Open elrrrrrrr opened 11 months ago
2. 🪝 Add a post-install hook to install cnpm-related dependencies.
Could it be possible to drop that and download ready-to-be-used code instead?
Just a gentle ping 🙏🏻 @aduh95 @arcanis @merceyz If there's anything more needed from my side, please let me know. Eagerly awaiting your feedback
cc @nodejs/security-wg
Can't review the code per se myself, but I can also confirm that cnpm is a trustworthy alternative primarily sponsored by Alibaba to help Node.js developers in China work around the network issues in the public network in China & create private registries within a company.
I'm not familiar with cnpm, so a couple of questions:
What makes cnpm more useful than setting a custom registry in one's configuration? Why does a whole package manager need to be built around that (rather than configure the local mirror)?
Does it mean that the cnpm default registry is subject to local CN legislation? Is it potentially a problem to provide that in the default Node.js installs (note that I'd have the same question if we were to change, say, pnpm to an EU mirror)?
Is it a wrapper around npm with a different registry? I see you implemented a similar install strategy as pnpm; are there other differences?
@arcanis
Thank you for your interest and questions about cnpm. I am pleased to provide you with the following clarifications:
Why does a whole package manager need to be built around
Indeed, we offer a complete read-only mirror service capability. Developers can directly configure the registry address and use yarn, pnpm, or any package manager of their choice. However, we still provide an independent client, mainly to handle the following scenarios:
Does it mean that the cnpm default registry is subject to local CN legislation
Like all websites accessible within China, cnpm aligns with the country's internet and data regulations. For over 10 years, it has been reliably serving users while adhering to Mainland China's regulatory requirements. This compliance ensures that cnpm's default registry undergoes thorough network filing and security scanning, aligning with local policy standards. Our commitment is to provide reliable and compliant services to developers, not just in China but globally, always mindful of the legal nuances in different regions.
Are there other differences?
cnpm includes npm to ensure maximum compatibility. In the corporate environment, we also offer some extended capabilities. We continue to advance related open-source work, including:
These features, in addition to changes on the registry side, also require client-side adaptation.
Please let me know if you have any further questions or need more information. 🙏🏻
Whether or not to support setting registry to https://registry.npmmirror.com/ when not using cnpm?
Fixes: https://github.com/nodejs/corepack/issues/331