update to 10.28.2

pnpm.changes

@@ -1,3 +1,266 @@
+-------------------------------------------------------------------
+Tue Jan 27 06:31:09 UTC 2026 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 10.28.2:
+  * Patch Changes
+    - Security fix: prevent path traversal in directories.bin
+      field.
+    - When pnpm installs a file: or git: dependency, it now
+      validates that symlinks point within the package directory.
+      Symlinks to paths outside the package root are skipped to
+      prevent local data from being leaked into node_modules.
+      This fixes a security issue where a malicious package could
+      create symlinks to sensitive files (e.g., /etc/passwd,
+      ~/.ssh/id_rsa) and have their contents copied when the
+      package is installed.
+      Note: This only affects file: and git: dependencies. Registry
+      packages (npm) have symlinks stripped during publish and are
+      not affected.
+    - Fixed optional dependencies to request full metadata from the
+      registry to get the libc field, which is required for proper
+      platform compatibility checks #9950.
+- update to 10.28.1:
+  * Patch Changes
+    - Fixed installation of config dependencies from private
+      registries.
+      Added support for object type in configDependencies when the
+      tarball URL returned from package metadata differs from the
+      computed URL #10431.
+    - Fix path traversal vulnerability in binary fetcher ZIP
+      extraction
+      - Validate ZIP entry paths before extraction to prevent
+        writing files outside target directory
+      - Validate BinaryResolution.prefix (basename) to prevent
+        directory escape via crafted prefix
+      - Both attack vectors now throw ERR_PNPM_PATH_TRAVERSAL error
+    - Support plain http:// and https:// URLs ending with .git as
+      git repository dependencies.
+      Previously, URLs like
+      https://gitea.example.org/user/repo.git#commit were not
+      recognized as git repositories because they lacked the git+
+      prefix (e.g., git+https://). This caused issues when
+      installing dependencies from self-hosted git servers like
+      Gitea or Forgejo that don't provide tarball downloads.
+      Changes:
+      - The git resolver now runs before the tarball resolver,
+        ensuring git URLs are handled by the correct resolver
+      - The git resolver now recognizes plain http:// and https://
+        URLs ending in .git as git repositories
+      - Removed the isRepository check from the tarball resolver
+        since it's no longer needed with the new resolver order
+      Fixes #10468
+    - pnpm run -r and pnpm run --filter now fail with a non-zero
+      exit code when no packages have the specified script.
+      Previously, this only failed when all packages were selected.
+      Use --if-present to suppress this error #6844.
+    - Fixed a path traversal vulnerability in tarball extraction on
+      Windows. The path normalization was only checking for ./ but
+      not .\. Since backslashes are directory separators on
+      Windows, malicious packages could use paths like
+      foo\..\..\.npmrc to write files outside the package
+      directory.
+    - When running "pnpm exec" from a subdirectory of a project,
+      don't change the current working directory to the root of the
+      project #5759.
+    - Fixed a path traversal vulnerability in pnpm's bin linking.
+      Bin names starting with @ bypassed validation, and after
+      scope normalization, path traversal sequences like ../../
+      remained intact.
+    - Revert Try to avoid making network calls with preferOffline
+      #10334.
+    - Fix --save-peer to write valid semver ranges to
+      peerDependencies for protocol-based installs (e.g. jsr:) by
+      deriving from resolved versions when available and falling
+      back to * if none is available #10417.
+    - Do not exclude the root workspace project, when it is
+      explicitly selected via a filter #10465.
+
+-------------------------------------------------------------------
+Mon Jan 19 09:13:44 UTC 2026 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 10.28.0:
+  * Minor Changes
+    - Add support for a hook called beforePacking that can be used
+      to customize the package.json contents at publish time #3816.
+    - In some cases, a filtered install (i.e. pnpm install --filter
+      ...) was slower than running pnpm install without any filter
+      arguments. This performance regression is now fixed. Filtered
+      installs should be as fast or faster than a full install
+      #10408.
+  * Patch Changes
+    - Do not add a symlink to the project into the store's project
+      registry if the store is in a subdirectory of the project
+      #10411.
+    - It should be possible to declare the requiredScripts setting
+      in pnpm-workspace.yaml #10261.
+- update to 10.27.0:
+  * Minor Changes
+    - Adding trustPolicyIgnoreAfter allows you to ignore trust
+      policy checks for packages published more than a specified
+      time ago#10352.
+    - Added project registry for global virtual store prune
+      support.
+    - Projects using the store are now registered via symlinks in
+      {storeDir}/v10/projects/. This enables pnpm store prune to
+      track which packages are still in use by active projects and
+      safely remove unused packages from the global virtual store.
+    - Semi-breaking. Changed the location of unscoped packages in
+      the virtual global store. They will now be stored under a
+      directory named @ to maintain a uniform 4-level directory
+      depth.
+    - Added mark-and-sweep garbage collection for global virtual
+      store.
+    - pnpm store prune now removes unused packages from the global
+      virtual store's links/ directory. The algorithm:
+      - Scans all registered projects for symlinks pointing to the
+        store
+      - Walks transitive dependencies to mark reachable packages
+      - Removes any package directories not marked as reachable
+    - This includes support for workspace monorepos - all
+      node_modules directories within a project (including those in
+      workspace packages) are scanned.
+  * Patch Changes
+    - Throw an error if the value of the tokenHelper or
+      <url>:tokenHelper setting contains an environment variable.
+    - Git dependencies with build scripts should respect the
+      dangerouslyAllowAllBuilds settings #10376.
+    - Skip the package manager check when running with --global and
+      a project packageManager is configured, and warn that the
+      check is skipped.
+    - pnpm store prune should not fail if the dlx cache directory
+      has files, not only directories #10384
+    - Fixed a bug (#9759) where pnpm add would incorrectly modify a
+      catalog entry in pnpm-workspace.yaml to its exact version.
+- update to 10.26.2:
+  * Patch Changes
+    - Improve error message when a package version exists but does
+      not meet the minimumReleaseAge constraint. The error now
+      clearly states that the version exists and shows a
+      human-readable time since release (e.g., "released 6 hours
+      ago") #10307.
+    - Fix installation of Git dependencies using annotated tags
+      #10335.
+    - Previously, pnpm would store the annotated tag object's SHA
+      in the lockfile instead of the actual commit SHA. This caused
+      ERR_PNPM_GIT_CHECKOUT_FAILED errors because the checked-out
+      commit hash didn't match the stored tag object hash.
+    - Binaries of runtime engines (Node.js, Deno, Bun) are written
+      to node_modules/.bin before lifecycle scripts (install,
+      postinstall, prepare) are executed #10244.
+    - Try to avoid making network calls with preferOffline #10334.
+- update to 10.26.1:
+  * Patch Changes
+    - Don't fail on pnpm add, when blockExoticSubdeps is set to
+      true #10324.
+    - Always resolve git references to full commits and ensure HEAD
+      points to the commit after checkout #10310.
+
+-------------------------------------------------------------------
+Mon Dec 15 22:06:15 UTC 2025 - Avindra Goolcharan <avindra@opensuse.org>
+
+- update to 10.26.0
+  * Minor Changes
+    - Semi-breaking. Block git-hosted dependencies from running
+      prepare scripts unless explicitly allowed in onlyBuiltDependencies #10288.
+    - Semi-breaking. Compute integrity hash for HTTP tarball
+      dependencies when fetching, storing it in the lockfile to
+      prevent servers from serving altered content on subsequent installs #10287.
+    - Added a new setting blockExoticSubdeps that prevents the
+      resolution of exotic protocols in transitive dependencies.
+    - Added support for allowBuilds, which is a new field that
+      can be used instead of onlyBuiltDependencies and
+      ignoredBuiltDependencies. The new allowBuilds field in your
+      pnpm-workspace.yaml uses a map of package matchers to
+      explicitly allow (true) or disallow (false) script execution.
+      This allows for a single, easy-to-manage source of truth for
+      your build permissions.
+  * Patch Changes
+    - Show deprecation in table/list formats when latest version
+      is deprecated #8658.
+    - Remove the injectWorkspacePackages setting from the
+    lockfile on the deploy command #10294.
+    - Normalize the tarball URLs before saving them to the
+      lockfile. URLs should not contain default ports, like :80 for
+      http and :443 for https #10273.
+    - When a dependency is installed via a direct URL that
+      redirects to another URL and is immutable, the original URL
+      is normalized and saved to package.json #10197.
+
+-------------------------------------------------------------------
+Sat Dec 13 12:41:20 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 10.25.0:
+  * Minor Changes
+    - Allow loading certificates from cert, ca, and key for
+      specific registry URLs. E.g.,
+      //registry.example.com/:ca=-----BEGIN CERTIFICATE-----....
+      Previously this was only working via certfile, cafile, and
+      keyfile.
+      These properties are supported in .npmrc, but were ignored by
+      pnpm, this will make pnpm read and use them as well.
+      Related PR: #10230.
+    - Added a new flag called --bare to pnpm init for creating a
+      package.json with the bare minimum of required fields #10226.
+  * Patch Changes
+    - Improved reporting of ignored dependency scripts #10276.
+    - pnpm install should build any dependencies that were added to
+      onlyBuiltDependencies and were not built yet #10256.
+    - pnpm publish -r --force should allow to run publish over
+      already existing versions in the registry #10272.
+    - Don't fail with a ERR_PNPM_MISSING_TIME error if a package
+      that is excluded from trust policy checks is missing the time
+      field in the metadata.
+
+-------------------------------------------------------------------
+Sat Dec 13 12:35:54 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 10.24.0:
+  * Minor Changes
+    - Increased network concurrency on machines with many CPU
+      cores. pnpm now automatically selects a network concurrency
+      between 16 and 64, based on the number of pnpm workers
+      (calculated as workers × 3). This improves performance on
+      high-core systems #10068.
+  * Patch Changes
+    - trustPolicy should ignore the trust evidences of prerelease
+      versions, when installing a non-prerelease version.
+    - Handle ENOENT errors thrown by fs.linkSync(), which can occur
+      in containerized environments (OverlayFS) instead of EXDEV.
+      The operation now gracefully falls back to fs.copyFileSync()
+      in these cases #10217.
+    - Reverted: pnpm self-update should download pnpm from the
+      configured npm registry #10205.
+    - Packages that don't have a package.json file (like Node.js)
+      should not be reimported from the store on every install.
+      Another file from the package should be checked in order to
+      verify its presence in node_modules.
+    - Correctly read auth tokens for URLs that contain underscores
+      #17.
+
+-------------------------------------------------------------------
+Sun Nov 23 09:07:44 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 10.23.0:
+  * Minor Changes
+    - Added --lockfile-only option to pnpm list #10020.
+  * Patch Changes
+    - pnpm self-update should download pnpm from the configured npm
+      registry #10205.
+    - pnpm self-update should always install the non-executable
+      pnpm package (pnpm in the registry) and never the @pnpm/exe
+      package, when installing v11 or newer. We currently cannot
+      ship @pnpm/exe as pkg doesn't work with ESM #10190.
+    - Node.js runtime is not added to "dependencies" on pnpm add,
+      if there's a engines.runtime setting declared in package.json
+      #10209.
+    - The installation should fail if an optional dependency cannot
+      be installed due to a trust policy check failure #10208.
+    - pnpm list and pnpm why now display npm: protocol for aliased
+      packages (e.g., foo npm:is-odd@3.0.1) #8660.
+    - Don't add an extra slash to the Node.js mirror URL #10204.
+    - pnpm store prune should not fail if the store contains
+      Node.js packages #10131.
+
 -------------------------------------------------------------------
 Tue Nov 18 18:33:18 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
 

pnpm.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package pnpm
 #
-# Copyright (c) 2025 SUSE LLC and contributors
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 %global __nodejs_provides %{nil}
 %global __nodejs_requires %{nil}
 Name:           pnpm
-Version:        10.22.0
+Version:        10.28.2
 Release:        0
 Summary:        Fast, disk space efficient package manager
 License:        MIT