nodejs/pnpm
SHA256
6
0
Fork 0
forked from pool/pnpm
Code Pull Requests Activity
Files
main
pnpm/pnpm.changes

1175 lines
53 KiB
Plaintext
Raw Permalink Blame History

-------------------------------------------------------------------
Wed Aug 20 06:53:38 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.15.0:
* Minor Changes
- Added the cleanupUnusedCatalogs configuration. When set to
true, pnpm will remove unused catalog entries during
installation #9793.
- Automatically load pnpmfiles from config dependencies that
are named @*/pnpm-plugin-* #9780.
- pnpm config get now prints an INI string for an object value
#9797.
- pnpm config get now accepts property paths (e.g. pnpm config
get catalog.react, pnpm config get .catalog.react, pnpm
config get
'packageExtensions["@babel/parser"].peerDependencies["@babel/types"]'),
and pnpm config set now accepts dot-leading or subscripted
keys (e.g. pnpm config set .ignoreScripts true).
- pnpm config get --json now prints a JSON serialization of
config value, and pnpm config set --json now parses the input
value as JSON.
* Patch Changes
- Semi-breaking. When automatically installing missing peer
dependencies, prefer versions that are already present in the
direct dependencies of the root workspace package #9835.
- When executing the pnpm create command, must verify whether
the node version is supported even if a cache already exists
#9775.
- When making requests for the non-abbreviated packument, add
*/* to the Accept header to avoid getting a 406 error on AWS
CodeArtifact #9862.
- The standalone exe version of pnpm works with glibc 2.26
again #9734.
- Fix a regression in which pnpm dlx pkg --help doesn't pass
--help to pkg #9823.
-------------------------------------------------------------------
Fri Aug 1 12:52:14 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.14.0:
* Minor Changes
- Added support for JavaScript runtime installation
(Related PR: #9755.)
Declare Node.js, Deno, or Bun in devEngines.runtime (inside
package.json) and let pnpm download and pin it automatically.
Usage example:
{
"devEngines": {
"runtime": {
"name": "node",
"version": "^24.4.0",
"onFail": "download" // we only support the "download" value for now
}
}
}
How it works:
- pnpm install resolves your specified range to the latest
matching runtime version.
- The exact version (and checksum) is saved in the lockfile.
- Scripts use the local runtime, ensuring consistency across
environments.
Why this is better:
- This new setting supports also Deno and Bun (vs. our
Node-only settings useNodeVersion and
executionEnv.nodeVersion)
- Supports version ranges (not just a fixed version).
- The resolved version is stored in the pnpm lockfile, along
with an integrity checksum for future validation of the
Node.js content's validity.
- It can be used on any workspace project (like
executionEnv.nodeVersion). So, different projects in a
workspace can use different runtimes.
- For now devEngines.runtime setting will install the runtime
locally, which we will improve in future versions of pnpm
by using a shared location on the computer.
- Add --cpu, --libc, and --os to pnpm install, pnpm add, and
pnpm dlx to customize supportedArchitectures via the CLI
#7510.
* Patch Changes
- Fix a bug in which pnpm add downloads packages whose libc
differ from pnpm.supportedArchitectures.libc.
- The integrities of the downloaded Node.js artifacts are
verified #9750.
- Allow dlx to parse CLI flags and options between the dlx
command and the command to run or between the dlx command and
-- #9719.
- pnpm install --prod should removing hoisted dev dependencies
#9782.
- Fix an edge case bug causing local tarballs to not re-link
into the virtual store. This bug would happen when changing
the contents of the tarball without renaming the file and
running a filtered install.
- Fix a bug causing pnpm install to incorrectly assume the
lockfile is up to date after changing a local tarball that
has peers dependencies.
-------------------------------------------------------------------
Wed Jul 9 11:02:45 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.13.1:
* Patch Changes
- Run user defined pnpmfiles after pnpmfiles of plugins.
- update to 10.13.0:
* Minor Changes
- Added the possibility to load multiple pnpmfiles. The pnpmfile
setting can now accept a list of pnpmfile locations #9702.
- pnpm will now automatically load the pnpmfile.cjs file from any
config dependency named @pnpm/plugin-* or pnpm-plugin-* #9729.
- The order in which config dependencies are initialized should
not matter — they are initialized in alphabetical order. If a
specific order is needed, the paths to the pnpmfile.cjs files in
the config dependencies can be explicitly listed using the
pnpmfile setting in pnpm-workspace.yaml.
* Patch Changes
- When patching dependencies installed via pkg.pr.new, treat them
as Git tarball URLs #9694.
- Prevent conflicts between local projects' config and the global
config in dangerouslyAllowAllBuilds, onlyBuiltDependencies,
onlyBuiltDependenciesFile, and neverBuiltDependencies #9628.
- Sort keys in pnpm-workspace.yaml with deep #9701.
- The pnpm rebuild command should not add pkgs included in
ignoredBuiltDependencies to ignoredBuilds in
node_modules/.modules.yaml #9338.
- Replaced shell-quote with shlex for quoting command arguments
#9381.
-------------------------------------------------------------------
Mon Jun 30 05:15:22 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.12.4:
* Patch Changes
- Fix pnpm licenses command for local dependencies #9583.
- Fix a bug in which pnpm ls --filter=not-exist --json prints
nothing instead of an empty array #9672.
- Fix a deadlock that sometimes happens during peer dependency
resolution #9673.
- Running pnpm install after pnpm fetch should hoist all
dependencies that need to be hoisted.
- Fixes a regression introduced in v10.12.2 by #9648; resolves
#9689.
-------------------------------------------------------------------
Tue Jun 24 11:02:21 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.12.3:
* Patch Changes
- Restore hoisting of optional peer dependencies when installing
with an outdated lockfile. Regression introduced in v10.12.2 by
#9648; resolves #9685.
-------------------------------------------------------------------
Mon Jun 23 04:46:30 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.12.2:
* Patch Changes
- Fixed hoisting with enableGlobalVirtualStore set to true #9648.
- Fix the --help and -h flags not working as expected for the pnpm
create command.
- The dependency package path output by the pnpm licenses list
--json command is incorrect.
- Fix a bug in which pnpm deploy fails due to overridden
dependencies having peer dependencies causing
ERR_PNPM_OUTDATED_LOCKFILE #9595.
-------------------------------------------------------------------
Sun Jun 8 14:55:22 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.12.1 (10.2.0 was yanked):
* Minor Changes
- Experimental. Added support for global virtual stores. When
enabled, node_modules contains only symlinks to a central
virtual store, rather to node_modules/.pnpm. By default, this
central store is located at <store-path>/links (you can find
the store path by running pnpm store path).
In the central virtual store, each package is hard linked
into a directory whose name is the hash of its dependency
graph. This allows multiple projects on the system to symlink
shared dependencies from this central location, significantly
improving installation speed when a warm cache is available.
This is conceptually similar to how NixOS manages packages,
using dependency graph hashes to create isolated and
reusable package directories.
To enable the global virtual store, set
enableGlobalVirtualStore: true in your root
pnpm-workspace.yaml, or globally via:
pnpm config -g set enable-global-virtual-store true
NOTE: In CI environments, where caches are typically cold,
this setting may slow down installation. pnpm automatically
disables the global virtual store when running in CI.
Related PR: #8190
- The pnpm update command now supports updating catalog:
protocol dependencies and writes new specifiers to
pnpm-workspace.yaml.
- A new catalogMode setting is available for controlling if and
how dependencies are added to the default catalog. It can be
configured to several modes:
- strict: Only allows dependency versions from the catalog.
Adding a dependency outside the catalog's version range
will cause an error.
- prefer: Prefers catalog versions, but will fall back to
direct dependencies if no compatible version is found.
- manual (default): Does not automatically add dependencies
to the catalog.
- Added two new CLI options (--save-catalog and
--save-catalog-name=<name>) to pnpm add to save new
dependencies as catalog entries. catalog: or catalog:<name>
will be added to package.json and the package specifier will
be added to the catalogs or catalog[<name>] object in
pnpm-workspace.yaml #9425.
- Semi-breaking. The keys used for side-effects caches have
changed. If you have a side-effects cache generated by a
previous version of pnpm, the new version will not use it and
will create a new cache instead #9605.
- Added a new setting called ci for explicitly telling pnpm if
the current environment is a CI or not.
* Patch Changes
- Sort versions printed by pnpm patch using semantic versioning
rules.
- Improve the way the error message displays mismatched
specifiers. Show differences instead of 2 whole objects
#9598.
- Revert #9574 to fix a regression #9596.
-------------------------------------------------------------------
Mon Jun 2 15:39:10 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.11.1:
* Patch Changes
- Fix an issue in which pnpm deploy --legacy creates unexpected
directories when the root package.json has a workspace
package as a peer dependency #9550.
- Dependencies specified via a URL that redirects will only be
locked to the target if it is immutable, fixing a regression
when installing from GitHub releases. (#9531)
- Installation should not exit with an error if
strictPeerDependencies is true but all issues are ignored by
peerDependencyRules #9505.
- Use pnpm_config_ env variables instead of npm_config_ #9571.
- Fix a regression (in v10.9.0) causing the --lockfile-only
flag on pnpm update to produce a different pnpm-lock.yaml
than an update without the flag.
- Let pnpm deploy work in repos with overrides when
inject-workspace-packages=true #9283.
- Fixed the problem of path loss caused by parsing URL address.
Fixes a regression shipped in pnpm v10.11 via #9502.
- pnpm -r --silent run should not print out section #9563.
-------------------------------------------------------------------
Tue May 20 12:10:08 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- add Requires for nodejs(abi) >= 18
-------------------------------------------------------------------
Wed May 14 04:42:39 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.11.0:
* Minor Changes
- A new setting added for pnpm init to create a package.json
with type=module, when init-type is module. Works as a flag
for the init command too #9463.
- Added support for Nushell to pnpm setup #6476.
- Added two new flags to the pnpm audit command, --ignore and
--ignore-unfixable #8474.
Ignore all vulnerabilities that have no solution:
> pnpm audit --ignore-unfixable
Provide a list of CVE's to ignore those specifically, even if
they have a resolution.
> pnpm audit --ignore=CVE-2021-1234 --ignore=CVE-2021-5678
- Added support for recursively running pack in every project
of a workspace #4351.
Now you can run pnpm -r pack to pack all packages in the
workspace.
* Patch Changes
- pnpm version management should work, when
dangerouslyAllowAllBuilds is set to true #9472.
- pnpm link should work from inside a workspace #9506.
- Set the default workspaceConcurrency to
Math.min(os.availableParallelism(), 4) #9493.
- Installation should not exit with an error if
strictPeerDependencies is true but all issues are ignored by
peerDependencyRules #9505.
- Read updateConfig from pnpm-workspace.yaml #9500.
- Add support for recursive pack
- Remove url.parse usage to fix warning on Node.js 24 #9492.
- pnpm run should be able to run commands from the workspace
root, if ignoreScripts is set tot true #4858.
-------------------------------------------------------------------
Sun May 11 18:09:28 UTC 2025 - Avindra Goolcharan <avindra@opensuse.org>
- update to 10.10.0:
* Allow loading the preResolution, importPackage, and fetchers
hooks from local pnpmfile.
* Fix cd command, when shellEmulator is true #7838.
* Sort keys in pnpm-workspace.yaml #9453.
* Pass the npm_package_json environment variable to the
executed scripts #9452.
* Fixed a mistake in the description of the --reporter=silent
option.
-------------------------------------------------------------------
Mon Apr 21 11:04:21 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.9.0:
* Minor Changes
- Added support for installing JSR packages. You can now
install JSR packages using the following syntax:
add jsr:<pkg_name>
or with a version range:
pnpm add jsr:<pkg_name>@<range>
For example, running:
pnpm add jsr:@foo/bar
will add the following entry to your package.json:
{
"dependencies": {
"@foo/bar": "jsr:^0.1.2"
}
}
When publishing, this entry will be transformed into a format
compatible with npm, older versions of Yarn, and previous
pnpm versions:
{
"dependencies": {
"@foo/bar": "npm:@jsr/foo__bar@^0.1.2"
}
}
Related issue: #8941.
Note: The @jsr scope defaults to https://npm.jsr.io/ if the
@jsr:registry setting is not defined.
- Added a new setting, dangerouslyAllowAllBuilds, for
automatically running any scripts of dependencies without the
need to approve any builds. It was already possible to allow
all builds by adding this to pnpm-workspace.yaml:
neverBuiltDependencies: []
dangerouslyAllowAllBuilds has the same effect but also allows
to be set globally via:
pnpm config set dangerouslyAllowAllBuilds true
It can also be set when running a command:
pnpm install --dangerously-allow-all-builds
* Patch Changes
- Fix a false negative in verifyDepsBeforeRun when nodeLinker
is hoisted and there is a workspace package without
dependencies and node_modules directory #9424.
- Explicitly drop verifyDepsBeforeRun support for nodeLinker:
pnp. Combining verifyDepsBeforeRun and nodeLinker: pnp will
now print a warning.
-------------------------------------------------------------------
Mon Apr 14 13:21:23 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- udate to 10.8.1:
* Patch Changes
- Removed bright white highlighting, which didn't look good on
some light themes #9389.
- If there is no pnpm related configuration in package.json,
onlyBuiltDependencies will be written to pnpm-workspace.yaml
file #9404.
- The patch file path saved by the pnpm patch-commit and
patch-remove commands should be a relative path #9403.
-------------------------------------------------------------------
Tue Apr 8 04:50:08 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.8:
* Minor Changes
Experimental. A new hook is supported for updating
configuration settings. The hook can be provided via
.pnpmfile.cjs. For example:
module.exports = {
hooks: {
updateConfig: (config) => ({
...config,
nodeLinker: "hoisted",
}),
},
};
Now you can use the pnpm add command with the --config flag
to install new configurational dependencies #9377.
* Patch Changes
- Do not hang indefinitely, when there is a glob that starts
with !/ in pnpm-workspace.yaml. This fixes a regression
introduced by #9169.
- pnpm audit --fix should update the overrides in
pnpm-workspace.yaml.
- pnpm link should update overrides in pnpm-workspace.yaml, not
in package.json #9365.
-------------------------------------------------------------------
Tue Apr 1 12:34:12 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.7.1:
* Patch Changes
- pnpm config set should convert the settings to their correct
type before adding them to pnpm-workspace.yaml #9355.
- pnpm config get should read auth related settings via npm CLI
#9345.
- Replace leading ~/ in a path in .npmrc with the home directory
#9217.
-------------------------------------------------------------------
Wed Mar 26 11:44:45 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.7:
* Minor Changes
- pnpm config get and list also show settings set in
pnpm-workspace.yaml files #9316.
- It should be possible to use env variables in
pnpm-workspace.yaml setting names and value.
- Add an ability to patch dependencies by version ranges. Exact
versions override version ranges, which in turn override
name-only patches. Version range * is the same as name-only,
except that patch application failure will not be ignored.
For example:
patchedDependencies:
foo: patches/foo-1.patch
foo@^2.0.0: patches/foo-2.patch
foo@2.1.0: patches/foo-3.patch
The above configuration would apply patches/foo-3.patch to
foo@2.1.0, patches/foo-2.patch to all foo versions which
satisfy ^2.0.0 except 2.1.0, and patches/foo-1.patch to the
remaining foo versions.
[!WARNING]
The version ranges should not overlap. If you want to
specialize a sub range, make sure to exclude it from the
other keys. For example:
# pnpm-workspace.yaml
patchedDependencies:
# the specialized sub range
'foo@2.2.0-2.8.0': patches/foo.2.2.0-2.8.0.patch
# the more general patch, excluding the sub range above
'foo@>=2.0.0 <2.2.0 || >2.8.0': 'patches/foo.gte2.patch
In most cases, however, it's sufficient to just define an
exact version to override the range.
- pnpm config set --location=project saves the setting to a
pnpm-workspace.yaml file if no .npmrc file is present in the
directory #9316.
- Rename pnpm.allowNonAppliedPatches to
pnpm.allowUnusedPatches. The old name is still supported but
it would print a deprecation warning message.
- Add pnpm.ignorePatchFailures to manage whether pnpm would
ignore patch application failures.
- If ignorePatchFailures is not set, pnpm would throw an
error when patches with exact versions or version ranges
fail to apply, and it would ignore failures from name-only
patches.
- If ignorePatchFailures is explicitly set to false, pnpm
would throw an error when any type of patch fails to apply.
- If ignorePatchFailures is explicitly set to true, pnpm
would print a warning when any type of patch fails to
apply.
* Patch Changes
- Remove dependency paths from audit output to prevent
out-of-memory errors #9280.
-------------------------------------------------------------------
Wed Mar 19 14:58:30 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.6.5:
* Patch Changes
- Remove warnings after having explicitly approved no builds
#9296.
- When installing different dependency packages, should retain
the ignoredBuilds field in the .modules.yaml file #9240.
- Fix usages of the catalog: protocol in injected local
workspace packages. This previously errored with
ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER. #8715
- Setting workspace-concurrency to less than or equal to 0
should work #9297.
-------------------------------------------------------------------
Mon Mar 17 14:11:33 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.6.4:
* Patch Changes
- Fix pnpm dlx with --allow-build flag #9263.
- Invalid Node.js version in use-node-version should not cause
pnpm itself to break #9276.
- The max amount of workers running for linking packages from
the store has been reduced to 4 to achieve optimal results
#9286. The workers are performing many file system
operations, so increasing the number of CPUs doesn't help
performance after some point.
-------------------------------------------------------------------
Thu Mar 13 18:19:39 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.6.3:
* Patch Changes
- pnpm install --prod=false should not crash, when executed in
a project with a pnpm-workspace.yaml file #9233. This fixes
regression introduced via #9211.
- Add the missing node-options config to recursive run #9180.
- Removed a branching code path that only executed when
dedupe-peer-dependents=false. We believe this internal
refactor will not result in behavior changes, but we expect
it to make future pnpm versions behave more consistently for
projects that override dedupe-peer-dependents to false. There
should be less unique bugs from turning off
dedupe-peer-dependents.
See details in #9259.
-------------------------------------------------------------------
Mon Mar 10 06:55:55 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.6.2:
* Patch Changes
- pnpm self-update should always update the version in the
packageManager field of package.json.
- Fix running pnpm CLI from pnpm CLI on Windows when the CLI is
bundled to an executable #8971.
- pnpm patch-commit will now use the same filesystem as the
store directory to compare and create patch files.
- Don't show info output when --loglevel=error is used.
- peerDependencyRules should be set in pnpm-workspace.yaml to
take effect.
-------------------------------------------------------------------
Fri Mar 7 06:35:02 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.6.1:
* Patch Changes
- The pnpm CLI process should not stay hanging, when --silent
reporting is used.
- When --loglevel is set to error, don't show installation
summary, execution time, and big tarball download progress.
- Don't ignore pnpm.patchedDependencies from package.json
#9226.
- When executing the approve-builds command, if package.json
contains onlyBuiltDependencies or ignoredBuiltDependencies,
the selected dependency package will continue to be written
into package.json.
- When a package version cannot be found in the package
metadata, print the registry from which the package was
fetched.
-------------------------------------------------------------------
Thu Mar 6 13:03:35 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.6.0:
* Minor Changes
- pnpm-workspace.yaml can now hold all the settings that .npmrc
accepts. The settings should use camelCase #9211.
pnpm-workspace.yaml example:
verifyDepsBeforeRun: install
optimisticRepeatInstall: true
publicHoistPattern:
- "*types*"
- "!@types/react"
- Projects using a file: dependency on a local tarball file
(i.e. .tgz, .tar.gz, .tar) will see a performance improvement
during installation. Previously, using a file: dependency on
a tarball caused the lockfile resolution step to always run.
The lockfile will now be considered up-to-date if the tarball
is unchanged.
* Patch Changes
- pnpm self-update should not leave a directory with a broken
pnpm installation if the installation fails.
- fast-glob replace with tinyglobby to reduce the size of the
pnpm CLI dependencies #9169.
- pnpm deploy should not remove fields from the deployed
package's package.json file #9215.
- pnpm self-update should not read the pnpm settings from the
package.json file in the current working directory.
- Fix pnpm deploy creating a package.json without the imports
and license field #9193.
- pnpm update -i should list only packages that have newer
versions #9206.
- Fix a bug causing entries in the catalogs section of the
pnpm-lock.yaml file to be removed when
dedupe-peer-dependents=false on a filtered install. #9112
-------------------------------------------------------------------
Thu Feb 27 05:44:17 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.5.2:
* The pnpm config set command should change the global .npmrc
file by default.
This was a regression introduced by #9151 and shipped in pnpm
v10.5.0.
-------------------------------------------------------------------
Wed Feb 26 13:36:14 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.5.1:
* Throw an error message if a pnpm-workspaces.yaml or
pnpm-workspaces.yml file is found instead of a
pnpm-workspace.yaml #9170.
* Fix the update of pnpm-workspace.yaml by the pnpm
approve-builds command #9168.
* Normalize generated link paths in package.json #9163
* Specifying overrides in pnpm-workspace.yaml should work.
* pnpm dlx should ignore settings from the package.json file in
the current working directory #9178.
-------------------------------------------------------------------
Tue Feb 25 22:39:13 UTC 2025 - Avindra Goolcharan <avindra@opensuse.org>
- update to 10.5.0:
* The pnpm.* settings from package.json can now be specified in
the pnpm-workspace.yaml file instead #9121.
* Added support for automatically syncing files of injected
workspace packages after pnpm run #9081. Use the sync-injected
-deps-after-scripts setting to specify which scripts build
the workspace package. This tells pnpm when syncing is needed.
The setting should be defined in a .npmrc file at the root of
the workspace.
* The packages field in pnpm-workspace.yaml became optional.
* pnpm link with no parameters should work as if --global is
specified #9151
* Allow scope registry CLI option without --config. prefix such
as --@scope:registry=https://scope.example.com/npm #9089
* pnpm link <path> should calculate relative path from the root
of the workspace directory #9132
* Fix a bug causing catalog snapshots to be removed from the
pnpm-lock.yaml file when using --fix-lockfile and --filter. #8639
* Fix a bug causing catalog protocol dependencies to not re-
resolve on a filtered install #8638
-------------------------------------------------------------------
Mon Feb 17 21:32:43 UTC 2025 - Avindra Goolcharan <avindra@opensuse.org>
- update to 10.4.1:
* Throws an error when the value provided by the --allow-build
option overlaps with the pnpm.ignoredBuildDependencies list #9105.
* Print pnpm's version after the execution time at the end of the console output.
* Print warning about ignored builds of dependencies on repeat install #9106.
* Setting init-package-manager should work.
- includes 10.4.0:
* pnpm approve-builds --global works now for allowing
dependencies of globally installed packages to run
postinstall scripts.
* The pnpm add command now supports a new flag, --allow-build,
which allows building the specified dependencies.
* pnpm approve-builds should work after two consecutive pnpm install runs #9083.
* Fix instruction for updating pnpm with corepack #9101.
* The pnpm version specified by packageManager cannot start with v.
-------------------------------------------------------------------
Tue Feb 11 23:18:18 UTC 2025 - Avindra Goolcharan <avindra@opensuse.org>
- update to 10.3.0:
* Added a new setting called strict-dep-builds. When enabled,
the installation will exit with a non-zero exit code if any
dependencies have unreviewed build scripts (aka postinstall scripts) #9071.
* Fix a false negative of verify-deps-before-run after pnpm
install --production|--no-optional #9019.
* Print the warning about blocked installation scripts at the
end of the installation output and make it more prominent.
-------------------------------------------------------------------
Sat Feb 8 21:55:32 UTC 2025 - Avindra Goolcharan <avindra@opensuse.org>
- update to 10.2.1:
* Don't read a package from side-effects cache if it isn't
allowed to be built #9042.
* pnpm approve-builds should work, when executed from a
subdirectory of a workspace #9042.
* pnpm deploy --legacy should work without injected dependencies
* Add information about how to deploy without "injected
dependencies" to the "pnpm deploy" error message.
- includes 10.2.0:
* Packages executed via pnpm dlx and pnpm create are allowed to
be built (run postinstall scripts) by default.
* Quote args for scripts with shell-quote to support new lines
(on POSIX only) #8980.
* Fix a bug in which pnpm deploy fails to read the correct
projectId when the deploy source is the same as the workspace directory #9001.
* Proxy settings should be respected, when resolving Git-hosted
dependencies #6530.
* Prevent overrides from adding invalid version ranges to
peerDependencies by keeping the peerDependencies and
overriding them with prod dependencies #8978.
* Sort the package names in the "pnpm.onlyBuiltDependencies"
list saved by pnpm approve-builds.
-------------------------------------------------------------------
Fri Jan 31 00:43:45 UTC 2025 - Avindra Goolcharan <avindra@opensuse.org>
- update to 10.1.0:
* Added a new command for printing the list of dependencies
with ignored build scripts: pnpm ignored-builds #8963.
* Added a new command for approving dependencies for running
scripts during installation: pnpm approve-builds #8963.
* Added a new setting called optimistic-repeat-install. When
enabled, a fast check will be performed before proceeding to
installation. This way a repeat install or an install on a
project with everything up-to-date becomes a lot faster. But
some edge cases might arise, so we keep it disabled by
default for now #8977.
* Added a new field "pnpm.ignoredBuiltDependencies" for
explicitly listing packages that should not be built. When a
package is in the list, pnpm will not print an info message
about that package not being built #8935.
* Verify that the package name is valid when executing the
publish command.
* When running pnpm install, the preprepare and postprepare
scripts of the project should be executed #8989.
* Allow workspace: and catalog: to be part of wider version
range in peerDependencies.
* pnpm deploy should inherit the pnpm object from the root
package.json #8991.
* Make sure that the deletion of a node_modules in a sub-
project of a monorepo is detected as out-of-date #8959.
* Fix infinite loop caused by lifecycle scripts using pnpm to
execute other scripts during pnpm install with
verify-deps-before-run=install #8954.
* Replace strip-ansi with the built-in util.
stripVTControlCharacters #9009.
* Do not print patched dependencies as ignored dependencies
that require a build #8952.
-------------------------------------------------------------------
Fri Jan 10 00:08:03 UTC 2025 - Avindra Goolcharan <avindra@opensuse.org>
- update to 10.0.0:
* Lifecycle scripts of dependencies are not executed during
installation by default! This is a breaking change aimed at
increasing security. In order to allow lifecycle scripts of
specific dependencies, they should be listed in the pnpm
onlyBuiltDependencies field of package.json #8897
* The pnpm link command now adds overrides to the root package.json. #8653
* Secure hashing with SHA256
* Configuration updates
* Changes to the global store
* The # character is now escaped in directory names within
node_modules/.pnpm. #8557
* Running pnpm add --global pnpm or pnpm add --global @pnpm/exe
now fails with an error message, directing you to use pnpm
self-update instead. #8728
* Dependencies added via a URL now record the final resolved
URL in the lockfile, ensuring that any redirects are fully
captured. #8833
* The pnpm deploy command now only works in workspaces that
have inject-workspace-packages=true. This limitation is
introduced to allow us to create a proper lockfile for the
deployed project using the workspace lockfile.
* Removed conversion from lockfile v6 to v9. If you need v6-to-
v9 conversion, use pnpm CLI v9.
* pnpm test now passes all parameters after the test keyword
directly to the underlying script. This matches the behavior
of pnpm run test. Previously you needed to use the -- prefix. #8619
* node-gyp updated to version 11.
* pnpm deploy now tries creating a dedicated lockfile from a
shared lockfile for deployment. It will fallback to
deployment without a lockfile if there is no shared lockfile
or force-legacy-deploy is set to true.
* Added support for a new type of dependencies called
"configurational dependencies". These dependencies are
installed before all the other types of dependencies (befor
"dependencies", "devDependencies", "optionalDependencies").
* New verify-deps-before-run setting. This setting controls how
pnpm checks node_modules before running scripts #8836
* On repeated installs, pnpm performs a quick check to ensure
node_modules is up to date. #8838
* pnpm add integrates with default workspace catalog: #8640
* pnpm dlx now resolves packages to their exact versions and
uses these exact versions for cache keys. This ensures pnpm
dlx always installs the latest requested packages #8811
* No node_modules validation on certain commands. Commands that
should not modify node_modules (e.g., pnpm install --lockfile-
only) no longer validate or purge node_modules. #8657
* for full changes, see https://github.com/pnpm/pnpm/releases/tag/v10.0.0
-------------------------------------------------------------------
Mon Jan 6 05:41:24 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 9.15.3:
* Fixed the Regex used to find the package manifest during
packing #8938.
* pnpm update --filter <pattern> --latest <pkg> should only
change the specified package for the specified workspace, when
dedupe-peer-dependents is set to true #8877.
* Exclude .DS_Store file at patch-commit #8922.
* Fix a bug in which pnpm patch is unable to bring back old patch
without specifying @version suffix #8919.
-------------------------------------------------------------------
Mon Dec 30 07:25:14 UTC 2024 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 9.15.2:
* Fixed publish/pack error with workspace dependencies with
relative paths #8904. It was broken in v9.4.0 (398472c).
* Use double quotes in the command suggestion by pnpm patch on
Windows #7546.
* Do not fall back to SSH, when resolving a git-hosted package if
git ls-remote works via HTTPS #8906.
* Improve how packages with blocked lifecycle scripts are
reported during installation. Always print the list of ignored
scripts at the end of the output. Include a hint about how to
allow the execution of those packages.
-------------------------------------------------------------------
Sun Dec 22 21:17:02 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.15.1:
* pnpm remove should not link dependencies from the workspace,
when link-workspace-packages is set to false #7674
* Installation with hoisted node_modules should not fail, when
a dependency has itself in its own peer dependencies #8854
-------------------------------------------------------------------
Sat Dec 7 19:23:19 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.15.0:
* Metadata directory version bumped to force fresh cache after
we shipped a fix to the metadata write function. This change
is backward compatible as install doesn't require a metadata cache
* pnpm update --global should not crash if there are no any
global packages installed #7898
* Fix an exception when running pnpm update --interactive if
catalogs are used.
-------------------------------------------------------------------
Sat Nov 30 20:15:39 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.14.4:
* Don't ever save mutated metadata to the metadata cache
- includes 9.14.3:
* Some commands should ignore the packageManager field check of
package.json #7959
-------------------------------------------------------------------
Wed Nov 20 22:44:41 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.14.2:
pnpm publish --json should work #8788
- includes 9.14.1:
* Added support for pnpm pack --json to print packed tarball
and contents in JSON format #8765
* pnpm exec should print a meaningful error message when no
command is provided #8752
* pnpm setup should remove the CLI from the target location
before moving the new binary #8173
* Fix ERR_PNPM_TARBALL_EXTRACT error while installing a
dependency from GitHub having a slash in branch name #7697
* Don't crash if the use-node-version setting is used and the
system has no Node.js installed #8769
* Convert settings in local .npmrc files to their correct types.
For instance, child-concurrency should be a number, not a string #5075
* pnpm should fail if a project requires a different package
manager even if manage-package-manager-versions is set to true
* pnpm init should respect the --dir option #8768
- includes 9.14.0:
* chore: use verify-deps-before-run
* fix(init): --dir option should be respected (#8768)
* feat: support json format output in pnpm pack (#8765)
* fix: pnpm exec should specify command (#8774)
* fix: proper types of settings in local .npmrc files (#8775)
* fix: ERR_PNPM_TARBALL_EXTRACT when the URL's hash contains a slash
* fix: the CLI should fail if a different package manager is
required by the project
* fix: ETXTBSY error on running setup (#8780)
* feat: add linux-riscv64 build (#8779)
* fix: remove link to X from update notifier (#8773)
* docs: update sponsors
* fix: upgrade cross-sapwn (#8782)
* fix: don't crash when use-node-version is set and there is no node.js
* docs: update changesets
-------------------------------------------------------------------
Sat Nov 16 19:08:45 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.13.2:
* Detection of circular peer dependencies should not crash with
aliased dependencies #8759. Fixes a regression introduced in
the previous version.
* Fix race condition of symlink creations caused by multiple
parallel dlx processes.
-------------------------------------------------------------------
Thu Nov 14 19:00:27 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.13.1:
* Fixed some edge cases where resolving circular peer
dependencies caused a dead lock #8720
-------------------------------------------------------------------
Wed Nov 13 22:13:33 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.13.0:
* The self-update now accepts a version specifier to install a
specific version of pnpm.
* Fix Cannot read properties of undefined (reading 'name') that
is printed while trying to render the missing peer
dependencies warning message #8538
-------------------------------------------------------------------
Fri Nov 8 20:35:11 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.12.3:
* Don't purge node_modules, when typing "n" in the prompt that
asks whether to remove node_modules before installation #8655
* Fix a bug causing pnpm to infinitely spawn itself when manage-
package-manager-versions=true is set and the .tools directory is corrupt
* Use crypto.hash, when available, for improved performance #8629
* Fixed a race condition in temporary file creation in the
store by including worker thread ID in filename. Previously,
multiple worker threads could attempt to use the same
temporary file. Temporary files now include both process ID
and thread ID for uniqueness #8703
* All commands should read settings from the package.json at
the root of the workspace #8667
* When manage-package-manager-versions is set to true, errors
spawning a self-managed version of pnpm will now be shown
(instead of being silent)
* Pass the find command to npm, it is an alias for npm search
- includes 9.12.2:
* When checking whether a file in the store has executable
permissions, the new approach checks if at least one of the
executable bits (owner, group, and others) is set to 1.
Previously, a file was incorrectly considered executable only
when all the executable bits were set to 1. This fix ensures
that files with any executable permission, regardless of the
user class, are now correctly identified as executable #8546
-------------------------------------------------------------------
Tue Oct 8 19:17:38 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.12.1:
* pnpm update --latest should not update the automatically
installed peer dependencies #6657
* pnpm publish should be able to publish from a local tarball #7950
* Prevent EBUSY errors caused by creating symlinks in parallel
dlx processes #8604
* Fix maximum call stack size exceeded error related to
circular workspace dependencies #8599
-------------------------------------------------------------------
Fri Oct 4 18:59:40 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.12.0:
* Fix peer dependency resolution dead lock #8570. This change
might change some of the keys in the snapshots field inside
pnpm-lock.yaml but it should happen very rarely.
* pnpm outdated command supports now a --sort-by=name option
for sorting outdated dependencies by package name #8523
* Added the ability for overrides to remove dependencies by
specifying "-" as the field value #8572
* Fixed an issue where pnpm list --json pkg showed "private":
false for a private package #8519
* Packages with libc that differ from pnpm.
supportedArchitectures.libc are not downloaded #7362
* Prevent ENOENT errors caused by running store prune in parallel #8586
* Add issues alias to pnpm bugs #8596
-------------------------------------------------------------------
Sat Sep 21 19:23:32 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.11.0:
* Experimental: added pnpm cache commands for inspecting the
metadata cache #8512
* Fix a regression in which pnpm deploy with node-linker=hoisted
produces an empty node_modules directory #6682
* pnpm deploy should work in workspace with shared-workspace-lockfile=false #8475
* Don't print a warning when linking packages globally #4761
-------------------------------------------------------------------
Wed Sep 11 00:17:17 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.10.0:
* Support for a new CLI flag, --exclude-peers, added to the
list and why commands. When --exclude-peers is used, peer
dependencies are not printed in the results, but dependencies
of peer dependencies are still scanned #8506.
* Added a new setting to package.json at pnpm.auditConfig.
ignoreGhsas for ignoring vulnerabilities by their GHSA code #6838.
* Throw an exception if pnpm switches to the same version of itself.
* Reduce memory usage during peer dependencies resolution.
-------------------------------------------------------------------
Mon Sep 2 11:54:31 UTC 2024 - Virinas-code <Virinas-code@opensuse.org>
- update to version 9.9.0:
* https://github.com/pnpm/pnpm/compare/v9.8.0...v9.9.0
* Minor breaking change. We had to optimize how we resolve peer
dependencies in order to fix some infinite loops and
out-of-memory errors during peer dependencies resolution.
* pnpm deploy should write the node_modules/.modules.yaml to the
node_modules directory within the deploy directory #7731
* Don't override a symlink in node_modules if it already points
to the right location pnpm/symlink-dir#54
- changes from 9.8.0:
* https://github.com/pnpm/pnpm/compare/v9.7.1...v9.8.0
* Added a new command for upgrading pnpm itself when it isn't
managed by Corepack: pnpm self-update. This command will work,
when pnpm was installed via the standalone script from the pnpm
installation page #8424
* CLI tools installed in the root of the workspace should be
added to the PATH, when running scripts and use-node-version is
set
* pnpm setup should never switch to another version of pnpm
* Ignore non-string value in the os, cpu, libc fields, which
checking optional dependencies #8431
* Remember the state of edit dir, allow running pnpm patch-commit
the second time without having to re-run pnpm patch
- changes from 9.7.1:
* https://github.com/pnpm/pnpm/compare/v9.7.0...v9.7.1
* Fixed passing public-hoist-pattern and hoist-pattern via env
variables #8339
* pnpm setup no longer creates Batch/Powershell scripts on Linux
and macOS #8418
* When dlx uses cache, use the real directory path not the
symlink to the cache #8421
* pnpm exec now supports executionEnv #8356
* Remove warnings for non-root pnpm field, add warnings for
non-root pnpm subfields that aren't executionEnv #8143
* Replace semver in "peerDependency" with workspace protocol
#8355
* Fix a bug in patch-commit in which relative path is rejected
#8405
* Update Node.js in @pnpm/exe to v20
- changes from 9.7.0:
* https://github.com/pnpm/pnpm/compare/v9.6.0...v9.7.0
* Added pnpm version management. If the
manage-package-manager-versions setting is set to true, pnpm
will switch to the version specified in the packageManager
field of package.json #8363
* Added the ability to apply patch to all versions #8337
* Change the default edit dir location when running pnpm patch
from a temporary directory to
node_modules/.pnpm_patches/pkg[@version] to allow the code
editor to open the edit dir in the same file tree as the main
project #8379.
* Substitute environment variables in config keys #6679
* pnpm install should run node-gyp rebuild if the project has a
binding.gyp file even if the project doesn't have an install
script #8293
* Print warnings to stderr #8342
* Peer dependencies of optional peer dependencies should be
automatically installed #8323
-------------------------------------------------------------------
Thu Jul 25 20:35:23 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.6.0:
* Support specifying node version (via pnpm.executionEnv.nodeVersion
in package.json) for running lifecycle scripts per each package
in a workspace #6720
* Overrides now support the catalogs: protocol #8303
* The pnpm deploy command now supports the catalog: protocol #8298
* The pnpm outdated command now supports the catalog: protocol #8304
* Correct the error message when trying to run pnpm patch
without node_modules/.modules.yaml #8257
* Silent reporting fixed with the pnpm exec command #7608
* Add registries information to the calculation of dlx cache hash #8299
-------------------------------------------------------------------
Tue Jul 9 20:03:51 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.5.0:
* Added support for catalogs #8122
* Read authentication information from .npmrc in the current
directory when running dlx #7996
* Updated @pnpm/tabtab to v0.5.4, enabling zsh autocomplete
lazy loading #8236
* Installation with filtering will now work, when dedupe-peer-
dependents is set to true #6300
* Fixed dlx not actually using the Node.js version specified by
--use-node-version.
-------------------------------------------------------------------
Sat Jul 6 01:49:11 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.4.0:
* Some registries allow the exact same content to be published
under different package names and/or versions. This breaks
the validity checks of packages in the store. To avoid errors
when verifying the names and versions of such packages in the
store, you may now set the strict-store-pkg-content-check
setting to false #4724
* Fix package-manager-strict-version missing in config #8195
* If install is performed on a subset of workspace projects,
always create an up-to-date lockfile first. So, a partial
install can be performed only on a fully resolved (non-partial)
lockfile #8165
* Handle workspace protocol with any semver range specifier,
when used in peer dependencies #7578
-------------------------------------------------------------------
Fri Jun 14 21:08:00 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.3.0:
* Semi-breaking. Dependency key names in the lockfile are
shortened if they are longer than 1000 characters. We don't
expect this change to affect many users. Affected users most
probably can't run install successfully at the moment. This
change is required to fix some edge cases in which installation
fails with an out-of-memory error or "Invalid string length
(RangeError: Invalid string length)" error. The max allowed
length of the dependency key can be controlled with the peers-
suffix-max-length setting #8177.
* Set reporter-hide-prefix to true by default for pnpm exec. In
order to show prefix, the user now has to explicitly set reporter
-hide-prefix=false #8174.
- changes from 9.2.0:
* If package-manager-strict-version is set to true, pnpm will
fail if its version doesn't exactly match the version in the
"packageManager" field of package.json.
* Update @yarnpkg/pnp to the latest version, fixing issue with
node: imports #8161.
* Deduplicate bin names to prevent race condition and corrupted
bin scripts #7833.
* pnpm doesn't fail if its version doesn't match the one
specified in the "packageManager" field of package.json #8087.
* exec now also streams prefixed output when --recursive or
--parallel is specified just as run does #8065.
- changes from 9.1.4:
* Improved the performance of the resolution stage by changing
how missing peer dependencies are detected #8144.
- changes from 9.1.3:
* Fix a bug in which a dependency that is both optional for one
package but non-optional for another is omitted when optional=false #8066.
* Clear resolution cache before starting peer dependencies resolution #8109.
* Reduce memory usage by peer dependencies resolution #8072.
-------------------------------------------------------------------
Tue May 21 18:26:46 UTC 2024 - draskmont@protonmail.com
- update to version 9.1.2
- require nodejs >= 18
-------------------------------------------------------------------
Sat Apr 27 21:34:30 UTC 2024 - Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.0.6:
* Lockfiles that have git-hosted dependencies specified should
be correctly converted to the new lockfile format #7990.
* Don't upgrade the lockfile format on pnpm install
--frozen-lockfile #7991.
- includes version 9.0.5:
* Lockfiles with local or git-hosted dependencies are now
successfully converted to the new lockfile format #7955.
* Resolve peer dependencies correctly, when they have
prerelease versions #7977.
* Fix aliased dependencies resolution on repeat install with
existing lockfile, when the aliased dependency doesn't
specify a version or range #7957.
* The lockfile should be saved in the new format even if it is
up-to-date.
- run spec-cleaner
-------------------------------------------------------------------
Sat Apr 20 18:22:54 UTC 2024 - draskmont@protonmail.com
- update to version 9.0.4
- Added shell completion subpackages for bash, zsh and fish
- Removed python2 dependency
- Prevent packaging of executable files for other OS.
- Cleaned up specfile:
* Removed some unused tags, macros and redudant requirements
* Added licensing header
* Fixed rpmlint errors and warnings
- Removed unused _service file
- Restored changelog
-------------------------------------------------------------------
Thu Jan 25 15:03:16 UTC 2024 - Marcel Kuehlhorn <tux93@opensuse.org>
- update to version 8.14.3
* https://github.com/pnpm/pnpm/compare/v8.4.0...v8.14.3
-------------------------------------------------------------------
Mon Jan 14 09:20:53 UTC 2019 - John Vandenberg <jayvdb@gmail.com>
- initial revision for pnpm 2.25.1
View Git Blame Copy Permalink