Couple of tweaks

packages/acceptance-tests/pkg-tests-specs/sources/features/npmMinimalAgeGate.test.ts

@@ -44,21 +44,18 @@ describe(`Features`, () => {
         makeTemporaryEnv({}, {
           npmMinimalAgeGate: ONE_DAY_IN_MINUTES,
           npmPreapprovedPackages: [`release-date@^1.0.0`],
-          // we are checking a transitive dependencies version, which the pnp will throw an error for
-          // disabling these checks for the purpose of this test
-          pnpFallbackMode: `all`,
-          pnpMode: `loose`,
         }, async ({run, source}) => {
           await run(`add`, `release-date@^1.0.0`);
 
-          await expect(source(`require('release-date/package.json')`)).resolves.toMatchObject({
+          await expect(source(`require('release-date')`)).resolves.toMatchObject({
             name: `release-date`,
             version: `1.1.1`,
-          });
-
-          await expect(source(`require('release-date-transitive/package.json')`)).resolves.toMatchObject({
-            name: `release-date-transitive`,
-            version: `1.1.0`,
+            dependencies: {
+              [`release-date-transitive`]: {
+                name: `release-date-transitive`,
+                version: `1.1.0`,
+              },
+            },
           });
         }),
       );

packages/docusaurus/static/configuration/yarnrc.json

@@ -495,7 +495,7 @@
         "type": "string"
       },
       "default": [],
-      "examples": ["@scoped-package/*", "package", "package*", "package@^1.0.0", "[email protected]", "package@npm:1.0.0", "package@npm:^1.0.0"]
+      "examples": ["@scoped-package/*", "package", "package*", "package@^1.0.0", "[email protected]"]
     },
     "pnpmStoreFolder": {
       "_package": "@yarnpkg/plugin-pnpm",

packages/plugin-npm/sources/NpmSemverResolver.ts

@@ -6,7 +6,7 @@ import semver
 
 import {NpmSemverFetcher}                                                                                        from './NpmSemverFetcher';
 import {PROTOCOL}                                                                                                from './constants';
-import {checkPackageGates}                                                                                       from './npmConfigUtils';
+import {isPackageApproved}                                                                                       from './npmConfigUtils';
 import * as npmHttpUtils                                                                                         from './npmHttpUtils';
 
 const NODE_GYP_IDENT = structUtils.makeIdent(null, `node-gyp`);
@@ -58,7 +58,7 @@ export class NpmSemverResolver implements Resolver {
       try {
         const candidate = new semverUtils.SemVer(version);
         if (range.test(candidate)) {
-          if (!checkPackageGates({configuration: opts.project.configuration, descriptor, version, publishTimes: registryData.time}))
+          if (!isPackageApproved({configuration: opts.project.configuration, ident: descriptor, version, publishTimes: registryData.time}))
             return miscUtils.mapAndFilter.skip;
 
           return candidate;

packages/plugin-npm/sources/NpmTagResolver.ts

@@ -5,7 +5,7 @@ import semver
 
 import {NpmSemverFetcher}                                                                      from './NpmSemverFetcher';
 import {PROTOCOL}                                                                              from './constants';
-import {checkPackageGates}                                                                     from './npmConfigUtils';
+import {isPackageApproved}                                                                     from './npmConfigUtils';
 import * as npmHttpUtils                                                                       from './npmHttpUtils';
 
 export class NpmTagResolver implements Resolver {
@@ -55,11 +55,19 @@ export class NpmTagResolver implements Resolver {
 
     const versions = Object.keys(registryData.versions);
     const times = registryData.time;
+
     let version = distTags[tag];
-    if (tag === `latest` && !checkPackageGates({configuration: opts.project.configuration, descriptor, version, publishTimes: times}))
-      version = semver.rsort(versions)
-        .filter(nextVersion => semver.lt(nextVersion, version))
-        .find(nextVersion => checkPackageGates({configuration: opts.project.configuration, descriptor, version: nextVersion, publishTimes: times})) ?? distTags[tag];
+
+    if (tag === `latest` && !isPackageApproved({configuration: opts.project.configuration, ident: descriptor, version, publishTimes: times})) {
+      const nextVersion = semver.rsort(versions).find(candidateVersion => {
+        return semver.lt(candidateVersion, version) && isPackageApproved({configuration: opts.project.configuration, ident: descriptor, version: candidateVersion, publishTimes: times});
+      });
+
+      if (!nextVersion)
+        throw new ReportError(MessageName.REMOTE_NOT_FOUND, `The version for tag "${tag}" is quarantined, and no lower version is available`);
+
+      version = nextVersion;
+    }
 
     const versionLocator = structUtils.makeLocator(descriptor, `${PROTOCOL}${version}`);
 

packages/plugin-npm/sources/npmConfigUtils.ts

@@ -1,7 +1,5 @@
-import {Configuration, Manifest, Ident, structUtils, Descriptor} from '@yarnpkg/core';
-import micromatch                                                from 'micromatch';
-
-import {PROTOCOL}                                                from './constants';
+import {Configuration, Manifest, Ident, structUtils, semverUtils} from '@yarnpkg/core';
+import micromatch                                                 from 'micromatch';
 
 export enum RegistryType {
   AUDIT_REGISTRY = `npmAuditRegistry`,
@@ -98,30 +96,54 @@ export function getAuthConfiguration(registry: string, {configuration, ident}: {
   return registryConfiguration || configuration;
 }
 
-export type CheckPackageGatesOptions = {
-  configuration: Configuration;
-  descriptor: Descriptor;
-  version: string;
-  publishTimes: Record<string, string>;
-};
-
-export function checkPackageGates({configuration, descriptor, version, publishTimes}: CheckPackageGatesOptions) {
-  const range = descriptor.range.slice(PROTOCOL.length);
+function shouldBeQuarantined({configuration, version, publishTimes}: IsPackageApprovedOptions) {
   const minimalAgeGate = configuration.get(`npmMinimalAgeGate`);
-  const stringifiedIdent = structUtils.stringifyIdent(descriptor);
-  const stringifiedDescriptor = structUtils.stringifyDescriptor({...descriptor, range});
+
   if (minimalAgeGate) {
-    const preapprovedPackages = configuration.get(`npmPreapprovedPackages`);
-    const shouldExclude = preapprovedPackages.some(exclude =>
-      [stringifiedIdent, stringifiedDescriptor].includes(exclude) || micromatch.isMatch(stringifiedIdent, exclude),
-    );
-    if (!shouldExclude) {
-      const versionTime = new Date(publishTimes[version]);
-      const ageMinutes = (new Date().getTime() - versionTime.getTime()) / 60 / 1000;
-      if (ageMinutes < minimalAgeGate) {
-        return false;
-      }
+    const versionTime = new Date(publishTimes[version]);
+    const ageMinutes = (new Date().getTime() - versionTime.getTime()) / 60 / 1000;
+    if (ageMinutes < minimalAgeGate) {
+      return true;
     }
   }
+
+  return false;
+}
+
+function checkIdent(ident: Ident, version: string, entry: string) {
+  const validator = structUtils.tryParseDescriptor(entry);
+  if (!validator)
+    return false;
+
+  if (validator.identHash !== ident.identHash && !micromatch.isMatch(structUtils.stringifyIdent(ident), structUtils.stringifyIdent(validator)))
+    return false;
+
+  if (validator.range === `unknown`)
+    return true;
+
+  const validatorRange = semverUtils.validRange(validator.range);
+  if (!validatorRange)
+    return false;
+
+  if (!validatorRange.test(version))
+    return false;
+
   return true;
 }
+
+export type IsPackageApprovedOptions = {
+  configuration: Configuration;
+  ident: Ident;
+  version: string;
+  publishTimes: Record<string, string>;
+};
+
+function isPreapproved({configuration, ident, version}: IsPackageApprovedOptions) {
+  return configuration.get(`npmPreapprovedPackages`).some(entry => {
+    return checkIdent(ident, version, entry);
+  });
+}
+
+export function isPackageApproved(params: IsPackageApprovedOptions) {
+  return !shouldBeQuarantined(params) || isPreapproved(params);
+}