diff --git a/patchinfo.20251126142846164969.93181000773252/_patchinfo b/patchinfo.20251126142846164969.93181000773252/_patchinfo new file mode 100644 index 0000000..91d802a --- /dev/null +++ b/patchinfo.20251126142846164969.93181000773252/_patchinfo 
@@ -0,0 +1,1131 @@ + + + + michals + moderate + security + Security update for pnpm + This update for pnpm fixes the following issues: + +Changes in pnpm: + +- update to 10.22.0: + * Minor Changes + - Added support for trustPolicyExclude #10164. + You can now list one or more specific packages or versions + that pnpm should allow to install, even if those packages + don't satisfy the trust policy requirement. For example: + + trustPolicy: no-downgrade + trustPolicyExclude: + - chokidar@4.0.3 + - webpack@4.47.0 || 5.102.1 + + - Allow to override the engines field on publish by the + publishConfig.engines field. + * Patch Changes + - Don't crash when two processes of pnpm are hardlinking the + contents of a directory to the same destination + simultaneously #10179. + +- update to 10.21.0: + * Minor Changes + - Node.js Runtime Installation for Dependencies. Added support + for automatic Node.js runtime installation for dependencies. + pnpm will now install the Node.js version required by a + dependency if that dependency declares a Node.js runtime in + the "engines" field. For example: + + { + "engines": { + "runtime": { + "name": "node", + "version": "^24.11.0", + "onFail": "download" + } + } + } + + If the package with the Node.js runtime dependency is a CLI + app, pnpm will bind the CLI app to the required Node.js + version. This ensures that, regardless of the globally + installed Node.js instance, the CLI will use the compatible + version of Node.js. + If the package has a postinstall script, that script will be + executed using the specified Node.js version. + Related PR: #10141 + - Added a new setting: trustPolicy. + When set to no-downgrade, pnpm will fail installation if a + package’s trust level has decreased compared to previous + releases — for example, if it was previously published by a + trusted publisher but now only has provenance or no trust + evidence. + This helps prevent installing potentially compromised + versions of a package. 
+ Related issue: #8889. + - Added support for pnpm config get globalconfig to retrieve + the global config file path #9977. + * Patch Changes + - When a user runs pnpm update on a dependency that is not + directly listed in package.json, none of the direct + dependencies should be updated #10155. + - Don't crash when two processes of pnpm are hardlinking the + contents of a directory to the same destination + simultaneously #10160. + - Setting gitBranchLockfile and related settings via + pnpm-workspace.yaml should work #9651. + +- update to 10.20.0: + * Minor Changes + - Support --all option in pnpm --help to list all commands + #8628. + * Patch Changes + - When the latest version doesn't satisfy the maturity + requirement configured by minimumReleaseAge, pick the highest + version that is mature enough, even if it has a different + major version #10100. + - create command should not verify patch info. + - Set managePackageManagerVersions to false, when switching to + a different version of pnpm CLI, in order to avoid subsequent + switches #10063. +- update to 10.19.0: + * Minor Changes + - You can now allow specific versions of dependencies to run + postinstall scripts. onlyBuiltDependencies now accepts + package names with lists of trusted versions. For example: + Related PR: #10104. + + onlyBuiltDependencies: + - nx@21.6.4 || 21.6.5 + - esbuild@0.25.1 + + - Added support for exact versions in minimumReleaseAgeExclude + #9985. + You can now list one or more specific versions that pnpm + should allow to install, even if those versions don’t satisfy + the maturity requirement set by minimumReleaseAge. For + example: + + minimumReleaseAge: 1440 + minimumReleaseAgeExclude: + - nx@21.6.5 + - webpack@4.47.0 || 5.102.1 + +- update to 10.18.3: + * Patch Changes + - Fix a bug where pnpm would infinitely recurse when using + verifyDepsBeforeInstall: install and pre/post install scripts + that called other pnpm scripts #10060. 
+ - Fixed scoped registry keys (e.g., @scope:registry) being + parsed as property paths in pnpm config get when + --location=project is used #9362. + - Remove pnpm-specific CLI options before passing to npm + publish to prevent "Unknown cli config" warnings #9646. + - Fixed EISDIR error when bin field points to a directory + #9441. + - Preserve version and hasBin for variations packages #10022. + - Fixed pnpm config set --location=project incorrectly handling + keys with slashes (auth tokens, registry settings) #9884. + - When both pnpm-workspace.yaml and .npmrc exist, pnpm config + set --location=project now writes to pnpm-workspace.yaml + (matching read priority) #10072. + - Prevent a table width error in pnpm outdated --long #10040. + - Sync bin links after injected dependencies are updated by + build scripts. This ensures that binaries created during + build processes are properly linked and accessible to + consuming projects #10057. +- update to 10.18.2: + * Patch Changes + - pnpm outdated --long should work #10040. + - Replace ndjson with split2. Reduce the bundle size of pnpm + CLI #10054. + - pnpm dlx should request the full metadata of packages, when + minimumReleaseAge is set #9963. + - pnpm version switching should work when the pnpm home + directory is in a symlinked directory #9715. + - Fix EPIPE errors when piping output to other commands #10027. +- update to 10.18.1: + * Patch Changes + - Don't print a warning, when --lockfile-only is used #8320. + - pnpm setup creates a command shim to the pnpm executable. + This is needed to be able to run pnpm self-update on Windows + #5700. + - When using pnpm catalogs and running a normal pnpm install, + pnpm produced false positive warnings for "skip adding to the + default catalog because it already exists". This warning now + only prints when using pnpm add --save-catalog as originally + intended. 
+- update to 10.18.0: + * Minor Changes + - Added network performance monitoring to pnpm by implementing + warnings for slow network requests, including both metadata + fetches and tarball downloads. + Added configuration options for warning thresholds: + fetchWarnTimeoutMs and fetchMinSpeedKiBps. + Warning messages are displayed when requests exceed time + thresholds or fall below speed minimums + Related PR: #10025. + * Patch Changes + - Retry filesystem operations on EAGAIN errors #9959. + - Outdated command respects minimumReleaseAge configuration + #10030. + - Correctly apply the cleanupUnusedCatalogs configuration when + removing dependent packages. + - Don't fail with a meaningless error when scriptShell is set + to false #8748. + - pnpm dlx should not fail when minimumReleaseAge is set + #10037. + +- update to 10.17.1: + * Patch Changes + - When a version specifier cannot be resolved because the versions + don't satisfy the minimumReleaseAge setting, print this + information out in the error message #9974. + - Fix state.json creation path when executing pnpm patch in a + workspace project #9733. + - When minimumReleaseAge is set and the latest tag is not mature + enough, prefer a non-deprecated version as the new latest #9987. + +- update to 10.17: + * Minor Changes + - The minimumReleaseAgeExclude setting now supports patterns. + For instance: + + minimumReleaseAge: 1440 + minimumReleaseAgeExclude: + - "@eslint/*" + +* Patch Changes + - Don't ignore the minimumReleaseAge check, when the package is + requested by exact version and the packument is loaded from + cache #9978. + - When minimumReleaseAge is set and the active version under a + dist-tag is not mature enough, do not downgrade to a + prerelease version in case the original version wasn't a + prerelease one #9979. +- update to 10.16.1: + * Patch Changes + - The full metadata cache should be stored not at the same + location as the abbreviated metadata. 
This fixes a bug where + pnpm was loading the abbreviated metadata from cache and + couldn't find the "time" field as a result #9963. + - Forcibly disable ANSI color codes when generating patch diff + #9914. +- update to 10.16: + * Minor Changes + - There have been several incidents recently where popular + packages were successfully attacked. To reduce the risk of + installing a compromised version, we are introducing a new + setting that delays the installation of newly released + dependencies. In most cases, such attacks are discovered + quickly and the malicious versions are removed from the + registry within an hour. + - The new setting is called minimumReleaseAge. It specifies the + number of minutes that must pass after a version is published + before pnpm will install it. For example, setting + minimumReleaseAge: 1440 ensures that only packages released + at least one day ago can be installed. + - If you set minimumReleaseAge but need to disable this + restriction for certain dependencies, you can list them under + the minimumReleaseAgeExclude setting. For instance, with the + following configuration pnpm will always install the latest + version of webpack, regardless of its release time: + + minimumReleaseAgeExclude: + - webpack + + - Added support for finders #9946. + In the past, pnpm list and pnpm why could only search for + dependencies by name (and optionally version). For example: + + pnpm why minimist + + prints the chain of dependencies to any installed instance of + minimist: + + verdaccio 5.20.1 + ├─┬ handlebars 4.7.7 + │ └── minimist 1.2.8 + └─┬ mv 2.1.1 + └─┬ mkdirp 0.5.6 + └── minimist 1.2.8 + + What if we want to search by other properties of a + dependency, not just its name? For instance, find all + packages that have react@17 in their peer dependencies? + This is now possible with "finder functions". 
Finder + functions can be declared in .pnpmfile.cjs and invoked with + the --find-by=<function name> flag when running pnpm list or + pnpm why. + Let's say we want to find any dependencies that have React 17 + in peer dependencies. We can add this finder to our + .pnpmfile.cjs: + + module.exports = { + finders: { + react17: (ctx) => { + return ctx.readManifest().peerDependencies?.react === "^17.0.0"; + }, + }, + }; + + Now we can use this finder function by running: + + pnpm why --find-by=react17 + + pnpm will find all dependencies that have this React in peer + dependencies and print their exact locations in the + dependency graph. + + @apollo/client 4.0.4 + ├── @graphql-typed-document-node/core 3.2.0 + └── graphql-tag 2.12.6 + + It is also possible to print out some additional information + in the output by returning a string from the finder. For + example, with the following finder: + + module.exports = { + finders: { + react17: (ctx) => { + const manifest = ctx.readManifest(); + if (manifest.peerDependencies?.react === "^17.0.0") { + return `license: ${manifest.license}`; + } + return false; + }, + }, + }; + + Every matched package will also print out the license from + its package.json: + + @apollo/client 4.0.4 + ├── @graphql-typed-document-node/core 3.2.0 + │ license: MIT + └── graphql-tag 2.12.6 + license: MIT + + * Patch Changes + - Fix deprecation warning printed when executing pnpm with + Node.js 24 #9529. + - Throw an error if nodeVersion is not set to an exact semver + version #9934. + - pnpm publish should be able to publish a .tar.gz file #9927. + - Canceling a running process with Ctrl-C should make pnpm run + return a non-zero exit code #9626. +- update to 10.15.1: + * Patch Changes + - Fix .pnp.cjs crash when importing subpath #9904. + - When resolving peer dependencies, pnpm looks whether the peer + dependency is present in the root workspace project's + dependencies. 
This change makes it so that the peer + dependency is correctly resolved even from aliased npm-hosted + dependencies or other types of dependencies #9913. + +- update to 10.15.0: + * Minor Changes + - Added the cleanupUnusedCatalogs configuration. When set to + true, pnpm will remove unused catalog entries during + installation #9793. + - Automatically load pnpmfiles from config dependencies that + are named @*/pnpm-plugin-* #9780. + - pnpm config get now prints an INI string for an object value + #9797. + - pnpm config get now accepts property paths (e.g. pnpm config + get catalog.react, pnpm config get .catalog.react, pnpm + config get + 'packageExtensions["@babel/parser"].peerDependencies["@babel/types"]'), + and pnpm config set now accepts dot-leading or subscripted + keys (e.g. pnpm config set .ignoreScripts true). + - pnpm config get --json now prints a JSON serialization of + config value, and pnpm config set --json now parses the input + value as JSON. + * Patch Changes + - Semi-breaking. When automatically installing missing peer + dependencies, prefer versions that are already present in the + direct dependencies of the root workspace package #9835. + - When executing the pnpm create command, must verify whether + the node version is supported even if a cache already exists + #9775. + - When making requests for the non-abbreviated packument, add + */* to the Accept header to avoid getting a 406 error on AWS + CodeArtifact #9862. + - The standalone exe version of pnpm works with glibc 2.26 + again #9734. + - Fix a regression in which pnpm dlx pkg --help doesn't pass + --help to pkg #9823. + +- update to 10.14.0: + * Minor Changes + - Added support for JavaScript runtime installation + (Related PR: #9755.) + Declare Node.js, Deno, or Bun in devEngines.runtime (inside + package.json) and let pnpm download and pin it automatically. 
+ Usage example: + + { + "devEngines": { + "runtime": { + "name": "node", + "version": "^24.4.0", + "onFail": "download" // we only support the "download" value for now + } + } + } + How it works: + - pnpm install resolves your specified range to the latest + matching runtime version. + - The exact version (and checksum) is saved in the lockfile. + - Scripts use the local runtime, ensuring consistency across + environments. + Why this is better: + - This new setting supports also Deno and Bun (vs. our + Node-only settings useNodeVersion and + executionEnv.nodeVersion) + - Supports version ranges (not just a fixed version). + - The resolved version is stored in the pnpm lockfile, along + with an integrity checksum for future validation of the + Node.js content's validity. + - It can be used on any workspace project (like + executionEnv.nodeVersion). So, different projects in a + workspace can use different runtimes. + - For now devEngines.runtime setting will install the runtime + locally, which we will improve in future versions of pnpm + by using a shared location on the computer. + - Add --cpu, --libc, and --os to pnpm install, pnpm add, and + pnpm dlx to customize supportedArchitectures via the CLI + #7510. + * Patch Changes + - Fix a bug in which pnpm add downloads packages whose libc + differ from pnpm.supportedArchitectures.libc. + - The integrities of the downloaded Node.js artifacts are + verified #9750. + - Allow dlx to parse CLI flags and options between the dlx + command and the command to run or between the dlx command and + -- #9719. + - pnpm install --prod should removing hoisted dev dependencies + #9782. + - Fix an edge case bug causing local tarballs to not re-link + into the virtual store. This bug would happen when changing + the contents of the tarball without renaming the file and + running a filtered install. 
+ - Fix a bug causing pnpm install to incorrectly assume the + lockfile is up to date after changing a local tarball that + has peers dependencies. + +- update to 10.13.1: + * Patch Changes + - Run user defined pnpmfiles after pnpmfiles of plugins. +- update to 10.13.0: + * Minor Changes + - Added the possibility to load multiple pnpmfiles. The pnpmfile + setting can now accept a list of pnpmfile locations #9702. + - pnpm will now automatically load the pnpmfile.cjs file from any + config dependency named @pnpm/plugin-* or pnpm-plugin-* #9729. + - The order in which config dependencies are initialized should + not matter — they are initialized in alphabetical order. If a + specific order is needed, the paths to the pnpmfile.cjs files in + the config dependencies can be explicitly listed using the + pnpmfile setting in pnpm-workspace.yaml. + * Patch Changes + - When patching dependencies installed via pkg.pr.new, treat them + as Git tarball URLs #9694. + - Prevent conflicts between local projects' config and the global + config in dangerouslyAllowAllBuilds, onlyBuiltDependencies, + onlyBuiltDependenciesFile, and neverBuiltDependencies #9628. + - Sort keys in pnpm-workspace.yaml with deep #9701. + - The pnpm rebuild command should not add pkgs included in + ignoredBuiltDependencies to ignoredBuilds in + node_modules/.modules.yaml #9338. + - Replaced shell-quote with shlex for quoting command arguments + #9381. + +- update to 10.12.4: + * Patch Changes + - Fix pnpm licenses command for local dependencies #9583. + - Fix a bug in which pnpm ls --filter=not-exist --json prints + nothing instead of an empty array #9672. + - Fix a deadlock that sometimes happens during peer dependency + resolution #9673. + - Running pnpm install after pnpm fetch should hoist all + dependencies that need to be hoisted. + - Fixes a regression introduced in v10.12.2 by #9648; resolves + #9689. 
+ +- update to 10.12.3: + * Patch Changes + - Restore hoisting of optional peer dependencies when installing + with an outdated lockfile. Regression introduced in v10.12.2 by + #9648; resolves #9685. + +- update to 10.12.2: + * Patch Changes + - Fixed hoisting with enableGlobalVirtualStore set to true #9648. + - Fix the --help and -h flags not working as expected for the pnpm + create command. + - The dependency package path output by the pnpm licenses list + --json command is incorrect. + - Fix a bug in which pnpm deploy fails due to overridden + dependencies having peer dependencies causing + ERR_PNPM_OUTDATED_LOCKFILE #9595. + +- update to 10.12.1 (10.2.0 was yanked): + * Minor Changes + - Experimental. Added support for global virtual stores. When + enabled, node_modules contains only symlinks to a central + virtual store, rather to node_modules/.pnpm. By default, this + central store is located at <store-path>/links (you can find + the store path by running pnpm store path). + In the central virtual store, each package is hard linked + into a directory whose name is the hash of its dependency + graph. This allows multiple projects on the system to symlink + shared dependencies from this central location, significantly + improving installation speed when a warm cache is available. + This is conceptually similar to how NixOS manages packages, + using dependency graph hashes to create isolated and + reusable package directories. + To enable the global virtual store, set + enableGlobalVirtualStore: true in your root + pnpm-workspace.yaml, or globally via: + pnpm config -g set enable-global-virtual-store true + NOTE: In CI environments, where caches are typically cold, + this setting may slow down installation. pnpm automatically + disables the global virtual store when running in CI. + Related PR: #8190 + - The pnpm update command now supports updating catalog: + protocol dependencies and writes new specifiers to + pnpm-workspace.yaml. 
+ - A new catalogMode setting is available for controlling if and + how dependencies are added to the default catalog. It can be + configured to several modes: + - strict: Only allows dependency versions from the catalog. + Adding a dependency outside the catalog's version range + will cause an error. + - prefer: Prefers catalog versions, but will fall back to + direct dependencies if no compatible version is found. + - manual (default): Does not automatically add dependencies + to the catalog. + - Added two new CLI options (--save-catalog and + --save-catalog-name=<name>) to pnpm add to save new + dependencies as catalog entries. catalog: or catalog:<name> + will be added to package.json and the package specifier will + be added to the catalogs or catalog[<name>] object in + pnpm-workspace.yaml #9425. + - Semi-breaking. The keys used for side-effects caches have + changed. If you have a side-effects cache generated by a + previous version of pnpm, the new version will not use it and + will create a new cache instead #9605. + - Added a new setting called ci for explicitly telling pnpm if + the current environment is a CI or not. + * Patch Changes + - Sort versions printed by pnpm patch using semantic versioning + rules. + - Improve the way the error message displays mismatched + specifiers. Show differences instead of 2 whole objects + #9598. + - Revert #9574 to fix a regression #9596. + +- update to 10.11.1: + * Patch Changes + - Fix an issue in which pnpm deploy --legacy creates unexpected + directories when the root package.json has a workspace + package as a peer dependency #9550. + - Dependencies specified via a URL that redirects will only be + locked to the target if it is immutable, fixing a regression + when installing from GitHub releases. (#9531) + - Installation should not exit with an error if + strictPeerDependencies is true but all issues are ignored by + peerDependencyRules #9505. + - Use pnpm_config_ env variables instead of npm_config_ #9571. 
+ - Fix a regression (in v10.9.0) causing the --lockfile-only + flag on pnpm update to produce a different pnpm-lock.yaml + than an update without the flag. + - Let pnpm deploy work in repos with overrides when + inject-workspace-packages=true #9283. + - Fixed the problem of path loss caused by parsing URL address. + Fixes a regression shipped in pnpm v10.11 via #9502. + - pnpm -r --silent run should not print out section #9563. + +- update to 10.11.0: + * Minor Changes + - A new setting added for pnpm init to create a package.json + with type=module, when init-type is module. Works as a flag + for the init command too #9463. + - Added support for Nushell to pnpm setup #6476. + - Added two new flags to the pnpm audit command, --ignore and + --ignore-unfixable #8474. + Ignore all vulnerabilities that have no solution: + > pnpm audit --ignore-unfixable + Provide a list of CVE's to ignore those specifically, even if + they have a resolution. + > pnpm audit --ignore=CVE-2021-1234 --ignore=CVE-2021-5678 + - Added support for recursively running pack in every project + of a workspace #4351. + Now you can run pnpm -r pack to pack all packages in the + workspace. + * Patch Changes + - pnpm version management should work, when + dangerouslyAllowAllBuilds is set to true #9472. + - pnpm link should work from inside a workspace #9506. + - Set the default workspaceConcurrency to + Math.min(os.availableParallelism(), 4) #9493. + - Installation should not exit with an error if + strictPeerDependencies is true but all issues are ignored by + peerDependencyRules #9505. + - Read updateConfig from pnpm-workspace.yaml #9500. + - Add support for recursive pack + - Remove url.parse usage to fix warning on Node.js 24 #9492. + - pnpm run should be able to run commands from the workspace + root, if ignoreScripts is set tot true #4858. + +- update to 10.10.0: + * Allow loading the preResolution, importPackage, and fetchers + hooks from local pnpmfile. 
+ * Fix cd command, when shellEmulator is true #7838. + * Sort keys in pnpm-workspace.yaml #9453. + * Pass the npm_package_json environment variable to the + executed scripts #9452. + * Fixed a mistake in the description of the --reporter=silent + option. + +- update to 10.9.0: + * Minor Changes + - Added support for installing JSR packages. You can now + install JSR packages using the following syntax: + add jsr:<pkg_name> + or with a version range: + pnpm add jsr:<pkg_name>@<range> + For example, running: + pnpm add jsr:@foo/bar + will add the following entry to your package.json: + { + "dependencies": { + "@foo/bar": "jsr:^0.1.2" + } + } + When publishing, this entry will be transformed into a format + compatible with npm, older versions of Yarn, and previous + pnpm versions: + { + "dependencies": { + "@foo/bar": "npm:@jsr/foo__bar@^0.1.2" + } + } + Related issue: #8941. + Note: The @jsr scope defaults to https://npm.jsr.io/ if the + @jsr:registry setting is not defined. + - Added a new setting, dangerouslyAllowAllBuilds, for + automatically running any scripts of dependencies without the + need to approve any builds. It was already possible to allow + all builds by adding this to pnpm-workspace.yaml: + neverBuiltDependencies: [] + dangerouslyAllowAllBuilds has the same effect but also allows + to be set globally via: + pnpm config set dangerouslyAllowAllBuilds true + It can also be set when running a command: + pnpm install --dangerously-allow-all-builds + * Patch Changes + - Fix a false negative in verifyDepsBeforeRun when nodeLinker + is hoisted and there is a workspace package without + dependencies and node_modules directory #9424. + - Explicitly drop verifyDepsBeforeRun support for nodeLinker: + pnp. Combining verifyDepsBeforeRun and nodeLinker: pnp will + now print a warning. + +- udate to 10.8.1: + * Patch Changes + - Removed bright white highlighting, which didn't look good on + some light themes #9389. 
+ - If there is no pnpm related configuration in package.json, + onlyBuiltDependencies will be written to pnpm-workspace.yaml + file #9404. + - The patch file path saved by the pnpm patch-commit and + patch-remove commands should be a relative path #9403. + +- update to 10.8: + * Minor Changes + Experimental. A new hook is supported for updating + configuration settings. The hook can be provided via + .pnpmfile.cjs. For example: + + module.exports = { + hooks: { + updateConfig: (config) => ({ + ...config, + nodeLinker: "hoisted", + }), + }, + }; + + Now you can use the pnpm add command with the --config flag + to install new configurational dependencies #9377. + * Patch Changes + - Do not hang indefinitely, when there is a glob that starts + with !/ in pnpm-workspace.yaml. This fixes a regression + introduced by #9169. + - pnpm audit --fix should update the overrides in + pnpm-workspace.yaml. + - pnpm link should update overrides in pnpm-workspace.yaml, not + in package.json #9365. + +- update to 10.7.1: + * Patch Changes + - pnpm config set should convert the settings to their correct + type before adding them to pnpm-workspace.yaml #9355. + - pnpm config get should read auth related settings via npm CLI + #9345. + - Replace leading ~/ in a path in .npmrc with the home directory + #9217. + +- update to 10.7: + * Minor Changes + - pnpm config get and list also show settings set in + pnpm-workspace.yaml files #9316. + - It should be possible to use env variables in + pnpm-workspace.yaml setting names and value. + - Add an ability to patch dependencies by version ranges. Exact + versions override version ranges, which in turn override + name-only patches. Version range * is the same as name-only, + except that patch application failure will not be ignored. 
+ For example: + + patchedDependencies: + foo: patches/foo-1.patch + foo@^2.0.0: patches/foo-2.patch + foo@2.1.0: patches/foo-3.patch + + The above configuration would apply patches/foo-3.patch to + foo@2.1.0, patches/foo-2.patch to all foo versions which + satisfy ^2.0.0 except 2.1.0, and patches/foo-1.patch to the + remaining foo versions. + [!WARNING] + The version ranges should not overlap. If you want to + specialize a sub range, make sure to exclude it from the + other keys. For example: + + # pnpm-workspace.yaml + patchedDependencies: + # the specialized sub range + 'foo@2.2.0-2.8.0': patches/foo.2.2.0-2.8.0.patch + # the more general patch, excluding the sub range above + 'foo@>=2.0.0 <2.2.0 || >2.8.0': 'patches/foo.gte2.patch + + In most cases, however, it's sufficient to just define an + exact version to override the range. + - pnpm config set --location=project saves the setting to a + pnpm-workspace.yaml file if no .npmrc file is present in the + directory #9316. + - Rename pnpm.allowNonAppliedPatches to + pnpm.allowUnusedPatches. The old name is still supported but + it would print a deprecation warning message. + - Add pnpm.ignorePatchFailures to manage whether pnpm would + ignore patch application failures. + - If ignorePatchFailures is not set, pnpm would throw an + error when patches with exact versions or version ranges + fail to apply, and it would ignore failures from name-only + patches. + - If ignorePatchFailures is explicitly set to false, pnpm + would throw an error when any type of patch fails to apply. + - If ignorePatchFailures is explicitly set to true, pnpm + would print a warning when any type of patch fails to + apply. + * Patch Changes + - Remove dependency paths from audit output to prevent + out-of-memory errors #9280. + +- update to 10.6.5: + * Patch Changes + - Remove warnings after having explicitly approved no builds + #9296. 
+ - When installing different dependency packages, should retain + the ignoredBuilds field in the .modules.yaml file #9240. + - Fix usages of the catalog: protocol in injected local + workspace packages. This previously errored with + ERR_PNPM_SPEC_NOT_SUPPORTED_BY_ANY_RESOLVER. #8715 + - Setting workspace-concurrency to less than or equal to 0 + should work #9297. + +- update to 10.6.4: + * Patch Changes + - Fix pnpm dlx with --allow-build flag #9263. + - Invalid Node.js version in use-node-version should not cause + pnpm itself to break #9276. + - The max amount of workers running for linking packages from + the store has been reduced to 4 to achieve optimal results + #9286. The workers are performing many file system + operations, so increasing the number of CPUs doesn't help + performance after some point. + +- update to 10.6.3: + * Patch Changes + - pnpm install --prod=false should not crash, when executed in + a project with a pnpm-workspace.yaml file #9233. This fixes + regression introduced via #9211. + - Add the missing node-options config to recursive run #9180. + - Removed a branching code path that only executed when + dedupe-peer-dependents=false. We believe this internal + refactor will not result in behavior changes, but we expect + it to make future pnpm versions behave more consistently for + projects that override dedupe-peer-dependents to false. There + should be less unique bugs from turning off + dedupe-peer-dependents. + See details in #9259. + +- update to 10.6.2: + * Patch Changes + - pnpm self-update should always update the version in the + packageManager field of package.json. + - Fix running pnpm CLI from pnpm CLI on Windows when the CLI is + bundled to an executable #8971. + - pnpm patch-commit will now use the same filesystem as the + store directory to compare and create patch files. + - Don't show info output when --loglevel=error is used. + - peerDependencyRules should be set in pnpm-workspace.yaml to + take effect. 
+ +- update to 10.6.1: + * Patch Changes + - The pnpm CLI process should not stay hanging, when --silent + reporting is used. + - When --loglevel is set to error, don't show installation + summary, execution time, and big tarball download progress. + - Don't ignore pnpm.patchedDependencies from package.json + #9226. + - When executing the approve-builds command, if package.json + contains onlyBuiltDependencies or ignoredBuiltDependencies, + the selected dependency package will continue to be written + into package.json. + - When a package version cannot be found in the package + metadata, print the registry from which the package was + fetched. + +- update to 10.6.0: + * Minor Changes + - pnpm-workspace.yaml can now hold all the settings that .npmrc + accepts. The settings should use camelCase #9211. + pnpm-workspace.yaml example: + + verifyDepsBeforeRun: install + optimisticRepeatInstall: true + publicHoistPattern: + - "*types*" + - "!@types/react" + + - Projects using a file: dependency on a local tarball file + (i.e. .tgz, .tar.gz, .tar) will see a performance improvement + during installation. Previously, using a file: dependency on + a tarball caused the lockfile resolution step to always run. + The lockfile will now be considered up-to-date if the tarball + is unchanged. + * Patch Changes + - pnpm self-update should not leave a directory with a broken + pnpm installation if the installation fails. + - fast-glob replace with tinyglobby to reduce the size of the + pnpm CLI dependencies #9169. + - pnpm deploy should not remove fields from the deployed + package's package.json file #9215. + - pnpm self-update should not read the pnpm settings from the + package.json file in the current working directory. + - Fix pnpm deploy creating a package.json without the imports + and license field #9193. + - pnpm update -i should list only packages that have newer + versions #9206. 
+ - Fix a bug causing entries in the catalogs section of the + pnpm-lock.yaml file to be removed when + dedupe-peer-dependents=false on a filtered install. #9112 + +- update to 10.5.2: + * The pnpm config set command should change the global .npmrc + file by default. + This was a regression introduced by #9151 and shipped in pnpm + v10.5.0. + +- update to 10.5.1: + * Throw an error message if a pnpm-workspaces.yaml or + pnpm-workspaces.yml file is found instead of a + pnpm-workspace.yaml #9170. + * Fix the update of pnpm-workspace.yaml by the pnpm + approve-builds command #9168. + * Normalize generated link paths in package.json #9163 + * Specifying overrides in pnpm-workspace.yaml should work. + * pnpm dlx should ignore settings from the package.json file in + the current working directory #9178. + +- update to 10.5.0: + * The pnpm.* settings from package.json can now be specified in + the pnpm-workspace.yaml file instead #9121. + * Added support for automatically syncing files of injected + workspace packages after pnpm run #9081. Use the sync-injected + -deps-after-scripts setting to specify which scripts build + the workspace package. This tells pnpm when syncing is needed. + The setting should be defined in a .npmrc file at the root of + the workspace. + * The packages field in pnpm-workspace.yaml became optional. + * pnpm link with no parameters should work as if --global is + specified #9151 + * Allow scope registry CLI option without --config. prefix such + as --@scope:registry=https://scope.example.com/npm #9089 + * pnpm link <path> should calculate relative path from the root + of the workspace directory #9132 + * Fix a bug causing catalog snapshots to be removed from the + pnpm-lock.yaml file when using --fix-lockfile and --filter. 
#8639 + * Fix a bug causing catalog protocol dependencies to not re- + resolve on a filtered install #8638 + +- update to 10.4.1: + * Throws an error when the value provided by the --allow-build + option overlaps with the pnpm.ignoredBuildDependencies list #9105. + * Print pnpm's version after the execution time at the end of the console output. + * Print warning about ignored builds of dependencies on repeat install #9106. + * Setting init-package-manager should work. +- includes 10.4.0: + * pnpm approve-builds --global works now for allowing + dependencies of globally installed packages to run + postinstall scripts. + * The pnpm add command now supports a new flag, --allow-build, + which allows building the specified dependencies. + * pnpm approve-builds should work after two consecutive pnpm install runs #9083. + * Fix instruction for updating pnpm with corepack #9101. + * The pnpm version specified by packageManager cannot start with v. + +- update to 10.3.0: + * Added a new setting called strict-dep-builds. When enabled, + the installation will exit with a non-zero exit code if any + dependencies have unreviewed build scripts (aka postinstall scripts) #9071. + * Fix a false negative of verify-deps-before-run after pnpm + install --production|--no-optional #9019. + * Print the warning about blocked installation scripts at the + end of the installation output and make it more prominent. + +- update to 10.2.1: + * Don't read a package from side-effects cache if it isn't + allowed to be built #9042. + * pnpm approve-builds should work, when executed from a + subdirectory of a workspace #9042. + * pnpm deploy --legacy should work without injected dependencies + * Add information about how to deploy without "injected + dependencies" to the "pnpm deploy" error message. +- includes 10.2.0: + * Packages executed via pnpm dlx and pnpm create are allowed to + be built (run postinstall scripts) by default. 
+ * Quote args for scripts with shell-quote to support new lines + (on POSIX only) #8980. + * Fix a bug in which pnpm deploy fails to read the correct + projectId when the deploy source is the same as the workspace directory #9001. + * Proxy settings should be respected, when resolving Git-hosted + dependencies #6530. + * Prevent overrides from adding invalid version ranges to + peerDependencies by keeping the peerDependencies and + overriding them with prod dependencies #8978. + * Sort the package names in the "pnpm.onlyBuiltDependencies" + list saved by pnpm approve-builds. + +- update to 10.1.0: + * Added a new command for printing the list of dependencies + with ignored build scripts: pnpm ignored-builds #8963. + * Added a new command for approving dependencies for running + scripts during installation: pnpm approve-builds #8963. + * Added a new setting called optimistic-repeat-install. When + enabled, a fast check will be performed before proceeding to + installation. This way a repeat install or an install on a + project with everything up-to-date becomes a lot faster. But + some edge cases might arise, so we keep it disabled by + default for now #8977. + * Added a new field "pnpm.ignoredBuiltDependencies" for + explicitly listing packages that should not be built. When a + package is in the list, pnpm will not print an info message + about that package not being built #8935. + * Verify that the package name is valid when executing the + publish command. + * When running pnpm install, the preprepare and postprepare + scripts of the project should be executed #8989. + * Allow workspace: and catalog: to be part of wider version + range in peerDependencies. + * pnpm deploy should inherit the pnpm object from the root + package.json #8991. + * Make sure that the deletion of a node_modules in a sub- + project of a monorepo is detected as out-of-date #8959. 
+ * Fix infinite loop caused by lifecycle scripts using pnpm to + execute other scripts during pnpm install with + verify-deps-before-run=install #8954. + * Replace strip-ansi with the built-in util. + stripVTControlCharacters #9009. + * Do not print patched dependencies as ignored dependencies + that require a build #8952. + +- update to 10.0.0: + * Lifecycle scripts of dependencies are not executed during + installation by default! This is a breaking change aimed at + increasing security. In order to allow lifecycle scripts of + specific dependencies, they should be listed in the pnpm + onlyBuiltDependencies field of package.json #8897 + * The pnpm link command now adds overrides to the root package.json. #8653 + * Secure hashing with SHA256 + * Configuration updates + * Changes to the global store + * The # character is now escaped in directory names within + node_modules/.pnpm. #8557 + * Running pnpm add --global pnpm or pnpm add --global @pnpm/exe + now fails with an error message, directing you to use pnpm + self-update instead. #8728 + * Dependencies added via a URL now record the final resolved + URL in the lockfile, ensuring that any redirects are fully + captured. #8833 + * The pnpm deploy command now only works in workspaces that + have inject-workspace-packages=true. This limitation is + introduced to allow us to create a proper lockfile for the + deployed project using the workspace lockfile. + * Removed conversion from lockfile v6 to v9. If you need v6-to- + v9 conversion, use pnpm CLI v9. + * pnpm test now passes all parameters after the test keyword + directly to the underlying script. This matches the behavior + of pnpm run test. Previously you needed to use the -- prefix. #8619 + * node-gyp updated to version 11. + * pnpm deploy now tries creating a dedicated lockfile from a + shared lockfile for deployment. It will fallback to + deployment without a lockfile if there is no shared lockfile + or force-legacy-deploy is set to true. 
+ * Added support for a new type of dependencies called + "configurational dependencies". These dependencies are + installed before all the other types of dependencies (befor + "dependencies", "devDependencies", "optionalDependencies"). + * New verify-deps-before-run setting. This setting controls how + pnpm checks node_modules before running scripts #8836 + * On repeated installs, pnpm performs a quick check to ensure + node_modules is up to date. #8838 + * pnpm add integrates with default workspace catalog: #8640 + * pnpm dlx now resolves packages to their exact versions and + uses these exact versions for cache keys. This ensures pnpm + dlx always installs the latest requested packages #8811 + * No node_modules validation on certain commands. Commands that + should not modify node_modules (e.g., pnpm install --lockfile- + only) no longer validate or purge node_modules. #8657 + * for full changes, see https://github.com/pnpm/pnpm/releases/tag/v10.0.0 + +- update to 9.15.3: + * Fixed the Regex used to find the package manifest during + packing #8938. + * pnpm update --filter <pattern> --latest <pkg> should only + change the specified package for the specified workspace, when + dedupe-peer-dependents is set to true #8877. + * Exclude .DS_Store file at patch-commit #8922. + * Fix a bug in which pnpm patch is unable to bring back old patch + without specifying @version suffix #8919. + +- update to 9.15.2: + * Fixed publish/pack error with workspace dependencies with + relative paths #8904. It was broken in v9.4.0 (398472c). + * Use double quotes in the command suggestion by pnpm patch on + Windows #7546. + * Do not fall back to SSH, when resolving a git-hosted package if + git ls-remote works via HTTPS #8906. + * Improve how packages with blocked lifecycle scripts are + reported during installation. Always print the list of ignored + scripts at the end of the output. Include a hint about how to + allow the execution of those packages. 
+ +- update to version 9.15.1: + * pnpm remove should not link dependencies from the workspace, + when link-workspace-packages is set to false #7674 + * Installation with hoisted node_modules should not fail, when + a dependency has itself in its own peer dependencies #8854 + +- update to version 9.15.0: + * Metadata directory version bumped to force fresh cache after + we shipped a fix to the metadata write function. This change + is backward compatible as install doesn't require a metadata cache + * pnpm update --global should not crash if there are no any + global packages installed #7898 + * Fix an exception when running pnpm update --interactive if + catalogs are used. + +- update to version 9.14.4: + * Don't ever save mutated metadata to the metadata cache +- includes 9.14.3: + * Some commands should ignore the packageManager field check of + package.json #7959 + +- update to version 9.14.2: + pnpm publish --json should work #8788 +- includes 9.14.1: + * Added support for pnpm pack --json to print packed tarball + and contents in JSON format #8765 + * pnpm exec should print a meaningful error message when no + command is provided #8752 + * pnpm setup should remove the CLI from the target location + before moving the new binary #8173 + * Fix ERR_PNPM_TARBALL_EXTRACT error while installing a + dependency from GitHub having a slash in branch name #7697 + * Don't crash if the use-node-version setting is used and the + system has no Node.js installed #8769 + * Convert settings in local .npmrc files to their correct types. 
+ For instance, child-concurrency should be a number, not a string #5075 + * pnpm should fail if a project requires a different package + manager even if manage-package-manager-versions is set to true + * pnpm init should respect the --dir option #8768 +- includes 9.14.0: + * chore: use verify-deps-before-run + * fix(init): --dir option should be respected (#8768) + * feat: support json format output in pnpm pack (#8765) + * fix: pnpm exec should specify command (#8774) + * fix: proper types of settings in local .npmrc files (#8775) + * fix: ERR_PNPM_TARBALL_EXTRACT when the URL's hash contains a slash + * fix: the CLI should fail if a different package manager is + required by the project + * fix: ETXTBSY error on running setup (#8780) + * feat: add linux-riscv64 build (#8779) + * fix: remove link to X from update notifier (#8773) + * docs: update sponsors + * fix: upgrade cross-sapwn (#8782) + * fix: don't crash when use-node-version is set and there is no node.js + * docs: update changesets + +- update to version 9.13.2: + * Detection of circular peer dependencies should not crash with + aliased dependencies #8759. Fixes a regression introduced in + the previous version. + * Fix race condition of symlink creations caused by multiple + parallel dlx processes. + +- update to version 9.13.1: + * Fixed some edge cases where resolving circular peer + dependencies caused a dead lock #8720 + +- update to version 9.13.0: + * The self-update now accepts a version specifier to install a + specific version of pnpm. 
+ * Fix Cannot read properties of undefined (reading 'name') that + is printed while trying to render the missing peer + dependencies warning message #8538 + +- update to version 9.12.3: + * Don't purge node_modules, when typing "n" in the prompt that + asks whether to remove node_modules before installation #8655 + * Fix a bug causing pnpm to infinitely spawn itself when manage- + package-manager-versions=true is set and the .tools directory is corrupt + * Use crypto.hash, when available, for improved performance #8629 + * Fixed a race condition in temporary file creation in the + store by including worker thread ID in filename. Previously, + multiple worker threads could attempt to use the same + temporary file. Temporary files now include both process ID + and thread ID for uniqueness #8703 + * All commands should read settings from the package.json at + the root of the workspace #8667 + * When manage-package-manager-versions is set to true, errors + spawning a self-managed version of pnpm will now be shown + (instead of being silent) + * Pass the find command to npm, it is an alias for npm search +- includes 9.12.2: + * When checking whether a file in the store has executable + permissions, the new approach checks if at least one of the + executable bits (owner, group, and others) is set to 1. + Previously, a file was incorrectly considered executable only + when all the executable bits were set to 1. This fix ensures + that files with any executable permission, regardless of the + user class, are now correctly identified as executable #8546 + + + pnpm + + diff --git a/pnpm b/pnpm index 94b9cc2..4d55e02 160000 --- a/pnpm +++ b/pnpm @@ -1 +1 @@ -Subproject commit 94b9cc28e10af833bac78e77e43c3ceffd33855bddb6f1ec7a94b38de7e7875f +Subproject commit 4d55e025187c4e96fd320d1c9611757e5e2052e82bfd456a276051a1bc48a088
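Review bot: the 10.0.0 entry, deep in the _patchinfo description, states "Lifecycle scripts of dependencies are not executed during installation by default!" and calls it a breaking change, but nothing near the top of this moderate-rated security update warns that it crosses a major version (the changelog shown runs from 9.12.2 up to 10.22.0). Suggest a short summary before "Changes in pnpm:" listing the behaviour changes an administrator has to act on: the onlyBuiltDependencies allow-list for build scripts, pnpm deploy only working with inject-workspace-packages=true, and the removed lockfile v6 to v9 conversion. The part of the description shown here also cites only upstream issue numbers and no bug or CVE reference for the security fix itself, which makes the rating hard to audit from this text. Minor: "befor", "cross-sapwn" and "no any global packages" are typos, and the 9.14.2 entry ("pnpm publish --json should work #8788") is missing its "*" bullet.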
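Review bot: the subproject pointer bump at the end (index 94b9cc2..4d55e02) cannot be checked against the patchinfo from this diff alone, because nothing here ties the new commit to the 10.22.0 release that the description announces. Suggest naming the packaged pnpm version in the commit message and confirming that the subproject commit actually contains 10.22.0 before accepting, so that the advisory text and the shipped sources cannot drift apart.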