Skip to content
Permalink

Comparing changes

Choose two branches to see what’s changed or to start a new pull request. If you need to, you can also or learn more about diff comparisons.

Open a pull request

Create a new pull request by comparing changes across two branches. If you need to, you can also . Learn more about diff comparisons here.
base repository: npm/pacote
Failed to load repositories. Confirm that selected base ref is valid, then try again.
Loading
base: v21.3.0
Choose a base ref
...
head repository: npm/pacote
Failed to load repositories. Confirm that selected head ref is valid, then try again.
Loading
compare: v21.3.1
Choose a head ref
  • 3 commits
  • 6 files changed
  • 4 contributors

Commits on Feb 10, 2026

  1. chore: fix test for ssri ignoring invalid hashes (#447) 

    npm/ssri#160 filtered out invalid hashes
    @wraithgar
    wraithgar authored Feb 10, 2026
    Configuration menu
    Copy the full SHA
    91847c4 View commit details
    Browse the repository at this point in the history

  2. fix: ensure that resolved git ref matches expected sha (#439) 

    In npm/rfcs#525 about ignoring `integrity` values in lockfiles it was
stated:
> the sha is already what gets stored in the resolved field today

This is only true for resolutions from non-commits to commits.

A dependency like `git://...#4b559c4c663a23f988f6be5094c9a45faf6231bc`
will be stored using the same "reference" in `resolved` even when it
cloned a branch or a tag that resolved to a different sha.

The update is only done if it hasn't been resolved yet, which is already
the case if a full "commit" was specified:

https://github.com/npm/pacote/blob/4b559c4c663a23f988f6be5094c9a45faf6231bc/lib/git.js#L263-L265

This also applies to `npm ci` after reading `package-lock.json` as it
will use the same resolution.

This will compare the newly returned commit-hash with a previously set
`resolvedSha` and prevent that from happening.

Co-authored-by: pacotedev <[email protected]>
    @klassiker
    klassiker and pacotedev authored Feb 10, 2026
    Configuration menu
    Copy the full SHA
    96e571a View commit details
    Browse the repository at this point in the history

  3. chore: release 21.3.1 (#448) 

    🤖 I have created a release *beep* *boop*
---


## [21.3.1](v21.3.0...v21.3.1)
(2026-02-10)
### Bug Fixes
*
[`96e571a`](96e571a)
[#439](#439) ensure that resolved git
ref matches expected sha (#439) (@klassiker, pacotedev)
### Chores
*
[`91847c4`](91847c4)
[#447](#447) fix test for ssri
ignoring invalid hashes (#447) (@wraithgar)

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
    @github-actions
    github-actions[bot] authored Feb 10, 2026
    Configuration menu
    Copy the full SHA
    18d36e6 View commit details
    Browse the repository at this point in the history
Loading