diff --git a/.changeset-released/release-11.0.txt b/.changeset-released/release-11.0.txt new file mode 100644 index 0000000000..ebfa2321df --- /dev/null +++ b/.changeset-released/release-11.0.txt @@ -0,0 +1,10 @@ +exe-node-gyp-executable +exe-windows-aliases +fetch-install-no-recreate +git-tarball-integrity +global-yaml-user-prefs +oidc-precedence-over-static-token +pm-on-fail-survives-help-version +recursive-filter-root-exclusion +restore-publish-json-stdout +scoped-registry-config-get-publish diff --git a/.changeset/exe-node-gyp-executable.md b/.changeset/exe-node-gyp-executable.md deleted file mode 100644 index 1f574f81ce..0000000000 --- a/.changeset/exe-node-gyp-executable.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -"@pnpm/exe": patch -"pnpm": patch ---- - -Restore the execute bit on the `node-gyp` shims packed inside `@pnpm/exe` (`dist/node-gyp-bin/node-gyp`, `dist/node-gyp-bin/node-gyp.cmd`, and `dist/node_modules/node-gyp/bin/node-gyp.js`). Without this, `pnpm/action-setup`'s standalone path (used on runners with Node.js < 22.13) failed any install whose lifecycle script invoked `node-gyp rebuild` with `sh: 1: node-gyp: Permission denied` [#11483](https://github.com/pnpm/pnpm/issues/11483). diff --git a/.changeset/exe-windows-aliases.md b/.changeset/exe-windows-aliases.md deleted file mode 100644 index 9ac6b0dc2c..0000000000 --- a/.changeset/exe-windows-aliases.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -"@pnpm/engine.pm.commands": patch -"pnpm": patch ---- - -Fixed the `pn`, `pnpx`, and `pnx` aliases failing in Git Bash / MSYS2 on Windows when pnpm was installed via `@pnpm/exe` (or after `pnpm self-update`) [#11486](https://github.com/pnpm/pnpm/issues/11486). Running `pnpx` (or `pnx`) printed the cmd.exe banner and dropped the user into an interactive command prompt instead of running `pnpm dlx`. The `bin` field rewrite on Windows was pointing those aliases at `.cmd` files; cmd-shim's Bash shim for a `.cmd` target wraps it in `exec cmd /C ...`, and MSYS2 mangles `/C` into a Windows path before cmd.exe sees it. The aliases are now `.exe` hardlinks of the SEA binary, which detects which name it was launched as via `process.execPath` and prepends `dlx` for `pnpx` / `pnx`. diff --git a/.changeset/fetch-install-no-recreate.md b/.changeset/fetch-install-no-recreate.md deleted file mode 100644 index f106e85b15..0000000000 --- a/.changeset/fetch-install-no-recreate.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -"@pnpm/installing.modules-yaml": patch -"@pnpm/installing.deps-restorer": patch -"@pnpm/installing.deps-installer": patch -"pnpm": patch ---- - -Fix `pnpm install` recreating `node_modules` after `pnpm fetch`. `pnpm fetch` records empty `hoistPattern` and `publicHoistPattern` in `.modules.yaml`; since v11 removed the explicit-config gate, the follow-up install treated those as a hoist-pattern change and purged the modules directory. The fetch step now flags the modules manifest with `virtualStoreOnly: true` so the next install skips the hoist-pattern comparison and completes the missing post-import linking in place [#11488](https://github.com/pnpm/pnpm/issues/11488). diff --git a/.changeset/git-tarball-integrity.md b/.changeset/git-tarball-integrity.md deleted file mode 100644 index 0c809e985b..0000000000 --- a/.changeset/git-tarball-integrity.md +++ /dev/null @@ -1,20 +0,0 @@ ---- -"@pnpm/building.after-install": patch -"@pnpm/fetching.pick-fetcher": patch -"@pnpm/fetching.tarball-fetcher": patch -"@pnpm/installing.deps-installer": patch -"@pnpm/installing.package-requester": patch -"@pnpm/lockfile.fs": patch -"@pnpm/lockfile.types": patch -"@pnpm/lockfile.utils": patch -"@pnpm/modules-mounter.daemon": patch -"@pnpm/resolving.git-resolver": patch -"@pnpm/resolving.resolver-base": patch -"@pnpm/store.commands": patch -"@pnpm/store.pkg-finder": patch -"pnpm": patch ---- - -Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. - -A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. diff --git a/.changeset/global-yaml-user-prefs.md b/.changeset/global-yaml-user-prefs.md deleted file mode 100644 index 76df43a3d4..0000000000 --- a/.changeset/global-yaml-user-prefs.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -"@pnpm/config.reader": patch -"pnpm": patch ---- - -Allow user-level preferences in the global `config.yaml`. The following settings can now be set in `~/.config/pnpm/config.yaml` (or via `pnpm config set --location global`) instead of being restricted to `pnpm-workspace.yaml`: `agent`, `globalVirtualStoreDir`, `initPackageManager`, `initType`, `registrySupportsTimeField`, `scriptShell`, `shellEmulator`, `sideEffectsCache`, `sideEffectsCacheReadonly`, `stateDir`, `strictDepBuilds`, `trustPolicy`, `trustPolicyExclude`, `trustPolicyIgnoreAfter`, `updateNotifier`, `useStderr`, `verifyDepsBeforeRun`, `verifyStoreIntegrity`, `virtualStoreDir`, `virtualStoreDirMaxLength` [#11474](https://github.com/pnpm/pnpm/issues/11474). diff --git a/.changeset/oidc-precedence-over-static-token.md b/.changeset/oidc-precedence-over-static-token.md deleted file mode 100644 index 6da3969301..0000000000 --- a/.changeset/oidc-precedence-over-static-token.md +++ /dev/null @@ -1,8 +0,0 @@ ---- -"@pnpm/releasing.commands": patch -"pnpm": patch ---- - -Make trusted publishing (OIDC) take precedence over a configured static `_authToken` in `pnpm publish`, mirroring the npm CLI's behavior. When OIDC succeeds, the OIDC-derived token overrides any pre-configured `_authToken`; when OIDC is not applicable (no CI environment, exchange fails, registry has no trusted publisher configured), the static token is used as a fallback. This applies on every package during recursive publish, so each workspace package independently attempts trusted publishing. - -Additionally, the `NPM_ID_TOKEN` env var is now honored as a CI-agnostic injection point for an OIDC ID token. Previously OIDC was only attempted on GitHub Actions or GitLab; now any CI provider that exposes its own OIDC mechanism (e.g. CircleCI's `CIRCLE_OIDC_TOKEN_V2`, Buildkite, etc.) can forward its token via `NPM_ID_TOKEN` and trusted publishing will work without pnpm needing to recognize the provider explicitly. diff --git a/.changeset/pm-on-fail-survives-help-version.md b/.changeset/pm-on-fail-survives-help-version.md deleted file mode 100644 index 99f6dcb45d..0000000000 --- a/.changeset/pm-on-fail-survives-help-version.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -"@pnpm/cli.parse-cli-args": patch -"pnpm": patch ---- - -`--pm-on-fail=ignore` (and other universal options like `--loglevel`, `--reporter`) is now honored when combined with `--help` or `--version`. Previously the CLI argument parser short-circuited those flags before universal options were preserved, so `pnpm audit --pm-on-fail=ignore --help` and `pnpm --pm-on-fail=ignore --version` reported the strict packageManager mismatch instead of running the requested action [#11487](https://github.com/pnpm/pnpm/issues/11487). diff --git a/.changeset/recursive-filter-root-exclusion.md b/.changeset/recursive-filter-root-exclusion.md deleted file mode 100644 index a4af404d96..0000000000 --- a/.changeset/recursive-filter-root-exclusion.md +++ /dev/null @@ -1,5 +0,0 @@ ---- -"pnpm": patch ---- - -Fix a regression where `pnpm --recursive --filter '!' run/exec/test/add` would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative `--filter` arguments are provided, matching the [documented behavior](https://pnpm.io/cli/recursive). To include the root, pass `--include-workspace-root` [#11341](https://github.com/pnpm/pnpm/issues/11341). diff --git a/.changeset/restore-publish-json-stdout.md b/.changeset/restore-publish-json-stdout.md deleted file mode 100644 index e8685ac719..0000000000 --- a/.changeset/restore-publish-json-stdout.md +++ /dev/null @@ -1,10 +0,0 @@ ---- -"@pnpm/releasing.commands": patch -pnpm: patch ---- - -Restore npm-CLI-compatible `--json` stdout output for `pnpm publish` ([#11476](https://github.com/pnpm/pnpm/issues/11476)). pnpm 11 reimplemented publish natively ([#10591](https://github.com/pnpm/pnpm/pull/10591)) and inadvertently dropped the per-package JSON object that pnpm 10 emitted transitively via the npm CLI, silently breaking downstream tooling — most notably `nx release publish`, which parses stdout JSON to confirm success ([nrwl/nx#35575](https://github.com/nrwl/nx/issues/35575)). On success, the output is now: - -- `pnpm publish --json` → single object `{ id, name, version, size, unpackedSize, shasum, integrity, filename, files, entryCount, bundled }`, mirroring `npm publish --json`. -- `pnpm publish -r --json` → array of those objects, mirroring `pnpm pack --json`'s shape choice. -- `pnpm publish -r --report-summary` → existing `pnpm-publish-summary.json` envelope `{ publishedPackages: [...] }` is preserved, but each entry is upgraded to the same per-package shape (additive — `name` and `version` are still present). diff --git a/.changeset/scoped-registry-config-get-publish.md b/.changeset/scoped-registry-config-get-publish.md deleted file mode 100644 index dbde8e7ba7..0000000000 --- a/.changeset/scoped-registry-config-get-publish.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -"@pnpm/config.commands": patch -"pnpm": patch ---- - -`pnpm config get @:registry` now reports the same URL that `pnpm publish` and the resolvers actually use. Previously, `config get` only consulted `.npmrc`, while `publish`/install used the merged map that includes `pnpm-workspace.yaml`'s `registries` block — so the two could diverge silently and a publish could go to the wrong registry [#11492](https://github.com/pnpm/pnpm/issues/11492). diff --git a/.meta-updater/CHANGELOG.md b/.meta-updater/CHANGELOG.md index fb8e6d901b..c1d95ead83 100644 --- a/.meta-updater/CHANGELOG.md +++ b/.meta-updater/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm-private/updater +## 1100.0.8 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.fs@1100.0.5 + ## 1100.0.7 ### Patch Changes diff --git a/.meta-updater/package.json b/.meta-updater/package.json index d9614b74e1..6a885f47a4 100644 --- a/.meta-updater/package.json +++ b/.meta-updater/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm-private/updater", - "version": "1100.0.7", + "version": "1100.0.8", "private": true, "type": "module", "scripts": { diff --git a/__utils__/assert-project/CHANGELOG.md b/__utils__/assert-project/CHANGELOG.md index aa0785f25d..a5c236ff38 100644 --- a/__utils__/assert-project/CHANGELOG.md +++ b/__utils__/assert-project/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/assert-project +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/assert-store@1100.0.5 + ## 1100.0.4 ### Patch Changes diff --git a/__utils__/assert-project/package.json b/__utils__/assert-project/package.json index dec7be41f5..df7d52a6fc 100644 --- a/__utils__/assert-project/package.json +++ b/__utils__/assert-project/package.json @@ -1,7 +1,7 @@ { "name": "@pnpm/assert-project", "description": "Utils for testing projects that use pnpm", - "version": "1100.0.4", + "version": "1100.0.5", "author": { "name": "Zoltan Kochan", "email": "z@kochan.io", diff --git a/__utils__/assert-store/CHANGELOG.md b/__utils__/assert-store/CHANGELOG.md index 6ae036358a..1218ca8aca 100644 --- a/__utils__/assert-store/CHANGELOG.md +++ b/__utils__/assert-store/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/assert-store +## 1100.0.5 + +### Patch Changes + +- @pnpm/store.cafs@1100.1.2 + ## 1100.0.4 ### Patch Changes diff --git a/__utils__/assert-store/package.json b/__utils__/assert-store/package.json index c176ba9560..8d78888ce3 100644 --- a/__utils__/assert-store/package.json +++ b/__utils__/assert-store/package.json @@ -1,7 +1,7 @@ { "name": "@pnpm/assert-store", "description": "Utils for testing pnpm store", - "version": "1100.0.4", + "version": "1100.0.5", "bugs": { "url": "https://github.com/pnpm/pnpm/issues" }, diff --git a/__utils__/jest-config/CHANGELOG.md b/__utils__/jest-config/CHANGELOG.md index 61d2241396..44bf0244c0 100644 --- a/__utils__/jest-config/CHANGELOG.md +++ b/__utils__/jest-config/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/jest-config +## 1100.0.5 + +### Patch Changes + +- @pnpm/worker@1100.1.2 + ## 1100.0.4 ### Patch Changes diff --git a/__utils__/jest-config/package.json b/__utils__/jest-config/package.json index d08bcda513..4a1a386de5 100644 --- a/__utils__/jest-config/package.json +++ b/__utils__/jest-config/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/jest-config", - "version": "1100.0.4", + "version": "1100.0.5", "private": true, "main": "jest-preset.js", "type": "module", diff --git a/__utils__/prepare/CHANGELOG.md b/__utils__/prepare/CHANGELOG.md index 1d41f8e94b..72e94aa843 100644 --- a/__utils__/prepare/CHANGELOG.md +++ b/__utils__/prepare/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/prepare +## 1100.0.5 + +### Patch Changes + +- @pnpm/assert-project@1100.0.5 + ## 1100.0.4 ### Patch Changes diff --git a/__utils__/prepare/package.json b/__utils__/prepare/package.json index 6278c7e2ed..1ac4e6bc17 100644 --- a/__utils__/prepare/package.json +++ b/__utils__/prepare/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/prepare", - "version": "1100.0.4", + "version": "1100.0.5", "main": "lib/index.js", "types": "lib/index.d.ts", "type": "module", diff --git a/agent/client/CHANGELOG.md b/agent/client/CHANGELOG.md index edb42a7bf3..5aa0c6cd5c 100644 --- a/agent/client/CHANGELOG.md +++ b/agent/client/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/agent.client +## 1.0.2 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/store.cafs@1100.1.2 + - @pnpm/worker@1100.1.2 + ## 1.0.1 ### Patch Changes diff --git a/agent/client/package.json b/agent/client/package.json index c2d8bc115e..31db1cc0a7 100644 --- a/agent/client/package.json +++ b/agent/client/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/agent.client", - "version": "1.0.1", + "version": "1.0.2", "description": "Client for pnpm agent server — sends store state, receives resolved lockfile and missing files", "keywords": [ "pnpm", diff --git a/agent/server/CHANGELOG.md b/agent/server/CHANGELOG.md index dad4a45a4c..6ab2ac6970 100644 --- a/agent/server/CHANGELOG.md +++ b/agent/server/CHANGELOG.md @@ -1,5 +1,18 @@ # pnpm-agent +## 0.0.9 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] + - @pnpm/installing.deps-installer@1101.0.7 + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/installing.client@1100.0.10 + - @pnpm/store.controller@1101.0.3 + - @pnpm/store.cafs@1100.1.2 + ## 0.0.8 ### Patch Changes diff --git a/agent/server/package.json b/agent/server/package.json index 654d784df5..27ab816553 100644 --- a/agent/server/package.json +++ b/agent/server/package.json @@ -1,6 +1,6 @@ { "name": "pnpm-agent", - "version": "0.0.8", + "version": "0.0.9", "description": "pnpm agent server for server-side resolution and store-aware downloads", "keywords": [ "pnpm", diff --git a/auth/commands/CHANGELOG.md b/auth/commands/CHANGELOG.md index b16d88de95..7eb567c158 100644 --- a/auth/commands/CHANGELOG.md +++ b/auth/commands/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/auth.commands +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + ## 1100.0.9 ### Patch Changes diff --git a/auth/commands/package.json b/auth/commands/package.json index 8ae6bdecb8..f8ce392628 100644 --- a/auth/commands/package.json +++ b/auth/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/auth.commands", - "version": "1100.0.9", + "version": "1100.0.10", "description": "Commands for authentication with npm registries", "keywords": [ "pnpm", diff --git a/building/after-install/CHANGELOG.md b/building/after-install/CHANGELOG.md index b47c725761..e51d278200 100644 --- a/building/after-install/CHANGELOG.md +++ b/building/after-install/CHANGELOG.md @@ -1,5 +1,29 @@ # @pnpm/building.after-install +## 1101.0.7 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/config.reader@1101.2.1 + - @pnpm/installing.context@1100.0.6 + - @pnpm/deps.graph-hasher@1100.1.3 + - @pnpm/lockfile.walker@1100.0.4 + - @pnpm/store.controller-types@1100.0.5 + - @pnpm/store.connection-manager@1100.0.11 + - @pnpm/exec.lifecycle@1100.0.6 + - @pnpm/store.cafs@1100.1.2 + - @pnpm/worker@1100.1.2 + ## 1101.0.6 ### Patch Changes diff --git a/building/after-install/package.json b/building/after-install/package.json index 340c2203d5..eb58fcc960 100644 --- a/building/after-install/package.json +++ b/building/after-install/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/building.after-install", - "version": "1101.0.6", + "version": "1101.0.7", "description": "Rebuild packages that are already installed by running their lifecycle scripts", "keywords": [ "pnpm", diff --git a/building/commands/CHANGELOG.md b/building/commands/CHANGELOG.md index 31229ea8d6..13b3f19b45 100644 --- a/building/commands/CHANGELOG.md +++ b/building/commands/CHANGELOG.md @@ -1,5 +1,19 @@ # @pnpm/building.commands +## 1100.0.12 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/building.after-install@1101.0.7 + - @pnpm/config.reader@1101.2.1 + - @pnpm/installing.commands@1100.1.10 + - @pnpm/store.connection-manager@1100.0.11 + - @pnpm/config.writer@1100.0.6 + ## 1100.0.11 ### Patch Changes diff --git a/building/commands/package.json b/building/commands/package.json index c47be3db30..2fb296a722 100644 --- a/building/commands/package.json +++ b/building/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/building.commands", - "version": "1100.0.11", + "version": "1100.0.12", "description": "Commands for rebuilding and managing dependency builds", "keywords": [ "pnpm", diff --git a/building/during-install/CHANGELOG.md b/building/during-install/CHANGELOG.md index 70c32953b6..3ae28176f8 100644 --- a/building/during-install/CHANGELOG.md +++ b/building/during-install/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/building.during-install +## 1101.0.5 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + - @pnpm/deps.graph-hasher@1100.1.3 + - @pnpm/store.controller-types@1100.0.5 + - @pnpm/exec.lifecycle@1100.0.6 + - @pnpm/fs.hard-link-dir@1100.0.1 + - @pnpm/patching.apply-patch@1100.0.0 + - @pnpm/worker@1100.1.2 + ## 1101.0.4 ### Patch Changes diff --git a/building/during-install/package.json b/building/during-install/package.json index b2c36fb609..79391ce97d 100644 --- a/building/during-install/package.json +++ b/building/during-install/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/building.during-install", - "version": "1101.0.4", + "version": "1101.0.5", "description": "Build packages in node_modules", "keywords": [ "pnpm", diff --git a/cache/api/CHANGELOG.md b/cache/api/CHANGELOG.md index 316bc295b4..32f658040a 100644 --- a/cache/api/CHANGELOG.md +++ b/cache/api/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/cache.api +## 1100.0.9 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + - @pnpm/resolving.npm-resolver@1101.0.2 + - @pnpm/store.cafs@1100.1.2 + ## 1100.0.8 ### Patch Changes diff --git a/cache/api/package.json b/cache/api/package.json index b7ecdbd7c3..ec86751de2 100644 --- a/cache/api/package.json +++ b/cache/api/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cache.api", - "version": "1100.0.8", + "version": "1100.0.9", "description": "API for controlling the cache", "keywords": [ "pnpm", diff --git a/cache/commands/CHANGELOG.md b/cache/commands/CHANGELOG.md index a2d7a79114..e5c654c6d9 100644 --- a/cache/commands/CHANGELOG.md +++ b/cache/commands/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/cache.commands +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + - @pnpm/cache.api@1100.0.9 + ## 1100.0.9 ### Patch Changes diff --git a/cache/commands/package.json b/cache/commands/package.json index 4792d46ceb..17e8d6b85d 100644 --- a/cache/commands/package.json +++ b/cache/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cache.commands", - "version": "1100.0.9", + "version": "1100.0.10", "description": "Commands for controlling the cache", "keywords": [ "pnpm", diff --git a/cli/commands/CHANGELOG.md b/cli/commands/CHANGELOG.md index 067ba0a043..89e12d8c05 100644 --- a/cli/commands/CHANGELOG.md +++ b/cli/commands/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/cli.commands +## 1100.0.9 + +### Patch Changes + +- Updated dependencies [707a879] +- Updated dependencies [81161d5] + - @pnpm/config.reader@1101.2.1 + - @pnpm/cli.parse-cli-args@1100.1.2 + ## 1100.0.8 ### Patch Changes diff --git a/cli/commands/package.json b/cli/commands/package.json index 5dc1a0d259..9794f524aa 100644 --- a/cli/commands/package.json +++ b/cli/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cli.commands", - "version": "1100.0.8", + "version": "1100.0.9", "description": "Commands for pnpm CLI", "keywords": [ "pnpm", diff --git a/cli/default-reporter/CHANGELOG.md b/cli/default-reporter/CHANGELOG.md index a971b5a208..388661e887 100644 --- a/cli/default-reporter/CHANGELOG.md +++ b/cli/default-reporter/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/default-reporter +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + ## 1100.0.9 ### Patch Changes diff --git a/cli/default-reporter/package.json b/cli/default-reporter/package.json index a53081133d..d33a2c3a0e 100644 --- a/cli/default-reporter/package.json +++ b/cli/default-reporter/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cli.default-reporter", - "version": "1100.0.9", + "version": "1100.0.10", "description": "The default reporter of pnpm", "keywords": [ "pnpm", diff --git a/cli/parse-cli-args/CHANGELOG.md b/cli/parse-cli-args/CHANGELOG.md index c6b446ff0f..f08e4b7d5a 100644 --- a/cli/parse-cli-args/CHANGELOG.md +++ b/cli/parse-cli-args/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/parse-cli-args +## 1100.1.2 + +### Patch Changes + +- 81161d5: `--pm-on-fail=ignore` (and other universal options like `--loglevel`, `--reporter`) is now honored when combined with `--help` or `--version`. Previously the CLI argument parser short-circuited those flags before universal options were preserved, so `pnpm audit --pm-on-fail=ignore --help` and `pnpm --pm-on-fail=ignore --version` reported the strict packageManager mismatch instead of running the requested action [#11487](https://github.com/pnpm/pnpm/issues/11487). + ## 1100.1.1 ### Patch Changes diff --git a/cli/parse-cli-args/package.json b/cli/parse-cli-args/package.json index c12ac69202..9be8ead15c 100644 --- a/cli/parse-cli-args/package.json +++ b/cli/parse-cli-args/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cli.parse-cli-args", - "version": "1100.1.1", + "version": "1100.1.2", "description": "Parses the CLI args passed to pnpm", "keywords": [ "pnpm", diff --git a/config/commands/CHANGELOG.md b/config/commands/CHANGELOG.md index 0f3824cef3..b51190caaf 100644 --- a/config/commands/CHANGELOG.md +++ b/config/commands/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/plugin-commands-config +## 1100.0.10 + +### Patch Changes + +- 3e2df55: `pnpm config get @:registry` now reports the same URL that `pnpm publish` and the resolvers actually use. Previously, `config get` only consulted `.npmrc`, while `publish`/install used the merged map that includes `pnpm-workspace.yaml`'s `registries` block — so the two could diverge silently and a publish could go to the wrong registry [#11492](https://github.com/pnpm/pnpm/issues/11492). +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + - @pnpm/workspace.workspace-manifest-writer@1100.0.6 + ## 1100.0.9 ### Patch Changes diff --git a/config/commands/package.json b/config/commands/package.json index 4dab01e9eb..034fd4038b 100644 --- a/config/commands/package.json +++ b/config/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/config.commands", - "version": "1100.0.9", + "version": "1100.0.10", "description": "Commands for reading and writing settings to/from config files", "keywords": [ "pnpm", diff --git a/config/reader/CHANGELOG.md b/config/reader/CHANGELOG.md index 3df7172c57..ebe1cc9abd 100644 --- a/config/reader/CHANGELOG.md +++ b/config/reader/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/config +## 1101.2.1 + +### Patch Changes + +- 707a879: Allow user-level preferences in the global `config.yaml`. The following settings can now be set in `~/.config/pnpm/config.yaml` (or via `pnpm config set --location global`) instead of being restricted to `pnpm-workspace.yaml`: `agent`, `globalVirtualStoreDir`, `initPackageManager`, `initType`, `registrySupportsTimeField`, `scriptShell`, `shellEmulator`, `sideEffectsCache`, `sideEffectsCacheReadonly`, `stateDir`, `strictDepBuilds`, `trustPolicy`, `trustPolicyExclude`, `trustPolicyIgnoreAfter`, `updateNotifier`, `useStderr`, `verifyDepsBeforeRun`, `verifyStoreIntegrity`, `virtualStoreDir`, `virtualStoreDirMaxLength` [#11474](https://github.com/pnpm/pnpm/issues/11474). + - @pnpm/hooks.pnpmfile@1100.0.6 + ## 1101.2.0 ### Minor Changes diff --git a/config/reader/package.json b/config/reader/package.json index fc31036c65..64cd6ce555 100644 --- a/config/reader/package.json +++ b/config/reader/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/config.reader", - "version": "1101.2.0", + "version": "1101.2.1", "description": "Gets configuration options for pnpm", "keywords": [ "pnpm", diff --git a/config/writer/CHANGELOG.md b/config/writer/CHANGELOG.md index 82e71b483e..3573e87530 100644 --- a/config/writer/CHANGELOG.md +++ b/config/writer/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/config.config-writer +## 1100.0.6 + +### Patch Changes + +- @pnpm/workspace.workspace-manifest-writer@1100.0.6 + ## 1100.0.5 ### Patch Changes diff --git a/config/writer/package.json b/config/writer/package.json index bbcb6e7b22..d86f2e4719 100644 --- a/config/writer/package.json +++ b/config/writer/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/config.writer", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Functions for updating the configuration settings", "keywords": [ "pnpm", diff --git a/deps/compliance/audit/CHANGELOG.md b/deps/compliance/audit/CHANGELOG.md index f4443bfccb..3b23d02c9b 100644 --- a/deps/compliance/audit/CHANGELOG.md +++ b/deps/compliance/audit/CHANGELOG.md @@ -1,5 +1,16 @@ # @pnpm/audit +## 1101.0.4 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/lockfile.detect-dep-types@1100.0.4 + - @pnpm/lockfile.walker@1100.0.4 + ## 1101.0.3 ### Patch Changes diff --git a/deps/compliance/audit/package.json b/deps/compliance/audit/package.json index f462fad5a2..49b43dfe2d 100644 --- a/deps/compliance/audit/package.json +++ b/deps/compliance/audit/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.compliance.audit", - "version": "1101.0.3", + "version": "1101.0.4", "description": "Audit a lockfile", "keywords": [ "pnpm", diff --git a/deps/compliance/commands/CHANGELOG.md b/deps/compliance/commands/CHANGELOG.md index 7b18b5b072..9dcbc592b9 100644 --- a/deps/compliance/commands/CHANGELOG.md +++ b/deps/compliance/commands/CHANGELOG.md @@ -1,5 +1,22 @@ # @pnpm/deps.compliance.commands +## 1101.1.9 + +### Patch Changes + +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/config.reader@1101.2.1 + - @pnpm/installing.commands@1100.1.10 + - @pnpm/deps.compliance.audit@1101.0.4 + - @pnpm/deps.compliance.license-scanner@1100.0.7 + - @pnpm/deps.compliance.sbom@1100.0.7 + - @pnpm/lockfile.walker@1100.0.4 + - @pnpm/config.writer@1100.0.6 + ## 1101.1.8 ### Patch Changes diff --git a/deps/compliance/commands/package.json b/deps/compliance/commands/package.json index cce576945e..c8b8991bae 100644 --- a/deps/compliance/commands/package.json +++ b/deps/compliance/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.compliance.commands", - "version": "1101.1.8", + "version": "1101.1.9", "description": "pnpm commands for audit, licenses, and sbom", "keywords": [ "pnpm", diff --git a/deps/compliance/license-scanner/CHANGELOG.md b/deps/compliance/license-scanner/CHANGELOG.md index 3e0a8061be..08c34ab0c7 100644 --- a/deps/compliance/license-scanner/CHANGELOG.md +++ b/deps/compliance/license-scanner/CHANGELOG.md @@ -1,5 +1,17 @@ # @pnpm/license-scanner +## 1100.0.7 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/store.pkg-finder@1100.0.6 + - @pnpm/lockfile.detect-dep-types@1100.0.4 + - @pnpm/lockfile.walker@1100.0.4 + ## 1100.0.6 ### Patch Changes diff --git a/deps/compliance/license-scanner/package.json b/deps/compliance/license-scanner/package.json index 9bac8bf2ea..60bf25af71 100644 --- a/deps/compliance/license-scanner/package.json +++ b/deps/compliance/license-scanner/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.compliance.license-scanner", - "version": "1100.0.6", + "version": "1100.0.7", "description": "Check for licenses packages", "keywords": [ "pnpm", diff --git a/deps/compliance/sbom/CHANGELOG.md b/deps/compliance/sbom/CHANGELOG.md index 748e94a869..406a161f86 100644 --- a/deps/compliance/sbom/CHANGELOG.md +++ b/deps/compliance/sbom/CHANGELOG.md @@ -1,5 +1,17 @@ # @pnpm/deps.compliance.sbom +## 1100.0.7 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/store.pkg-finder@1100.0.6 + - @pnpm/lockfile.detect-dep-types@1100.0.4 + - @pnpm/lockfile.walker@1100.0.4 + ## 1100.0.6 ### Patch Changes diff --git a/deps/compliance/sbom/package.json b/deps/compliance/sbom/package.json index 76d0541619..4d62d41b1d 100644 --- a/deps/compliance/sbom/package.json +++ b/deps/compliance/sbom/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.compliance.sbom", - "version": "1100.0.6", + "version": "1100.0.7", "description": "Generate SBOM from pnpm lockfile", "keywords": [ "pnpm", diff --git a/deps/graph-builder/CHANGELOG.md b/deps/graph-builder/CHANGELOG.md index b00d8a92c7..bbfb1710b5 100644 --- a/deps/graph-builder/CHANGELOG.md +++ b/deps/graph-builder/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/deps.graph-builder +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/deps.graph-hasher@1100.1.3 + - @pnpm/hooks.types@1100.0.5 + - @pnpm/store.controller-types@1100.0.5 + ## 1100.0.5 ### Patch Changes diff --git a/deps/graph-builder/package.json b/deps/graph-builder/package.json index 7e3df1ae60..ec98062d4a 100644 --- a/deps/graph-builder/package.json +++ b/deps/graph-builder/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.graph-builder", - "version": "1100.0.5", + "version": "1100.0.6", "description": "A package for building a dependency graph from a lockfile", "keywords": [ "pnpm", diff --git a/deps/graph-hasher/CHANGELOG.md b/deps/graph-hasher/CHANGELOG.md index 55b0184841..237c4da0ae 100644 --- a/deps/graph-hasher/CHANGELOG.md +++ b/deps/graph-hasher/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/calc-dep-state +## 1100.1.3 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/resolving.resolver-base@1100.1.2 + ## 1100.1.2 ### Patch Changes diff --git a/deps/graph-hasher/package.json b/deps/graph-hasher/package.json index 7a30021e85..6fef62e865 100644 --- a/deps/graph-hasher/package.json +++ b/deps/graph-hasher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.graph-hasher", - "version": "1100.1.2", + "version": "1100.1.3", "description": "Calculates the state of a dependency", "keywords": [ "pnpm", diff --git a/deps/inspection/commands/CHANGELOG.md b/deps/inspection/commands/CHANGELOG.md index f659605917..b7b4d9d73e 100644 --- a/deps/inspection/commands/CHANGELOG.md +++ b/deps/inspection/commands/CHANGELOG.md @@ -1,5 +1,22 @@ # @pnpm/deps.inspection.commands +## 1100.1.11 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/config.reader@1101.2.1 + - @pnpm/global.commands@1100.0.12 + - @pnpm/resolving.default-resolver@1100.0.10 + - @pnpm/deps.inspection.list@1100.0.6 + - @pnpm/deps.inspection.outdated@1100.0.10 + - @pnpm/deps.inspection.peers-checker@1100.0.5 + - @pnpm/resolving.npm-resolver@1101.0.2 + ## 1100.1.10 ### Patch Changes diff --git a/deps/inspection/commands/package.json b/deps/inspection/commands/package.json index b90bea9dd9..9686db94fc 100644 --- a/deps/inspection/commands/package.json +++ b/deps/inspection/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.inspection.commands", - "version": "1100.1.10", + "version": "1100.1.11", "description": "The list, ll, why, and outdated commands of pnpm", "keywords": [ "pnpm", diff --git a/deps/inspection/list/CHANGELOG.md b/deps/inspection/list/CHANGELOG.md index 2420ec799f..249508f03c 100644 --- a/deps/inspection/list/CHANGELOG.md +++ b/deps/inspection/list/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/list +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/deps.inspection.tree-builder@1100.0.5 + ## 1100.0.5 ### Patch Changes diff --git a/deps/inspection/list/package.json b/deps/inspection/list/package.json index 5c3f40ec5a..4d8fc704be 100644 --- a/deps/inspection/list/package.json +++ b/deps/inspection/list/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.inspection.list", - "version": "1100.0.5", + "version": "1100.0.6", "description": "List installed packages in a symlinked `node_modules`", "keywords": [ "pnpm", diff --git a/deps/inspection/outdated/CHANGELOG.md b/deps/inspection/outdated/CHANGELOG.md index dfd32122b9..c7f52249e3 100644 --- a/deps/inspection/outdated/CHANGELOG.md +++ b/deps/inspection/outdated/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/outdated +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/installing.client@1100.0.10 + - @pnpm/resolving.npm-resolver@1101.0.2 + ## 1100.0.9 ### Patch Changes diff --git a/deps/inspection/outdated/package.json b/deps/inspection/outdated/package.json index 925e411621..49d72f833e 100644 --- a/deps/inspection/outdated/package.json +++ b/deps/inspection/outdated/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.inspection.outdated", - "version": "1100.0.9", + "version": "1100.0.10", "description": "Check for outdated packages", "keywords": [ "pnpm", diff --git a/deps/inspection/peers-checker/CHANGELOG.md b/deps/inspection/peers-checker/CHANGELOG.md index 5b9cc3a44a..4d992fa0d8 100644 --- a/deps/inspection/peers-checker/CHANGELOG.md +++ b/deps/inspection/peers-checker/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/deps.inspection.peers-checker +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.walker@1100.0.4 + ## 1100.0.4 ### Patch Changes diff --git a/deps/inspection/peers-checker/package.json b/deps/inspection/peers-checker/package.json index 74e1e65fa3..3174e5932f 100644 --- a/deps/inspection/peers-checker/package.json +++ b/deps/inspection/peers-checker/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.inspection.peers-checker", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Check for unmet and missing peer dependency issues from the lockfile", "keywords": [ "pnpm", diff --git a/deps/inspection/tree-builder/CHANGELOG.md b/deps/inspection/tree-builder/CHANGELOG.md index d4bb6bd92e..36dec2d36e 100644 --- a/deps/inspection/tree-builder/CHANGELOG.md +++ b/deps/inspection/tree-builder/CHANGELOG.md @@ -1,5 +1,17 @@ # @pnpm/reviewing.dependencies-hierarchy +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/lockfile.detect-dep-types@1100.0.4 + - @pnpm/store.cafs@1100.1.2 + ## 1100.0.4 ### Patch Changes diff --git a/deps/inspection/tree-builder/package.json b/deps/inspection/tree-builder/package.json index 641f25a0b7..92673c9ab8 100644 --- a/deps/inspection/tree-builder/package.json +++ b/deps/inspection/tree-builder/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.inspection.tree-builder", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Creates a dependencies hierarchy for a symlinked `node_modules`", "keywords": [ "pnpm", diff --git a/deps/status/CHANGELOG.md b/deps/status/CHANGELOG.md index 10d5acde69..c1b322311c 100644 --- a/deps/status/CHANGELOG.md +++ b/deps/status/CHANGELOG.md @@ -1,5 +1,19 @@ # @pnpm/deps.status +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/config.reader@1101.2.1 + - @pnpm/installing.context@1100.0.6 + - @pnpm/lockfile.settings-checker@1100.0.6 + - @pnpm/lockfile.verification@1100.0.6 + - @pnpm/workspace.state@1100.0.9 + ## 1100.0.9 ### Patch Changes diff --git a/deps/status/package.json b/deps/status/package.json index a43d63bbba..c69284b27f 100644 --- a/deps/status/package.json +++ b/deps/status/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.status", - "version": "1100.0.9", + "version": "1100.0.10", "description": "Check dependencies status", "keywords": [ "pnpm", diff --git a/engine/pm/commands/CHANGELOG.md b/engine/pm/commands/CHANGELOG.md index ac800bd321..cb0c319b0b 100644 --- a/engine/pm/commands/CHANGELOG.md +++ b/engine/pm/commands/CHANGELOG.md @@ -1,5 +1,25 @@ # @pnpm/engine.pm.commands +## 1101.1.7 + +### Patch Changes + +- d0982fc: Fixed the `pn`, `pnpx`, and `pnx` aliases failing in Git Bash / MSYS2 on Windows when pnpm was installed via `@pnpm/exe` (or after `pnpm self-update`) [#11486](https://github.com/pnpm/pnpm/issues/11486). Running `pnpx` (or `pnx`) printed the cmd.exe banner and dropped the user into an interactive command prompt instead of running `pnpm dlx`. The `bin` field rewrite on Windows was pointing those aliases at `.cmd` files; cmd-shim's Bash shim for a `.cmd` target wraps it in `exec cmd /C ...`, and MSYS2 mangles `/C` into a Windows path before cmd.exe sees it. The aliases are now `.exe` hardlinks of the SEA binary, which detects which name it was launched as via `process.execPath` and prepends `dlx` for `pnpx` / `pnx`. +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/installing.deps-restorer@1101.0.6 + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/config.reader@1101.2.1 + - @pnpm/global.commands@1100.0.12 + - @pnpm/installing.client@1100.0.10 + - @pnpm/store.controller@1101.0.3 + - @pnpm/installing.env-installer@1101.0.5 + - @pnpm/deps.graph-hasher@1100.1.3 + - @pnpm/resolving.npm-resolver@1101.0.2 + - @pnpm/store.connection-manager@1100.0.11 + ## 1101.1.6 ### Patch Changes diff --git a/engine/pm/commands/package.json b/engine/pm/commands/package.json index cb9d0af952..203c09f36b 100644 --- a/engine/pm/commands/package.json +++ b/engine/pm/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.pm.commands", - "version": "1101.1.6", + "version": "1101.1.7", "description": "pnpm commands for self-updating and setting up pnpm", "keywords": [ "pnpm", diff --git a/engine/runtime/bun-resolver/CHANGELOG.md b/engine/runtime/bun-resolver/CHANGELOG.md index 343a105108..7d04e547bc 100644 --- a/engine/runtime/bun-resolver/CHANGELOG.md +++ b/engine/runtime/bun-resolver/CHANGELOG.md @@ -1,5 +1,16 @@ # @pnpm/resolving.bun-resolver +## 1101.0.3 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/fetching.fetcher-base@1100.1.2 + - @pnpm/resolving.npm-resolver@1101.0.2 + - @pnpm/fetching.binary-fetcher@1101.0.3 + - @pnpm/worker@1100.1.2 + ## 1101.0.2 ### Patch Changes diff --git a/engine/runtime/bun-resolver/package.json b/engine/runtime/bun-resolver/package.json index 57a8e2951d..8e4b11fae9 100644 --- a/engine/runtime/bun-resolver/package.json +++ b/engine/runtime/bun-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.runtime.bun-resolver", - "version": "1101.0.2", + "version": "1101.0.3", "description": "Resolves the Bun runtime", "keywords": [ "pnpm", diff --git a/engine/runtime/commands/CHANGELOG.md b/engine/runtime/commands/CHANGELOG.md index d7febfa8d3..614d7b8977 100644 --- a/engine/runtime/commands/CHANGELOG.md +++ b/engine/runtime/commands/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/engine.runtime.commands +## 1100.0.11 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + - @pnpm/engine.runtime.node-resolver@1101.0.5 + ## 1100.0.10 ### Patch Changes diff --git a/engine/runtime/commands/package.json b/engine/runtime/commands/package.json index 8d6bb780b0..c4e624ca17 100644 --- a/engine/runtime/commands/package.json +++ b/engine/runtime/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.runtime.commands", - "version": "1100.0.10", + "version": "1100.0.11", "description": "pnpm commands for managing runtimes", "keywords": [ "pnpm", diff --git a/engine/runtime/deno-resolver/CHANGELOG.md b/engine/runtime/deno-resolver/CHANGELOG.md index bcf41250c8..153c0203ea 100644 --- a/engine/runtime/deno-resolver/CHANGELOG.md +++ b/engine/runtime/deno-resolver/CHANGELOG.md @@ -1,5 +1,16 @@ # @pnpm/resolving.deno-resolver +## 1101.0.3 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/fetching.fetcher-base@1100.1.2 + - @pnpm/resolving.npm-resolver@1101.0.2 + - @pnpm/fetching.binary-fetcher@1101.0.3 + - @pnpm/worker@1100.1.2 + ## 1101.0.2 ### Patch Changes diff --git a/engine/runtime/deno-resolver/package.json b/engine/runtime/deno-resolver/package.json index f1dcfa05ff..4240a4b1c3 100644 --- a/engine/runtime/deno-resolver/package.json +++ b/engine/runtime/deno-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.runtime.deno-resolver", - "version": "1101.0.2", + "version": "1101.0.3", "description": "Resolves the Deno runtime", "keywords": [ "pnpm", diff --git a/engine/runtime/node-resolver/CHANGELOG.md b/engine/runtime/node-resolver/CHANGELOG.md index aad1a9a342..f3c2f7223a 100644 --- a/engine/runtime/node-resolver/CHANGELOG.md +++ b/engine/runtime/node-resolver/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/node.resolver +## 1101.0.5 + +### Patch Changes + +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/config.reader@1101.2.1 + ## 1101.0.4 ### Patch Changes diff --git a/engine/runtime/node-resolver/package.json b/engine/runtime/node-resolver/package.json index bad96fa7a0..f49b11ce3e 100644 --- a/engine/runtime/node-resolver/package.json +++ b/engine/runtime/node-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.runtime.node-resolver", - "version": "1101.0.4", + "version": "1101.0.5", "description": "Resolves a Node.js version specifier to an exact Node.js version", "keywords": [ "pnpm", diff --git a/exec/commands/CHANGELOG.md b/exec/commands/CHANGELOG.md index c8c2d47f40..90abd4174b 100644 --- a/exec/commands/CHANGELOG.md +++ b/exec/commands/CHANGELOG.md @@ -1,5 +1,20 @@ # @pnpm/plugin-commands-script-runners +## 1100.1.2 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + - @pnpm/building.commands@1100.0.12 + - @pnpm/installing.commands@1100.1.10 + - @pnpm/workspace.injected-deps-syncer@1100.0.7 + - @pnpm/installing.client@1100.0.10 + - @pnpm/deps.status@1100.0.10 + - @pnpm/engine.runtime.commands@1100.0.11 + - @pnpm/exec.lifecycle@1100.0.6 + - @pnpm/crypto.hash@1100.0.1 + ## 1100.1.1 ### Patch Changes diff --git a/exec/commands/package.json b/exec/commands/package.json index e3e75a3c3f..fa4ee5a28c 100644 --- a/exec/commands/package.json +++ b/exec/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/exec.commands", - "version": "1100.1.1", + "version": "1100.1.2", "description": "Commands for running scripts", "keywords": [ "pnpm", diff --git a/exec/lifecycle/CHANGELOG.md b/exec/lifecycle/CHANGELOG.md index 52e9c7e069..f7e3a4e412 100644 --- a/exec/lifecycle/CHANGELOG.md +++ b/exec/lifecycle/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/lifecycle +## 1100.0.6 + +### Patch Changes + +- @pnpm/fetching.directory-fetcher@1100.0.6 +- @pnpm/store.controller-types@1100.0.5 + ## 1100.0.5 ### Patch Changes diff --git a/exec/lifecycle/package.json b/exec/lifecycle/package.json index a55dc84c0d..d692fff8e7 100644 --- a/exec/lifecycle/package.json +++ b/exec/lifecycle/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/exec.lifecycle", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Package lifecycle hook runner", "keywords": [ "pnpm", diff --git a/exec/prepare-package/CHANGELOG.md b/exec/prepare-package/CHANGELOG.md index 16163e91bc..cf17eaa482 100644 --- a/exec/prepare-package/CHANGELOG.md +++ b/exec/prepare-package/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/prepare-package +## 1100.0.6 + +### Patch Changes + +- @pnpm/exec.lifecycle@1100.0.6 + ## 1100.0.5 ### Patch Changes diff --git a/exec/prepare-package/package.json b/exec/prepare-package/package.json index 58a2eea09e..2de55f746f 100644 --- a/exec/prepare-package/package.json +++ b/exec/prepare-package/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/exec.prepare-package", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Prepares a Git-hosted package", "keywords": [ "pnpm", diff --git a/fetching/binary-fetcher/CHANGELOG.md b/fetching/binary-fetcher/CHANGELOG.md index 77946cf0fd..fc776a7088 100644 --- a/fetching/binary-fetcher/CHANGELOG.md +++ b/fetching/binary-fetcher/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/fetching.binary-fetcher +## 1101.0.3 + +### Patch Changes + +- @pnpm/fetching.fetcher-base@1100.1.2 +- @pnpm/worker@1100.1.2 + ## 1101.0.2 ### Patch Changes diff --git a/fetching/binary-fetcher/package.json b/fetching/binary-fetcher/package.json index 24d8508677..d8fc42a4c3 100644 --- a/fetching/binary-fetcher/package.json +++ b/fetching/binary-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.binary-fetcher", - "version": "1101.0.2", + "version": "1101.0.3", "description": "A fetcher for binary archives", "keywords": [ "pnpm", diff --git a/fetching/directory-fetcher/CHANGELOG.md b/fetching/directory-fetcher/CHANGELOG.md index 2e92b2b705..76f3fbcf87 100644 --- a/fetching/directory-fetcher/CHANGELOG.md +++ b/fetching/directory-fetcher/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/directory-fetcher +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/fetching.fetcher-base@1100.1.2 + ## 1100.0.5 ### Patch Changes diff --git a/fetching/directory-fetcher/package.json b/fetching/directory-fetcher/package.json index b1ef43af6b..03c49acaa4 100644 --- a/fetching/directory-fetcher/package.json +++ b/fetching/directory-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.directory-fetcher", - "version": "1100.0.5", + "version": "1100.0.6", "description": "A fetcher for local directory packages", "keywords": [ "pnpm", diff --git a/fetching/fetcher-base/CHANGELOG.md b/fetching/fetcher-base/CHANGELOG.md index 1d6cda9fa9..c8be3cf2ad 100644 --- a/fetching/fetcher-base/CHANGELOG.md +++ b/fetching/fetcher-base/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/fetcher-base +## 1100.1.2 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + ## 1100.1.1 ### Patch Changes diff --git a/fetching/fetcher-base/package.json b/fetching/fetcher-base/package.json index 578f48a48d..1d1873da91 100644 --- a/fetching/fetcher-base/package.json +++ b/fetching/fetcher-base/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.fetcher-base", - "version": "1100.1.1", + "version": "1100.1.2", "description": "Types for pnpm-compatible fetchers", "keywords": [ "pnpm", diff --git a/fetching/git-fetcher/CHANGELOG.md b/fetching/git-fetcher/CHANGELOG.md index 287e899786..7beb3a1539 100644 --- a/fetching/git-fetcher/CHANGELOG.md +++ b/fetching/git-fetcher/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/git-fetcher +## 1101.0.2 + +### Patch Changes + +- @pnpm/fetching.fetcher-base@1100.1.2 +- @pnpm/exec.prepare-package@1100.0.6 +- @pnpm/worker@1100.1.2 + ## 1101.0.1 ### Patch Changes diff --git a/fetching/git-fetcher/package.json b/fetching/git-fetcher/package.json index 5dee542910..d59e2d2dcd 100644 --- a/fetching/git-fetcher/package.json +++ b/fetching/git-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.git-fetcher", - "version": "1101.0.1", + "version": "1101.0.2", "description": "A fetcher for git-hosted packages", "keywords": [ "pnpm", diff --git a/fetching/pick-fetcher/CHANGELOG.md b/fetching/pick-fetcher/CHANGELOG.md index 6957914e00..3ac50e702d 100644 --- a/fetching/pick-fetcher/CHANGELOG.md +++ b/fetching/pick-fetcher/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/pick-fetcher +## 1100.0.5 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/hooks.types@1100.0.5 + - @pnpm/fetching.fetcher-base@1100.1.2 + ## 1100.0.4 ### Patch Changes diff --git a/fetching/pick-fetcher/package.json b/fetching/pick-fetcher/package.json index df9712e201..7653c173b9 100644 --- a/fetching/pick-fetcher/package.json +++ b/fetching/pick-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.pick-fetcher", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Pick a package fetcher by type", "keywords": [ "pnpm", diff --git a/fetching/tarball-fetcher/CHANGELOG.md b/fetching/tarball-fetcher/CHANGELOG.md index 4e6dbe1eba..cf7155edd3 100644 --- a/fetching/tarball-fetcher/CHANGELOG.md +++ b/fetching/tarball-fetcher/CHANGELOG.md @@ -1,5 +1,17 @@ # @pnpm/tarball-fetcher +## 1101.0.2 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + + - @pnpm/fetching.fetcher-base@1100.1.2 + - @pnpm/exec.prepare-package@1100.0.6 + - @pnpm/worker@1100.1.2 + ## 1101.0.1 ### Patch Changes diff --git a/fetching/tarball-fetcher/package.json b/fetching/tarball-fetcher/package.json index e6982370bc..d0e46d9c50 100644 --- a/fetching/tarball-fetcher/package.json +++ b/fetching/tarball-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.tarball-fetcher", - "version": "1101.0.1", + "version": "1101.0.2", "description": "Fetcher for packages hosted as tarballs", "keywords": [ "pnpm", diff --git a/fs/indexed-pkg-importer/CHANGELOG.md b/fs/indexed-pkg-importer/CHANGELOG.md index aa8fc4ca22..409d1f3278 100644 --- a/fs/indexed-pkg-importer/CHANGELOG.md +++ b/fs/indexed-pkg-importer/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/fs.indexed-pkg-importer +## 1100.0.5 + +### Patch Changes + +- @pnpm/store.controller-types@1100.0.5 + ## 1100.0.4 ### Patch Changes diff --git a/fs/indexed-pkg-importer/package.json b/fs/indexed-pkg-importer/package.json index 016b069b3b..7feb761b1b 100644 --- a/fs/indexed-pkg-importer/package.json +++ b/fs/indexed-pkg-importer/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fs.indexed-pkg-importer", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Replicates indexed directories using hard links, copies, or cloning", "keywords": [ "pnpm", diff --git a/global/commands/CHANGELOG.md b/global/commands/CHANGELOG.md index bae7e40401..6becf6739a 100644 --- a/global/commands/CHANGELOG.md +++ b/global/commands/CHANGELOG.md @@ -1,5 +1,17 @@ # @pnpm/global.commands +## 1100.0.12 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/installing.deps-installer@1101.0.7 + - @pnpm/config.reader@1101.2.1 + - @pnpm/deps.inspection.list@1100.0.6 + - @pnpm/store.connection-manager@1100.0.11 + ## 1100.0.11 ### Patch Changes diff --git a/global/commands/package.json b/global/commands/package.json index 36affcc4e1..4120de3a58 100644 --- a/global/commands/package.json +++ b/global/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/global.commands", - "version": "1100.0.11", + "version": "1100.0.12", "description": "Global package command handlers for pnpm", "keywords": [ "pnpm", diff --git a/hooks/pnpmfile/CHANGELOG.md b/hooks/pnpmfile/CHANGELOG.md index 178453d82c..27e924e1be 100644 --- a/hooks/pnpmfile/CHANGELOG.md +++ b/hooks/pnpmfile/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/pnpmfile +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/hooks.types@1100.0.5 + - @pnpm/store.controller-types@1100.0.5 + - @pnpm/crypto.hash@1100.0.1 + ## 1100.0.5 ### Patch Changes diff --git a/hooks/pnpmfile/package.json b/hooks/pnpmfile/package.json index 7506c626ba..746fde82a4 100644 --- a/hooks/pnpmfile/package.json +++ b/hooks/pnpmfile/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/hooks.pnpmfile", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Reading a .pnpmfile.cjs", "keywords": [ "pnpm", diff --git a/hooks/types/CHANGELOG.md b/hooks/types/CHANGELOG.md index 34c080d583..c06e008e45 100644 --- a/hooks/types/CHANGELOG.md +++ b/hooks/types/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/hooks.types +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/fetching.fetcher-base@1100.1.2 + ## 1100.0.4 ### Patch Changes diff --git a/hooks/types/package.json b/hooks/types/package.json index 2890ee52d4..a7a0e14200 100644 --- a/hooks/types/package.json +++ b/hooks/types/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/hooks.types", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Types for hooks", "keywords": [ "pnpm", diff --git a/installing/client/CHANGELOG.md b/installing/client/CHANGELOG.md index 2191f1c938..ebd1ea449c 100644 --- a/installing/client/CHANGELOG.md +++ b/installing/client/CHANGELOG.md @@ -1,5 +1,19 @@ # @pnpm/client +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/fetching.tarball-fetcher@1101.0.2 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/resolving.default-resolver@1100.0.10 + - @pnpm/hooks.types@1100.0.5 + - @pnpm/engine.runtime.node-resolver@1101.0.5 + - @pnpm/fetching.directory-fetcher@1100.0.6 + - @pnpm/fetching.binary-fetcher@1101.0.3 + - @pnpm/fetching.git-fetcher@1101.0.2 + ## 1100.0.9 ### Patch Changes diff --git a/installing/client/package.json b/installing/client/package.json index 335d3e7d40..7dd03a5391 100644 --- a/installing/client/package.json +++ b/installing/client/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.client", - "version": "1100.0.9", + "version": "1100.0.10", "description": "Creates the package resolve and fetch functions", "keywords": [ "pnpm", diff --git a/installing/commands/CHANGELOG.md b/installing/commands/CHANGELOG.md index c4b5331922..cfc5667b1e 100644 --- a/installing/commands/CHANGELOG.md +++ b/installing/commands/CHANGELOG.md @@ -1,5 +1,32 @@ # @pnpm/plugin-commands-installation +## 1100.1.10 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/installing.deps-installer@1101.0.7 + - @pnpm/building.after-install@1101.0.7 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/config.reader@1101.2.1 + - @pnpm/installing.context@1100.0.6 + - @pnpm/global.commands@1100.0.12 + - @pnpm/store.controller@1101.0.3 + - @pnpm/deps.inspection.outdated@1100.0.10 + - @pnpm/deps.status@1100.0.10 + - @pnpm/installing.env-installer@1101.0.5 + - @pnpm/hooks.pnpmfile@1100.0.6 + - @pnpm/installing.dedupe.check@1100.0.4 + - @pnpm/workspace.workspace-manifest-writer@1100.0.6 + - @pnpm/store.connection-manager@1100.0.11 + - @pnpm/workspace.state@1100.0.9 + - @pnpm/config.writer@1100.0.6 + - @pnpm/workspace.projects-graph@1100.0.5 + - @pnpm/workspace.projects-filter@1100.0.8 + ## 1100.1.9 ### Patch Changes diff --git a/installing/commands/package.json b/installing/commands/package.json index 8160e4a1a5..60bc996b3d 100644 --- a/installing/commands/package.json +++ b/installing/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.commands", - "version": "1100.1.9", + "version": "1100.1.10", "description": "Commands for installation", "keywords": [ "pnpm", diff --git a/installing/context/CHANGELOG.md b/installing/context/CHANGELOG.md index 6898fb9bcf..e25a9e9ee5 100644 --- a/installing/context/CHANGELOG.md +++ b/installing/context/CHANGELOG.md @@ -1,5 +1,17 @@ # @pnpm/get-context +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/installing.read-projects-context@1100.0.6 + - @pnpm/store.controller@1101.0.3 + ## 1100.0.5 ### Patch Changes diff --git a/installing/context/package.json b/installing/context/package.json index 90aa688229..caeedae6d9 100644 --- a/installing/context/package.json +++ b/installing/context/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.context", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Gets context information about a project", "keywords": [ "pnpm", diff --git a/installing/dedupe/check/CHANGELOG.md b/installing/dedupe/check/CHANGELOG.md index 4a29caf89c..17343a3376 100644 --- a/installing/dedupe/check/CHANGELOG.md +++ b/installing/dedupe/check/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/dedupe.check +## 1100.0.4 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + ## 1100.0.3 ### Patch Changes diff --git a/installing/dedupe/check/package.json b/installing/dedupe/check/package.json index 02ba5a9d66..52b189c700 100644 --- a/installing/dedupe/check/package.json +++ b/installing/dedupe/check/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.dedupe.check", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Visualize pnpm dedupe --check issues.", "keywords": [ "pnpm", diff --git a/installing/deps-installer/CHANGELOG.md b/installing/deps-installer/CHANGELOG.md index b1b41afa1b..02598c8d41 100644 --- a/installing/deps-installer/CHANGELOG.md +++ b/installing/deps-installer/CHANGELOG.md @@ -1,5 +1,43 @@ # @pnpm/core +## 1101.0.7 + +### Patch Changes + +- 12313f1: Fix `pnpm install` recreating `node_modules` after `pnpm fetch`. `pnpm fetch` records empty `hoistPattern` and `publicHoistPattern` in `.modules.yaml`; since v11 removed the explicit-config gate, the follow-up install treated those as a hoist-pattern change and purged the modules directory. The fetch step now flags the modules manifest with `virtualStoreOnly: true` so the next install skips the hoist-pattern comparison and completes the missing post-import linking in place [#11488](https://github.com/pnpm/pnpm/issues/11488). +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/installing.deps-restorer@1101.0.6 + - @pnpm/building.after-install@1101.0.7 + - @pnpm/installing.package-requester@1101.0.3 + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/installing.context@1100.0.6 + - @pnpm/installing.deps-resolver@1100.0.6 + - @pnpm/lockfile.to-pnp@1100.0.5 + - @pnpm/agent.client@1.0.2 + - @pnpm/deps.graph-hasher@1100.1.3 + - @pnpm/hooks.types@1100.0.5 + - @pnpm/installing.linking.modules-cleaner@1100.0.6 + - @pnpm/lockfile.filtering@1100.0.6 + - @pnpm/lockfile.pruner@1100.0.4 + - @pnpm/lockfile.settings-checker@1100.0.6 + - @pnpm/lockfile.verification@1100.0.6 + - @pnpm/lockfile.walker@1100.0.4 + - @pnpm/lockfile.preferred-versions@1100.0.6 + - @pnpm/store.controller-types@1100.0.5 + - @pnpm/building.during-install@1101.0.5 + - @pnpm/exec.lifecycle@1100.0.6 + - @pnpm/crypto.hash@1100.0.1 + - @pnpm/fs.symlink-dependency@1100.0.2 + - @pnpm/worker@1100.1.2 + ## 1101.0.6 ### Patch Changes diff --git a/installing/deps-installer/package.json b/installing/deps-installer/package.json index 601566ddb8..d33baa5492 100644 --- a/installing/deps-installer/package.json +++ b/installing/deps-installer/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.deps-installer", - "version": "1101.0.6", + "version": "1101.0.7", "description": "Fast, disk space efficient installation engine", "keywords": [ "pnpm", diff --git a/installing/deps-resolver/CHANGELOG.md b/installing/deps-resolver/CHANGELOG.md index f6dd742d21..da9e396b9c 100644 --- a/installing/deps-resolver/CHANGELOG.md +++ b/installing/deps-resolver/CHANGELOG.md @@ -1,5 +1,21 @@ # @pnpm/resolve-dependencies +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/fetching.pick-fetcher@1100.0.5 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/deps.graph-hasher@1100.1.3 + - @pnpm/hooks.types@1100.0.5 + - @pnpm/lockfile.pruner@1100.0.4 + - @pnpm/lockfile.preferred-versions@1100.0.6 + - @pnpm/resolving.npm-resolver@1101.0.2 + - @pnpm/store.controller-types@1100.0.5 + ## 1100.0.5 ### Patch Changes diff --git a/installing/deps-resolver/package.json b/installing/deps-resolver/package.json index 441dc820e9..c4e8b5d746 100644 --- a/installing/deps-resolver/package.json +++ b/installing/deps-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.deps-resolver", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Resolves dependency graph of a package", "keywords": [ "pnpm", diff --git a/installing/deps-restorer/CHANGELOG.md b/installing/deps-restorer/CHANGELOG.md index 8e7e409691..d0a7ba3bc2 100644 --- a/installing/deps-restorer/CHANGELOG.md +++ b/installing/deps-restorer/CHANGELOG.md @@ -1,5 +1,28 @@ # @pnpm/headless +## 1101.0.6 + +### Patch Changes + +- 12313f1: Fix `pnpm install` recreating `node_modules` after `pnpm fetch`. `pnpm fetch` records empty `hoistPattern` and `publicHoistPattern` in `.modules.yaml`; since v11 removed the explicit-config gate, the follow-up install treated those as a hoist-pattern change and purged the modules directory. The fetch step now flags the modules manifest with `virtualStoreOnly: true` so the next install skips the hoist-pattern comparison and completes the missing post-import linking in place [#11488](https://github.com/pnpm/pnpm/issues/11488). +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/installing.package-requester@1101.0.3 + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/deps.graph-builder@1100.0.6 + - @pnpm/installing.linking.real-hoist@1100.0.5 + - @pnpm/lockfile.to-pnp@1100.0.5 + - @pnpm/deps.graph-hasher@1100.1.3 + - @pnpm/installing.linking.modules-cleaner@1100.0.6 + - @pnpm/lockfile.filtering@1100.0.6 + - @pnpm/store.controller-types@1100.0.5 + - @pnpm/building.during-install@1101.0.5 + - @pnpm/exec.lifecycle@1100.0.6 + - @pnpm/fs.symlink-dependency@1100.0.2 + - @pnpm/worker@1100.1.2 + ## 1101.0.5 ### Patch Changes diff --git a/installing/deps-restorer/package.json b/installing/deps-restorer/package.json index 7ed59922e5..5fa367df60 100644 --- a/installing/deps-restorer/package.json +++ b/installing/deps-restorer/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.deps-restorer", - "version": "1101.0.5", + "version": "1101.0.6", "description": "Fast installation using only pnpm-lock.yaml", "keywords": [ "pnpm", diff --git a/installing/env-installer/CHANGELOG.md b/installing/env-installer/CHANGELOG.md index 2341b469bb..89cb587f0f 100644 --- a/installing/env-installer/CHANGELOG.md +++ b/installing/env-installer/CHANGELOG.md @@ -1,5 +1,22 @@ # @pnpm/config.deps-installer +## 1101.0.5 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/installing.deps-resolver@1100.0.6 + - @pnpm/store.controller@1101.0.3 + - @pnpm/deps.graph-hasher@1100.1.3 + - @pnpm/lockfile.pruner@1100.0.4 + - @pnpm/resolving.npm-resolver@1101.0.2 + - @pnpm/store.controller-types@1100.0.5 + - @pnpm/config.writer@1100.0.6 + - @pnpm/worker@1100.1.2 + ## 1101.0.4 ### Patch Changes diff --git a/installing/env-installer/package.json b/installing/env-installer/package.json index 533b24dbd6..8e0569fbfc 100644 --- a/installing/env-installer/package.json +++ b/installing/env-installer/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.env-installer", - "version": "1101.0.4", + "version": "1101.0.5", "description": "Installer for configurational dependencies", "keywords": [ "pnpm", diff --git a/installing/linking/modules-cleaner/CHANGELOG.md b/installing/linking/modules-cleaner/CHANGELOG.md index a9256d7654..e5a0146a3c 100644 --- a/installing/linking/modules-cleaner/CHANGELOG.md +++ b/installing/linking/modules-cleaner/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/modules-cleaner +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/lockfile.filtering@1100.0.6 + - @pnpm/store.controller-types@1100.0.5 + ## 1100.0.5 ### Patch Changes diff --git a/installing/linking/modules-cleaner/package.json b/installing/linking/modules-cleaner/package.json index c27027a1f9..1ad963cf73 100644 --- a/installing/linking/modules-cleaner/package.json +++ b/installing/linking/modules-cleaner/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.linking.modules-cleaner", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Exports util functions to clean up node_modules", "keywords": [ "pnpm", diff --git a/installing/linking/real-hoist/CHANGELOG.md b/installing/linking/real-hoist/CHANGELOG.md index c250223c62..6595ef6993 100644 --- a/installing/linking/real-hoist/CHANGELOG.md +++ b/installing/linking/real-hoist/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/real-hoist +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.utils@1100.0.5 + ## 1100.0.4 ### Patch Changes diff --git a/installing/linking/real-hoist/package.json b/installing/linking/real-hoist/package.json index a838dd0745..390292ef05 100644 --- a/installing/linking/real-hoist/package.json +++ b/installing/linking/real-hoist/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.linking.real-hoist", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Hoists dependencies in a node_modules created by pnpm", "keywords": [ "pnpm", diff --git a/installing/modules-yaml/CHANGELOG.md b/installing/modules-yaml/CHANGELOG.md index df8791d08d..c226725ce8 100644 --- a/installing/modules-yaml/CHANGELOG.md +++ b/installing/modules-yaml/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/modules-yaml +## 1100.0.3 + +### Patch Changes + +- 12313f1: Fix `pnpm install` recreating `node_modules` after `pnpm fetch`. `pnpm fetch` records empty `hoistPattern` and `publicHoistPattern` in `.modules.yaml`; since v11 removed the explicit-config gate, the follow-up install treated those as a hoist-pattern change and purged the modules directory. The fetch step now flags the modules manifest with `virtualStoreOnly: true` so the next install skips the hoist-pattern comparison and completes the missing post-import linking in place [#11488](https://github.com/pnpm/pnpm/issues/11488). + ## 1100.0.2 ### Patch Changes diff --git a/installing/modules-yaml/package.json b/installing/modules-yaml/package.json index d09801f318..bf0ddc0d3e 100644 --- a/installing/modules-yaml/package.json +++ b/installing/modules-yaml/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.modules-yaml", - "version": "1100.0.2", + "version": "1100.0.3", "description": "Reads/writes `node_modules/.modules.yaml`", "keywords": [ "pnpm", diff --git a/installing/package-requester/CHANGELOG.md b/installing/package-requester/CHANGELOG.md index 824f653530..7273cae0ee 100644 --- a/installing/package-requester/CHANGELOG.md +++ b/installing/package-requester/CHANGELOG.md @@ -1,5 +1,22 @@ # @pnpm/package-requester +## 1101.0.3 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [27425d7] + - @pnpm/fetching.pick-fetcher@1100.0.5 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/hooks.types@1100.0.5 + - @pnpm/fetching.fetcher-base@1100.1.2 + - @pnpm/store.controller-types@1100.0.5 + - @pnpm/store.cafs@1100.1.2 + - @pnpm/worker@1100.1.2 + ## 1101.0.2 ### Patch Changes diff --git a/installing/package-requester/package.json b/installing/package-requester/package.json index c203f90eaf..e3e97dc8b4 100644 --- a/installing/package-requester/package.json +++ b/installing/package-requester/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.package-requester", - "version": "1101.0.2", + "version": "1101.0.3", "description": "Concurrent downloader of npm-compatible packages", "keywords": [ "pnpm", diff --git a/installing/read-projects-context/CHANGELOG.md b/installing/read-projects-context/CHANGELOG.md index e2c89f861f..3bdfa1d75b 100644 --- a/installing/read-projects-context/CHANGELOG.md +++ b/installing/read-projects-context/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/read-projects-context +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/lockfile.fs@1100.0.5 + ## 1100.0.5 ### Patch Changes diff --git a/installing/read-projects-context/package.json b/installing/read-projects-context/package.json index f0cfce0edb..e2e133e1cc 100644 --- a/installing/read-projects-context/package.json +++ b/installing/read-projects-context/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.read-projects-context", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Reads the current state of projects from modules manifest", "keywords": [ "pnpm", diff --git a/lockfile/detect-dep-types/CHANGELOG.md b/lockfile/detect-dep-types/CHANGELOG.md index a50351f83f..26201dd821 100644 --- a/lockfile/detect-dep-types/CHANGELOG.md +++ b/lockfile/detect-dep-types/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/lockfile.detect-dep-types +## 1100.0.4 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + ## 1100.0.3 ### Patch Changes diff --git a/lockfile/detect-dep-types/package.json b/lockfile/detect-dep-types/package.json index 080050f5d9..8ae409593c 100644 --- a/lockfile/detect-dep-types/package.json +++ b/lockfile/detect-dep-types/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.detect-dep-types", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Detect the types of dependencies", "keywords": [ "pnpm", diff --git a/lockfile/filtering/CHANGELOG.md b/lockfile/filtering/CHANGELOG.md index d7ea6f6172..36d34c5681 100644 --- a/lockfile/filtering/CHANGELOG.md +++ b/lockfile/filtering/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/filter-lockfile +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/lockfile.walker@1100.0.4 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/filtering/package.json b/lockfile/filtering/package.json index c95ef3b3ed..0acb13c81c 100644 --- a/lockfile/filtering/package.json +++ b/lockfile/filtering/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.filtering", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Filters a lockfile", "keywords": [ "pnpm", diff --git a/lockfile/fs/CHANGELOG.md b/lockfile/fs/CHANGELOG.md index 2fc51058da..461657e0b1 100644 --- a/lockfile/fs/CHANGELOG.md +++ b/lockfile/fs/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/lockfile-file +## 1100.0.5 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/lockfile.merger@1100.0.4 + ## 1100.0.4 ### Patch Changes diff --git a/lockfile/fs/package.json b/lockfile/fs/package.json index 46e63769f4..6614ab4179 100644 --- a/lockfile/fs/package.json +++ b/lockfile/fs/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.fs", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Read/write pnpm-lock.yaml files", "keywords": [ "pnpm", diff --git a/lockfile/make-dedicated-lockfile/CHANGELOG.md b/lockfile/make-dedicated-lockfile/CHANGELOG.md index 88de7fbd13..8248ec88b6 100644 --- a/lockfile/make-dedicated-lockfile/CHANGELOG.md +++ b/lockfile/make-dedicated-lockfile/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/make-dedicated-lockfile +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.pruner@1100.0.4 + - @pnpm/releasing.exportable-manifest@1100.0.3 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/make-dedicated-lockfile/package.json b/lockfile/make-dedicated-lockfile/package.json index ca5462ac66..9fee82451b 100644 --- a/lockfile/make-dedicated-lockfile/package.json +++ b/lockfile/make-dedicated-lockfile/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.make-dedicated-lockfile", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Creates a dedicated lockfile for a subset of workspace projects", "keywords": [ "pnpm", diff --git a/lockfile/merger/CHANGELOG.md b/lockfile/merger/CHANGELOG.md index 9cee4e3e75..43ae3e4217 100644 --- a/lockfile/merger/CHANGELOG.md +++ b/lockfile/merger/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/merge-lockfile-changes +## 1100.0.4 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + ## 1100.0.3 ### Patch Changes diff --git a/lockfile/merger/package.json b/lockfile/merger/package.json index f497478d3d..66747f4329 100644 --- a/lockfile/merger/package.json +++ b/lockfile/merger/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.merger", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Merges lockfiles. Can automatically fix merge conflicts", "keywords": [ "pnpm", diff --git a/lockfile/preferred-versions/CHANGELOG.md b/lockfile/preferred-versions/CHANGELOG.md index ae0d9596cc..879c9c7734 100644 --- a/lockfile/preferred-versions/CHANGELOG.md +++ b/lockfile/preferred-versions/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/lockfile.preferred-versions +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/resolving.resolver-base@1100.1.2 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/preferred-versions/package.json b/lockfile/preferred-versions/package.json index abd471efca..88bdbb2043 100644 --- a/lockfile/preferred-versions/package.json +++ b/lockfile/preferred-versions/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.preferred-versions", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Get preferred version from lockfile", "keywords": [ "pnpm", diff --git a/lockfile/pruner/CHANGELOG.md b/lockfile/pruner/CHANGELOG.md index f8ab493fc2..5f84d366b0 100644 --- a/lockfile/pruner/CHANGELOG.md +++ b/lockfile/pruner/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/prune-lockfile +## 1100.0.4 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + ## 1100.0.3 ### Patch Changes diff --git a/lockfile/pruner/package.json b/lockfile/pruner/package.json index d7389d2423..8cefbfec10 100644 --- a/lockfile/pruner/package.json +++ b/lockfile/pruner/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.pruner", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Prune a pnpm-lock.yaml", "keywords": [ "pnpm", diff --git a/lockfile/settings-checker/CHANGELOG.md b/lockfile/settings-checker/CHANGELOG.md index 6c867d7134..ebba5e2ac7 100644 --- a/lockfile/settings-checker/CHANGELOG.md +++ b/lockfile/settings-checker/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/lockfile.settings-checker +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.verification@1100.0.6 + - @pnpm/crypto.hash@1100.0.1 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/settings-checker/package.json b/lockfile/settings-checker/package.json index a6bd895fe2..920e229008 100644 --- a/lockfile/settings-checker/package.json +++ b/lockfile/settings-checker/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.settings-checker", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Utilities to check if lockfile settings are out-of-date", "keywords": [ "pnpm", diff --git a/lockfile/to-pnp/CHANGELOG.md b/lockfile/to-pnp/CHANGELOG.md index 5e044d4658..e3f7c19be8 100644 --- a/lockfile/to-pnp/CHANGELOG.md +++ b/lockfile/to-pnp/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/lockfile-to-pnp +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.utils@1100.0.5 + ## 1100.0.4 ### Patch Changes diff --git a/lockfile/to-pnp/package.json b/lockfile/to-pnp/package.json index 17df815495..2668942bb8 100644 --- a/lockfile/to-pnp/package.json +++ b/lockfile/to-pnp/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.to-pnp", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Creates a Plug'n'Play file from a pnpm-lock.yaml", "keywords": [ "pnpm", diff --git a/lockfile/types/CHANGELOG.md b/lockfile/types/CHANGELOG.md index fca15b70dd..0bde4a06ef 100644 --- a/lockfile/types/CHANGELOG.md +++ b/lockfile/types/CHANGELOG.md @@ -1,5 +1,16 @@ # @pnpm/lockfile-types +## 1100.0.4 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + ## 1100.0.3 ### Patch Changes diff --git a/lockfile/types/package.json b/lockfile/types/package.json index 053bba59da..b99ff5c46a 100644 --- a/lockfile/types/package.json +++ b/lockfile/types/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.types", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Types for the pnpm-lock.yaml lockfile", "keywords": [ "pnpm", diff --git a/lockfile/utils/CHANGELOG.md b/lockfile/utils/CHANGELOG.md index 9e02ce4f7b..2c6cf4715d 100644 --- a/lockfile/utils/CHANGELOG.md +++ b/lockfile/utils/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/lockfile-utils +## 1100.0.5 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/hooks.types@1100.0.5 + ## 1100.0.4 ### Patch Changes diff --git a/lockfile/utils/package.json b/lockfile/utils/package.json index efcc91d092..00819bb752 100644 --- a/lockfile/utils/package.json +++ b/lockfile/utils/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.utils", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Utils for dealing with pnpm-lock.yaml", "keywords": [ "pnpm", diff --git a/lockfile/verification/CHANGELOG.md b/lockfile/verification/CHANGELOG.md index 94dd5ad1cc..af589fa8d3 100644 --- a/lockfile/verification/CHANGELOG.md +++ b/lockfile/verification/CHANGELOG.md @@ -1,5 +1,16 @@ # @pnpm/lockfile.verification +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/installing.context@1100.0.6 + - @pnpm/crypto.hash@1100.0.1 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/verification/package.json b/lockfile/verification/package.json index 23e28e5867..f8bd88957e 100644 --- a/lockfile/verification/package.json +++ b/lockfile/verification/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.verification", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Checks a lockfile", "keywords": [ "pnpm", diff --git a/lockfile/walker/CHANGELOG.md b/lockfile/walker/CHANGELOG.md index 941d687eca..ab5902ec27 100644 --- a/lockfile/walker/CHANGELOG.md +++ b/lockfile/walker/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/lockfile-walker +## 1100.0.4 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + ## 1100.0.3 ### Patch Changes diff --git a/lockfile/walker/package.json b/lockfile/walker/package.json index 0ea70245e5..05e50301a9 100644 --- a/lockfile/walker/package.json +++ b/lockfile/walker/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.walker", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Walk over all the dependencies in a lockfile", "keywords": [ "pnpm", diff --git a/modules-mounter/daemon/CHANGELOG.md b/modules-mounter/daemon/CHANGELOG.md index 96ee9bfc82..360bff8695 100644 --- a/modules-mounter/daemon/CHANGELOG.md +++ b/modules-mounter/daemon/CHANGELOG.md @@ -1,5 +1,20 @@ # @pnpm/mount-modules +## 1100.0.9 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/config.reader@1101.2.1 + - @pnpm/store.cafs@1100.1.2 + ## 1100.0.8 ### Patch Changes diff --git a/modules-mounter/daemon/package.json b/modules-mounter/daemon/package.json index c183632400..bc2b9ec22d 100644 --- a/modules-mounter/daemon/package.json +++ b/modules-mounter/daemon/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/modules-mounter.daemon", - "version": "1100.0.8", + "version": "1100.0.9", "description": "Mounts a node_modules directory with FUSE", "keywords": [ "pnpm", diff --git a/patching/commands/CHANGELOG.md b/patching/commands/CHANGELOG.md index 81b4fac145..0fa7cd9d19 100644 --- a/patching/commands/CHANGELOG.md +++ b/patching/commands/CHANGELOG.md @@ -1,5 +1,23 @@ # @pnpm/plugin-commands-patching +## 1100.0.12 + +### Patch Changes + +- Updated dependencies [12313f1] +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/fetching.pick-fetcher@1100.0.5 + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/config.reader@1101.2.1 + - @pnpm/installing.commands@1100.1.10 + - @pnpm/store.connection-manager@1100.0.11 + - @pnpm/config.writer@1100.0.6 + - @pnpm/crypto.hash@1100.0.1 + - @pnpm/patching.apply-patch@1100.0.0 + ## 1100.0.11 ### Patch Changes diff --git a/patching/commands/package.json b/patching/commands/package.json index a82990531a..98f15c0a1e 100644 --- a/patching/commands/package.json +++ b/patching/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/patching.commands", - "version": "1100.0.11", + "version": "1100.0.12", "description": "Commands for creating patches", "keywords": [ "pnpm", diff --git a/pnpm/CHANGELOG.md b/pnpm/CHANGELOG.md index e151ffa2e2..9b9ceb061b 100644 --- a/pnpm/CHANGELOG.md +++ b/pnpm/CHANGELOG.md @@ -1,5 +1,31 @@ # pnpm +## 11.0.7 + +### Patch Changes + +- Restore the execute bit on the `node-gyp` shims packed inside `@pnpm/exe` (`dist/node-gyp-bin/node-gyp`, `dist/node-gyp-bin/node-gyp.cmd`, and `dist/node_modules/node-gyp/bin/node-gyp.js`). Without this, `pnpm/action-setup`'s standalone path (used on runners with Node.js < 22.13) failed any install whose lifecycle script invoked `node-gyp rebuild` with `sh: 1: node-gyp: Permission denied` [#11483](https://github.com/pnpm/pnpm/issues/11483). +- Fixed the `pn`, `pnpx`, and `pnx` aliases failing in Git Bash / MSYS2 on Windows when pnpm was installed via `@pnpm/exe` (or after `pnpm self-update`) [#11486](https://github.com/pnpm/pnpm/issues/11486). Running `pnpx` (or `pnx`) printed the cmd.exe banner and dropped the user into an interactive command prompt instead of running `pnpm dlx`. The `bin` field rewrite on Windows was pointing those aliases at `.cmd` files; cmd-shim's Bash shim for a `.cmd` target wraps it in `exec cmd /C ...`, and MSYS2 mangles `/C` into a Windows path before cmd.exe sees it. The aliases are now `.exe` hardlinks of the SEA binary, which detects which name it was launched as via `process.execPath` and prepends `dlx` for `pnpx` / `pnx`. +- Fix `pnpm install` recreating `node_modules` after `pnpm fetch`. `pnpm fetch` records empty `hoistPattern` and `publicHoistPattern` in `.modules.yaml`; since v11 removed the explicit-config gate, the follow-up install treated those as a hoist-pattern change and purged the modules directory. The fetch step now flags the modules manifest with `virtualStoreOnly: true` so the next install skips the hoist-pattern comparison and completes the missing post-import linking in place [#11488](https://github.com/pnpm/pnpm/issues/11488). +- Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Allow user-level preferences in the global `config.yaml`. The following settings can now be set in `~/.config/pnpm/config.yaml` (or via `pnpm config set --location global`) instead of being restricted to `pnpm-workspace.yaml`: `agent`, `globalVirtualStoreDir`, `initPackageManager`, `initType`, `registrySupportsTimeField`, `scriptShell`, `shellEmulator`, `sideEffectsCache`, `sideEffectsCacheReadonly`, `stateDir`, `strictDepBuilds`, `trustPolicy`, `trustPolicyExclude`, `trustPolicyIgnoreAfter`, `updateNotifier`, `useStderr`, `verifyDepsBeforeRun`, `verifyStoreIntegrity`, `virtualStoreDir`, `virtualStoreDirMaxLength` [#11474](https://github.com/pnpm/pnpm/issues/11474). +- Make trusted publishing (OIDC) take precedence over a configured static `_authToken` in `pnpm publish`, mirroring the npm CLI's behavior. When OIDC succeeds, the OIDC-derived token overrides any pre-configured `_authToken`; when OIDC is not applicable (no CI environment, exchange fails, registry has no trusted publisher configured), the static token is used as a fallback. This applies on every package during recursive publish, so each workspace package independently attempts trusted publishing. + + Additionally, the `NPM_ID_TOKEN` env var is now honored as a CI-agnostic injection point for an OIDC ID token. Previously OIDC was only attempted on GitHub Actions or GitLab; now any CI provider that exposes its own OIDC mechanism (e.g. CircleCI's `CIRCLE_OIDC_TOKEN_V2`, Buildkite, etc.) can forward its token via `NPM_ID_TOKEN` and trusted publishing will work without pnpm needing to recognize the provider explicitly. + +- `--pm-on-fail=ignore` (and other universal options like `--loglevel`, `--reporter`) is now honored when combined with `--help` or `--version`. Previously the CLI argument parser short-circuited those flags before universal options were preserved, so `pnpm audit --pm-on-fail=ignore --help` and `pnpm --pm-on-fail=ignore --version` reported the strict packageManager mismatch instead of running the requested action [#11487](https://github.com/pnpm/pnpm/issues/11487). +- Fix a regression where `pnpm --recursive --filter '!' run/exec/test/add` would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative `--filter` arguments are provided, matching the [documented behavior](https://pnpm.io/cli/recursive). To include the root, pass `--include-workspace-root` [#11341](https://github.com/pnpm/pnpm/issues/11341). +- Restore npm-CLI-compatible `--json` stdout output for `pnpm publish` ([#11476](https://github.com/pnpm/pnpm/issues/11476)). pnpm 11 reimplemented publish natively ([#10591](https://github.com/pnpm/pnpm/pull/10591)) and inadvertently dropped the per-package JSON object that pnpm 10 emitted transitively via the npm CLI, silently breaking downstream tooling — most notably `nx release publish`, which parses stdout JSON to confirm success ([nrwl/nx#35575](https://github.com/nrwl/nx/issues/35575)). On success, the output is now: + + - `pnpm publish --json` → single object `{ id, name, version, size, unpackedSize, shasum, integrity, filename, files, entryCount, bundled }`, mirroring `npm publish --json`. + - `pnpm publish -r --json` → array of those objects, mirroring `pnpm pack --json`'s shape choice. + - `pnpm publish -r --report-summary` → existing `pnpm-publish-summary.json` envelope `{ publishedPackages: [...] }` is preserved, but each entry is upgraded to the same per-package shape (additive — `name` and `version` are still present). + +- `pnpm config get @:registry` now reports the same URL that `pnpm publish` and the resolvers actually use. Previously, `config get` only consulted `.npmrc`, while `publish`/install used the merged map that includes `pnpm-workspace.yaml`'s `registries` block — so the two could diverge silently and a publish could go to the wrong registry [#11492](https://github.com/pnpm/pnpm/issues/11492). + ## 11.0.6 ### Patch Changes diff --git a/pnpm/artifacts/darwin-arm64/package.json b/pnpm/artifacts/darwin-arm64/package.json index ea9476624c..2affc02325 100644 --- a/pnpm/artifacts/darwin-arm64/package.json +++ b/pnpm/artifacts/darwin-arm64/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/macos-arm64", - "version": "11.0.6", + "version": "11.0.7", "keywords": [ "pnpm", "pnpm11", diff --git a/pnpm/artifacts/exe/CHANGELOG.md b/pnpm/artifacts/exe/CHANGELOG.md index c4c641ba65..79f6707fee 100644 --- a/pnpm/artifacts/exe/CHANGELOG.md +++ b/pnpm/artifacts/exe/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/exe +## 11.0.7 + +### Patch Changes + +- fbeee82: Restore the execute bit on the `node-gyp` shims packed inside `@pnpm/exe` (`dist/node-gyp-bin/node-gyp`, `dist/node-gyp-bin/node-gyp.cmd`, and `dist/node_modules/node-gyp/bin/node-gyp.js`). Without this, `pnpm/action-setup`'s standalone path (used on runners with Node.js < 22.13) failed any install whose lifecycle script invoked `node-gyp rebuild` with `sh: 1: node-gyp: Permission denied` [#11483](https://github.com/pnpm/pnpm/issues/11483). + ## 11.0.5 ### Patch Changes diff --git a/pnpm/artifacts/exe/package.json b/pnpm/artifacts/exe/package.json index 4043c727ad..44173ca9c5 100644 --- a/pnpm/artifacts/exe/package.json +++ b/pnpm/artifacts/exe/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/exe", - "version": "11.0.6", + "version": "11.0.7", "description": "Fast, disk space efficient package manager", "keywords": [ "pnpm", diff --git a/pnpm/artifacts/linux-arm64-musl/package.json b/pnpm/artifacts/linux-arm64-musl/package.json index dd1026f41d..bd17c2ccce 100644 --- a/pnpm/artifacts/linux-arm64-musl/package.json +++ b/pnpm/artifacts/linux-arm64-musl/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/linuxstatic-arm64", - "version": "11.0.6", + "version": "11.0.7", "keywords": [ "pnpm", "pnpm11", diff --git a/pnpm/artifacts/linux-arm64/package.json b/pnpm/artifacts/linux-arm64/package.json index 09547f9d1b..6f217b3e04 100644 --- a/pnpm/artifacts/linux-arm64/package.json +++ b/pnpm/artifacts/linux-arm64/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/linux-arm64", - "version": "11.0.6", + "version": "11.0.7", "keywords": [ "pnpm", "pnpm11", diff --git a/pnpm/artifacts/linux-x64-musl/package.json b/pnpm/artifacts/linux-x64-musl/package.json index 12beaa451d..09ce65b250 100644 --- a/pnpm/artifacts/linux-x64-musl/package.json +++ b/pnpm/artifacts/linux-x64-musl/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/linuxstatic-x64", - "version": "11.0.6", + "version": "11.0.7", "keywords": [ "pnpm", "pnpm11", diff --git a/pnpm/artifacts/linux-x64/package.json b/pnpm/artifacts/linux-x64/package.json index 5d5770a224..ecf34b7307 100644 --- a/pnpm/artifacts/linux-x64/package.json +++ b/pnpm/artifacts/linux-x64/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/linux-x64", - "version": "11.0.6", + "version": "11.0.7", "keywords": [ "pnpm", "pnpm11", diff --git a/pnpm/artifacts/win32-arm64/package.json b/pnpm/artifacts/win32-arm64/package.json index 9930511f1b..b02358745b 100644 --- a/pnpm/artifacts/win32-arm64/package.json +++ b/pnpm/artifacts/win32-arm64/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/win-arm64", - "version": "11.0.6", + "version": "11.0.7", "keywords": [ "pnpm", "pnpm11", diff --git a/pnpm/artifacts/win32-x64/package.json b/pnpm/artifacts/win32-x64/package.json index b5b87b8c90..4c308a45e5 100644 --- a/pnpm/artifacts/win32-x64/package.json +++ b/pnpm/artifacts/win32-x64/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/win-x64", - "version": "11.0.6", + "version": "11.0.7", "keywords": [ "pnpm", "pnpm11", diff --git a/pnpm/package.json b/pnpm/package.json index 35fea380e0..b7240ec162 100644 --- a/pnpm/package.json +++ b/pnpm/package.json @@ -1,6 +1,6 @@ { "name": "pnpm", - "version": "11.0.6", + "version": "11.0.7", "description": "Fast, disk space efficient package manager", "keywords": [ "pnpm", diff --git a/registry-access/commands/CHANGELOG.md b/registry-access/commands/CHANGELOG.md index 4cf922e4a8..fca3df356d 100644 --- a/registry-access/commands/CHANGELOG.md +++ b/registry-access/commands/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/registry-access.commands +## 1100.2.8 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + ## 1100.2.7 ### Patch Changes diff --git a/registry-access/commands/package.json b/registry-access/commands/package.json index fe0f8482ee..02634b7503 100644 --- a/registry-access/commands/package.json +++ b/registry-access/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/registry-access.commands", - "version": "1100.2.7", + "version": "1100.2.8", "description": "Commands for managing packages on the registry", "keywords": [ "pnpm", diff --git a/releasing/commands/CHANGELOG.md b/releasing/commands/CHANGELOG.md index 0aa33cf45b..8a9baf3a14 100644 --- a/releasing/commands/CHANGELOG.md +++ b/releasing/commands/CHANGELOG.md @@ -1,5 +1,35 @@ # @pnpm/releasing.commands +## 1100.2.9 + +### Patch Changes + +- 90e215f: Make trusted publishing (OIDC) take precedence over a configured static `_authToken` in `pnpm publish`, mirroring the npm CLI's behavior. When OIDC succeeds, the OIDC-derived token overrides any pre-configured `_authToken`; when OIDC is not applicable (no CI environment, exchange fails, registry has no trusted publisher configured), the static token is used as a fallback. This applies on every package during recursive publish, so each workspace package independently attempts trusted publishing. + + Additionally, the `NPM_ID_TOKEN` env var is now honored as a CI-agnostic injection point for an OIDC ID token. Previously OIDC was only attempted on GitHub Actions or GitLab; now any CI provider that exposes its own OIDC mechanism (e.g. CircleCI's `CIRCLE_OIDC_TOKEN_V2`, Buildkite, etc.) can forward its token via `NPM_ID_TOKEN` and trusted publishing will work without pnpm needing to recognize the provider explicitly. + +- 5607279: Restore npm-CLI-compatible `--json` stdout output for `pnpm publish` ([#11476](https://github.com/pnpm/pnpm/issues/11476)). pnpm 11 reimplemented publish natively ([#10591](https://github.com/pnpm/pnpm/pull/10591)) and inadvertently dropped the per-package JSON object that pnpm 10 emitted transitively via the npm CLI, silently breaking downstream tooling — most notably `nx release publish`, which parses stdout JSON to confirm success ([nrwl/nx#35575](https://github.com/nrwl/nx/issues/35575)). On success, the output is now: + + - `pnpm publish --json` → single object `{ id, name, version, size, unpackedSize, shasum, integrity, filename, files, entryCount, bundled }`, mirroring `npm publish --json`. + - `pnpm publish -r --json` → array of those objects, mirroring `pnpm pack --json`'s shape choice. + - `pnpm publish -r --report-summary` → existing `pnpm-publish-summary.json` envelope `{ publishedPackages: [...] }` is preserved, but each entry is upgraded to the same per-package shape (additive — `name` and `version` are still present). + +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/lockfile.fs@1100.0.5 + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/config.reader@1101.2.1 + - @pnpm/installing.commands@1100.1.10 + - @pnpm/installing.client@1100.0.10 + - @pnpm/engine.runtime.node-resolver@1101.0.5 + - @pnpm/fetching.directory-fetcher@1100.0.6 + - @pnpm/engine.runtime.commands@1100.0.11 + - @pnpm/releasing.exportable-manifest@1100.0.3 + - @pnpm/exec.lifecycle@1100.0.6 + - @pnpm/fs.indexed-pkg-importer@1100.0.5 + - @pnpm/workspace.projects-filter@1100.0.8 + ## 1100.2.8 ### Patch Changes diff --git a/releasing/commands/package.json b/releasing/commands/package.json index 602809d0f7..fec016d885 100644 --- a/releasing/commands/package.json +++ b/releasing/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/releasing.commands", - "version": "1100.2.8", + "version": "1100.2.9", "description": "Commands for deploy, pack, and publish", "keywords": [ "pnpm", diff --git a/resolving/default-resolver/CHANGELOG.md b/resolving/default-resolver/CHANGELOG.md index ad6809bb0e..458bd99064 100644 --- a/resolving/default-resolver/CHANGELOG.md +++ b/resolving/default-resolver/CHANGELOG.md @@ -1,5 +1,20 @@ # @pnpm/default-resolver +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/resolving.git-resolver@1100.0.4 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/hooks.types@1100.0.5 + - @pnpm/engine.runtime.bun-resolver@1101.0.3 + - @pnpm/engine.runtime.deno-resolver@1101.0.3 + - @pnpm/engine.runtime.node-resolver@1101.0.5 + - @pnpm/resolving.local-resolver@1100.0.5 + - @pnpm/resolving.npm-resolver@1101.0.2 + - @pnpm/resolving.tarball-resolver@1100.0.4 + ## 1100.0.9 ### Patch Changes diff --git a/resolving/default-resolver/package.json b/resolving/default-resolver/package.json index 25f5081f3c..f651acf4c7 100644 --- a/resolving/default-resolver/package.json +++ b/resolving/default-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/resolving.default-resolver", - "version": "1100.0.9", + "version": "1100.0.10", "description": "pnpm's default package resolver", "keywords": [ "pnpm", diff --git a/resolving/git-resolver/CHANGELOG.md b/resolving/git-resolver/CHANGELOG.md index b3f84d5f17..02679dfff5 100644 --- a/resolving/git-resolver/CHANGELOG.md +++ b/resolving/git-resolver/CHANGELOG.md @@ -1,5 +1,16 @@ # @pnpm/git-resolver +## 1100.0.4 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + ## 1100.0.3 ### Patch Changes diff --git a/resolving/git-resolver/package.json b/resolving/git-resolver/package.json index 7890cb4f51..ee22fceed8 100644 --- a/resolving/git-resolver/package.json +++ b/resolving/git-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/resolving.git-resolver", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Resolver for git-hosted packages", "keywords": [ "pnpm", diff --git a/resolving/local-resolver/CHANGELOG.md b/resolving/local-resolver/CHANGELOG.md index f55b329009..0b56870924 100644 --- a/resolving/local-resolver/CHANGELOG.md +++ b/resolving/local-resolver/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/local-resolver +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/crypto.hash@1100.0.1 + ## 1100.0.4 ### Patch Changes diff --git a/resolving/local-resolver/package.json b/resolving/local-resolver/package.json index ccc1f35119..63e45c504c 100644 --- a/resolving/local-resolver/package.json +++ b/resolving/local-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/resolving.local-resolver", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Resolver for local packages", "keywords": [ "pnpm", diff --git a/resolving/npm-resolver/CHANGELOG.md b/resolving/npm-resolver/CHANGELOG.md index 1004c0ae51..82a1506b18 100644 --- a/resolving/npm-resolver/CHANGELOG.md +++ b/resolving/npm-resolver/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/npm-resolver +## 1101.0.2 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/store.cafs@1100.1.2 + - @pnpm/crypto.hash@1100.0.1 + - @pnpm/worker@1100.1.2 + ## 1101.0.1 ### Patch Changes diff --git a/resolving/npm-resolver/package.json b/resolving/npm-resolver/package.json index f75bbcd362..5b11d08650 100644 --- a/resolving/npm-resolver/package.json +++ b/resolving/npm-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/resolving.npm-resolver", - "version": "1101.0.1", + "version": "1101.0.2", "description": "Resolver for npm-hosted packages", "keywords": [ "pnpm", diff --git a/resolving/resolver-base/CHANGELOG.md b/resolving/resolver-base/CHANGELOG.md index 2182dc5f68..5eba6ca83c 100644 --- a/resolving/resolver-base/CHANGELOG.md +++ b/resolving/resolver-base/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/resolver-base +## 1100.1.2 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + ## 1100.1.1 ### Patch Changes diff --git a/resolving/resolver-base/package.json b/resolving/resolver-base/package.json index 22c9d27b6b..9f038c5bdc 100644 --- a/resolving/resolver-base/package.json +++ b/resolving/resolver-base/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/resolving.resolver-base", - "version": "1100.1.1", + "version": "1100.1.2", "description": "Types for pnpm-compatible resolvers", "keywords": [ "pnpm", diff --git a/resolving/tarball-resolver/CHANGELOG.md b/resolving/tarball-resolver/CHANGELOG.md index 60ee210834..e3756c3784 100644 --- a/resolving/tarball-resolver/CHANGELOG.md +++ b/resolving/tarball-resolver/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/tarball-resolver +## 1100.0.4 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + ## 1100.0.3 ### Patch Changes diff --git a/resolving/tarball-resolver/package.json b/resolving/tarball-resolver/package.json index 865a66ddfa..f8d9d288c2 100644 --- a/resolving/tarball-resolver/package.json +++ b/resolving/tarball-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/resolving.tarball-resolver", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Resolver for tarball dependencies", "keywords": [ "pnpm", diff --git a/store/cafs/CHANGELOG.md b/store/cafs/CHANGELOG.md index dafcd5280a..f94b67579e 100644 --- a/store/cafs/CHANGELOG.md +++ b/store/cafs/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/store.cafs +## 1100.1.2 + +### Patch Changes + +- @pnpm/fetching.fetcher-base@1100.1.2 +- @pnpm/store.controller-types@1100.0.5 + ## 1100.1.1 ### Patch Changes diff --git a/store/cafs/package.json b/store/cafs/package.json index a82aaf4e92..20ed08b15c 100644 --- a/store/cafs/package.json +++ b/store/cafs/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/store.cafs", - "version": "1100.1.1", + "version": "1100.1.2", "description": "A content-addressable filesystem for the packages storage", "keywords": [ "pnpm", diff --git a/store/commands/CHANGELOG.md b/store/commands/CHANGELOG.md index ca0670829f..862ea51fe4 100644 --- a/store/commands/CHANGELOG.md +++ b/store/commands/CHANGELOG.md @@ -1,5 +1,24 @@ # @pnpm/store.commands +## 1100.0.11 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [27425d7] +- Updated dependencies [707a879] + - @pnpm/lockfile.types@1100.0.4 + - @pnpm/lockfile.utils@1100.0.5 + - @pnpm/config.reader@1101.2.1 + - @pnpm/installing.context@1100.0.6 + - @pnpm/installing.client@1100.0.10 + - @pnpm/store.controller-types@1100.0.5 + - @pnpm/store.connection-manager@1100.0.11 + - @pnpm/store.cafs@1100.1.2 + ## 1100.0.10 ### Patch Changes diff --git a/store/commands/package.json b/store/commands/package.json index 7e4c696949..d04d625592 100644 --- a/store/commands/package.json +++ b/store/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/store.commands", - "version": "1100.0.10", + "version": "1100.0.11", "description": "Commands for controlling and inspecting the store", "keywords": [ "pnpm", diff --git a/store/connection-manager/CHANGELOG.md b/store/connection-manager/CHANGELOG.md index 77b4360904..437f3af877 100644 --- a/store/connection-manager/CHANGELOG.md +++ b/store/connection-manager/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/store-connection-manager +## 1100.0.11 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + - @pnpm/installing.client@1100.0.10 + - @pnpm/store.controller@1101.0.3 + ## 1100.0.10 ### Patch Changes diff --git a/store/connection-manager/package.json b/store/connection-manager/package.json index ae73d69634..4661dadef1 100644 --- a/store/connection-manager/package.json +++ b/store/connection-manager/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/store.connection-manager", - "version": "1100.0.10", + "version": "1100.0.11", "description": "Create a pnpm store controller", "keywords": [ "pnpm", diff --git a/store/controller-types/CHANGELOG.md b/store/controller-types/CHANGELOG.md index 35f33672c9..cadb45c9f9 100644 --- a/store/controller-types/CHANGELOG.md +++ b/store/controller-types/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/store-controller-types +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/fetching.fetcher-base@1100.1.2 + ## 1100.0.4 ### Patch Changes diff --git a/store/controller-types/package.json b/store/controller-types/package.json index d0ec2951f9..ce96365f36 100644 --- a/store/controller-types/package.json +++ b/store/controller-types/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/store.controller-types", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Types for the store controller", "keywords": [ "pnpm", diff --git a/store/controller/CHANGELOG.md b/store/controller/CHANGELOG.md index a7be11a184..832717682a 100644 --- a/store/controller/CHANGELOG.md +++ b/store/controller/CHANGELOG.md @@ -1,5 +1,20 @@ # @pnpm/package-store +## 1101.0.3 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/installing.package-requester@1101.0.3 + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/hooks.types@1100.0.5 + - @pnpm/fetching.fetcher-base@1100.1.2 + - @pnpm/store.controller-types@1100.0.5 + - @pnpm/store.cafs@1100.1.2 + - @pnpm/store.create-cafs-store@1100.0.5 + - @pnpm/crypto.hash@1100.0.1 + - @pnpm/worker@1100.1.2 + ## 1101.0.2 ### Patch Changes diff --git a/store/controller/package.json b/store/controller/package.json index b6c94f8939..bd3341f83d 100644 --- a/store/controller/package.json +++ b/store/controller/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/store.controller", - "version": "1101.0.2", + "version": "1101.0.3", "description": "A storage for packages", "keywords": [ "pnpm", diff --git a/store/create-cafs-store/CHANGELOG.md b/store/create-cafs-store/CHANGELOG.md index 070b9de636..74ebc48b23 100644 --- a/store/create-cafs-store/CHANGELOG.md +++ b/store/create-cafs-store/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/create-cafs-store +## 1100.0.5 + +### Patch Changes + +- @pnpm/fetching.fetcher-base@1100.1.2 +- @pnpm/store.controller-types@1100.0.5 +- @pnpm/store.cafs@1100.1.2 +- @pnpm/fs.indexed-pkg-importer@1100.0.5 + ## 1100.0.4 ### Patch Changes diff --git a/store/create-cafs-store/package.json b/store/create-cafs-store/package.json index a3de0ae6d3..20b1d36969 100644 --- a/store/create-cafs-store/package.json +++ b/store/create-cafs-store/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/store.create-cafs-store", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Create a CAFS store controller", "keywords": [ "pnpm", diff --git a/store/pkg-finder/CHANGELOG.md b/store/pkg-finder/CHANGELOG.md index 1179863b5d..67fde35520 100644 --- a/store/pkg-finder/CHANGELOG.md +++ b/store/pkg-finder/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/store.pkg-finder +## 1100.0.6 + +### Patch Changes + +- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes. + + A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase. + +- Updated dependencies [27425d7] + - @pnpm/resolving.resolver-base@1100.1.2 + - @pnpm/fetching.directory-fetcher@1100.0.6 + - @pnpm/store.cafs@1100.1.2 + ## 1100.0.5 ### Patch Changes diff --git a/store/pkg-finder/package.json b/store/pkg-finder/package.json index 25f3efdd28..c247459e27 100644 --- a/store/pkg-finder/package.json +++ b/store/pkg-finder/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/store.pkg-finder", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Read a package's file map from the content-addressable store", "keywords": [ "pnpm", diff --git a/testing/temp-store/CHANGELOG.md b/testing/temp-store/CHANGELOG.md index 461826d1fa..6be67eb682 100644 --- a/testing/temp-store/CHANGELOG.md +++ b/testing/temp-store/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/testing.temp-store +## 1100.0.11 + +### Patch Changes + +- @pnpm/installing.client@1100.0.10 +- @pnpm/store.controller@1101.0.3 +- @pnpm/store.controller-types@1100.0.5 + ## 1100.0.10 ### Patch Changes diff --git a/testing/temp-store/package.json b/testing/temp-store/package.json index 9d056ac120..61bb589ae4 100644 --- a/testing/temp-store/package.json +++ b/testing/temp-store/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/testing.temp-store", - "version": "1100.0.10", + "version": "1100.0.11", "description": "A temporary store for testing purposes", "keywords": [ "pnpm", diff --git a/worker/CHANGELOG.md b/worker/CHANGELOG.md index ed26155583..8e013803a3 100644 --- a/worker/CHANGELOG.md +++ b/worker/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/worker +## 1100.1.2 + +### Patch Changes + +- @pnpm/store.cafs@1100.1.2 +- @pnpm/store.create-cafs-store@1100.0.5 +- @pnpm/fs.hard-link-dir@1100.0.1 +- @pnpm/fs.symlink-dependency@1100.0.2 + ## 1100.1.1 ### Patch Changes diff --git a/worker/package.json b/worker/package.json index 63f4e13a1c..6f2ad4df23 100644 --- a/worker/package.json +++ b/worker/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/worker", - "version": "1100.1.1", + "version": "1100.1.2", "description": "A worker for extracting package taralls to the store", "keywords": [ "pnpm", diff --git a/workspace/commands/CHANGELOG.md b/workspace/commands/CHANGELOG.md index 35c34bdfa2..04745b44d6 100644 --- a/workspace/commands/CHANGELOG.md +++ b/workspace/commands/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/plugin-commands-init +## 1100.1.8 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + ## 1100.1.7 ### Patch Changes diff --git a/workspace/commands/package.json b/workspace/commands/package.json index a94cab1798..846a9f9da9 100644 --- a/workspace/commands/package.json +++ b/workspace/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/workspace.commands", - "version": "1100.1.7", + "version": "1100.1.8", "description": "Create a package.json file", "keywords": [ "pnpm", diff --git a/workspace/injected-deps-syncer/CHANGELOG.md b/workspace/injected-deps-syncer/CHANGELOG.md index 36e21faa07..5ee21cffc5 100644 --- a/workspace/injected-deps-syncer/CHANGELOG.md +++ b/workspace/injected-deps-syncer/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/workspace.injected-deps-syncer +## 1100.0.7 + +### Patch Changes + +- Updated dependencies [12313f1] + - @pnpm/installing.modules-yaml@1100.0.3 + - @pnpm/fetching.directory-fetcher@1100.0.6 + ## 1100.0.6 ### Patch Changes diff --git a/workspace/injected-deps-syncer/package.json b/workspace/injected-deps-syncer/package.json index b7611ea1aa..080d98eccd 100644 --- a/workspace/injected-deps-syncer/package.json +++ b/workspace/injected-deps-syncer/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/workspace.injected-deps-syncer", - "version": "1100.0.6", + "version": "1100.0.7", "description": "Update all injected replica of a workspace package", "keywords": [ "pnpm", diff --git a/workspace/projects-filter/CHANGELOG.md b/workspace/projects-filter/CHANGELOG.md index 3a3db687ed..8a327533d2 100644 --- a/workspace/projects-filter/CHANGELOG.md +++ b/workspace/projects-filter/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/filter-workspace-packages +## 1100.0.8 + +### Patch Changes + +- @pnpm/workspace.projects-graph@1100.0.5 + ## 1100.0.7 ### Patch Changes diff --git a/workspace/projects-filter/package.json b/workspace/projects-filter/package.json index d0d928d71b..22346d8c32 100644 --- a/workspace/projects-filter/package.json +++ b/workspace/projects-filter/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/workspace.projects-filter", - "version": "1100.0.7", + "version": "1100.0.8", "description": "Filters packages in a workspace", "keywords": [ "pnpm", diff --git a/workspace/projects-graph/CHANGELOG.md b/workspace/projects-graph/CHANGELOG.md index 26f013881c..239d3bd2db 100644 --- a/workspace/projects-graph/CHANGELOG.md +++ b/workspace/projects-graph/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/workspace.pkgs-graph +## 1100.0.5 + +### Patch Changes + +- @pnpm/resolving.npm-resolver@1101.0.2 + ## 1100.0.4 ### Patch Changes diff --git a/workspace/projects-graph/package.json b/workspace/projects-graph/package.json index c3bd6eff9c..6ed6b01c82 100644 --- a/workspace/projects-graph/package.json +++ b/workspace/projects-graph/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/workspace.projects-graph", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Create a graph from an array of packages", "keywords": [ "pnpm", diff --git a/workspace/state/CHANGELOG.md b/workspace/state/CHANGELOG.md index f08ee8a19d..848aab2be7 100644 --- a/workspace/state/CHANGELOG.md +++ b/workspace/state/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/workspace.state +## 1100.0.9 + +### Patch Changes + +- Updated dependencies [707a879] + - @pnpm/config.reader@1101.2.1 + ## 1100.0.8 ### Patch Changes diff --git a/workspace/state/package.json b/workspace/state/package.json index 9d5b44123e..e80300d5c4 100644 --- a/workspace/state/package.json +++ b/workspace/state/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/workspace.state", - "version": "1100.0.8", + "version": "1100.0.9", "description": "Track the list of actual paths of workspace packages in a cache", "keywords": [ "pnpm", diff --git a/workspace/workspace-manifest-writer/CHANGELOG.md b/workspace/workspace-manifest-writer/CHANGELOG.md index 92f19b73e8..d682be1f9d 100644 --- a/workspace/workspace-manifest-writer/CHANGELOG.md +++ b/workspace/workspace-manifest-writer/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/workspace.manifest-writer +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [27425d7] + - @pnpm/lockfile.types@1100.0.4 + ## 1100.0.5 ### Patch Changes diff --git a/workspace/workspace-manifest-writer/package.json b/workspace/workspace-manifest-writer/package.json index 203e1a8e52..0cf1a00688 100644 --- a/workspace/workspace-manifest-writer/package.json +++ b/workspace/workspace-manifest-writer/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/workspace.workspace-manifest-writer", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Updates the workspace manifest file", "keywords": [ "pnpm",