chore(release): 11.1.3 (#11717)

2026-05-18 13:51:38 -04:00 · 2026-05-18 15:42:32 +02:00
parent 2a9bd897bf
commit cd80b2c8ae
266 changed files with 2128 additions and 319 deletions
--- a/.changeset-released/bump-versions.txt
+++ b/.changeset-released/bump-versions.txt
@@ -0,0 +1,17 @@
+attestation-first-min-release-age
+auto-collect-minimum-release-age-exclude
+cache-aware-minimum-release-age-gate
+clear-password-padding
+fix-11655-self-update-minimum-release-age
+fix-global-allow-builds
+fix-verify-deps-silent-install
+floppy-parents-teach
+gvs-engine-name-shell-node
+gvs-engine-per-snapshot-runtime-pin
+lockfile-verification-progress-logs
+oidc-unresolved-env-placeholder
+pmonfail-default-devengines-11676
+record-locally-resolved-lockfile-verified
+revalidate-minimum-release-age
+sync-env-lockfile-when-missing-11674
+warn-deprecated-pnpm-field-11677
--- a/.changeset/attestation-first-min-release-age.md
+++ b/.changeset/attestation-first-min-release-age.md
@@ -1,8 +0,0 @@
---
-"@pnpm/resolving.npm-resolver": minor
-"pnpm": patch
---
-
-Sped up the `minimumReleaseAge` lockfile verification gate on cold-cache installs by trying npm's `/-/npm/v1/attestations/<name>@<version>` endpoint before fetching the full metadata document. The attestation response is tens of KB versus the multi-MB full metadata, so `--frozen-lockfile` installs against a fleet of provenance-published packages download far less to verify timestamps.
-
-The publish time comes from `bundle.verificationMaterial.tlogEntries[].integratedTime` (the Rekor inclusion time, a couple of seconds after the actual publish — close enough for a policy that operates in minutes/hours/days). When the local full-metadata mirror already has the timestamp, or the attestation endpoint 404s / errors, the verifier falls back to the existing `fetchFullMetadataCached` path. Sigstore signature verification is not performed; the trust model is unchanged versus reading the registry's `time` field on the full metadata document [#11687](https://github.com/pnpm/pnpm/issues/11687).
--- a/.changeset/auto-collect-minimum-release-age-exclude.md
+++ b/.changeset/auto-collect-minimum-release-age-exclude.md
@@ -1,27 +0,0 @@
---
-"@pnpm/resolving.resolver-base": minor
-"@pnpm/store.controller-types": minor
-"@pnpm/resolving.npm-resolver": minor
-"@pnpm/resolving.default-resolver": minor
-"@pnpm/installing.client": minor
-"@pnpm/installing.deps-resolver": minor
-"@pnpm/installing.deps-installer": minor
-"@pnpm/installing.commands": minor
-"@pnpm/store.connection-manager": minor
-"@pnpm/deps.inspection.outdated": patch
-"@pnpm/engine.pm.commands": patch
-"@pnpm/exec.commands": patch
-"@pnpm/cli.default-reporter": patch
-"pnpm": minor
---
-
-Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users:
-
-1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone.
-2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it.
-3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct *and* transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive.
-4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list.
-
-5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache).
-
-Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens.
--- a/.changeset/cache-aware-minimum-release-age-gate.md
+++ b/.changeset/cache-aware-minimum-release-age-gate.md
@@ -1,14 +0,0 @@
---
-"@pnpm/resolving.resolver-base": minor
-"@pnpm/resolving.npm-resolver": minor
-"@pnpm/resolving.default-resolver": minor
-"@pnpm/installing.client": minor
-"@pnpm/store.connection-manager": minor
-"@pnpm/testing.temp-store": minor
-"@pnpm/installing.deps-installer": minor
-"pnpm": patch
---
-
-Restructured the `minimumReleaseAge` lockfile revalidation gate around a generic `ResolutionVerifier` interface. Each resolver may now export a sibling verifier factory (today: `createNpmResolutionVerifier`) that re-checks an already-resolved lockfile entry against its policies; the resolver chain returns the verifier list as `resolutionVerifiers` and the install side fans out across it. A `ResolutionVerifier` carries `verify` plus `policy` and `canTrustPastCheck` — the cache contract that lets repeat installs against an unchanged lockfile skip the per-package registry round trip entirely.
-
-Verification results are memoized in JSON Lines at `<cacheDir>/lockfile-verified.jsonl`: a stat-only fast path matches on lockfile size, mtime, and inode, falling back to a content hash when those drift (typical after a CI checkout). Every active verifier's policy contribution is merged into a single `policy` bag on the record; the gate runs in full whenever the lockfile changes, any verifier rejects the cached policy, or no record exists [#11687](https://github.com/pnpm/pnpm/issues/11687).
--- a/.changeset/clear-password-padding.md
+++ b/.changeset/clear-password-padding.md
@@ -1,6 +0,0 @@
---
-"@pnpm/config.reader": patch
-"pnpm": patch
---
-
-Allow redundant trailing base64 padding in `.npmrc` auth values and report invalid auth base64 with a pnpm error.
--- a/.changeset/fix-11655-self-update-minimum-release-age.md
+++ b/.changeset/fix-11655-self-update-minimum-release-age.md
@@ -1,14 +0,0 @@
---
-"@pnpm/config.version-policy": minor
-"@pnpm/deps.inspection.outdated": patch
-"@pnpm/engine.pm.commands": patch
-"@pnpm/exec.commands": patch
-"@pnpm/installing.deps-resolver": patch
-"pnpm": patch
---
-
-Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install.
-
-When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`.
-
-Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes.
--- a/.changeset/fix-global-allow-builds.md
+++ b/.changeset/fix-global-allow-builds.md
@@ -1,13 +0,0 @@
---
-"@pnpm/config.reader": patch
-"pnpm": patch
---
-
-**fix**: global installs respect global config build policy (e.g., `dangerouslyAllowAllBuilds` from config.yaml) when GVS is enabled [#9249](https://github.com/pnpm/pnpm/issues/9249).
-
-The global virtual-store (GVS) default `allowBuilds = {}` was applied before workspace manifest settings were read and before global config values (stripped by `extractAndRemoveDependencyBuildOptions`) were re-applied via `globalDepsBuildConfig`. This caused `hasDependencyBuildOptions` to return `true` (because `{}` is not null), blocking restoration of global config values like `dangerouslyAllowAllBuilds`. As a result, global installs skipped all build scripts even when the config explicitly allowed them.
-
-This fix moves the GVS default to **after** workspace manifest reading and `globalDepsBuildConfig` re-application, so that:
-1. Workspace manifest `allowBuilds` takes precedence (if present)
-2. Global config `dangerouslyAllowAllBuilds` is properly restored (if set and no workspace policy exists)
-3. Empty `{}` is only applied as a last resort when no policy is configured anywhere
--- a/.changeset/fix-verify-deps-silent-install.md
+++ b/.changeset/fix-verify-deps-silent-install.md
@@ -1,7 +0,0 @@
---
-"@pnpm/exec.commands": patch
-"@pnpm/exec.pnpm-cli-runner": patch
-"pnpm": patch
---
-
-Honor `--silent` when `verifyDepsBeforeRun: install` auto-installs dependencies before `pnpm run` or `pnpm exec`, preventing install output from being written to stdout [#11636](https://github.com/pnpm/pnpm/issues/11636).
--- a/.changeset/floppy-parents-teach.md
+++ b/.changeset/floppy-parents-teach.md
@@ -1,6 +0,0 @@
---
-"@pnpm/lockfile.fs": patch
-"pnpm": patch
---
-
-Fix lockfile parsing failures when `pnpm-lock.yaml` contains CRLF line endings and multiple YAML documents [#11612](https://github.com/pnpm/pnpm/issues/11612).
--- a/.changeset/gvs-engine-name-shell-node.md
+++ b/.changeset/gvs-engine-name-shell-node.md
@@ -1,31 +0,0 @@
---
-"@pnpm/building.after-install": patch
-"@pnpm/building.during-install": patch
-"@pnpm/deps.graph-builder": patch
-"@pnpm/deps.graph-hasher": patch
-"@pnpm/engine.runtime.system-node-version": minor
-"@pnpm/installing.deps-installer": patch
-"@pnpm/installing.deps-resolver": patch
-"@pnpm/installing.deps-restorer": patch
-"pnpm": patch
---
-
-**fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime.
-
-`ENGINE_NAME` (the `<platform>;<arch>;node<major>` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations:
-
-1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`.
-2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node.
-
-Three changes:
-
- `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`.
- `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:<version>` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up.
- Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through.
-
-On upgrade, two one-time GVS slot churns are possible:
-
- **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce.
- **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on.
-
-In both cases the old slots become prune-eligible.
--- a/.changeset/gvs-engine-per-snapshot-runtime-pin.md
+++ b/.changeset/gvs-engine-per-snapshot-runtime-pin.md
@@ -1,17 +0,0 @@
---
-"@pnpm/deps.graph-hasher": minor
-"pnpm": patch
---
-
-**fix**: resolve the GVS hash's engine portion per-snapshot when a dependency declares its own `engines.runtime`, instead of using an install-wide value.
-
-Pnpm's resolver desugars a dep's `engines.runtime` into `dependencies.node: 'runtime:<version>'`, and the bin linker spawns that dep's lifecycle scripts through the pinned Node downloaded into `<pkgDir>/node_modules/node/`. The GVS hash and the side-effects-cache key prefix were still anchored to the install-wide runtime — so a pinning snapshot's slot encoded the wrong Node major, and a reinstall on the same host could read the cached side-effects under a key whose `<platform>;<arch>;node<major>` triple disagreed with the Node the build actually ran on.
-
-Per-snapshot resolution now matches what `bins/linker` already does on a per-package basis:
-
- `@pnpm/deps.graph-hasher` adds `readSnapshotRuntimePin(children)` — reads the `node` entry from one snapshot's graph children and extracts the version from a `node@runtime:` value. Pairs with the existing `findRuntimeNodeVersion(snapshotKeys)` install-wide fallback (also now exported from `@pnpm/deps.graph-hasher` rather than `@pnpm/engine.runtime.system-node-version`, where it was a poor fit — `system-node-version` is about probing the host Node, not parsing lockfile-derived strings).
- `calcDepState` and `calcGraphNodeHash` consult `readSnapshotRuntimePin(graph[depPath].children)` first and only fall back to the install-wide `nodeVersion` parameter when the snapshot doesn't pin its own Node.
-
-Pacquet mirrors the same precedence at the `calc_graph_node_hash` call site in `package-manager/src/virtual_store_layout.rs` — a new `find_own_runtime_node_major(snapshot)` helper reads each snapshot's `dependencies` for a `node` entry with `Prefix::Runtime` and overrides the install-wide engine when present.
-
-On upgrade, snapshots of dependencies that declare their own `engines.runtime` re-hash under that dep's pinned Node instead of the install-wide value. The old slots become prune-eligible. Closes [#11690](https://github.com/pnpm/pnpm/issues/11690).
--- a/.changeset/lockfile-verification-progress-logs.md
+++ b/.changeset/lockfile-verification-progress-logs.md
@@ -1,10 +0,0 @@
---
-"@pnpm/core-loggers": minor
-"@pnpm/installing.deps-installer": patch
-"@pnpm/cli.default-reporter": minor
-"pnpm": patch
---
-
-The lockfile verifier added in #11705 now emits `pnpm:lockfile-verification` log events (`status: 'started' | 'done'`) around the registry round-trip pass, and the default reporter renders them as a transient progress line so users can see that pnpm is doing work — on a cold registry cache the round-trip can take a noticeable beat, and the previous behavior was complete silence followed by either a long pause or an error. The cached short-circuit stays silent (no logs when no work happens), and the `done` line carries the number of distinct entries that were checked plus the elapsed time.
-
-Pacquet parity: not ported — pacquet doesn't carry the lockfile verifier yet (see the parity note on #11705).
--- a/.changeset/oidc-unresolved-env-placeholder.md
+++ b/.changeset/oidc-unresolved-env-placeholder.md
@@ -1,6 +0,0 @@
---
-"@pnpm/config.reader": patch
-"pnpm": patch
---
-
-Fixed `pnpm publish` failing with a 404 when authentication relied on OIDC trusted publishing alongside an `.npmrc` written by `actions/setup-node` (`_authToken=${NODE_AUTH_TOKEN}`) without `NODE_AUTH_TOKEN` being set. Unresolved `${VAR}` placeholders in auth values are now treated as empty rather than passed through verbatim, so the literal placeholder no longer surfaces as a bearer token when OIDC fallback is the intended auth source [#11513](https://github.com/pnpm/pnpm/issues/11513).
--- a/.changeset/pmonfail-default-devengines-11676.md
+++ b/.changeset/pmonfail-default-devengines-11676.md
@@ -1,8 +0,0 @@
---
-"@pnpm/config.reader": patch
-"pnpm": patch
---
-
-Fix `devEngines.packageManager` (singular form, without `onFail`) defaulting to `onFail: "error"` instead of the documented `pmOnFail: "download"`. As a result, a project that pinned a different pnpm version via `devEngines.packageManager` and ran `pnpm install` from a mismatched pnpm version failed with a hard error, even though the migration table from `managePackageManagerVersions: true` to `pmOnFail: download (default)` promises the install would auto-download the wanted version [#11676](https://github.com/pnpm/pnpm/issues/11676).
-
-The array form of `devEngines.packageManager` keeps its existing per-element defaults (`error` for the last entry, `ignore` for the rest), since those reflect explicit prioritization by the user. Explicit `onFail` values continue to win.
--- a/.changeset/record-locally-resolved-lockfile-verified.md
+++ b/.changeset/record-locally-resolved-lockfile-verified.md
@@ -1,7 +0,0 @@
---
-"@pnpm/installing.deps-installer": patch
-"@pnpm/lockfile.fs": minor
-"pnpm": patch
---
-
-Record the post-resolution lockfile in the verification cache. Previously the cache only captured the lockfile that was loaded at the start of an install, so a flow like `pnpm install <pkg>` followed by `rm -rf node_modules && pnpm install` re-ran the per-package registry round-trip against the newly written lockfile even though the local resolver had already enforced the policy when picking those versions. The fresh lockfile is now recorded immediately after each install-time write, so the second install takes the cache fast path.
--- a/.changeset/revalidate-minimum-release-age.md
+++ b/.changeset/revalidate-minimum-release-age.md
@@ -1,6 +0,0 @@
---
-"@pnpm/installing.deps-installer": minor
-"pnpm": patch
---
-
-`minimumReleaseAge` is now re-checked against `pnpm-lock.yaml` before any tarball is installed, so a freshly-published version pinned in the lockfile (e.g. by a developer who bypassed the policy locally) is no longer installed silently by other consumers or CI. Violating entries abort the install with `ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION`; `minimumReleaseAgeExclude` is honored. [#10438](https://github.com/pnpm/pnpm/issues/10438).
--- a/.changeset/sync-env-lockfile-when-missing-11674.md
+++ b/.changeset/sync-env-lockfile-when-missing-11674.md
@@ -1,5 +0,0 @@
---
-"pnpm": patch
---
-
-Fix `devEngines.packageManager` not writing `packageManagerDependencies` to `pnpm-lock.yaml` when the lockfile lacks an env-doc entry. Previously the lockfile sync skipped resolution unless an existing `packageManagerDependencies.pnpm` entry needed refreshing, so a fresh install without `onFail: "download"` left the resolved pnpm version unrecorded — contradicting the documented behavior that the resolved version is stored in `pnpm-lock.yaml` [#11674](https://github.com/pnpm/pnpm/issues/11674).
--- a/.changeset/warn-deprecated-pnpm-field-11677.md
+++ b/.changeset/warn-deprecated-pnpm-field-11677.md
@@ -1,6 +0,0 @@
---
-"@pnpm/config.reader": patch
-"pnpm": patch
---
-
-Warn when `package.json` contains a legacy `pnpm` field with settings pnpm no longer reads from `package.json` (e.g. `pnpm.overrides`, `pnpm.patchedDependencies`). Previously these were silently ignored after the upgrade from v10, leaving users unaware that their overrides/patched dependencies had stopped taking effect [#11677](https://github.com/pnpm/pnpm/issues/11677).
--- a/.meta-updater/CHANGELOG.md
+++ b/.meta-updater/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @pnpm-private/updater

+## 1100.0.12
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/workspace.projects-reader@1101.0.5
+
 ## 1100.0.11

 ### Patch Changes
--- a/.meta-updater/package.json
+++ b/.meta-updater/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm-private/updater",
-  "version": "1100.0.11",
+  "version": "1100.0.12",
  "private": true,
  "type": "module",
  "scripts": {
--- a/utils/assert-project/CHANGELOG.md
+++ b/utils/assert-project/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @pnpm/assert-project

+## 1100.0.9
+
+### Patch Changes
+
+- @pnpm/lockfile.types@1100.0.6
+- @pnpm/assert-store@1100.0.9
+
 ## 1100.0.8

 ### Patch Changes
--- a/utils/assert-project/package.json
+++ b/utils/assert-project/package.json
@@ -1,7 +1,7 @@
 {
  "name": "@pnpm/assert-project",
  "description": "Utils for testing projects that use pnpm",
-  "version": "1100.0.8",
+  "version": "1100.0.9",
  "author": {
    "name": "Zoltan Kochan",
    "email": "z@kochan.io",
--- a/utils/assert-store/CHANGELOG.md
+++ b/utils/assert-store/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/assert-store

+## 1100.0.9
+
+### Patch Changes
+
+- @pnpm/store.cafs@1100.1.5
+
 ## 1100.0.8

 ### Patch Changes
--- a/utils/assert-store/package.json
+++ b/utils/assert-store/package.json
@@ -1,7 +1,7 @@
 {
  "name": "@pnpm/assert-store",
  "description": "Utils for testing pnpm store",
-  "version": "1100.0.8",
+  "version": "1100.0.9",
  "bugs": {
    "url": "https://github.com/pnpm/pnpm/issues"
  },
--- a/utils/jest-config/CHANGELOG.md
+++ b/utils/jest-config/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/jest-config

+## 1100.0.9
+
+### Patch Changes
+
+- @pnpm/worker@1100.1.6
+
 ## 1100.0.8

 ### Patch Changes
--- a/utils/jest-config/package.json
+++ b/utils/jest-config/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/jest-config",
-  "version": "1100.0.8",
+  "version": "1100.0.9",
  "private": true,
  "main": "jest-preset.js",
  "type": "module",
--- a/utils/prepare/CHANGELOG.md
+++ b/utils/prepare/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/prepare

+## 1100.0.9
+
+### Patch Changes
+
+- @pnpm/assert-project@1100.0.9
+
 ## 1100.0.8

 ### Patch Changes
--- a/utils/prepare/package.json
+++ b/utils/prepare/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/prepare",
-  "version": "1100.0.8",
+  "version": "1100.0.9",
  "main": "lib/index.js",
  "types": "lib/index.d.ts",
  "type": "module",
--- a/utils/scripts/CHANGELOG.md
+++ b/utils/scripts/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/scripts

+## 1100.0.8
+
+### Patch Changes
+
+- @pnpm/workspace.projects-reader@1101.0.5
+
 ## 1100.0.7

 ### Patch Changes
--- a/utils/scripts/package.json
+++ b/utils/scripts/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/scripts",
-  "version": "1100.0.7",
+  "version": "1100.0.8",
  "private": true,
  "type": "module",
  "scripts": {
--- a/agent/client/CHANGELOG.md
+++ b/agent/client/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @pnpm/agent.client

+## 1.0.6
+
+### Patch Changes
+
+- @pnpm/lockfile.types@1100.0.6
+- @pnpm/store.cafs@1100.1.5
+- @pnpm/worker@1100.1.6
+
 ## 1.0.5

 ### Patch Changes
--- a/agent/client/package.json
+++ b/agent/client/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/agent.client",
-  "version": "1.0.5",
+  "version": "1.0.6",
  "description": "Client for pnpm agent server — sends store state, receives resolved lockfile and missing files",
  "keywords": [
    "pnpm",
--- a/agent/server/CHANGELOG.md
+++ b/agent/server/CHANGELOG.md
@@ -1,5 +1,23 @@
 # pnpm-agent

+## 0.0.15
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [6e93f35]
+- Updated dependencies [3ddde2b]
+- Updated dependencies [4a79336]
+- Updated dependencies [2a9bd89]
+- Updated dependencies [31538bf]
+  - @pnpm/installing.client@1100.1.0
+  - @pnpm/installing.deps-installer@1101.2.0
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/lockfile.types@1100.0.6
+  - @pnpm/store.controller@1101.0.7
+  - @pnpm/store.cafs@1100.1.5
+
 ## 0.0.14

 ### Patch Changes
--- a/agent/server/package.json
+++ b/agent/server/package.json
@@ -1,6 +1,6 @@
 {
  "name": "pnpm-agent",
-  "version": "0.0.14",
+  "version": "0.0.15",
  "description": "pnpm agent server for server-side resolution and store-aware downloads",
  "keywords": [
    "pnpm",
--- a/auth/commands/CHANGELOG.md
+++ b/auth/commands/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/auth.commands

+## 1100.0.14
+
+### Patch Changes
+
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/network.fetch@1100.0.5
+  - @pnpm/cli.utils@1101.0.5
+
 ## 1100.0.13

 ### Patch Changes
--- a/auth/commands/package.json
+++ b/auth/commands/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/auth.commands",
-  "version": "1100.0.13",
+  "version": "1100.0.14",
  "description": "Commands for authentication with npm registries",
  "keywords": [
    "pnpm",
--- a/bins/linker/CHANGELOG.md
+++ b/bins/linker/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @pnpm/link-bins

+## 1100.0.7
+
+### Patch Changes
+
+- @pnpm/pkg-manifest.utils@1100.1.4
+- @pnpm/workspace.project-manifest-reader@1100.0.6
+
 ## 1100.0.6

 ### Patch Changes
--- a/bins/linker/package.json
+++ b/bins/linker/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/bins.linker",
-  "version": "1100.0.6",
+  "version": "1100.0.7",
  "description": "Link bins to node_modules/.bin",
  "keywords": [
    "pnpm",
--- a/bins/remover/CHANGELOG.md
+++ b/bins/remover/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @pnpm/remove-bins

+## 1100.0.4
+
+### Patch Changes
+
+- Updated dependencies [4a79336]
+  - @pnpm/core-loggers@1100.1.0
+
 ## 1100.0.3

 ### Patch Changes
--- a/bins/remover/package.json
+++ b/bins/remover/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/bins.remover",
-  "version": "1100.0.3",
+  "version": "1100.0.4",
  "description": "Remove bins from .bin",
  "keywords": [
    "pnpm",
--- a/building/after-install/CHANGELOG.md
+++ b/building/after-install/CHANGELOG.md
@@ -1,5 +1,54 @@
 # @pnpm/building.after-install

+## 1101.0.13
+
+### Patch Changes
+
+- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime.
+
+  `ENGINE_NAME` (the `<platform>;<arch>;node<major>` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations:
+
+  1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`.
+  2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node.
+
+  Three changes:
+
+  - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`.
+  - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:<version>` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up.
+  - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through.
+
+  On upgrade, two one-time GVS slot churns are possible:
+
+  - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce.
+  - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on.
+
+  In both cases the old slots become prune-eligible.
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [3ddde2b]
+- Updated dependencies [5dc8be8]
+- Updated dependencies [4a79336]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+  - @pnpm/store.controller-types@1100.1.0
+  - @pnpm/store.connection-manager@1100.2.0
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/deps.graph-hasher@1100.2.0
+  - @pnpm/core-loggers@1100.1.0
+  - @pnpm/installing.context@1100.0.11
+  - @pnpm/lockfile.types@1100.0.6
+  - @pnpm/lockfile.utils@1100.0.8
+  - @pnpm/exec.lifecycle@1100.0.11
+  - @pnpm/store.cafs@1100.1.5
+  - @pnpm/building.policy@1100.0.5
+  - @pnpm/lockfile.walker@1100.0.6
+  - @pnpm/worker@1100.1.6
+  - @pnpm/bins.linker@1100.0.7
+
 ## 1101.0.12

 ### Patch Changes
--- a/building/after-install/package.json
+++ b/building/after-install/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/building.after-install",
-  "version": "1101.0.12",
+  "version": "1101.0.13",
  "description": "Rebuild packages that are already installed by running their lifecycle scripts",
  "keywords": [
    "pnpm",
--- a/building/commands/CHANGELOG.md
+++ b/building/commands/CHANGELOG.md
@@ -1,5 +1,24 @@
 # @pnpm/building.commands

+## 1100.0.18
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [3ddde2b]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+  - @pnpm/installing.commands@1100.3.0
+  - @pnpm/store.connection-manager@1100.2.0
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/building.after-install@1101.0.13
+  - @pnpm/cli.utils@1101.0.5
+  - @pnpm/config.writer@1100.0.8
+
 ## 1100.0.17

 ### Patch Changes
--- a/building/commands/package.json
+++ b/building/commands/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/building.commands",
-  "version": "1100.0.17",
+  "version": "1100.0.18",
  "description": "Commands for rebuilding and managing dependency builds",
  "keywords": [
    "pnpm",
--- a/building/during-install/CHANGELOG.md
+++ b/building/during-install/CHANGELOG.md
@@ -1,5 +1,48 @@
 # @pnpm/building.during-install

+## 1101.0.11
+
+### Patch Changes
+
+- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime.
+
+  `ENGINE_NAME` (the `<platform>;<arch>;node<major>` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations:
+
+  1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`.
+  2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node.
+
+  Three changes:
+
+  - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`.
+  - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:<version>` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up.
+  - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through.
+
+  On upgrade, two one-time GVS slot churns are possible:
+
+  - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce.
+  - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on.
+
+  In both cases the old slots become prune-eligible.
+
+- Updated dependencies [4195766]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [3ddde2b]
+- Updated dependencies [5dc8be8]
+- Updated dependencies [4a79336]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+  - @pnpm/store.controller-types@1100.1.0
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/deps.graph-hasher@1100.2.0
+  - @pnpm/core-loggers@1100.1.0
+  - @pnpm/exec.lifecycle@1100.0.11
+  - @pnpm/worker@1100.1.6
+  - @pnpm/bins.linker@1100.0.7
+  - @pnpm/fs.hard-link-dir@1100.0.1
+  - @pnpm/patching.apply-patch@1100.0.0
+
 ## 1101.0.10

 ### Patch Changes
--- a/building/during-install/package.json
+++ b/building/during-install/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/building.during-install",
-  "version": "1101.0.10",
+  "version": "1101.0.11",
  "description": "Build packages in node_modules",
  "keywords": [
    "pnpm",
--- a/building/policy/CHANGELOG.md
+++ b/building/policy/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @pnpm/building.policy

+## 1100.0.5
+
+### Patch Changes
+
+- Updated dependencies [b6e2c8c]
+  - @pnpm/config.version-policy@1100.1.0
+
 ## 1100.0.4

 ### Patch Changes
--- a/building/policy/package.json
+++ b/building/policy/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/building.policy",
-  "version": "1100.0.4",
+  "version": "1100.0.5",
  "description": "Create a function for filtering out dependencies that are not allowed to be built",
  "keywords": [
    "pnpm",
--- a/cache/api/CHANGELOG.md
+++ b/cache/api/CHANGELOG.md
@@ -1,5 +1,21 @@
 # @pnpm/cache.api

+## 1100.0.13
+
+### Patch Changes
+
+- Updated dependencies [963861c]
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+  - @pnpm/resolving.npm-resolver@1101.2.0
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/store.cafs@1100.1.5
+
 ## 1100.0.12

 ### Patch Changes
--- a/cache/api/package.json
+++ b/cache/api/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/cache.api",
-  "version": "1100.0.12",
+  "version": "1100.0.13",
  "description": "API for controlling the cache",
  "keywords": [
    "pnpm",
--- a/cache/commands/CHANGELOG.md
+++ b/cache/commands/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/cache.commands

+## 1100.0.14
+
+### Patch Changes
+
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/cache.api@1100.0.13
+  - @pnpm/cli.utils@1101.0.5
+
 ## 1100.0.13

 ### Patch Changes
--- a/cache/commands/package.json
+++ b/cache/commands/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/cache.commands",
-  "version": "1100.0.13",
+  "version": "1100.0.14",
  "description": "Commands for controlling the cache",
  "keywords": [
    "pnpm",
--- a/cli/commands/CHANGELOG.md
+++ b/cli/commands/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/cli.commands

+## 1100.0.13
+
+### Patch Changes
+
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/cli.utils@1101.0.5
+  - @pnpm/workspace.projects-reader@1101.0.5
+
 ## 1100.0.12

 ### Patch Changes
--- a/cli/commands/package.json
+++ b/cli/commands/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/cli.commands",
-  "version": "1100.0.12",
+  "version": "1100.0.13",
  "description": "Commands for pnpm CLI",
  "keywords": [
    "pnpm",
--- a/cli/default-reporter/CHANGELOG.md
+++ b/cli/default-reporter/CHANGELOG.md
@@ -1,5 +1,35 @@
 # @pnpm/default-reporter

+## 1100.2.0
+
+### Minor Changes
+
+- 4a79336: The lockfile verifier added in #11705 now emits `pnpm:lockfile-verification` log events (`status: 'started' | 'done'`) around the registry round-trip pass, and the default reporter renders them as a transient progress line so users can see that pnpm is doing work — on a cold registry cache the round-trip can take a noticeable beat, and the previous behavior was complete silence followed by either a long pause or an error. The cached short-circuit stays silent (no logs when no work happens), and the `done` line carries the number of distinct entries that were checked plus the elapsed time.
+
+  Pacquet parity: not ported — pacquet doesn't carry the lockfile verifier yet (see the parity note on #11705).
+
+### Patch Changes
+
+- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users:
+
+  1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone.
+  2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it.
+  3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive.
+  4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list.
+
+  5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache).
+
+  Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens.
+
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [4a79336]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/core-loggers@1100.1.0
+
 ## 1100.1.2

 ### Patch Changes
--- a/cli/default-reporter/package.json
+++ b/cli/default-reporter/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/cli.default-reporter",
-  "version": "1100.1.2",
+  "version": "1100.2.0",
  "description": "The default reporter of pnpm",
  "keywords": [
    "pnpm",
--- a/cli/utils/CHANGELOG.md
+++ b/cli/utils/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @pnpm/cli-utils

+## 1101.0.5
+
+### Patch Changes
+
+- @pnpm/config.package-is-installable@1100.0.5
+- @pnpm/pkg-manifest.utils@1100.1.4
+- @pnpm/workspace.project-manifest-reader@1100.0.6
+
 ## 1101.0.4

 ### Patch Changes
--- a/cli/utils/package.json
+++ b/cli/utils/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/cli.utils",
-  "version": "1101.0.4",
+  "version": "1101.0.5",
  "description": "Utils for pnpm commands",
  "keywords": [
    "pnpm",
--- a/config/commands/CHANGELOG.md
+++ b/config/commands/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/plugin-commands-config

+## 1100.0.14
+
+### Patch Changes
+
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/workspace.workspace-manifest-writer@1100.0.8
+  - @pnpm/cli.utils@1101.0.5
+
 ## 1100.0.13

 ### Patch Changes
--- a/config/commands/package.json
+++ b/config/commands/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/config.commands",
-  "version": "1100.0.13",
+  "version": "1100.0.14",
  "description": "Commands for reading and writing settings to/from config files",
  "keywords": [
    "pnpm",
--- a/config/package-is-installable/CHANGELOG.md
+++ b/config/package-is-installable/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @pnpm/package-is-installable

+## 1100.0.5
+
+### Patch Changes
+
+- Updated dependencies [3ddde2b]
+- Updated dependencies [4a79336]
+  - @pnpm/engine.runtime.system-node-version@1100.1.0
+  - @pnpm/core-loggers@1100.1.0
+
 ## 1100.0.4

 ### Patch Changes
--- a/config/package-is-installable/package.json
+++ b/config/package-is-installable/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/config.package-is-installable",
-  "version": "1100.0.4",
+  "version": "1100.0.5",
  "description": "Checks if a package is installable on the current system",
  "keywords": [
    "pnpm",
--- a/config/reader/CHANGELOG.md
+++ b/config/reader/CHANGELOG.md
@@ -1,5 +1,30 @@
 # @pnpm/config

+## 1101.3.2
+
+### Patch Changes
+
+- 020ac45: Allow redundant trailing base64 padding in `.npmrc` auth values and report invalid auth base64 with a pnpm error.
+- d3f8408: **fix**: global installs respect global config build policy (e.g., `dangerouslyAllowAllBuilds` from config.yaml) when GVS is enabled [#9249](https://github.com/pnpm/pnpm/issues/9249).
+
+  The global virtual-store (GVS) default `allowBuilds = {}` was applied before workspace manifest settings were read and before global config values (stripped by `extractAndRemoveDependencyBuildOptions`) were re-applied via `globalDepsBuildConfig`. This caused `hasDependencyBuildOptions` to return `true` (because `{}` is not null), blocking restoration of global config values like `dangerouslyAllowAllBuilds`. As a result, global installs skipped all build scripts even when the config explicitly allowed them.
+
+  This fix moves the GVS default to **after** workspace manifest reading and `globalDepsBuildConfig` re-application, so that:
+
+  1. Workspace manifest `allowBuilds` takes precedence (if present)
+  2. Global config `dangerouslyAllowAllBuilds` is properly restored (if set and no workspace policy exists)
+  3. Empty `{}` is only applied as a last resort when no policy is configured anywhere
+
+- a62f959: Fixed `pnpm publish` failing with a 404 when authentication relied on OIDC trusted publishing alongside an `.npmrc` written by `actions/setup-node` (`_authToken=${NODE_AUTH_TOKEN}`) without `NODE_AUTH_TOKEN` being set. Unresolved `${VAR}` placeholders in auth values are now treated as empty rather than passed through verbatim, so the literal placeholder no longer surfaces as a bearer token when OIDC fallback is the intended auth source [#11513](https://github.com/pnpm/pnpm/issues/11513).
+- ba2c884: Fix `devEngines.packageManager` (singular form, without `onFail`) defaulting to `onFail: "error"` instead of the documented `pmOnFail: "download"`. As a result, a project that pinned a different pnpm version via `devEngines.packageManager` and ran `pnpm install` from a mismatched pnpm version failed with a hard error, even though the migration table from `managePackageManagerVersions: true` to `pmOnFail: download (default)` promises the install would auto-download the wanted version [#11676](https://github.com/pnpm/pnpm/issues/11676).
+
+  The array form of `devEngines.packageManager` keeps its existing per-element defaults (`error` for the last entry, `ignore` for the rest), since those reflect explicit prioritization by the user. Explicit `onFail` values continue to win.
+
+- 8df408c: Warn when `package.json` contains a legacy `pnpm` field with settings pnpm no longer reads from `package.json` (e.g. `pnpm.overrides`, `pnpm.patchedDependencies`). Previously these were silently ignored after the upgrade from v10, leaving users unaware that their overrides/patched dependencies had stopped taking effect [#11677](https://github.com/pnpm/pnpm/issues/11677).
+  - @pnpm/hooks.pnpmfile@1100.0.9
+  - @pnpm/pkg-manifest.utils@1100.1.4
+  - @pnpm/workspace.project-manifest-reader@1100.0.6
+
 ## 1101.3.1

 ### Patch Changes
--- a/config/reader/package.json
+++ b/config/reader/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/config.reader",
-  "version": "1101.3.1",
+  "version": "1101.3.2",
  "description": "Gets configuration options for pnpm",
  "keywords": [
    "pnpm",
--- a/config/version-policy/CHANGELOG.md
+++ b/config/version-policy/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @pnpm/config.version-policy

+## 1100.1.0
+
+### Minor Changes
+
+- b6e2c8c: Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install.
+
+  When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`.
+
+  Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes.
+
 ## 1100.0.3

 ### Patch Changes
--- a/config/version-policy/package.json
+++ b/config/version-policy/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/config.version-policy",
-  "version": "1100.0.3",
+  "version": "1100.1.0",
  "description": "Parses and evaluates package version policy specs and produces package-version matchers",
  "keywords": [
    "pnpm",
--- a/config/writer/CHANGELOG.md
+++ b/config/writer/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/config.config-writer

+## 1100.0.8
+
+### Patch Changes
+
+- @pnpm/workspace.workspace-manifest-writer@1100.0.8
+
 ## 1100.0.7

 ### Patch Changes
--- a/config/writer/package.json
+++ b/config/writer/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/config.writer",
-  "version": "1100.0.7",
+  "version": "1100.0.8",
  "description": "Functions for updating the configuration settings",
  "keywords": [
    "pnpm",
--- a/core/core-loggers/CHANGELOG.md
+++ b/core/core-loggers/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @pnpm/core-loggers

+## 1100.1.0
+
+### Minor Changes
+
+- 4a79336: The lockfile verifier added in #11705 now emits `pnpm:lockfile-verification` log events (`status: 'started' | 'done'`) around the registry round-trip pass, and the default reporter renders them as a transient progress line so users can see that pnpm is doing work — on a cold registry cache the round-trip can take a noticeable beat, and the previous behavior was complete silence followed by either a long pause or an error. The cached short-circuit stays silent (no logs when no work happens), and the `done` line carries the number of distinct entries that were checked plus the elapsed time.
+
+  Pacquet parity: not ported — pacquet doesn't carry the lockfile verifier yet (see the parity note on #11705).
+
 ## 1100.0.2

 ### Patch Changes
--- a/core/core-loggers/package.json
+++ b/core/core-loggers/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/core-loggers",
-  "version": "1100.0.2",
+  "version": "1100.1.0",
  "description": "Core loggers of pnpm",
  "keywords": [
    "pnpm",
--- a/deps/compliance/audit/CHANGELOG.md
+++ b/deps/compliance/audit/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/audit

+## 1101.0.8
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/lockfile.types@1100.0.6
+  - @pnpm/lockfile.utils@1100.0.8
+  - @pnpm/network.fetch@1100.0.5
+  - @pnpm/lockfile.detect-dep-types@1100.0.6
+  - @pnpm/lockfile.walker@1100.0.6
+
 ## 1101.0.7

 ### Patch Changes
--- a/deps/compliance/audit/package.json
+++ b/deps/compliance/audit/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.compliance.audit",
-  "version": "1101.0.7",
+  "version": "1101.0.8",
  "description": "Audit a lockfile",
  "keywords": [
    "pnpm",
--- a/deps/compliance/commands/CHANGELOG.md
+++ b/deps/compliance/commands/CHANGELOG.md
@@ -1,5 +1,31 @@
 # @pnpm/deps.compliance.commands

+## 1101.2.3
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [6e93f35]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [2a9bd89]
+- Updated dependencies [8df408c]
+  - @pnpm/installing.commands@1100.3.0
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/deps.compliance.sbom@1100.1.2
+  - @pnpm/lockfile.types@1100.0.6
+  - @pnpm/lockfile.utils@1100.0.8
+  - @pnpm/deps.compliance.audit@1101.0.8
+  - @pnpm/deps.compliance.license-scanner@1100.0.12
+  - @pnpm/lockfile.walker@1100.0.6
+  - @pnpm/cli.utils@1101.0.5
+  - @pnpm/deps.security.signatures@1101.1.2
+  - @pnpm/workspace.project-manifest-reader@1100.0.6
+  - @pnpm/config.writer@1100.0.8
+
 ## 1101.2.2

 ### Patch Changes
--- a/deps/compliance/commands/package.json
+++ b/deps/compliance/commands/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.compliance.commands",
-  "version": "1101.2.2",
+  "version": "1101.2.3",
  "description": "pnpm commands for audit, licenses, and sbom",
  "keywords": [
    "pnpm",
--- a/deps/compliance/license-scanner/CHANGELOG.md
+++ b/deps/compliance/license-scanner/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @pnpm/license-scanner

+## 1100.0.12
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/lockfile.types@1100.0.6
+  - @pnpm/lockfile.utils@1100.0.8
+  - @pnpm/store.pkg-finder@1100.0.10
+  - @pnpm/config.package-is-installable@1100.0.5
+  - @pnpm/lockfile.detect-dep-types@1100.0.6
+  - @pnpm/lockfile.walker@1100.0.6
+
 ## 1100.0.11

 ### Patch Changes
--- a/deps/compliance/license-scanner/package.json
+++ b/deps/compliance/license-scanner/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.compliance.license-scanner",
-  "version": "1100.0.11",
+  "version": "1100.0.12",
  "description": "Check for licenses packages",
  "keywords": [
    "pnpm",
--- a/deps/compliance/sbom/CHANGELOG.md
+++ b/deps/compliance/sbom/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/deps.compliance.sbom

+## 1100.1.2
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+  - @pnpm/resolving.resolver-base@1100.2.0
+  - @pnpm/lockfile.types@1100.0.6
+  - @pnpm/lockfile.utils@1100.0.8
+  - @pnpm/store.pkg-finder@1100.0.10
+  - @pnpm/lockfile.detect-dep-types@1100.0.6
+  - @pnpm/lockfile.walker@1100.0.6
+
 ## 1100.1.1

 ### Patch Changes
--- a/deps/compliance/sbom/package.json
+++ b/deps/compliance/sbom/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.compliance.sbom",
-  "version": "1100.1.1",
+  "version": "1100.1.2",
  "description": "Generate SBOM from pnpm lockfile",
  "keywords": [
    "pnpm",
--- a/deps/graph-builder/CHANGELOG.md
+++ b/deps/graph-builder/CHANGELOG.md
@@ -1,5 +1,43 @@
 # @pnpm/deps.graph-builder

+## 1100.0.10
+
+### Patch Changes
+
+- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime.
+
+  `ENGINE_NAME` (the `<platform>;<arch>;node<major>` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations:
+
+  1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`.
+  2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node.
+
+  Three changes:
+
+  - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`.
+  - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:<version>` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up.
+  - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through.
+
+  On upgrade, two one-time GVS slot churns are possible:
+
+  - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce.
+  - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on.
+
+  In both cases the old slots become prune-eligible.
+
+- Updated dependencies [4195766]
+- Updated dependencies [6e93f35]
+- Updated dependencies [3ddde2b]
+- Updated dependencies [5dc8be8]
+- Updated dependencies [4a79336]
+- Updated dependencies [2a9bd89]
+  - @pnpm/store.controller-types@1100.1.0
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/deps.graph-hasher@1100.2.0
+  - @pnpm/core-loggers@1100.1.0
+  - @pnpm/hooks.types@1100.0.7
+  - @pnpm/lockfile.utils@1100.0.8
+  - @pnpm/config.package-is-installable@1100.0.5
+
 ## 1100.0.9

 ### Patch Changes
--- a/deps/graph-builder/package.json
+++ b/deps/graph-builder/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.graph-builder",
-  "version": "1100.0.9",
+  "version": "1100.0.10",
  "description": "A package for building a dependency graph from a lockfile",
  "keywords": [
    "pnpm",
--- a/deps/graph-hasher/CHANGELOG.md
+++ b/deps/graph-hasher/CHANGELOG.md
@@ -1,5 +1,52 @@
 # @pnpm/calc-dep-state

+## 1100.2.0
+
+### Minor Changes
+
+- 5dc8be8: **fix**: resolve the GVS hash's engine portion per-snapshot when a dependency declares its own `engines.runtime`, instead of using an install-wide value.
+
+  Pnpm's resolver desugars a dep's `engines.runtime` into `dependencies.node: 'runtime:<version>'`, and the bin linker spawns that dep's lifecycle scripts through the pinned Node downloaded into `<pkgDir>/node_modules/node/`. The GVS hash and the side-effects-cache key prefix were still anchored to the install-wide runtime — so a pinning snapshot's slot encoded the wrong Node major, and a reinstall on the same host could read the cached side-effects under a key whose `<platform>;<arch>;node<major>` triple disagreed with the Node the build actually ran on.
+
+  Per-snapshot resolution now matches what `bins/linker` already does on a per-package basis:
+
+  - `@pnpm/deps.graph-hasher` adds `readSnapshotRuntimePin(children)` — reads the `node` entry from one snapshot's graph children and extracts the version from a `node@runtime:` value. Pairs with the existing `findRuntimeNodeVersion(snapshotKeys)` install-wide fallback (also now exported from `@pnpm/deps.graph-hasher` rather than `@pnpm/engine.runtime.system-node-version`, where it was a poor fit — `system-node-version` is about probing the host Node, not parsing lockfile-derived strings).
+  - `calcDepState` and `calcGraphNodeHash` consult `readSnapshotRuntimePin(graph[depPath].children)` first and only fall back to the install-wide `nodeVersion` parameter when the snapshot doesn't pin its own Node.
+
+  Pacquet mirrors the same precedence at the `calc_graph_node_hash` call site in `package-manager/src/virtual_store_layout.rs` — a new `find_own_runtime_node_major(snapshot)` helper reads each snapshot's `dependencies` for a `node` entry with `Prefix::Runtime` and overrides the install-wide engine when present.
+
+  On upgrade, snapshots of dependencies that declare their own `engines.runtime` re-hash under that dep's pinned Node instead of the install-wide value. The old slots become prune-eligible. Closes [#11690](https://github.com/pnpm/pnpm/issues/11690).
+
+### Patch Changes
+
+- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime.
+
+  `ENGINE_NAME` (the `<platform>;<arch>;node<major>` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations:
+
+  1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`.
+  2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node.
+
+  Three changes:
+
+  - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`.
+  - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:<version>` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up.
+  - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through.
+
+  On upgrade, two one-time GVS slot churns are possible:
+
+  - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce.
+  - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on.
+
+  In both cases the old slots become prune-eligible.
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [3ddde2b]
+  - @pnpm/resolving.resolver-base@1100.2.0
+  - @pnpm/engine.runtime.system-node-version@1100.1.0
+  - @pnpm/lockfile.types@1100.0.6
+  - @pnpm/lockfile.utils@1100.0.8
+
 ## 1100.1.5

 ### Patch Changes
--- a/deps/graph-hasher/package.json
+++ b/deps/graph-hasher/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.graph-hasher",
-  "version": "1100.1.5",
+  "version": "1100.2.0",
  "description": "Calculates the state of a dependency",
  "keywords": [
    "pnpm",
--- a/deps/inspection/commands/CHANGELOG.md
+++ b/deps/inspection/commands/CHANGELOG.md
@@ -1,5 +1,31 @@
 # @pnpm/deps.inspection.commands

+## 1100.2.3
+
+### Patch Changes
+
+- Updated dependencies [963861c]
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [b6e2c8c]
+- Updated dependencies [d3f8408]
+- Updated dependencies [6e93f35]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [2a9bd89]
+- Updated dependencies [8df408c]
+  - @pnpm/resolving.npm-resolver@1101.2.0
+  - @pnpm/resolving.default-resolver@1100.2.0
+  - @pnpm/deps.inspection.outdated@1100.0.16
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/global.commands@1100.0.18
+  - @pnpm/deps.inspection.list@1100.0.11
+  - @pnpm/deps.inspection.peers-checker@1100.0.9
+  - @pnpm/network.fetch@1100.0.5
+  - @pnpm/cli.utils@1101.0.5
+
 ## 1100.2.2

 ### Patch Changes
--- a/deps/inspection/commands/package.json
+++ b/deps/inspection/commands/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.inspection.commands",
-  "version": "1100.2.2",
+  "version": "1100.2.3",
  "description": "The list, ll, why, and outdated commands of pnpm",
  "keywords": [
    "pnpm",
--- a/deps/inspection/list/CHANGELOG.md
+++ b/deps/inspection/list/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @pnpm/list

+## 1100.0.11
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/deps.inspection.tree-builder@1100.0.10
+  - @pnpm/workspace.project-manifest-reader@1100.0.6
+
 ## 1100.0.10

 ### Patch Changes
--- a/deps/inspection/list/package.json
+++ b/deps/inspection/list/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.inspection.list",
-  "version": "1100.0.10",
+  "version": "1100.0.11",
  "description": "List installed packages in a symlinked `node_modules`",
  "keywords": [
    "pnpm",
--- a/deps/inspection/outdated/CHANGELOG.md
+++ b/deps/inspection/outdated/CHANGELOG.md
@@ -1,5 +1,39 @@
 # @pnpm/outdated

+## 1100.0.16
+
+### Patch Changes
+
+- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users:
+
+  1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone.
+  2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it.
+  3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive.
+  4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list.
+
+  5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache).
+
+  Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens.
+
+- b6e2c8c: Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install.
+
+  When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`.
+
+  Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes.
+
+- Updated dependencies [963861c]
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [b6e2c8c]
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+  - @pnpm/resolving.npm-resolver@1101.2.0
+  - @pnpm/installing.client@1100.1.0
+  - @pnpm/config.version-policy@1100.1.0
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/lockfile.utils@1100.0.8
+  - @pnpm/pkg-manifest.utils@1100.1.4
+
 ## 1100.0.15

 ### Patch Changes
--- a/deps/inspection/outdated/package.json
+++ b/deps/inspection/outdated/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.inspection.outdated",
-  "version": "1100.0.15",
+  "version": "1100.0.16",
  "description": "Check for outdated packages",
  "keywords": [
    "pnpm",
--- a/deps/inspection/peers-checker/CHANGELOG.md
+++ b/deps/inspection/peers-checker/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @pnpm/deps.inspection.peers-checker

+## 1100.0.9
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/lockfile.walker@1100.0.6
+
 ## 1100.0.8

 ### Patch Changes
--- a/deps/inspection/peers-checker/package.json
+++ b/deps/inspection/peers-checker/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.inspection.peers-checker",
-  "version": "1100.0.8",
+  "version": "1100.0.9",
  "description": "Check for unmet and missing peer dependency issues from the lockfile",
  "keywords": [
    "pnpm",
--- a/deps/inspection/tree-builder/CHANGELOG.md
+++ b/deps/inspection/tree-builder/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @pnpm/reviewing.dependencies-hierarchy

+## 1100.0.10
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/lockfile.utils@1100.0.8
+  - @pnpm/store.cafs@1100.1.5
+  - @pnpm/lockfile.detect-dep-types@1100.0.6
+
 ## 1100.0.9

 ### Patch Changes
--- a/deps/inspection/tree-builder/package.json
+++ b/deps/inspection/tree-builder/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.inspection.tree-builder",
-  "version": "1100.0.9",
+  "version": "1100.0.10",
  "description": "Creates a dependencies hierarchy for a symlinked `node_modules`",
  "keywords": [
    "pnpm",
--- a/deps/security/signatures/CHANGELOG.md
+++ b/deps/security/signatures/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/deps.security.signatures

+## 1101.1.2
+
+### Patch Changes
+
+- @pnpm/network.fetch@1100.0.5
+
 ## 1101.1.1

 ### Patch Changes
--- a/deps/security/signatures/package.json
+++ b/deps/security/signatures/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.security.signatures",
-  "version": "1101.1.1",
+  "version": "1101.1.2",
  "description": "Verify package signatures from npm registries",
  "keywords": [
    "pnpm",
--- a/deps/status/CHANGELOG.md
+++ b/deps/status/CHANGELOG.md
@@ -1,5 +1,27 @@
 # @pnpm/deps.status

+## 1100.0.16
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [6e93f35]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [2a9bd89]
+- Updated dependencies [8df408c]
+  - @pnpm/resolving.resolver-base@1100.2.0
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/installing.context@1100.0.11
+  - @pnpm/lockfile.verification@1100.0.11
+  - @pnpm/workspace.state@1100.0.13
+  - @pnpm/lockfile.settings-checker@1100.0.11
+  - @pnpm/workspace.projects-reader@1101.0.5
+
 ## 1100.0.15

 ### Patch Changes
--- a/deps/status/package.json
+++ b/deps/status/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/deps.status",
-  "version": "1100.0.15",
+  "version": "1100.0.16",
  "description": "Check dependencies status",
  "keywords": [
    "pnpm",
--- a/engine/pm/commands/CHANGELOG.md
+++ b/engine/pm/commands/CHANGELOG.md
@@ -1,5 +1,56 @@
 # @pnpm/engine.pm.commands

+## 1101.1.13
+
+### Patch Changes
+
+- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users:
+
+  1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone.
+  2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it.
+  3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive.
+  4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list.
+
+  5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache).
+
+  Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens.
+
+- b6e2c8c: Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install.
+
+  When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`.
+
+  Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes.
+
+- Updated dependencies [963861c]
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [b6e2c8c]
+- Updated dependencies [d3f8408]
+- Updated dependencies [6e93f35]
+- Updated dependencies [3ddde2b]
+- Updated dependencies [5dc8be8]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [2a9bd89]
+- Updated dependencies [8df408c]
+  - @pnpm/resolving.npm-resolver@1101.2.0
+  - @pnpm/installing.client@1100.1.0
+  - @pnpm/store.connection-manager@1100.2.0
+  - @pnpm/config.reader@1101.3.2
+  - @pnpm/config.version-policy@1100.1.0
+  - @pnpm/lockfile.fs@1100.1.0
+  - @pnpm/deps.graph-hasher@1100.2.0
+  - @pnpm/installing.deps-restorer@1101.1.3
+  - @pnpm/installing.env-installer@1101.0.10
+  - @pnpm/lockfile.types@1100.0.6
+  - @pnpm/store.controller@1101.0.7
+  - @pnpm/global.commands@1100.0.18
+  - @pnpm/building.policy@1100.0.5
+  - @pnpm/cli.utils@1101.0.5
+  - @pnpm/bins.linker@1100.0.7
+  - @pnpm/workspace.project-manifest-reader@1100.0.6
+
 ## 1101.1.12

 ### Patch Changes
--- a/engine/pm/commands/package.json
+++ b/engine/pm/commands/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/engine.pm.commands",
-  "version": "1101.1.12",
+  "version": "1101.1.13",
  "description": "pnpm commands for self-updating and setting up pnpm",
  "keywords": [
    "pnpm",
--- a/engine/runtime/bun-resolver/CHANGELOG.md
+++ b/engine/runtime/bun-resolver/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/resolving.bun-resolver

+## 1101.0.7
+
+### Patch Changes
+
+- Updated dependencies [963861c]
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+  - @pnpm/resolving.npm-resolver@1101.2.0
+  - @pnpm/resolving.resolver-base@1100.2.0
+  - @pnpm/fetching.fetcher-base@1100.1.4
+  - @pnpm/fetching.binary-fetcher@1101.0.6
+  - @pnpm/worker@1100.1.6
+
 ## 1101.0.6

 ### Patch Changes
--- a/engine/runtime/bun-resolver/package.json
+++ b/engine/runtime/bun-resolver/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@pnpm/engine.runtime.bun-resolver",
-  "version": "1101.0.6",
+  "version": "1101.0.7",
  "description": "Resolves the Bun runtime",
  "keywords": [
    "pnpm",
--- a/Show More
+++ b/Show More