10.25 -> 10.26

pnpm.changes

@@ -1,3 +1,109 @@
+-------------------------------------------------------------------
+Mon Dec 15 22:06:15 UTC 2025 - Avindra Goolcharan <avindra@opensuse.org>
+
+- update to 10.26.0
+  * Minor Changes
+    - Semi-breaking. Block git-hosted dependencies from running
+      prepare scripts unless explicitly allowed in onlyBuiltDependencies #10288.
+    - Semi-breaking. Compute integrity hash for HTTP tarball
+      dependencies when fetching, storing it in the lockfile to
+      prevent servers from serving altered content on subsequent installs #10287.
+    - Added a new setting blockExoticSubdeps that prevents the
+      resolution of exotic protocols in transitive dependencies.
+    - Added support for allowBuilds, which is a new field that
+      can be used instead of onlyBuiltDependencies and
+      ignoredBuiltDependencies. The new allowBuilds field in your
+      pnpm-workspace.yaml uses a map of package matchers to
+      explicitly allow (true) or disallow (false) script execution.
+      This allows for a single, easy-to-manage source of truth for
+      your build permissions.
+  * Patch Changes
+    - Show deprecation in table/list formats when latest version
+      is deprecated #8658.
+    - Remove the injectWorkspacePackages setting from the
+    lockfile on the deploy command #10294.
+    - Normalize the tarball URLs before saving them to the
+      lockfile. URLs should not contain default ports, like :80 for
+      http and :443 for https #10273.
+    - When a dependency is installed via a direct URL that
+      redirects to another URL and is immutable, the original URL
+      is normalized and saved to package.json #10197.
+
+-------------------------------------------------------------------
+Sat Dec 13 12:41:20 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 10.25.0:
+  * Minor Changes
+    - Allow loading certificates from cert, ca, and key for
+      specific registry URLs. E.g.,
+      //registry.example.com/:ca=-----BEGIN CERTIFICATE-----....
+      Previously this was only working via certfile, cafile, and
+      keyfile.
+      These properties are supported in .npmrc, but were ignored by
+      pnpm, this will make pnpm read and use them as well.
+      Related PR: #10230.
+    - Added a new flag called --bare to pnpm init for creating a
+      package.json with the bare minimum of required fields #10226.
+  * Patch Changes
+    - Improved reporting of ignored dependency scripts #10276.
+    - pnpm install should build any dependencies that were added to
+      onlyBuiltDependencies and were not built yet #10256.
+    - pnpm publish -r --force should allow to run publish over
+      already existing versions in the registry #10272.
+    - Don't fail with a ERR_PNPM_MISSING_TIME error if a package
+      that is excluded from trust policy checks is missing the time
+      field in the metadata.
+
+-------------------------------------------------------------------
+Sat Dec 13 12:35:54 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 10.24.0:
+  * Minor Changes
+    - Increased network concurrency on machines with many CPU
+      cores. pnpm now automatically selects a network concurrency
+      between 16 and 64, based on the number of pnpm workers
+      (calculated as workers × 3). This improves performance on
+      high-core systems #10068.
+  * Patch Changes
+    - trustPolicy should ignore the trust evidences of prerelease
+      versions, when installing a non-prerelease version.
+    - Handle ENOENT errors thrown by fs.linkSync(), which can occur
+      in containerized environments (OverlayFS) instead of EXDEV.
+      The operation now gracefully falls back to fs.copyFileSync()
+      in these cases #10217.
+    - Reverted: pnpm self-update should download pnpm from the
+      configured npm registry #10205.
+    - Packages that don't have a package.json file (like Node.js)
+      should not be reimported from the store on every install.
+      Another file from the package should be checked in order to
+      verify its presence in node_modules.
+    - Correctly read auth tokens for URLs that contain underscores
+      #17.
+
+-------------------------------------------------------------------
+Sun Nov 23 09:07:44 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
+
+- update to 10.23.0:
+  * Minor Changes
+    - Added --lockfile-only option to pnpm list #10020.
+  * Patch Changes
+    - pnpm self-update should download pnpm from the configured npm
+      registry #10205.
+    - pnpm self-update should always install the non-executable
+      pnpm package (pnpm in the registry) and never the @pnpm/exe
+      package, when installing v11 or newer. We currently cannot
+      ship @pnpm/exe as pkg doesn't work with ESM #10190.
+    - Node.js runtime is not added to "dependencies" on pnpm add,
+      if there's a engines.runtime setting declared in package.json
+      #10209.
+    - The installation should fail if an optional dependency cannot
+      be installed due to a trust policy check failure #10208.
+    - pnpm list and pnpm why now display npm: protocol for aliased
+      packages (e.g., foo npm:is-odd@3.0.1) #8660.
+    - Don't add an extra slash to the Node.js mirror URL #10204.
+    - pnpm store prune should not fail if the store contains
+      Node.js packages #10131.
+
 -------------------------------------------------------------------
 Tue Nov 18 18:33:18 UTC 2025 - Johannes Kastl <opensuse_buildservice@ojkastl.de>
 

pnpm.spec

@@ -23,7 +23,7 @@
 %global __nodejs_provides %{nil}
 %global __nodejs_requires %{nil}
 Name:           pnpm
-Version:        10.22.0
+Version:        10.26.0
 Release:        0
 Summary:        Fast, disk space efficient package manager
 License:        MIT