Add pnpm plugin for node_modules pruning and validation #21

Open
exo-nikita wants to merge 2 commits into master from claude/add-pnpm-lockfile-plugin-klAwW

@exo-nikita
Collaborator

Summary

This PR adds a new pnpm plugin to Stasis that validates and prunes node_modules directories based on a lockfile manifest. The plugin ensures that only files explicitly listed in stasis.lock.json are present, with hash verification to detect tampering or corruption.

Key Changes

  • New pnpm plugin (src/pnpm.cjs): Provides hooks and utilities for managing pnpm-based node_modules trees

    • prune() function: Walks node_modules, validates file hashes against lockfile, removes unlisted files, and cleans up empty directories
    • afterAllResolved() hook: Integrates with pnpm's .pnpmfile.cjs to enforce configuration constraints
    • assertGlobalVirtualStoreDisabled(): Validates that pnpm's global virtual store is disabled (required for correct operation)
    • sha512integrity(): Computes SHA-512 integrity hashes for file verification
  • CLI command (bin/stasis.js): Added stasis prune [path] command to invoke the pruning functionality from the command line

  • Comprehensive test suite (tests/pnpm.test.js): 8 tests covering:

    • File validation, hash verification, and removal of untracked files
    • Preservation of package.json files
    • Error handling for hash mismatches, missing files, and missing lockfile
    • Configuration validation for enableGlobalVirtualStore
    • Empty directory cleanup
  • Documentation (doc/file-formats.md): Added section explaining the pnpm plugin usage, configuration, and behavior

  • Package exports (package.json): Exported the pnpm plugin as @exodus/stasis/pnpm

Implementation Details

  • The plugin walks the node_modules tree non-recursively using a stack to avoid symlink issues (pnpm uses symlinks extensively)
  • All package.json files are preserved regardless of lockfile entries
  • Files are validated via SHA-512 hash comparison before removal
  • Empty intermediate directories are pruned bottom-up after file removal
  • The plugin enforces that enableGlobalVirtualStore is disabled via environment variable checks
  • Comprehensive error messages with file samples for missing files (up to 5 examples shown)

https://claude.ai/code/session_01HmfdTNRR9un7aqRgH3HDDV

claude added 2 commits May 16, 2026 07:06
The plugin exposes `hooks` for `.pnpmfile.cjs` and a `prune` helper (also
wired as `stasis prune`) that walks node_modules, keeps every
package.json, keeps and sha512-validates every file listed in
stasis.lock.json, and removes everything else. Both entry points refuse
to operate unless `enableGlobalVirtualStore` is false.
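
The prune pass described in the summary and commit message above (stack-based walk, every package.json kept, listed files SHA-512-verified, unlisted files removed, empty directories cleaned bottom-up), as an added Node.js example that is not code from this PR or from Stasis. The `listed` map shape, the `sha512-<base64>` digest encoding, the names `pruneTree` and `sha512sri`, skipping symlinks, and deferring deletion until every listed file has verified are all assumptions of this example.

```javascript
const fs = require('node:fs');
const path = require('node:path');
const crypto = require('node:crypto');

// SRI-style digest; the "sha512-<base64>" encoding is an assumption here.
const sha512sri = (buf) =>
  'sha512-' + crypto.createHash('sha512').update(buf).digest('base64');

const toRel = (root, full) => path.relative(root, full).split(path.sep).join('/');

// `listed` maps root-relative paths (forward slashes) to expected digests.
// Hypothetical shape: the page does not show the stasis.lock.json format.
function pruneTree(root, listed) {
  const seen = new Set(), unlisted = [], dirs = [], stack = [root];
  while (stack.length > 0) {                // explicit stack, no recursion
    const dir = stack.pop();
    dirs.push(dir);
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      const rel = toRel(root, full);
      if (entry.isSymbolicLink()) continue; // links are kept and never followed
      if (entry.isDirectory()) { stack.push(full); continue; }
      if (Object.hasOwn(listed, rel)) {
        if (sha512sri(fs.readFileSync(full)) !== listed[rel]) {
          throw new Error(`hash mismatch: ${rel}`);
        }
        seen.add(rel);
      } else if (entry.name !== 'package.json') {
        unlisted.push(full);                // candidate for removal
      }
    }
  }
  const missing = Object.keys(listed).filter((rel) => !seen.has(rel));
  if (missing.length > 0) {
    throw new Error(`${missing.length} listed file(s) missing: ${missing.slice(0, 5).join(', ')}`);
  }
  // Nothing is deleted until every listed file is present and verified.
  for (const full of unlisted) fs.rmSync(full);
  // Parents were recorded before their children, so reversed order is bottom-up.
  for (const dir of dirs.reverse()) {
    if (dir !== root && fs.readdirSync(dir).length === 0) fs.rmdirSync(dir);
  }
  return unlisted.map((full) => toRel(root, full)).sort();
}
```

Because removal is deferred, a hash mismatch or missing file aborts the run with the tree untouched, which keeps the evidence in place for inspection.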