chore(release): 11.0.7

.changeset-released/release-11.0.txt

@@ -0,0 +1,10 @@
+exe-node-gyp-executable
+exe-windows-aliases
+fetch-install-no-recreate
+git-tarball-integrity
+global-yaml-user-prefs
+oidc-precedence-over-static-token
+pm-on-fail-survives-help-version
+recursive-filter-root-exclusion
+restore-publish-json-stdout
+scoped-registry-config-get-publish

.changeset/exe-node-gyp-executable.md

@@ -1,6 +0,0 @@
----
-"@pnpm/exe": patch
-"pnpm": patch
----
-
-Restore the execute bit on the `node-gyp` shims packed inside `@pnpm/exe` (`dist/node-gyp-bin/node-gyp`, `dist/node-gyp-bin/node-gyp.cmd`, and `dist/node_modules/node-gyp/bin/node-gyp.js`). Without this, `pnpm/action-setup`'s standalone path (used on runners with Node.js < 22.13) failed any install whose lifecycle script invoked `node-gyp rebuild` with `sh: 1: node-gyp: Permission denied` [#11483](https://github.com/pnpm/pnpm/issues/11483).

.changeset/exe-windows-aliases.md

@@ -1,6 +0,0 @@
----
-"@pnpm/engine.pm.commands": patch
-"pnpm": patch
----
-
-Fixed the `pn`, `pnpx`, and `pnx` aliases failing in Git Bash / MSYS2 on Windows when pnpm was installed via `@pnpm/exe` (or after `pnpm self-update`) [#11486](https://github.com/pnpm/pnpm/issues/11486). Running `pnpx` (or `pnx`) printed the cmd.exe banner and dropped the user into an interactive command prompt instead of running `pnpm dlx`. The `bin` field rewrite on Windows was pointing those aliases at `.cmd` files; cmd-shim's Bash shim for a `.cmd` target wraps it in `exec cmd /C ...`, and MSYS2 mangles `/C` into a Windows path before cmd.exe sees it. The aliases are now `.exe` hardlinks of the SEA binary, which detects which name it was launched as via `process.execPath` and prepends `dlx` for `pnpx` / `pnx`.

.changeset/fetch-install-no-recreate.md

@@ -1,8 +0,0 @@
----
-"@pnpm/installing.modules-yaml": patch
-"@pnpm/installing.deps-restorer": patch
-"@pnpm/installing.deps-installer": patch
-"pnpm": patch
----
-
-Fix `pnpm install` recreating `node_modules` after `pnpm fetch`. `pnpm fetch` records empty `hoistPattern` and `publicHoistPattern` in `.modules.yaml`; since v11 removed the explicit-config gate, the follow-up install treated those as a hoist-pattern change and purged the modules directory. The fetch step now flags the modules manifest with `virtualStoreOnly: true` so the next install skips the hoist-pattern comparison and completes the missing post-import linking in place [#11488](https://github.com/pnpm/pnpm/issues/11488).

.changeset/git-tarball-integrity.md

@@ -1,20 +0,0 @@
----
-"@pnpm/building.after-install": patch
-"@pnpm/fetching.pick-fetcher": patch
-"@pnpm/fetching.tarball-fetcher": patch
-"@pnpm/installing.deps-installer": patch
-"@pnpm/installing.package-requester": patch
-"@pnpm/lockfile.fs": patch
-"@pnpm/lockfile.types": patch
-"@pnpm/lockfile.utils": patch
-"@pnpm/modules-mounter.daemon": patch
-"@pnpm/resolving.git-resolver": patch
-"@pnpm/resolving.resolver-base": patch
-"@pnpm/store.commands": patch
-"@pnpm/store.pkg-finder": patch
-"pnpm": patch
----
-
-Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
-
-A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.

.changeset/global-yaml-user-prefs.md

@@ -1,6 +0,0 @@
----
-"@pnpm/config.reader": patch
-"pnpm": patch
----
-
-Allow user-level preferences in the global `config.yaml`. The following settings can now be set in `~/.config/pnpm/config.yaml` (or via `pnpm config set --location global`) instead of being restricted to `pnpm-workspace.yaml`: `agent`, `globalVirtualStoreDir`, `initPackageManager`, `initType`, `registrySupportsTimeField`, `scriptShell`, `shellEmulator`, `sideEffectsCache`, `sideEffectsCacheReadonly`, `stateDir`, `strictDepBuilds`, `trustPolicy`, `trustPolicyExclude`, `trustPolicyIgnoreAfter`, `updateNotifier`, `useStderr`, `verifyDepsBeforeRun`, `verifyStoreIntegrity`, `virtualStoreDir`, `virtualStoreDirMaxLength` [#11474](https://github.com/pnpm/pnpm/issues/11474).

.changeset/oidc-precedence-over-static-token.md

@@ -1,8 +0,0 @@
----
-"@pnpm/releasing.commands": patch
-"pnpm": patch
----
-
-Make trusted publishing (OIDC) take precedence over a configured static `_authToken` in `pnpm publish`, mirroring the npm CLI's behavior. When OIDC succeeds, the OIDC-derived token overrides any pre-configured `_authToken`; when OIDC is not applicable (no CI environment, exchange fails, registry has no trusted publisher configured), the static token is used as a fallback. This applies on every package during recursive publish, so each workspace package independently attempts trusted publishing.
-
-Additionally, the `NPM_ID_TOKEN` env var is now honored as a CI-agnostic injection point for an OIDC ID token. Previously OIDC was only attempted on GitHub Actions or GitLab; now any CI provider that exposes its own OIDC mechanism (e.g. CircleCI's `CIRCLE_OIDC_TOKEN_V2`, Buildkite, etc.) can forward its token via `NPM_ID_TOKEN` and trusted publishing will work without pnpm needing to recognize the provider explicitly.

.changeset/pm-on-fail-survives-help-version.md

@@ -1,6 +0,0 @@
----
-"@pnpm/cli.parse-cli-args": patch
-"pnpm": patch
----
-
-`--pm-on-fail=ignore` (and other universal options like `--loglevel`, `--reporter`) is now honored when combined with `--help` or `--version`. Previously the CLI argument parser short-circuited those flags before universal options were preserved, so `pnpm audit --pm-on-fail=ignore --help` and `pnpm --pm-on-fail=ignore --version` reported the strict packageManager mismatch instead of running the requested action [#11487](https://github.com/pnpm/pnpm/issues/11487).

.changeset/recursive-filter-root-exclusion.md

@@ -1,5 +0,0 @@
----
-"pnpm": patch
----
-
-Fix a regression where `pnpm --recursive --filter '!<pkg>' run/exec/test/add` would include the workspace root in the matched projects. The workspace root is now correctly excluded by default when only negative `--filter` arguments are provided, matching the [documented behavior](https://pnpm.io/cli/recursive). To include the root, pass `--include-workspace-root` [#11341](https://github.com/pnpm/pnpm/issues/11341).

.changeset/restore-publish-json-stdout.md

@@ -1,10 +0,0 @@
----
-"@pnpm/releasing.commands": patch
-pnpm: patch
----
-
-Restore npm-CLI-compatible `--json` stdout output for `pnpm publish` ([#11476](https://github.com/pnpm/pnpm/issues/11476)). pnpm 11 reimplemented publish natively ([#10591](https://github.com/pnpm/pnpm/pull/10591)) and inadvertently dropped the per-package JSON object that pnpm 10 emitted transitively via the npm CLI, silently breaking downstream tooling — most notably `nx release publish`, which parses stdout JSON to confirm success ([nrwl/nx#35575](https://github.com/nrwl/nx/issues/35575)). On success, the output is now:
-
-- `pnpm publish --json` → single object `{ id, name, version, size, unpackedSize, shasum, integrity, filename, files, entryCount, bundled }`, mirroring `npm publish --json`.
-- `pnpm publish -r --json` → array of those objects, mirroring `pnpm pack --json`'s shape choice.
-- `pnpm publish -r --report-summary` → existing `pnpm-publish-summary.json` envelope `{ publishedPackages: [...] }` is preserved, but each entry is upgraded to the same per-package shape (additive — `name` and `version` are still present).

.changeset/scoped-registry-config-get-publish.md

@@ -1,6 +0,0 @@
----
-"@pnpm/config.commands": patch
-"pnpm": patch
----
-
-`pnpm config get @<scope>:registry` now reports the same URL that `pnpm publish` and the resolvers actually use. Previously, `config get` only consulted `.npmrc`, while `publish`/install used the merged map that includes `pnpm-workspace.yaml`'s `registries` block — so the two could diverge silently and a publish could go to the wrong registry [#11492](https://github.com/pnpm/pnpm/issues/11492).

.meta-updater/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm-private/updater
 
+## 1100.0.8
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/lockfile.fs@1100.0.5
+
 ## 1100.0.7
 
 ### Patch Changes

.meta-updater/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm-private/updater",
-  "version": "1100.0.7",
+  "version": "1100.0.8",
   "private": true,
   "type": "module",
   "scripts": {

__utils__/assert-project/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @pnpm/assert-project
 
+## 1100.0.5
+
+### Patch Changes
+
+- Updated dependencies [12313f1]
+- Updated dependencies [27425d7]
+  - @pnpm/installing.modules-yaml@1100.0.3
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/assert-store@1100.0.5
+
 ## 1100.0.4
 
 ### Patch Changes

__utils__/assert-project/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@pnpm/assert-project",
   "description": "Utils for testing projects that use pnpm",
-  "version": "1100.0.4",
+  "version": "1100.0.5",
   "author": {
     "name": "Zoltan Kochan",
     "email": "z@kochan.io",

__utils__/assert-store/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/assert-store
 
+## 1100.0.5
+
+### Patch Changes
+
+- @pnpm/store.cafs@1100.1.2
+
 ## 1100.0.4
 
 ### Patch Changes

__utils__/assert-store/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@pnpm/assert-store",
   "description": "Utils for testing pnpm store",
-  "version": "1100.0.4",
+  "version": "1100.0.5",
   "bugs": {
     "url": "https://github.com/pnpm/pnpm/issues"
   },

__utils__/jest-config/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/jest-config
 
+## 1100.0.5
+
+### Patch Changes
+
+- @pnpm/worker@1100.1.2
+
 ## 1100.0.4
 
 ### Patch Changes

__utils__/jest-config/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/jest-config",
-  "version": "1100.0.4",
+  "version": "1100.0.5",
   "private": true,
   "main": "jest-preset.js",
   "type": "module",

__utils__/prepare/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/prepare
 
+## 1100.0.5
+
+### Patch Changes
+
+- @pnpm/assert-project@1100.0.5
+
 ## 1100.0.4
 
 ### Patch Changes

__utils__/prepare/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/prepare",
-  "version": "1100.0.4",
+  "version": "1100.0.5",
   "main": "lib/index.js",
   "types": "lib/index.d.ts",
   "type": "module",

agent/client/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/agent.client
 
+## 1.0.2
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/store.cafs@1100.1.2
+  - @pnpm/worker@1100.1.2
+
 ## 1.0.1
 
 ### Patch Changes

agent/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/agent.client",
-  "version": "1.0.1",
+  "version": "1.0.2",
   "description": "Client for pnpm agent server — sends store state, receives resolved lockfile and missing files",
   "keywords": [
     "pnpm",

agent/server/CHANGELOG.md

@@ -1,5 +1,18 @@
 # pnpm-agent
 
+## 0.0.9
+
+### Patch Changes
+
+- Updated dependencies [12313f1]
+- Updated dependencies [27425d7]
+  - @pnpm/installing.deps-installer@1101.0.7
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/installing.client@1100.0.10
+  - @pnpm/store.controller@1101.0.3
+  - @pnpm/store.cafs@1100.1.2
+
 ## 0.0.8
 
 ### Patch Changes

agent/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pnpm-agent",
-  "version": "0.0.8",
+  "version": "0.0.9",
   "description": "pnpm agent server for server-side resolution and store-aware downloads",
   "keywords": [
     "pnpm",

auth/commands/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/auth.commands
 
+## 1100.0.10
+
+### Patch Changes
+
+- Updated dependencies [707a879]
+  - @pnpm/config.reader@1101.2.1
+
 ## 1100.0.9
 
 ### Patch Changes

auth/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/auth.commands",
-  "version": "1100.0.9",
+  "version": "1100.0.10",
   "description": "Commands for authentication with npm registries",
   "keywords": [
     "pnpm",

building/after-install/CHANGELOG.md

@@ -1,5 +1,29 @@
 # @pnpm/building.after-install
 
+## 1101.0.7
+
+### Patch Changes
+
+- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
+
+  A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.
+
+- Updated dependencies [12313f1]
+- Updated dependencies [27425d7]
+- Updated dependencies [707a879]
+  - @pnpm/installing.modules-yaml@1100.0.3
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/lockfile.utils@1100.0.5
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/installing.context@1100.0.6
+  - @pnpm/deps.graph-hasher@1100.1.3
+  - @pnpm/lockfile.walker@1100.0.4
+  - @pnpm/store.controller-types@1100.0.5
+  - @pnpm/store.connection-manager@1100.0.11
+  - @pnpm/exec.lifecycle@1100.0.6
+  - @pnpm/store.cafs@1100.1.2
+  - @pnpm/worker@1100.1.2
+
 ## 1101.0.6
 
 ### Patch Changes

building/after-install/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/building.after-install",
-  "version": "1101.0.6",
+  "version": "1101.0.7",
   "description": "Rebuild packages that are already installed by running their lifecycle scripts",
   "keywords": [
     "pnpm",

building/commands/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @pnpm/building.commands
 
+## 1100.0.12
+
+### Patch Changes
+
+- Updated dependencies [12313f1]
+- Updated dependencies [27425d7]
+- Updated dependencies [707a879]
+  - @pnpm/installing.modules-yaml@1100.0.3
+  - @pnpm/building.after-install@1101.0.7
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/installing.commands@1100.1.10
+  - @pnpm/store.connection-manager@1100.0.11
+  - @pnpm/config.writer@1100.0.6
+
 ## 1100.0.11
 
 ### Patch Changes

building/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/building.commands",
-  "version": "1100.0.11",
+  "version": "1100.0.12",
   "description": "Commands for rebuilding and managing dependency builds",
   "keywords": [
     "pnpm",

building/during-install/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @pnpm/building.during-install
 
+## 1101.0.5
+
+### Patch Changes
+
+- Updated dependencies [707a879]
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/deps.graph-hasher@1100.1.3
+  - @pnpm/store.controller-types@1100.0.5
+  - @pnpm/exec.lifecycle@1100.0.6
+  - @pnpm/fs.hard-link-dir@1100.0.1
+  - @pnpm/patching.apply-patch@1100.0.0
+  - @pnpm/worker@1100.1.2
+
 ## 1101.0.4
 
 ### Patch Changes

building/during-install/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/building.during-install",
-  "version": "1101.0.4",
+  "version": "1101.0.5",
   "description": "Build packages in node_modules",
   "keywords": [
     "pnpm",

cache/api/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/cache.api
 
+## 1100.0.9
+
+### Patch Changes
+
+- Updated dependencies [707a879]
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/resolving.npm-resolver@1101.0.2
+  - @pnpm/store.cafs@1100.1.2
+
 ## 1100.0.8
 
 ### Patch Changes

cache/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cache.api",
-  "version": "1100.0.8",
+  "version": "1100.0.9",
   "description": "API for controlling the cache",
   "keywords": [
     "pnpm",

cache/commands/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/cache.commands
 
+## 1100.0.10
+
+### Patch Changes
+
+- Updated dependencies [707a879]
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/cache.api@1100.0.9
+
 ## 1100.0.9
 
 ### Patch Changes

cache/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cache.commands",
-  "version": "1100.0.9",
+  "version": "1100.0.10",
   "description": "Commands for controlling the cache",
   "keywords": [
     "pnpm",

cli/commands/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/cli.commands
 
+## 1100.0.9
+
+### Patch Changes
+
+- Updated dependencies [707a879]
+- Updated dependencies [81161d5]
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/cli.parse-cli-args@1100.1.2
+
 ## 1100.0.8
 
 ### Patch Changes

cli/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cli.commands",
-  "version": "1100.0.8",
+  "version": "1100.0.9",
   "description": "Commands for pnpm CLI",
   "keywords": [
     "pnpm",

cli/default-reporter/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/default-reporter
 
+## 1100.0.10
+
+### Patch Changes
+
+- Updated dependencies [707a879]
+  - @pnpm/config.reader@1101.2.1
+
 ## 1100.0.9
 
 ### Patch Changes

cli/default-reporter/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cli.default-reporter",
-  "version": "1100.0.9",
+  "version": "1100.0.10",
   "description": "The default reporter of pnpm",
   "keywords": [
     "pnpm",

cli/parse-cli-args/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/parse-cli-args
 
+## 1100.1.2
+
+### Patch Changes
+
+- 81161d5: `--pm-on-fail=ignore` (and other universal options like `--loglevel`, `--reporter`) is now honored when combined with `--help` or `--version`. Previously the CLI argument parser short-circuited those flags before universal options were preserved, so `pnpm audit --pm-on-fail=ignore --help` and `pnpm --pm-on-fail=ignore --version` reported the strict packageManager mismatch instead of running the requested action [#11487](https://github.com/pnpm/pnpm/issues/11487).
+
 ## 1100.1.1
 
 ### Patch Changes

cli/parse-cli-args/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cli.parse-cli-args",
-  "version": "1100.1.1",
+  "version": "1100.1.2",
   "description": "Parses the CLI args passed to pnpm",
   "keywords": [
     "pnpm",

config/commands/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/plugin-commands-config
 
+## 1100.0.10
+
+### Patch Changes
+
+- 3e2df55: `pnpm config get @<scope>:registry` now reports the same URL that `pnpm publish` and the resolvers actually use. Previously, `config get` only consulted `.npmrc`, while `publish`/install used the merged map that includes `pnpm-workspace.yaml`'s `registries` block — so the two could diverge silently and a publish could go to the wrong registry [#11492](https://github.com/pnpm/pnpm/issues/11492).
+- Updated dependencies [707a879]
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/workspace.workspace-manifest-writer@1100.0.6
+
 ## 1100.0.9
 
 ### Patch Changes

config/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/config.commands",
-  "version": "1100.0.9",
+  "version": "1100.0.10",
   "description": "Commands for reading and writing settings to/from config files",
   "keywords": [
     "pnpm",

config/reader/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/config
 
+## 1101.2.1
+
+### Patch Changes
+
+- 707a879: Allow user-level preferences in the global `config.yaml`. The following settings can now be set in `~/.config/pnpm/config.yaml` (or via `pnpm config set --location global`) instead of being restricted to `pnpm-workspace.yaml`: `agent`, `globalVirtualStoreDir`, `initPackageManager`, `initType`, `registrySupportsTimeField`, `scriptShell`, `shellEmulator`, `sideEffectsCache`, `sideEffectsCacheReadonly`, `stateDir`, `strictDepBuilds`, `trustPolicy`, `trustPolicyExclude`, `trustPolicyIgnoreAfter`, `updateNotifier`, `useStderr`, `verifyDepsBeforeRun`, `verifyStoreIntegrity`, `virtualStoreDir`, `virtualStoreDirMaxLength` [#11474](https://github.com/pnpm/pnpm/issues/11474).
+  - @pnpm/hooks.pnpmfile@1100.0.6
+
 ## 1101.2.0
 
 ### Minor Changes

config/reader/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/config.reader",
-  "version": "1101.2.0",
+  "version": "1101.2.1",
   "description": "Gets configuration options for pnpm",
   "keywords": [
     "pnpm",

config/writer/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/config.config-writer
 
+## 1100.0.6
+
+### Patch Changes
+
+- @pnpm/workspace.workspace-manifest-writer@1100.0.6
+
 ## 1100.0.5
 
 ### Patch Changes

config/writer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/config.writer",
-  "version": "1100.0.5",
+  "version": "1100.0.6",
   "description": "Functions for updating the configuration settings",
   "keywords": [
     "pnpm",

deps/compliance/audit/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @pnpm/audit
 
+## 1101.0.4
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/lockfile.utils@1100.0.5
+  - @pnpm/lockfile.detect-dep-types@1100.0.4
+  - @pnpm/lockfile.walker@1100.0.4
+
 ## 1101.0.3
 
 ### Patch Changes

deps/compliance/audit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.audit",
-  "version": "1101.0.3",
+  "version": "1101.0.4",
   "description": "Audit a lockfile",
   "keywords": [
     "pnpm",

deps/compliance/commands/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @pnpm/deps.compliance.commands
 
+## 1101.1.9
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+- Updated dependencies [707a879]
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/lockfile.utils@1100.0.5
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/installing.commands@1100.1.10
+  - @pnpm/deps.compliance.audit@1101.0.4
+  - @pnpm/deps.compliance.license-scanner@1100.0.7
+  - @pnpm/deps.compliance.sbom@1100.0.7
+  - @pnpm/lockfile.walker@1100.0.4
+  - @pnpm/config.writer@1100.0.6
+
 ## 1101.1.8
 
 ### Patch Changes

deps/compliance/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.commands",
-  "version": "1101.1.8",
+  "version": "1101.1.9",
   "description": "pnpm commands for audit, licenses, and sbom",
   "keywords": [
     "pnpm",

deps/compliance/license-scanner/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/license-scanner
 
+## 1100.0.7
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/lockfile.utils@1100.0.5
+  - @pnpm/store.pkg-finder@1100.0.6
+  - @pnpm/lockfile.detect-dep-types@1100.0.4
+  - @pnpm/lockfile.walker@1100.0.4
+
 ## 1100.0.6
 
 ### Patch Changes

deps/compliance/license-scanner/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.license-scanner",
-  "version": "1100.0.6",
+  "version": "1100.0.7",
   "description": "Check for licenses packages",
   "keywords": [
     "pnpm",

deps/compliance/sbom/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/deps.compliance.sbom
 
+## 1100.0.7
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/lockfile.utils@1100.0.5
+  - @pnpm/resolving.resolver-base@1100.1.2
+  - @pnpm/store.pkg-finder@1100.0.6
+  - @pnpm/lockfile.detect-dep-types@1100.0.4
+  - @pnpm/lockfile.walker@1100.0.4
+
 ## 1100.0.6
 
 ### Patch Changes

deps/compliance/sbom/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.sbom",
-  "version": "1100.0.6",
+  "version": "1100.0.7",
   "description": "Generate SBOM from pnpm lockfile",
   "keywords": [
     "pnpm",

deps/graph-builder/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @pnpm/deps.graph-builder
 
+## 1100.0.6
+
+### Patch Changes
+
+- Updated dependencies [12313f1]
+- Updated dependencies [27425d7]
+  - @pnpm/installing.modules-yaml@1100.0.3
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/lockfile.utils@1100.0.5
+  - @pnpm/deps.graph-hasher@1100.1.3
+  - @pnpm/hooks.types@1100.0.5
+  - @pnpm/store.controller-types@1100.0.5
+
 ## 1100.0.5
 
 ### Patch Changes

deps/graph-builder/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.graph-builder",
-  "version": "1100.0.5",
+  "version": "1100.0.6",
   "description": "A package for building a dependency graph from a lockfile",
   "keywords": [
     "pnpm",

deps/graph-hasher/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/calc-dep-state
 
+## 1100.1.3
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/lockfile.utils@1100.0.5
+  - @pnpm/resolving.resolver-base@1100.1.2
+
 ## 1100.1.2
 
 ### Patch Changes

deps/graph-hasher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.graph-hasher",
-  "version": "1100.1.2",
+  "version": "1100.1.3",
   "description": "Calculates the state of a dependency",
   "keywords": [
     "pnpm",

deps/inspection/commands/CHANGELOG.md

@@ -1,5 +1,22 @@
 # @pnpm/deps.inspection.commands
 
+## 1100.1.11
+
+### Patch Changes
+
+- Updated dependencies [12313f1]
+- Updated dependencies [27425d7]
+- Updated dependencies [707a879]
+  - @pnpm/installing.modules-yaml@1100.0.3
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/global.commands@1100.0.12
+  - @pnpm/resolving.default-resolver@1100.0.10
+  - @pnpm/deps.inspection.list@1100.0.6
+  - @pnpm/deps.inspection.outdated@1100.0.10
+  - @pnpm/deps.inspection.peers-checker@1100.0.5
+  - @pnpm/resolving.npm-resolver@1101.0.2
+
 ## 1100.1.10
 
 ### Patch Changes

deps/inspection/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.commands",
-  "version": "1100.1.10",
+  "version": "1100.1.11",
   "description": "The list, ll, why, and outdated commands of pnpm",
   "keywords": [
     "pnpm",

deps/inspection/list/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/list
 
+## 1100.0.6
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/deps.inspection.tree-builder@1100.0.5
+
 ## 1100.0.5
 
 ### Patch Changes

deps/inspection/list/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.list",
-  "version": "1100.0.5",
+  "version": "1100.0.6",
   "description": "List installed packages in a symlinked `node_modules`",
   "keywords": [
     "pnpm",

deps/inspection/outdated/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @pnpm/outdated
 
+## 1100.0.10
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/lockfile.utils@1100.0.5
+  - @pnpm/installing.client@1100.0.10
+  - @pnpm/resolving.npm-resolver@1101.0.2
+
 ## 1100.0.9
 
 ### Patch Changes

deps/inspection/outdated/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.outdated",
-  "version": "1100.0.9",
+  "version": "1100.0.10",
   "description": "Check for outdated packages",
   "keywords": [
     "pnpm",

deps/inspection/peers-checker/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/deps.inspection.peers-checker
 
+## 1100.0.5
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/lockfile.walker@1100.0.4
+
 ## 1100.0.4
 
 ### Patch Changes

deps/inspection/peers-checker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.peers-checker",
-  "version": "1100.0.4",
+  "version": "1100.0.5",
   "description": "Check for unmet and missing peer dependency issues from the lockfile",
   "keywords": [
     "pnpm",

deps/inspection/tree-builder/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/reviewing.dependencies-hierarchy
 
+## 1100.0.5
+
+### Patch Changes
+
+- Updated dependencies [12313f1]
+- Updated dependencies [27425d7]
+  - @pnpm/installing.modules-yaml@1100.0.3
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/lockfile.utils@1100.0.5
+  - @pnpm/lockfile.detect-dep-types@1100.0.4
+  - @pnpm/store.cafs@1100.1.2
+
 ## 1100.0.4
 
 ### Patch Changes

deps/inspection/tree-builder/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.tree-builder",
-  "version": "1100.0.4",
+  "version": "1100.0.5",
   "description": "Creates a dependencies hierarchy for a symlinked `node_modules`",
   "keywords": [
     "pnpm",

deps/status/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @pnpm/deps.status
 
+## 1100.0.10
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+- Updated dependencies [707a879]
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/resolving.resolver-base@1100.1.2
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/installing.context@1100.0.6
+  - @pnpm/lockfile.settings-checker@1100.0.6
+  - @pnpm/lockfile.verification@1100.0.6
+  - @pnpm/workspace.state@1100.0.9
+
 ## 1100.0.9
 
 ### Patch Changes

deps/status/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.status",
-  "version": "1100.0.9",
+  "version": "1100.0.10",
   "description": "Check dependencies status",
   "keywords": [
     "pnpm",

engine/pm/commands/CHANGELOG.md

@@ -1,5 +1,25 @@
 # @pnpm/engine.pm.commands
 
+## 1101.1.7
+
+### Patch Changes
+
+- d0982fc: Fixed the `pn`, `pnpx`, and `pnx` aliases failing in Git Bash / MSYS2 on Windows when pnpm was installed via `@pnpm/exe` (or after `pnpm self-update`) [#11486](https://github.com/pnpm/pnpm/issues/11486). Running `pnpx` (or `pnx`) printed the cmd.exe banner and dropped the user into an interactive command prompt instead of running `pnpm dlx`. The `bin` field rewrite on Windows was pointing those aliases at `.cmd` files; cmd-shim's Bash shim for a `.cmd` target wraps it in `exec cmd /C ...`, and MSYS2 mangles `/C` into a Windows path before cmd.exe sees it. The aliases are now `.exe` hardlinks of the SEA binary, which detects which name it was launched as via `process.execPath` and prepends `dlx` for `pnpx` / `pnx`.
+- Updated dependencies [12313f1]
+- Updated dependencies [27425d7]
+- Updated dependencies [707a879]
+  - @pnpm/installing.deps-restorer@1101.0.6
+  - @pnpm/lockfile.fs@1100.0.5
+  - @pnpm/lockfile.types@1100.0.4
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/global.commands@1100.0.12
+  - @pnpm/installing.client@1100.0.10
+  - @pnpm/store.controller@1101.0.3
+  - @pnpm/installing.env-installer@1101.0.5
+  - @pnpm/deps.graph-hasher@1100.1.3
+  - @pnpm/resolving.npm-resolver@1101.0.2
+  - @pnpm/store.connection-manager@1100.0.11
+
 ## 1101.1.6
 
 ### Patch Changes

engine/pm/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.pm.commands",
-  "version": "1101.1.6",
+  "version": "1101.1.7",
   "description": "pnpm commands for self-updating and setting up pnpm",
   "keywords": [
     "pnpm",

engine/runtime/bun-resolver/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @pnpm/resolving.bun-resolver
 
+## 1101.0.3
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/resolving.resolver-base@1100.1.2
+  - @pnpm/fetching.fetcher-base@1100.1.2
+  - @pnpm/resolving.npm-resolver@1101.0.2
+  - @pnpm/fetching.binary-fetcher@1101.0.3
+  - @pnpm/worker@1100.1.2
+
 ## 1101.0.2
 
 ### Patch Changes

engine/runtime/bun-resolver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.runtime.bun-resolver",
-  "version": "1101.0.2",
+  "version": "1101.0.3",
   "description": "Resolves the Bun runtime",
   "keywords": [
     "pnpm",

engine/runtime/commands/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/engine.runtime.commands
 
+## 1100.0.11
+
+### Patch Changes
+
+- Updated dependencies [707a879]
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/engine.runtime.node-resolver@1101.0.5
+
 ## 1100.0.10
 
 ### Patch Changes

engine/runtime/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.runtime.commands",
-  "version": "1100.0.10",
+  "version": "1100.0.11",
   "description": "pnpm commands for managing runtimes",
   "keywords": [
     "pnpm",

engine/runtime/deno-resolver/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @pnpm/resolving.deno-resolver
 
+## 1101.0.3
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/resolving.resolver-base@1100.1.2
+  - @pnpm/fetching.fetcher-base@1100.1.2
+  - @pnpm/resolving.npm-resolver@1101.0.2
+  - @pnpm/fetching.binary-fetcher@1101.0.3
+  - @pnpm/worker@1100.1.2
+
 ## 1101.0.2
 
 ### Patch Changes

engine/runtime/deno-resolver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.runtime.deno-resolver",
-  "version": "1101.0.2",
+  "version": "1101.0.3",
   "description": "Resolves the Deno runtime",
   "keywords": [
     "pnpm",

engine/runtime/node-resolver/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/node.resolver
 
+## 1101.0.5
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+- Updated dependencies [707a879]
+  - @pnpm/resolving.resolver-base@1100.1.2
+  - @pnpm/config.reader@1101.2.1
+
 ## 1101.0.4
 
 ### Patch Changes

engine/runtime/node-resolver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.runtime.node-resolver",
-  "version": "1101.0.4",
+  "version": "1101.0.5",
   "description": "Resolves a Node.js version specifier to an exact Node.js version",
   "keywords": [
     "pnpm",

exec/commands/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @pnpm/plugin-commands-script-runners
 
+## 1100.1.2
+
+### Patch Changes
+
+- Updated dependencies [707a879]
+  - @pnpm/config.reader@1101.2.1
+  - @pnpm/building.commands@1100.0.12
+  - @pnpm/installing.commands@1100.1.10
+  - @pnpm/workspace.injected-deps-syncer@1100.0.7
+  - @pnpm/installing.client@1100.0.10
+  - @pnpm/deps.status@1100.0.10
+  - @pnpm/engine.runtime.commands@1100.0.11
+  - @pnpm/exec.lifecycle@1100.0.6
+  - @pnpm/crypto.hash@1100.0.1
+
 ## 1100.1.1
 
 ### Patch Changes

exec/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/exec.commands",
-  "version": "1100.1.1",
+  "version": "1100.1.2",
   "description": "Commands for running scripts",
   "keywords": [
     "pnpm",

exec/lifecycle/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/lifecycle
 
+## 1100.0.6
+
+### Patch Changes
+
+- @pnpm/fetching.directory-fetcher@1100.0.6
+- @pnpm/store.controller-types@1100.0.5
+
 ## 1100.0.5
 
 ### Patch Changes

exec/lifecycle/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/exec.lifecycle",
-  "version": "1100.0.5",
+  "version": "1100.0.6",
   "description": "Package lifecycle hook runner",
   "keywords": [
     "pnpm",

exec/prepare-package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/prepare-package
 
+## 1100.0.6
+
+### Patch Changes
+
+- @pnpm/exec.lifecycle@1100.0.6
+
 ## 1100.0.5
 
 ### Patch Changes

exec/prepare-package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/exec.prepare-package",
-  "version": "1100.0.5",
+  "version": "1100.0.6",
   "description": "Prepares a Git-hosted package",
   "keywords": [
     "pnpm",

fetching/binary-fetcher/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/fetching.binary-fetcher
 
+## 1101.0.3
+
+### Patch Changes
+
+- @pnpm/fetching.fetcher-base@1100.1.2
+- @pnpm/worker@1100.1.2
+
 ## 1101.0.2
 
 ### Patch Changes

fetching/binary-fetcher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/fetching.binary-fetcher",
-  "version": "1101.0.2",
+  "version": "1101.0.3",
   "description": "A fetcher for binary archives",
   "keywords": [
     "pnpm",

fetching/directory-fetcher/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/directory-fetcher
 
+## 1100.0.6
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/resolving.resolver-base@1100.1.2
+  - @pnpm/fetching.fetcher-base@1100.1.2
+
 ## 1100.0.5
 
 ### Patch Changes

fetching/directory-fetcher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/fetching.directory-fetcher",
-  "version": "1100.0.5",
+  "version": "1100.0.6",
   "description": "A fetcher for local directory packages",
   "keywords": [
     "pnpm",

fetching/fetcher-base/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/fetcher-base
 
+## 1100.1.2
+
+### Patch Changes
+
+- Updated dependencies [27425d7]
+  - @pnpm/resolving.resolver-base@1100.1.2
+
 ## 1100.1.1
 
 ### Patch Changes

fetching/fetcher-base/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/fetching.fetcher-base",
-  "version": "1100.1.1",
+  "version": "1100.1.2",
   "description": "Types for pnpm-compatible fetchers",
   "keywords": [
     "pnpm",

fetching/git-fetcher/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/git-fetcher
 
+## 1101.0.2
+
+### Patch Changes
+
+- @pnpm/fetching.fetcher-base@1100.1.2
+- @pnpm/exec.prepare-package@1100.0.6
+- @pnpm/worker@1100.1.2
+
 ## 1101.0.1
 
 ### Patch Changes

fetching/git-fetcher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/fetching.git-fetcher",
-  "version": "1101.0.1",
+  "version": "1101.0.2",
   "description": "A fetcher for git-hosted packages",
   "keywords": [
     "pnpm",

fetching/pick-fetcher/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @pnpm/pick-fetcher
 
+## 1100.0.5
+
+### Patch Changes
+
+- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
+
+  A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.
+
+- Updated dependencies [27425d7]
+  - @pnpm/resolving.resolver-base@1100.1.2
+  - @pnpm/hooks.types@1100.0.5
+  - @pnpm/fetching.fetcher-base@1100.1.2
+
 ## 1100.0.4
 
 ### Patch Changes

fetching/pick-fetcher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/fetching.pick-fetcher",
-  "version": "1100.0.4",
+  "version": "1100.0.5",
   "description": "Pick a package fetcher by type",
   "keywords": [
     "pnpm",

fetching/tarball-fetcher/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/tarball-fetcher
 
+## 1101.0.2
+
+### Patch Changes
+
+- 27425d7: Pin the integrity of git-hosted tarballs (codeload.github.com, gitlab.com, bitbucket.org) in the lockfile so that subsequent installs detect a tampered or substituted tarball and refuse to install it. Previously the lockfile only stored the tarball URL for git dependencies, so a compromised git host or a man-in-the-middle could serve arbitrary code on later installs without lockfile changes.
+
+  A new `gitHosted: true` field is recorded on git-hosted tarball resolutions in the lockfile, letting every reader/writer route them by a single typed check instead of pattern-matching the tarball URL in each call site. Lockfiles written by older pnpm versions are enriched on load (URL fallback) so the field can be relied on uniformly across the codebase.
+
+  - @pnpm/fetching.fetcher-base@1100.1.2
+  - @pnpm/exec.prepare-package@1100.0.6
+  - @pnpm/worker@1100.1.2
+
 ## 1101.0.1
 
 ### Patch Changes