integrity: resolution['integrity'],
+      tarball: resolution['tarball'],
+    }
+  }
   // Sometimes packages are hosted under non-standard tarball URLs.
   // For instance, when they are hosted on npm Enterprise. See https://github.com/pnpm/pnpm/issues/867
   // Or in other weird cases, like https://github.com/pnpm/pnpm/issues/1072