feat!: replace bundled pnpm binary with npm + lockfile bootstrap

Remove the 9MB bundled pnpm.cjs/worker.js and instead use npm ci with committed package-lock.json files (~5KB) to install a bootstrap pnpm, which then installs the target version with integrity verification via the project's pnpm-lock.yaml. Also switch from ncc to esbuild and modernize to ESM. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-17 07:46:13 +08:00 · 2026-03-16 01:52:34 +01:00
parent fc06bc1257
commit dc312cdfd7
10 changed files with 882 additions and 237466 deletions
--- a/src/install-pnpm/bootstrap/exe-lock.json
+++ b/src/install-pnpm/bootstrap/exe-lock.json
@@ -0,0 +1,147 @@
+{
+  "name": "bootstrap-exe",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "@pnpm/exe": "latest"
+      }
+    },
+    "node_modules/@pnpm/exe": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/exe/-/exe-10.32.1.tgz",
+      "integrity": "sha512-baEtwHeZwmZAdBuuDDL6tbdGg5KpxhPxr3QFfYTGXvY6ws+Z1bN0mQ7ZjcaXBSC1HuLpVXnZ6NsBiaZ2DMv4vg==",
+      "hasInstallScript": true,
+      "license": "MIT",
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      },
+      "optionalDependencies": {
+        "@pnpm/linux-arm64": "10.32.1",
+        "@pnpm/linux-x64": "10.32.1",
+        "@pnpm/macos-arm64": "10.32.1",
+        "@pnpm/macos-x64": "10.32.1",
+        "@pnpm/win-arm64": "10.32.1",
+        "@pnpm/win-x64": "10.32.1"
+      }
+    },
+    "node_modules/@pnpm/linux-arm64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-arm64/-/linux-arm64-10.32.1.tgz",
+      "integrity": "sha512-6uB0B+XvunQwHGzIMk2JCkl4Ur6BtM4XbJSwB/mgpWmXDoX/KTJmgx2lodcTjgJSGSySCHfIVuTR9sj/F2D4EA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/linux-x64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/linux-x64/-/linux-x64-10.32.1.tgz",
+      "integrity": "sha512-AM2tv23Fg7h+nV+adqA/SkZKUysSIEetHfBwYFl8ArgdgkqbGoQy0rAOdKYQBb920CqfexXfI8OA8kPCzRxYng==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "linux"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/macos-arm64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-arm64/-/macos-arm64-10.32.1.tgz",
+      "integrity": "sha512-Zr4JkhRbtGVsYgbuGZO0dq/6FPOn072Pdo0ubmqWtc14cUATKgAJD7efG03yqr3MLgtwFHgdtUzZ1WsaYAtUTA==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/macos-x64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/macos-x64/-/macos-x64-10.32.1.tgz",
+      "integrity": "sha512-Yk6q3oFDu//OniXJxfTSHo+aew1LX81FcbzJAtEkcCeTQ0SLbQT6J3QiOMNikp8n8IjNhsy+bn2bdkUxaw+akA==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "darwin"
+      ],
+      "bin": {
+        "pnpm": "pnpm"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/win-arm64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-arm64/-/win-arm64-10.32.1.tgz",
+      "integrity": "sha512-P8rsP5IUetpYjr2iwggoswL2qUukYrJoToXWuMyo8immn58CsYxaXsHVQ1Oq1R3XMfmGGWTXLsiJuQ7H991MRg==",
+      "cpu": [
+        "arm64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "bin": {
+        "pnpm": "pnpm.exe"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    },
+    "node_modules/@pnpm/win-x64": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/@pnpm/win-x64/-/win-x64-10.32.1.tgz",
+      "integrity": "sha512-i24GwbtBO8ojrhp8WWimX7NgZs0UKH1171oRt6qcRL+a+FxE0Eggv2y0KP7ZI7F3+LZMarwr3tnYsZryfciUOg==",
+      "cpu": [
+        "x64"
+      ],
+      "license": "MIT",
+      "optional": true,
+      "os": [
+        "win32"
+      ],
+      "bin": {
+        "pnpm": "pnpm.exe"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    }
+  }
+}
--- a/src/install-pnpm/bootstrap/pnpm-lock.json
+++ b/src/install-pnpm/bootstrap/pnpm-lock.json
@@ -0,0 +1,28 @@
+{
+  "name": "bootstrap-pnpm",
+  "lockfileVersion": 3,
+  "requires": true,
+  "packages": {
+    "": {
+      "dependencies": {
+        "pnpm": "latest"
+      }
+    },
+    "node_modules/pnpm": {
+      "version": "10.32.1",
+      "resolved": "https://registry.npmjs.org/pnpm/-/pnpm-10.32.1.tgz",
+      "integrity": "sha512-pwaTjw6JrBRWtlY+q07fHR+vM2jRGR/FxZeQ6W3JGORFarLmfWE94QQ9LoyB+HMD5rQNT/7KnfFe8a1Wc0jyvg==",
+      "license": "MIT",
+      "bin": {
+        "pnpm": "bin/pnpm.cjs",
+        "pnpx": "bin/pnpx.cjs"
+      },
+      "engines": {
+        "node": ">=18.12"
+      },
+      "funding": {
+        "url": "https://opencollective.com/pnpm"
+      }
+    }
+  }
+}
--- a/src/install-pnpm/run.ts
+++ b/src/install-pnpm/run.ts
@@ -3,21 +3,40 @@ import { spawn } from 'child_process'
 import { rm, writeFile, mkdir, copyFile } from 'fs/promises'
 import { readFileSync } from 'fs'
 import path from 'path'
-import { execPath } from 'process'
 import util from 'util'
 import { Inputs } from '../inputs'
 import { parse as parseYaml } from 'yaml'
+import pnpmLock from './bootstrap/pnpm-lock.json'
+import exeLock from './bootstrap/exe-lock.json'
+
+const BOOTSTRAP_PNPM_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { pnpm: pnpmLock.packages['node_modules/pnpm'].version } })
+const BOOTSTRAP_EXE_PACKAGE_JSON = JSON.stringify({ private: true, dependencies: { '@pnpm/exe': exeLock.packages['node_modules/@pnpm/exe'].version } })

 export async function runSelfInstaller(inputs: Inputs): Promise<number> {
  const { version, dest, packageJsonFile, standalone } = inputs
  const { GITHUB_WORKSPACE } = process.env

-  // prepare self install
+  // Step 1: Install bootstrap pnpm via npm (integrity verified by committed lockfile)
+  const bootstrapDir = path.join(dest, '..', '.pnpm-bootstrap')
+  await rm(bootstrapDir, { recursive: true, force: true })
+  await mkdir(bootstrapDir, { recursive: true })
+
+  const lockfile = standalone ? exeLock : pnpmLock
+  const packageJson = standalone ? BOOTSTRAP_EXE_PACKAGE_JSON : BOOTSTRAP_PNPM_PACKAGE_JSON
+  await writeFile(path.join(bootstrapDir, 'package.json'), packageJson)
+  await writeFile(path.join(bootstrapDir, 'package-lock.json'), JSON.stringify(lockfile))
+
+  const npmExitCode = await runCommand('npm', ['ci', '--ignore-scripts'], { cwd: bootstrapDir })
+  if (npmExitCode !== 0) {
+    return npmExitCode
+  }
+
+  const bootstrapPnpm = path.join(bootstrapDir, 'node_modules', '.bin', 'pnpm')
+
+  // Step 2: Use bootstrap pnpm to install the target version (verified via project's pnpm-lock.yaml)
  await rm(dest, { recursive: true, force: true })
-  // create dest directory after removal
  await mkdir(dest, { recursive: true })
  const pkgJson = path.join(dest, 'package.json')
-  // we have ensured the dest directory exists, we can write the file directly
  await writeFile(pkgJson, JSON.stringify({ private: true }))

  // copy .npmrc if it exists to install from custom registry
@@ -32,23 +51,35 @@ export async function runSelfInstaller(inputs: Inputs): Promise<number> {

  // prepare target pnpm
  const target = await readTarget({ version, packageJsonFile, standalone })
-  const cp = spawn(execPath, [path.join(__dirname, 'pnpm.cjs'), 'install', target, '--no-lockfile'], {
-    cwd: dest,
-    stdio: ['pipe', 'inherit', 'inherit'],
-  })
-
-  const exitCode = await new Promise<number>((resolve, reject) => {
-    cp.on('error', reject)
-    cp.on('close', resolve)
-  })
+  const installArgs = ['install', target]
+  if (GITHUB_WORKSPACE) {
+    installArgs.push('--lockfile-dir', GITHUB_WORKSPACE)
+  } else {
+    installArgs.push('--no-lockfile')
+  }
+  const exitCode = await runCommand(bootstrapPnpm, installArgs, { cwd: dest })
  if (exitCode === 0) {
    const pnpmHome = path.join(dest, 'node_modules/.bin')
    addPath(pnpmHome)
    exportVariable('PNPM_HOME', pnpmHome)
+
+    // Clean up bootstrap directory
+    await rm(bootstrapDir, { recursive: true, force: true }).catch(() => {})
  }
  return exitCode
 }

+function runCommand(cmd: string, args: string[], opts: { cwd: string }): Promise<number> {
+  return new Promise<number>((resolve, reject) => {
+    const cp = spawn(cmd, args, {
+      cwd: opts.cwd,
+      stdio: ['pipe', 'inherit', 'inherit'],
+    })
+    cp.on('error', reject)
+    cp.on('close', resolve)
+  })
+}
+
 async function readTarget(opts: {
  readonly version?: string | undefined
  readonly packageJsonFile: string