From cd80b2c8aee41e8d7e7099b2231881d04989f4a2 Mon Sep 17 00:00:00 2001 
From: Zoltan Kochan Date: Mon, 18 May 2026 15:42:32 +0200 Subject: [PATCH] chore(release): 11.1.3 (#11717) --- .changeset-released/bump-versions.txt | 17 ++++ .../attestation-first-min-release-age.md | 8 -- ...uto-collect-minimum-release-age-exclude.md | 27 ------ .../cache-aware-minimum-release-age-gate.md | 14 --- .changeset/clear-password-padding.md | 6 -- ...x-11655-self-update-minimum-release-age.md | 14 --- .changeset/fix-global-allow-builds.md | 13 --- .changeset/fix-verify-deps-silent-install.md | 7 -- .changeset/floppy-parents-teach.md | 6 -- .changeset/gvs-engine-name-shell-node.md | 31 ------- .../gvs-engine-per-snapshot-runtime-pin.md | 17 ---- .../lockfile-verification-progress-logs.md | 10 --- .changeset/oidc-unresolved-env-placeholder.md | 6 -- .../pmonfail-default-devengines-11676.md | 8 -- ...cord-locally-resolved-lockfile-verified.md | 7 -- .changeset/revalidate-minimum-release-age.md | 6 -- .../sync-env-lockfile-when-missing-11674.md | 5 -- .../warn-deprecated-pnpm-field-11677.md | 6 -- .meta-updater/CHANGELOG.md | 9 ++ .meta-updater/package.json | 2 +- __utils__/assert-project/CHANGELOG.md | 7 ++ __utils__/assert-project/package.json | 2 +- __utils__/assert-store/CHANGELOG.md | 6 ++ __utils__/assert-store/package.json | 2 +- __utils__/jest-config/CHANGELOG.md | 6 ++ __utils__/jest-config/package.json | 2 +- __utils__/prepare/CHANGELOG.md | 6 ++ __utils__/prepare/package.json | 2 +- __utils__/scripts/CHANGELOG.md | 6 ++ __utils__/scripts/package.json | 2 +- agent/client/CHANGELOG.md | 8 ++ agent/client/package.json | 2 +- agent/server/CHANGELOG.md | 18 ++++ agent/server/package.json | 2 +- auth/commands/CHANGELOG.md | 13 +++ auth/commands/package.json | 2 +- bins/linker/CHANGELOG.md | 7 ++ bins/linker/package.json | 2 +- bins/remover/CHANGELOG.md | 7 ++ bins/remover/package.json | 2 +- building/after-install/CHANGELOG.md | 49 ++++++++++ building/after-install/package.json | 2 +- building/commands/CHANGELOG.md | 19 ++++ 
building/commands/package.json | 2 +- building/during-install/CHANGELOG.md | 43 +++++++++ building/during-install/package.json | 2 +- building/policy/CHANGELOG.md | 7 ++ building/policy/package.json | 2 +- cache/api/CHANGELOG.md | 16 ++++ cache/api/package.json | 2 +- cache/commands/CHANGELOG.md | 13 +++ cache/commands/package.json | 2 +- cli/commands/CHANGELOG.md | 13 +++ cli/commands/package.json | 2 +- cli/default-reporter/CHANGELOG.md | 30 +++++++ cli/default-reporter/package.json | 2 +- cli/utils/CHANGELOG.md | 8 ++ cli/utils/package.json | 2 +- config/commands/CHANGELOG.md | 13 +++ config/commands/package.json | 2 +- config/package-is-installable/CHANGELOG.md | 9 ++ config/package-is-installable/package.json | 2 +- config/reader/CHANGELOG.md | 25 ++++++ config/reader/package.json | 2 +- config/version-policy/CHANGELOG.md | 10 +++ config/version-policy/package.json | 2 +- config/writer/CHANGELOG.md | 6 ++ config/writer/package.json | 2 +- core/core-loggers/CHANGELOG.md | 8 ++ core/core-loggers/package.json | 2 +- deps/compliance/audit/CHANGELOG.md | 13 +++ deps/compliance/audit/package.json | 2 +- deps/compliance/commands/CHANGELOG.md | 26 ++++++ deps/compliance/commands/package.json | 2 +- deps/compliance/license-scanner/CHANGELOG.md | 14 +++ deps/compliance/license-scanner/package.json | 2 +- deps/compliance/sbom/CHANGELOG.md | 13 +++ deps/compliance/sbom/package.json | 2 +- deps/graph-builder/CHANGELOG.md | 38 ++++++++ deps/graph-builder/package.json | 2 +- deps/graph-hasher/CHANGELOG.md | 47 ++++++++++ deps/graph-hasher/package.json | 2 +- deps/inspection/commands/CHANGELOG.md | 26 ++++++ deps/inspection/commands/package.json | 2 +- deps/inspection/list/CHANGELOG.md | 10 +++ deps/inspection/list/package.json | 2 +- deps/inspection/outdated/CHANGELOG.md | 34 +++++++ deps/inspection/outdated/package.json | 2 +- deps/inspection/peers-checker/CHANGELOG.md | 9 ++ deps/inspection/peers-checker/package.json | 2 +- deps/inspection/tree-builder/CHANGELOG.md | 11 
+++ deps/inspection/tree-builder/package.json | 2 +- deps/security/signatures/CHANGELOG.md | 6 ++ deps/security/signatures/package.json | 2 +- deps/status/CHANGELOG.md | 22 +++++ deps/status/package.json | 2 +- engine/pm/commands/CHANGELOG.md | 51 +++++++++++ engine/pm/commands/package.json | 2 +- engine/runtime/bun-resolver/CHANGELOG.md | 13 +++ engine/runtime/bun-resolver/package.json | 2 +- engine/runtime/commands/CHANGELOG.md | 16 ++++ engine/runtime/commands/package.json | 2 +- engine/runtime/deno-resolver/CHANGELOG.md | 13 +++ engine/runtime/deno-resolver/package.json | 2 +- engine/runtime/node-resolver/CHANGELOG.md | 14 +++ engine/runtime/node-resolver/package.json | 2 +- .../runtime/system-node-version/CHANGELOG.md | 24 +++++ .../runtime/system-node-version/package.json | 2 +- exec/commands/CHANGELOG.md | 47 ++++++++++ exec/commands/package.json | 2 +- exec/lifecycle/CHANGELOG.md | 11 +++ exec/lifecycle/package.json | 2 +- exec/pnpm-cli-runner/CHANGELOG.md | 6 ++ exec/pnpm-cli-runner/package.json | 2 +- exec/prepare-package/CHANGELOG.md | 6 ++ exec/prepare-package/package.json | 2 +- fetching/binary-fetcher/CHANGELOG.md | 7 ++ fetching/binary-fetcher/package.json | 2 +- fetching/directory-fetcher/CHANGELOG.md | 10 +++ fetching/directory-fetcher/package.json | 2 +- fetching/fetcher-base/CHANGELOG.md | 8 ++ fetching/fetcher-base/package.json | 2 +- fetching/git-fetcher/CHANGELOG.md | 8 ++ fetching/git-fetcher/package.json | 2 +- fetching/pick-fetcher/CHANGELOG.md | 10 +++ fetching/pick-fetcher/package.json | 2 +- fetching/tarball-fetcher/CHANGELOG.md | 10 +++ fetching/tarball-fetcher/package.json | 2 +- fs/indexed-pkg-importer/CHANGELOG.md | 9 ++ fs/indexed-pkg-importer/package.json | 2 +- fs/symlink-dependency/CHANGELOG.md | 7 ++ fs/symlink-dependency/package.json | 2 +- global/commands/CHANGELOG.md | 24 +++++ global/commands/package.json | 2 +- hooks/pnpmfile/CHANGELOG.md | 12 +++ hooks/pnpmfile/package.json | 2 +- hooks/types/CHANGELOG.md | 10 +++ 
hooks/types/package.json | 2 +- installing/client/CHANGELOG.md | 35 ++++++++ installing/client/package.json | 2 +- installing/commands/CHANGELOG.md | 55 ++++++++++++ installing/commands/package.json | 2 +- installing/context/CHANGELOG.md | 15 ++++ installing/context/package.json | 2 +- installing/dedupe/check/CHANGELOG.md | 6 ++ installing/dedupe/check/package.json | 2 +- installing/deps-installer/CHANGELOG.md | 90 +++++++++++++++++++ installing/deps-installer/package.json | 2 +- installing/deps-resolver/CHANGELOG.md | 64 +++++++++++++ installing/deps-resolver/package.json | 2 +- installing/deps-restorer/CHANGELOG.md | 52 +++++++++++ installing/deps-restorer/package.json | 2 +- installing/env-installer/CHANGELOG.md | 27 ++++++ installing/env-installer/package.json | 2 +- .../linking/direct-dep-linker/CHANGELOG.md | 8 ++ .../linking/direct-dep-linker/package.json | 2 +- installing/linking/hoist/CHANGELOG.md | 8 ++ installing/linking/hoist/package.json | 2 +- .../linking/modules-cleaner/CHANGELOG.md | 13 +++ .../linking/modules-cleaner/package.json | 2 +- installing/linking/real-hoist/CHANGELOG.md | 6 ++ installing/linking/real-hoist/package.json | 2 +- installing/package-requester/CHANGELOG.md | 17 ++++ installing/package-requester/package.json | 2 +- installing/read-projects-context/CHANGELOG.md | 8 ++ installing/read-projects-context/package.json | 2 +- lockfile/detect-dep-types/CHANGELOG.md | 6 ++ lockfile/detect-dep-types/package.json | 2 +- lockfile/filtering/CHANGELOG.md | 9 ++ lockfile/filtering/package.json | 2 +- lockfile/fs/CHANGELOG.md | 13 +++ lockfile/fs/package.json | 2 +- lockfile/make-dedicated-lockfile/CHANGELOG.md | 11 +++ lockfile/make-dedicated-lockfile/package.json | 2 +- lockfile/merger/CHANGELOG.md | 6 ++ lockfile/merger/package.json | 2 +- lockfile/preferred-versions/CHANGELOG.md | 10 +++ lockfile/preferred-versions/package.json | 2 +- lockfile/pruner/CHANGELOG.md | 6 ++ lockfile/pruner/package.json | 2 +- 
lockfile/settings-checker/CHANGELOG.md | 8 ++ lockfile/settings-checker/package.json | 2 +- lockfile/to-pnp/CHANGELOG.md | 9 ++ lockfile/to-pnp/package.json | 2 +- lockfile/types/CHANGELOG.md | 8 ++ lockfile/types/package.json | 2 +- lockfile/utils/CHANGELOG.md | 10 +++ lockfile/utils/package.json | 2 +- lockfile/verification/CHANGELOG.md | 12 +++ lockfile/verification/package.json | 2 +- lockfile/walker/CHANGELOG.md | 6 ++ lockfile/walker/package.json | 2 +- modules-mounter/daemon/CHANGELOG.md | 16 ++++ modules-mounter/daemon/package.json | 2 +- network/fetch/CHANGELOG.md | 7 ++ network/fetch/package.json | 2 +- patching/commands/CHANGELOG.md | 25 ++++++ patching/commands/package.json | 2 +- pkg-manifest/utils/CHANGELOG.md | 7 ++ pkg-manifest/utils/package.json | 2 +- pnpm/CHANGELOG.md | 73 +++++++++++++++ pnpm/artifacts/darwin-arm64/package.json | 2 +- pnpm/artifacts/exe/package.json | 2 +- pnpm/artifacts/linux-arm64-musl/package.json | 2 +- pnpm/artifacts/linux-arm64/package.json | 2 +- pnpm/artifacts/linux-x64-musl/package.json | 2 +- pnpm/artifacts/linux-x64/package.json | 2 +- pnpm/artifacts/win32-arm64/package.json | 2 +- pnpm/artifacts/win32-x64/package.json | 2 +- pnpm/dev/CHANGELOG.md | 6 ++ pnpm/dev/package.json | 2 +- pnpm/package.json | 2 +- registry-access/commands/CHANGELOG.md | 13 +++ registry-access/commands/package.json | 2 +- releasing/commands/CHANGELOG.md | 31 +++++++ releasing/commands/package.json | 2 +- releasing/exportable-manifest/CHANGELOG.md | 6 ++ releasing/exportable-manifest/package.json | 2 +- resolving/default-resolver/CHANGELOG.md | 34 +++++++ resolving/default-resolver/package.json | 2 +- resolving/git-resolver/CHANGELOG.md | 9 ++ resolving/git-resolver/package.json | 2 +- resolving/local-resolver/CHANGELOG.md | 10 +++ resolving/local-resolver/package.json | 2 +- resolving/npm-resolver/CHANGELOG.md | 36 ++++++++ resolving/npm-resolver/package.json | 2 +- resolving/resolver-base/CHANGELOG.md | 19 ++++ 
resolving/resolver-base/package.json | 2 +- resolving/tarball-resolver/CHANGELOG.md | 8 ++ resolving/tarball-resolver/package.json | 2 +- store/cafs/CHANGELOG.md | 8 ++ store/cafs/package.json | 2 +- store/commands/CHANGELOG.md | 21 +++++ store/commands/package.json | 2 +- store/connection-manager/CHANGELOG.md | 33 +++++++ store/connection-manager/package.json | 2 +- store/controller-types/CHANGELOG.md | 22 +++++ store/controller-types/package.json | 2 +- store/controller/CHANGELOG.md | 16 ++++ store/controller/package.json | 2 +- store/create-cafs-store/CHANGELOG.md | 10 +++ store/create-cafs-store/package.json | 2 +- store/pkg-finder/CHANGELOG.md | 10 +++ store/pkg-finder/package.json | 2 +- testing/mock-agent/CHANGELOG.md | 6 ++ testing/mock-agent/package.json | 2 +- testing/temp-store/CHANGELOG.md | 17 ++++ testing/temp-store/package.json | 2 +- worker/CHANGELOG.md | 9 ++ worker/package.json | 2 +- workspace/commands/CHANGELOG.md | 12 +++ workspace/commands/package.json | 2 +- workspace/injected-deps-syncer/CHANGELOG.md | 8 ++ workspace/injected-deps-syncer/package.json | 2 +- .../project-manifest-reader/CHANGELOG.md | 6 ++ .../project-manifest-reader/package.json | 2 +- workspace/projects-filter/CHANGELOG.md | 7 ++ workspace/projects-filter/package.json | 2 +- workspace/projects-graph/CHANGELOG.md | 9 ++ workspace/projects-graph/package.json | 2 +- workspace/projects-reader/CHANGELOG.md | 7 ++ workspace/projects-reader/package.json | 2 +- workspace/state/CHANGELOG.md | 11 +++ workspace/state/package.json | 2 +- .../workspace-manifest-writer/CHANGELOG.md | 6 ++ .../workspace-manifest-writer/package.json | 2 +- 266 files changed, 2128 insertions(+), 319 deletions(-) create mode 100644 .changeset-released/bump-versions.txt delete mode 100644 .changeset/attestation-first-min-release-age.md delete mode 100644 .changeset/auto-collect-minimum-release-age-exclude.md delete mode 100644 .changeset/cache-aware-minimum-release-age-gate.md delete mode 100644 
.changeset/clear-password-padding.md
 delete mode 100644 .changeset/fix-11655-self-update-minimum-release-age.md
 delete mode 100644 .changeset/fix-global-allow-builds.md
 delete mode 100644 .changeset/fix-verify-deps-silent-install.md
 delete mode 100644 .changeset/floppy-parents-teach.md
 delete mode 100644 .changeset/gvs-engine-name-shell-node.md
 delete mode 100644 .changeset/gvs-engine-per-snapshot-runtime-pin.md
 delete mode 100644 .changeset/lockfile-verification-progress-logs.md
 delete mode 100644 .changeset/oidc-unresolved-env-placeholder.md
 delete mode 100644 .changeset/pmonfail-default-devengines-11676.md
 delete mode 100644 .changeset/record-locally-resolved-lockfile-verified.md
 delete mode 100644 .changeset/revalidate-minimum-release-age.md
 delete mode 100644 .changeset/sync-env-lockfile-when-missing-11674.md
 delete mode 100644 .changeset/warn-deprecated-pnpm-field-11677.md
diff --git a/.changeset-released/bump-versions.txt b/.changeset-released/bump-versions.txt
new file mode 100644
index 0000000000..45ebc73c1f
--- /dev/null
+++ b/.changeset-released/bump-versions.txt
@@ -0,0 +1,17 @@
+attestation-first-min-release-age
+auto-collect-minimum-release-age-exclude
+cache-aware-minimum-release-age-gate
+clear-password-padding
+fix-11655-self-update-minimum-release-age
+fix-global-allow-builds
+fix-verify-deps-silent-install
+floppy-parents-teach
+gvs-engine-name-shell-node
+gvs-engine-per-snapshot-runtime-pin
+lockfile-verification-progress-logs
+oidc-unresolved-env-placeholder
+pmonfail-default-devengines-11676
+record-locally-resolved-lockfile-verified
+revalidate-minimum-release-age
+sync-env-lockfile-when-missing-11674
+warn-deprecated-pnpm-field-11677
diff --git a/.changeset/attestation-first-min-release-age.md b/.changeset/attestation-first-min-release-age.md
deleted file mode 100644
index 9eb53d37b4..0000000000
--- a/.changeset/attestation-first-min-release-age.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-"@pnpm/resolving.npm-resolver": minor
-"pnpm": patch
----
-
-Sped up the `minimumReleaseAge` lockfile verification gate on cold-cache installs by trying npm's `/-/npm/v1/attestations/@` endpoint before fetching the full metadata document. The attestation response is tens of KB versus the multi-MB full metadata, so `--frozen-lockfile` installs against a fleet of provenance-published packages download far less to verify timestamps.
-
-The publish time comes from `bundle.verificationMaterial.tlogEntries[].integratedTime` (the Rekor inclusion time, a couple of seconds after the actual publish — close enough for a policy that operates in minutes/hours/days). When the local full-metadata mirror already has the timestamp, or the attestation endpoint 404s / errors, the verifier falls back to the existing `fetchFullMetadataCached` path. Sigstore signature verification is not performed; the trust model is unchanged versus reading the registry's `time` field on the full metadata document [#11687](https://github.com/pnpm/pnpm/issues/11687).
diff --git a/.changeset/auto-collect-minimum-release-age-exclude.md b/.changeset/auto-collect-minimum-release-age-exclude.md
deleted file mode 100644
index 614d9b362d..0000000000
--- a/.changeset/auto-collect-minimum-release-age-exclude.md
+++ /dev/null
@@ -1,27 +0,0 @@
----
-"@pnpm/resolving.resolver-base": minor
-"@pnpm/store.controller-types": minor
-"@pnpm/resolving.npm-resolver": minor
-"@pnpm/resolving.default-resolver": minor
-"@pnpm/installing.client": minor
-"@pnpm/installing.deps-resolver": minor
-"@pnpm/installing.deps-installer": minor
-"@pnpm/installing.commands": minor
-"@pnpm/store.connection-manager": minor
-"@pnpm/deps.inspection.outdated": patch
-"@pnpm/engine.pm.commands": patch
-"@pnpm/exec.commands": patch
-"@pnpm/cli.default-reporter": patch
-"pnpm": minor
----
-
-Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users:
-
-1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone.
-2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it.
-3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct *and* transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive.
-4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list.
-
-5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache).
-
-Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens.
diff --git a/.changeset/cache-aware-minimum-release-age-gate.md b/.changeset/cache-aware-minimum-release-age-gate.md
deleted file mode 100644
index 957872248e..0000000000
--- a/.changeset/cache-aware-minimum-release-age-gate.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-"@pnpm/resolving.resolver-base": minor
-"@pnpm/resolving.npm-resolver": minor
-"@pnpm/resolving.default-resolver": minor
-"@pnpm/installing.client": minor
-"@pnpm/store.connection-manager": minor
-"@pnpm/testing.temp-store": minor
-"@pnpm/installing.deps-installer": minor
-"pnpm": patch
----
-
-Restructured the `minimumReleaseAge` lockfile revalidation gate around a generic `ResolutionVerifier` interface. Each resolver may now export a sibling verifier factory (today: `createNpmResolutionVerifier`) that re-checks an already-resolved lockfile entry against its policies; the resolver chain returns the verifier list as `resolutionVerifiers` and the install side fans out across it. A `ResolutionVerifier` carries `verify` plus `policy` and `canTrustPastCheck` — the cache contract that lets repeat installs against an unchanged lockfile skip the per-package registry round trip entirely.
-
-Verification results are memoized in JSON Lines at `/lockfile-verified.jsonl`: a stat-only fast path matches on lockfile size, mtime, and inode, falling back to a content hash when those drift (typical after a CI checkout). Every active verifier's policy contribution is merged into a single `policy` bag on the record; the gate runs in full whenever the lockfile changes, any verifier rejects the cached policy, or no record exists [#11687](https://github.com/pnpm/pnpm/issues/11687).
diff --git a/.changeset/clear-password-padding.md b/.changeset/clear-password-padding.md
deleted file mode 100644
index fa6f7b932d..0000000000
--- a/.changeset/clear-password-padding.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-"@pnpm/config.reader": patch
-"pnpm": patch
----
-
-Allow redundant trailing base64 padding in `.npmrc` auth values and report invalid auth base64 with a pnpm error.
diff --git a/.changeset/fix-11655-self-update-minimum-release-age.md b/.changeset/fix-11655-self-update-minimum-release-age.md
deleted file mode 100644
index 4378407562..0000000000
--- a/.changeset/fix-11655-self-update-minimum-release-age.md
+++ /dev/null
@@ -1,14 +0,0 @@
----
-"@pnpm/config.version-policy": minor
-"@pnpm/deps.inspection.outdated": patch
-"@pnpm/engine.pm.commands": patch
-"@pnpm/exec.commands": patch
-"@pnpm/installing.deps-resolver": patch
-"pnpm": patch
----
-
-Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install.
-
-When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`.
-
-Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes.
diff --git a/.changeset/fix-global-allow-builds.md b/.changeset/fix-global-allow-builds.md
deleted file mode 100644
index 694534fb1c..0000000000
--- a/.changeset/fix-global-allow-builds.md
+++ /dev/null
@@ -1,13 +0,0 @@
----
-"@pnpm/config.reader": patch
-"pnpm": patch
----
-
-**fix**: global installs respect global config build policy (e.g., `dangerouslyAllowAllBuilds` from config.yaml) when GVS is enabled [#9249](https://github.com/pnpm/pnpm/issues/9249).
-
-The global virtual-store (GVS) default `allowBuilds = {}` was applied before workspace manifest settings were read and before global config values (stripped by `extractAndRemoveDependencyBuildOptions`) were re-applied via `globalDepsBuildConfig`. This caused `hasDependencyBuildOptions` to return `true` (because `{}` is not null), blocking restoration of global config values like `dangerouslyAllowAllBuilds`. As a result, global installs skipped all build scripts even when the config explicitly allowed them.
-
-This fix moves the GVS default to **after** workspace manifest reading and `globalDepsBuildConfig` re-application, so that:
-1. Workspace manifest `allowBuilds` takes precedence (if present)
-2. Global config `dangerouslyAllowAllBuilds` is properly restored (if set and no workspace policy exists)
-3. Empty `{}` is only applied as a last resort when no policy is configured anywhere
diff --git a/.changeset/fix-verify-deps-silent-install.md b/.changeset/fix-verify-deps-silent-install.md
deleted file mode 100644
index 32306f6c5e..0000000000
--- a/.changeset/fix-verify-deps-silent-install.md
+++ /dev/null
@@ -1,7 +0,0 @@
----
-"@pnpm/exec.commands": patch
-"@pnpm/exec.pnpm-cli-runner": patch
-"pnpm": patch
----
-
-Honor `--silent` when `verifyDepsBeforeRun: install` auto-installs dependencies before `pnpm run` or `pnpm exec`, preventing install output from being written to stdout [#11636](https://github.com/pnpm/pnpm/issues/11636).
diff --git a/.changeset/floppy-parents-teach.md b/.changeset/floppy-parents-teach.md
deleted file mode 100644
index 8eb8fcc95b..0000000000
--- a/.changeset/floppy-parents-teach.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-"@pnpm/lockfile.fs": patch
-"pnpm": patch
----
-
-Fix lockfile parsing failures when `pnpm-lock.yaml` contains CRLF line endings and multiple YAML documents [#11612](https://github.com/pnpm/pnpm/issues/11612).
diff --git a/.changeset/gvs-engine-name-shell-node.md b/.changeset/gvs-engine-name-shell-node.md
deleted file mode 100644
index 9d72caf56b..0000000000
--- a/.changeset/gvs-engine-name-shell-node.md
+++ /dev/null
@@ -1,31 +0,0 @@
----
-"@pnpm/building.after-install": patch
-"@pnpm/building.during-install": patch
-"@pnpm/deps.graph-builder": patch
-"@pnpm/deps.graph-hasher": patch
-"@pnpm/engine.runtime.system-node-version": minor
-"@pnpm/installing.deps-installer": patch
-"@pnpm/installing.deps-resolver": patch
-"@pnpm/installing.deps-restorer": patch
-"pnpm": patch
----
-
-**fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime.
-
-`ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations:
-
-1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`.
-2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node.
-
-Three changes:
-
-- `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`.
-- `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up.
-- Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through.
-
-On upgrade, two one-time GVS slot churns are possible:
-
-- **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce.
-- **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on.
-
-In both cases the old slots become prune-eligible.
diff --git a/.changeset/gvs-engine-per-snapshot-runtime-pin.md b/.changeset/gvs-engine-per-snapshot-runtime-pin.md
deleted file mode 100644
index 4fcd9f04da..0000000000
--- a/.changeset/gvs-engine-per-snapshot-runtime-pin.md
+++ /dev/null
@@ -1,17 +0,0 @@
----
-"@pnpm/deps.graph-hasher": minor
-"pnpm": patch
----
-
-**fix**: resolve the GVS hash's engine portion per-snapshot when a dependency declares its own `engines.runtime`, instead of using an install-wide value.
-
-Pnpm's resolver desugars a dep's `engines.runtime` into `dependencies.node: 'runtime:'`, and the bin linker spawns that dep's lifecycle scripts through the pinned Node downloaded into `/node_modules/node/`. The GVS hash and the side-effects-cache key prefix were still anchored to the install-wide runtime — so a pinning snapshot's slot encoded the wrong Node major, and a reinstall on the same host could read the cached side-effects under a key whose `;;node` triple disagreed with the Node the build actually ran on.
-
-Per-snapshot resolution now matches what `bins/linker` already does on a per-package basis:
-
-- `@pnpm/deps.graph-hasher` adds `readSnapshotRuntimePin(children)` — reads the `node` entry from one snapshot's graph children and extracts the version from a `node@runtime:` value. Pairs with the existing `findRuntimeNodeVersion(snapshotKeys)` install-wide fallback (also now exported from `@pnpm/deps.graph-hasher` rather than `@pnpm/engine.runtime.system-node-version`, where it was a poor fit — `system-node-version` is about probing the host Node, not parsing lockfile-derived strings).
-- `calcDepState` and `calcGraphNodeHash` consult `readSnapshotRuntimePin(graph[depPath].children)` first and only fall back to the install-wide `nodeVersion` parameter when the snapshot doesn't pin its own Node.
-
-Pacquet mirrors the same precedence at the `calc_graph_node_hash` call site in `package-manager/src/virtual_store_layout.rs` — a new `find_own_runtime_node_major(snapshot)` helper reads each snapshot's `dependencies` for a `node` entry with `Prefix::Runtime` and overrides the install-wide engine when present.
-
-On upgrade, snapshots of dependencies that declare their own `engines.runtime` re-hash under that dep's pinned Node instead of the install-wide value. The old slots become prune-eligible. Closes [#11690](https://github.com/pnpm/pnpm/issues/11690).
diff --git a/.changeset/lockfile-verification-progress-logs.md b/.changeset/lockfile-verification-progress-logs.md
deleted file mode 100644
index 647a14c68e..0000000000
--- a/.changeset/lockfile-verification-progress-logs.md
+++ /dev/null
@@ -1,10 +0,0 @@
----
-"@pnpm/core-loggers": minor
-"@pnpm/installing.deps-installer": patch
-"@pnpm/cli.default-reporter": minor
-"pnpm": patch
----
-
-The lockfile verifier added in #11705 now emits `pnpm:lockfile-verification` log events (`status: 'started' | 'done'`) around the registry round-trip pass, and the default reporter renders them as a transient progress line so users can see that pnpm is doing work — on a cold registry cache the round-trip can take a noticeable beat, and the previous behavior was complete silence followed by either a long pause or an error. The cached short-circuit stays silent (no logs when no work happens), and the `done` line carries the number of distinct entries that were checked plus the elapsed time.
-
-Pacquet parity: not ported — pacquet doesn't carry the lockfile verifier yet (see the parity note on #11705).
diff --git a/.changeset/oidc-unresolved-env-placeholder.md b/.changeset/oidc-unresolved-env-placeholder.md
deleted file mode 100644
index a316969016..0000000000
--- a/.changeset/oidc-unresolved-env-placeholder.md
+++ /dev/null
@@ -1,6 +0,0 @@
----
-"@pnpm/config.reader": patch
-"pnpm": patch
----
-
-Fixed `pnpm publish` failing with a 404 when authentication relied on OIDC trusted publishing alongside an `.npmrc` written by `actions/setup-node` (`_authToken=${NODE_AUTH_TOKEN}`) without `NODE_AUTH_TOKEN` being set. Unresolved `${VAR}` placeholders in auth values are now treated as empty rather than passed through verbatim, so the literal placeholder no longer surfaces as a bearer token when OIDC fallback is the intended auth source [#11513](https://github.com/pnpm/pnpm/issues/11513).
diff --git a/.changeset/pmonfail-default-devengines-11676.md b/.changeset/pmonfail-default-devengines-11676.md
deleted file mode 100644
index a25839e917..0000000000
--- a/.changeset/pmonfail-default-devengines-11676.md
+++ /dev/null
@@ -1,8 +0,0 @@
----
-"@pnpm/config.reader": patch
-"pnpm": patch
----
-
-Fix `devEngines.packageManager` (singular form, without `onFail`) defaulting to `onFail: "error"` instead of the documented `pmOnFail: "download"`. As a result, a project that pinned a different pnpm version via `devEngines.packageManager` and ran `pnpm install` from a mismatched pnpm version failed with a hard error, even though the migration table from `managePackageManagerVersions: true` to `pmOnFail: download (default)` promises the install would auto-download the wanted version [#11676](https://github.com/pnpm/pnpm/issues/11676).
-
-The array form of `devEngines.packageManager` keeps its existing per-element defaults (`error` for the last entry, `ignore` for the rest), since those reflect explicit prioritization by the user. Explicit `onFail` values continue to win.
diff --git a/.changeset/record-locally-resolved-lockfile-verified.md b/.changeset/record-locally-resolved-lockfile-verified.md
deleted file mode 100644
index 9cbe71e8d1..0000000000
--- a/.changeset/record-locally-resolved-lockfile-verified.md
+++ /dev/null
@@ -1,7 +0,0 @@ ---- -"@pnpm/installing.deps-installer": patch -"@pnpm/lockfile.fs": minor -"pnpm": patch ---- - -Record the post-resolution lockfile in the verification cache. Previously the cache only captured the lockfile that was loaded at the start of an install, so a flow like `pnpm install ` followed by `rm -rf node_modules && pnpm install` re-ran the per-package registry round-trip against the newly written lockfile even though the local resolver had already enforced the policy when picking those versions. The fresh lockfile is now recorded immediately after each install-time write, so the second install takes the cache fast path. diff --git a/.changeset/revalidate-minimum-release-age.md b/.changeset/revalidate-minimum-release-age.md deleted file mode 100644 index cca69943e6..0000000000 --- a/.changeset/revalidate-minimum-release-age.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -"@pnpm/installing.deps-installer": minor -"pnpm": patch ---- - -`minimumReleaseAge` is now re-checked against `pnpm-lock.yaml` before any tarball is installed, so a freshly-published version pinned in the lockfile (e.g. by a developer who bypassed the policy locally) is no longer installed silently by other consumers or CI. Violating entries abort the install with `ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION`; `minimumReleaseAgeExclude` is honored. [#10438](https://github.com/pnpm/pnpm/issues/10438). diff --git a/.changeset/sync-env-lockfile-when-missing-11674.md b/.changeset/sync-env-lockfile-when-missing-11674.md deleted file mode 100644 index 0550a6f3c3..0000000000 --- a/.changeset/sync-env-lockfile-when-missing-11674.md +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -"pnpm": patch ---- - -Fix `devEngines.packageManager` not writing `packageManagerDependencies` to `pnpm-lock.yaml` when the lockfile lacks an env-doc entry. Previously the lockfile sync skipped resolution unless an existing `packageManagerDependencies.pnpm` entry needed refreshing, so a fresh install without `onFail: "download"` left the resolved pnpm version unrecorded — contradicting the documented behavior that the resolved version is stored in `pnpm-lock.yaml` [#11674](https://github.com/pnpm/pnpm/issues/11674). diff --git a/.changeset/warn-deprecated-pnpm-field-11677.md b/.changeset/warn-deprecated-pnpm-field-11677.md deleted file mode 100644 index 0c177c42ea..0000000000 --- a/.changeset/warn-deprecated-pnpm-field-11677.md +++ /dev/null @@ -1,6 +0,0 @@ ---- -"@pnpm/config.reader": patch -"pnpm": patch ---- - -Warn when `package.json` contains a legacy `pnpm` field with settings pnpm no longer reads from `package.json` (e.g. `pnpm.overrides`, `pnpm.patchedDependencies`). Previously these were silently ignored after the upgrade from v10, leaving users unaware that their overrides/patched dependencies had stopped taking effect [#11677](https://github.com/pnpm/pnpm/issues/11677). diff --git a/.meta-updater/CHANGELOG.md b/.meta-updater/CHANGELOG.md index f118548d29..0e597cbcb8 100644 --- a/.meta-updater/CHANGELOG.md +++ b/.meta-updater/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm-private/updater +## 1100.0.12 + +### Patch Changes + +- Updated dependencies [6e93f35] +- Updated dependencies [2a9bd89] + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/workspace.projects-reader@1101.0.5 + ## 1100.0.11 ### Patch Changes diff --git a/.meta-updater/package.json b/.meta-updater/package.json index ffce5bc0fc..1230dfdc93 100644 --- a/.meta-updater/package.json +++ b/.meta-updater/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm-private/updater", - "version": "1100.0.11", + "version": "1100.0.12", "private": true, "type": "module", "scripts": { 
diff --git a/__utils__/assert-project/CHANGELOG.md b/__utils__/assert-project/CHANGELOG.md index f4dbd15016..42692345bb 100644 --- a/__utils__/assert-project/CHANGELOG.md +++ b/__utils__/assert-project/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/assert-project +## 1100.0.9 + +### Patch Changes + +- @pnpm/lockfile.types@1100.0.6 +- @pnpm/assert-store@1100.0.9 + ## 1100.0.8 ### Patch Changes diff --git a/__utils__/assert-project/package.json b/__utils__/assert-project/package.json index 517cda1483..6846d4661b 100644 --- a/__utils__/assert-project/package.json +++ b/__utils__/assert-project/package.json @@ -1,7 +1,7 @@ { "name": "@pnpm/assert-project", "description": "Utils for testing projects that use pnpm", - "version": "1100.0.8", + "version": "1100.0.9", "author": { "name": "Zoltan Kochan", "email": "z@kochan.io", diff --git a/__utils__/assert-store/CHANGELOG.md b/__utils__/assert-store/CHANGELOG.md index b995eb0b31..37c528a5e1 100644 --- a/__utils__/assert-store/CHANGELOG.md +++ b/__utils__/assert-store/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/assert-store +## 1100.0.9 + +### Patch Changes + +- @pnpm/store.cafs@1100.1.5 + ## 1100.0.8 ### Patch Changes diff --git a/__utils__/assert-store/package.json b/__utils__/assert-store/package.json index 836cdedf64..a201554eee 100644 --- a/__utils__/assert-store/package.json +++ b/__utils__/assert-store/package.json @@ -1,7 +1,7 @@ { "name": "@pnpm/assert-store", "description": "Utils for testing pnpm store", - "version": "1100.0.8", + "version": "1100.0.9", "bugs": { "url": "https://github.com/pnpm/pnpm/issues" }, diff --git a/__utils__/jest-config/CHANGELOG.md b/__utils__/jest-config/CHANGELOG.md index 2fa8a0a2eb..c2e4a1b25b 100644 --- a/__utils__/jest-config/CHANGELOG.md +++ b/__utils__/jest-config/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/jest-config +## 1100.0.9 + +### Patch Changes + +- @pnpm/worker@1100.1.6 + ## 1100.0.8 ### Patch Changes 
diff --git a/__utils__/jest-config/package.json b/__utils__/jest-config/package.json index fe15dd091e..aac446ce62 100644 --- a/__utils__/jest-config/package.json +++ b/__utils__/jest-config/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/jest-config", - "version": "1100.0.8", + "version": "1100.0.9", "private": true, "main": "jest-preset.js", "type": "module", diff --git a/__utils__/prepare/CHANGELOG.md b/__utils__/prepare/CHANGELOG.md index 3b0c45c855..b2cbcb7e1a 100644 --- a/__utils__/prepare/CHANGELOG.md +++ b/__utils__/prepare/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/prepare +## 1100.0.9 + +### Patch Changes + +- @pnpm/assert-project@1100.0.9 + ## 1100.0.8 ### Patch Changes diff --git a/__utils__/prepare/package.json b/__utils__/prepare/package.json index e279dd670e..01606dc8a2 100644 --- a/__utils__/prepare/package.json +++ b/__utils__/prepare/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/prepare", - "version": "1100.0.8", + "version": "1100.0.9", "main": "lib/index.js", "types": "lib/index.d.ts", "type": "module", diff --git a/__utils__/scripts/CHANGELOG.md b/__utils__/scripts/CHANGELOG.md index 1c15762685..2ace3a32c4 100644 --- a/__utils__/scripts/CHANGELOG.md +++ b/__utils__/scripts/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/scripts +## 1100.0.8 + +### Patch Changes + +- @pnpm/workspace.projects-reader@1101.0.5 + ## 1100.0.7 ### Patch Changes diff --git a/__utils__/scripts/package.json b/__utils__/scripts/package.json index 3e43c3a28c..ad1f92925d 100644 --- a/__utils__/scripts/package.json +++ b/__utils__/scripts/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/scripts", - "version": "1100.0.7", + "version": "1100.0.8", "private": true, "type": "module", "scripts": { diff --git a/agent/client/CHANGELOG.md b/agent/client/CHANGELOG.md index 1c82f05ebe..2ce2228851 100644 --- a/agent/client/CHANGELOG.md +++ b/agent/client/CHANGELOG.md 
@@ -1,5 +1,13 @@ # @pnpm/agent.client +## 1.0.6 + +### Patch Changes + +- @pnpm/lockfile.types@1100.0.6 +- @pnpm/store.cafs@1100.1.5 +- @pnpm/worker@1100.1.6 + ## 1.0.5 ### Patch Changes diff --git a/agent/client/package.json b/agent/client/package.json index a8a7b54d61..9689a49348 100644 --- a/agent/client/package.json +++ b/agent/client/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/agent.client", - "version": "1.0.5", + "version": "1.0.6", "description": "Client for pnpm agent server — sends store state, receives resolved lockfile and missing files", "keywords": [ "pnpm", diff --git a/agent/server/CHANGELOG.md b/agent/server/CHANGELOG.md index 550a7adbe3..f45beeceb7 100644 --- a/agent/server/CHANGELOG.md +++ b/agent/server/CHANGELOG.md @@ -1,5 +1,23 @@ # pnpm-agent +## 0.0.15 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [6e93f35] +- Updated dependencies [3ddde2b] +- Updated dependencies [4a79336] +- Updated dependencies [2a9bd89] +- Updated dependencies [31538bf] + - @pnpm/installing.client@1100.1.0 + - @pnpm/installing.deps-installer@1101.2.0 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/store.controller@1101.0.7 + - @pnpm/store.cafs@1100.1.5 + ## 0.0.14 ### Patch Changes diff --git a/agent/server/package.json b/agent/server/package.json index 7cd17f5eb9..280e044ea5 100644 --- a/agent/server/package.json +++ b/agent/server/package.json @@ -1,6 +1,6 @@ { "name": "pnpm-agent", - "version": "0.0.14", + "version": "0.0.15", "description": "pnpm agent server for server-side resolution and store-aware downloads", "keywords": [ "pnpm", diff --git a/auth/commands/CHANGELOG.md b/auth/commands/CHANGELOG.md index de005ec7e5..6cafa97ffb 100644 --- a/auth/commands/CHANGELOG.md +++ b/auth/commands/CHANGELOG.md 
@@ -1,5 +1,18 @@ # @pnpm/auth.commands +## 1100.0.14 + +### Patch Changes + +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/config.reader@1101.3.2 + - @pnpm/network.fetch@1100.0.5 + - @pnpm/cli.utils@1101.0.5 + ## 1100.0.13 ### Patch Changes diff --git a/auth/commands/package.json b/auth/commands/package.json index 2d555a739e..332a0b1d85 100644 --- a/auth/commands/package.json +++ b/auth/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/auth.commands", - "version": "1100.0.13", + "version": "1100.0.14", "description": "Commands for authentication with npm registries", "keywords": [ "pnpm", diff --git a/bins/linker/CHANGELOG.md b/bins/linker/CHANGELOG.md index ed9c25bbb1..c040e1b705 100644 --- a/bins/linker/CHANGELOG.md +++ b/bins/linker/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/link-bins +## 1100.0.7 + +### Patch Changes + +- @pnpm/pkg-manifest.utils@1100.1.4 +- @pnpm/workspace.project-manifest-reader@1100.0.6 + ## 1100.0.6 ### Patch Changes diff --git a/bins/linker/package.json b/bins/linker/package.json index 801b96618a..5becaa3083 100644 --- a/bins/linker/package.json +++ b/bins/linker/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/bins.linker", - "version": "1100.0.6", + "version": "1100.0.7", "description": "Link bins to node_modules/.bin", "keywords": [ "pnpm", diff --git a/bins/remover/CHANGELOG.md b/bins/remover/CHANGELOG.md index c291c58334..16ebe3a38d 100644 --- a/bins/remover/CHANGELOG.md +++ b/bins/remover/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/remove-bins +## 1100.0.4 + +### Patch Changes + +- Updated dependencies [4a79336] + - @pnpm/core-loggers@1100.1.0 + ## 1100.0.3 ### Patch Changes diff --git a/bins/remover/package.json b/bins/remover/package.json index 5f1e616f2b..3c76474135 100644 --- a/bins/remover/package.json +++ b/bins/remover/package.json 
@@ -1,6 +1,6 @@ { "name": "@pnpm/bins.remover", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Remove bins from .bin", "keywords": [ "pnpm", diff --git a/building/after-install/CHANGELOG.md b/building/after-install/CHANGELOG.md index ef6a6a361f..0d936c1f7f 100644 --- a/building/after-install/CHANGELOG.md +++ b/building/after-install/CHANGELOG.md 
@@ -1,5 +1,54 @@ # @pnpm/building.after-install +## 1101.0.13 + +### Patch Changes + +- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. + + `ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: + + 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. + 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. + + Three changes: + + - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. + - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. 
`calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. + - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. + + On upgrade, two one-time GVS slot churns are possible: + + - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. + - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. + + In both cases the old slots become prune-eligible. 
+ +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [3ddde2b] +- Updated dependencies [5dc8be8] +- Updated dependencies [4a79336] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/store.connection-manager@1100.2.0 + - @pnpm/config.reader@1101.3.2 + - @pnpm/deps.graph-hasher@1100.2.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/installing.context@1100.0.11 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/exec.lifecycle@1100.0.11 + - @pnpm/store.cafs@1100.1.5 + - @pnpm/building.policy@1100.0.5 + - @pnpm/lockfile.walker@1100.0.6 + - @pnpm/worker@1100.1.6 + - @pnpm/bins.linker@1100.0.7 + ## 1101.0.12 ### Patch Changes diff --git a/building/after-install/package.json b/building/after-install/package.json index 63886a136a..0284694868 100644 --- a/building/after-install/package.json +++ b/building/after-install/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/building.after-install", - "version": "1101.0.12", + "version": "1101.0.13", "description": "Rebuild packages that are already installed by running their lifecycle scripts", "keywords": [ "pnpm", diff --git a/building/commands/CHANGELOG.md b/building/commands/CHANGELOG.md index 33e34c903d..c2a0222797 100644 --- a/building/commands/CHANGELOG.md +++ b/building/commands/CHANGELOG.md 
@@ -1,5 +1,24 @@ # @pnpm/building.commands +## 1100.0.18 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [3ddde2b] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/installing.commands@1100.3.0 + - @pnpm/store.connection-manager@1100.2.0 + - @pnpm/config.reader@1101.3.2 + - @pnpm/building.after-install@1101.0.13 + - @pnpm/cli.utils@1101.0.5 + - @pnpm/config.writer@1100.0.8 + ## 1100.0.17 ### Patch Changes diff --git a/building/commands/package.json b/building/commands/package.json index 33c5d08857..22d82ae026 100644 --- a/building/commands/package.json +++ b/building/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/building.commands", - "version": "1100.0.17", + "version": "1100.0.18", "description": "Commands for rebuilding and managing dependency builds", "keywords": [ "pnpm", diff --git a/building/during-install/CHANGELOG.md b/building/during-install/CHANGELOG.md index 4d5fc17439..2725014fbe 100644 --- a/building/during-install/CHANGELOG.md +++ b/building/during-install/CHANGELOG.md 
@@ -1,5 +1,48 @@ # @pnpm/building.during-install +## 1101.0.11 + +### Patch Changes + +- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. + + `ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: + + 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. + 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. + + Three changes: + + - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. + - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. 
`calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. + - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. + + On upgrade, two one-time GVS slot churns are possible: + + - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. + - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. + + In both cases the old slots become prune-eligible. 
+ +- Updated dependencies [4195766] +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [3ddde2b] +- Updated dependencies [5dc8be8] +- Updated dependencies [4a79336] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/config.reader@1101.3.2 + - @pnpm/deps.graph-hasher@1100.2.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/exec.lifecycle@1100.0.11 + - @pnpm/worker@1100.1.6 + - @pnpm/bins.linker@1100.0.7 + - @pnpm/fs.hard-link-dir@1100.0.1 + - @pnpm/patching.apply-patch@1100.0.0 + ## 1101.0.10 ### Patch Changes diff --git a/building/during-install/package.json b/building/during-install/package.json index f04f482ddd..f8627e055f 100644 --- a/building/during-install/package.json +++ b/building/during-install/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/building.during-install", - "version": "1101.0.10", + "version": "1101.0.11", "description": "Build packages in node_modules", "keywords": [ "pnpm", diff --git a/building/policy/CHANGELOG.md b/building/policy/CHANGELOG.md index c578aeffe7..500ba6c26f 100644 --- a/building/policy/CHANGELOG.md +++ b/building/policy/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/building.policy +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [b6e2c8c] + - @pnpm/config.version-policy@1100.1.0 + ## 1100.0.4 ### Patch Changes diff --git a/building/policy/package.json b/building/policy/package.json index 9c67db607d..b71bdf946a 100644 --- a/building/policy/package.json +++ b/building/policy/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/building.policy", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Create a function for filtering out dependencies that are not allowed to be built", "keywords": [ "pnpm", diff --git a/cache/api/CHANGELOG.md b/cache/api/CHANGELOG.md index b997d5b5c6..b057735d85 100644 --- a/cache/api/CHANGELOG.md +++ b/cache/api/CHANGELOG.md 
@@ -1,5 +1,21 @@ # @pnpm/cache.api +## 1100.0.13 + +### Patch Changes + +- Updated dependencies [963861c] +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/resolving.npm-resolver@1101.2.0 + - @pnpm/config.reader@1101.3.2 + - @pnpm/store.cafs@1100.1.5 + ## 1100.0.12 ### Patch Changes diff --git a/cache/api/package.json b/cache/api/package.json index 9b5999398e..fe9629fef0 100644 --- a/cache/api/package.json +++ b/cache/api/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cache.api", - "version": "1100.0.12", + "version": "1100.0.13", "description": "API for controlling the cache", "keywords": [ "pnpm", diff --git a/cache/commands/CHANGELOG.md b/cache/commands/CHANGELOG.md index c46ad46eb8..1040b279ae 100644 --- a/cache/commands/CHANGELOG.md +++ b/cache/commands/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/cache.commands +## 1100.0.14 + +### Patch Changes + +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/config.reader@1101.3.2 + - @pnpm/cache.api@1100.0.13 + - @pnpm/cli.utils@1101.0.5 + ## 1100.0.13 ### Patch Changes diff --git a/cache/commands/package.json b/cache/commands/package.json index 64380a416a..ced062499e 100644 --- a/cache/commands/package.json +++ b/cache/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cache.commands", - "version": "1100.0.13", + "version": "1100.0.14", "description": "Commands for controlling the cache", "keywords": [ "pnpm", diff --git a/cli/commands/CHANGELOG.md b/cli/commands/CHANGELOG.md index 13ecad8d56..690199b9da 100644 --- a/cli/commands/CHANGELOG.md +++ b/cli/commands/CHANGELOG.md 
@@ -1,5 +1,18 @@ # @pnpm/cli.commands +## 1100.0.13 + +### Patch Changes + +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/config.reader@1101.3.2 + - @pnpm/cli.utils@1101.0.5 + - @pnpm/workspace.projects-reader@1101.0.5 + ## 1100.0.12 ### Patch Changes diff --git a/cli/commands/package.json b/cli/commands/package.json index 613ac8df5e..4db82637f0 100644 --- a/cli/commands/package.json +++ b/cli/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cli.commands", - "version": "1100.0.12", + "version": "1100.0.13", "description": "Commands for pnpm CLI", "keywords": [ "pnpm", diff --git a/cli/default-reporter/CHANGELOG.md b/cli/default-reporter/CHANGELOG.md index 1716ecb2aa..5b1e5e2853 100644 --- a/cli/default-reporter/CHANGELOG.md +++ b/cli/default-reporter/CHANGELOG.md 
@@ -1,5 +1,35 @@ # @pnpm/default-reporter +## 1100.2.0 + +### Minor Changes + +- 4a79336: The lockfile verifier added in #11705 now emits `pnpm:lockfile-verification` log events (`status: 'started' | 'done'`) around the registry round-trip pass, and the default reporter renders them as a transient progress line so users can see that pnpm is doing work — on a cold registry cache the round-trip can take a noticeable beat, and the previous behavior was complete silence followed by either a long pause or an error. The cached short-circuit stays silent (no logs when no work happens), and the `done` line carries the number of distinct entries that were checked plus the elapsed time. + + Pacquet parity: not ported — pacquet doesn't carry the lockfile verifier yet (see the parity note on #11705). + +### Patch Changes + +- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users: + + 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone. + 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it. + 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. 
Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). + + Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens. 
+ +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [4a79336] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/config.reader@1101.3.2 + - @pnpm/core-loggers@1100.1.0 + ## 1100.1.2 ### Patch Changes diff --git a/cli/default-reporter/package.json b/cli/default-reporter/package.json index 94b44452bf..e63271b6b0 100644 --- a/cli/default-reporter/package.json +++ b/cli/default-reporter/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cli.default-reporter", - "version": "1100.1.2", + "version": "1100.2.0", "description": "The default reporter of pnpm", "keywords": [ "pnpm", diff --git a/cli/utils/CHANGELOG.md b/cli/utils/CHANGELOG.md index 354c45e026..25f3a1be47 100644 --- a/cli/utils/CHANGELOG.md +++ b/cli/utils/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/cli-utils +## 1101.0.5 + +### Patch Changes + +- @pnpm/config.package-is-installable@1100.0.5 +- @pnpm/pkg-manifest.utils@1100.1.4 +- @pnpm/workspace.project-manifest-reader@1100.0.6 + ## 1101.0.4 ### Patch Changes diff --git a/cli/utils/package.json b/cli/utils/package.json index c81373bf00..ef95bb7016 100644 --- a/cli/utils/package.json +++ b/cli/utils/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/cli.utils", - "version": "1101.0.4", + "version": "1101.0.5", "description": "Utils for pnpm commands", "keywords": [ "pnpm", diff --git a/config/commands/CHANGELOG.md b/config/commands/CHANGELOG.md index 33dbf8ace5..8df6812e5a 100644 --- a/config/commands/CHANGELOG.md +++ b/config/commands/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/plugin-commands-config +## 1100.0.14 + +### Patch Changes + +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/config.reader@1101.3.2 + - @pnpm/workspace.workspace-manifest-writer@1100.0.8 + - @pnpm/cli.utils@1101.0.5 + ## 1100.0.13 ### Patch Changes 
diff --git a/config/commands/package.json b/config/commands/package.json index 95af5f0e0b..c757bfc4b6 100644 --- a/config/commands/package.json +++ b/config/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/config.commands", - "version": "1100.0.13", + "version": "1100.0.14", "description": "Commands for reading and writing settings to/from config files", "keywords": [ "pnpm", diff --git a/config/package-is-installable/CHANGELOG.md b/config/package-is-installable/CHANGELOG.md index ddb528e985..1708e170b8 100644 --- a/config/package-is-installable/CHANGELOG.md +++ b/config/package-is-installable/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/package-is-installable +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [3ddde2b] +- Updated dependencies [4a79336] + - @pnpm/engine.runtime.system-node-version@1100.1.0 + - @pnpm/core-loggers@1100.1.0 + ## 1100.0.4 ### Patch Changes diff --git a/config/package-is-installable/package.json b/config/package-is-installable/package.json index 74beeee613..6a82c56cab 100644 --- a/config/package-is-installable/package.json +++ b/config/package-is-installable/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/config.package-is-installable", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Checks if a package is installable on the current system", "keywords": [ "pnpm", diff --git a/config/reader/CHANGELOG.md b/config/reader/CHANGELOG.md index d7b6f33058..d083381f03 100644 --- a/config/reader/CHANGELOG.md +++ b/config/reader/CHANGELOG.md 
@@ -1,5 +1,30 @@ # @pnpm/config +## 1101.3.2 + +### Patch Changes + +- 020ac45: Allow redundant trailing base64 padding in `.npmrc` auth values and report invalid auth base64 with a pnpm error. +- d3f8408: **fix**: global installs respect global config build policy (e.g., `dangerouslyAllowAllBuilds` from config.yaml) when GVS is enabled [#9249](https://github.com/pnpm/pnpm/issues/9249). + + The global virtual-store (GVS) default `allowBuilds = {}` was applied before workspace manifest settings were read and before global config values (stripped by `extractAndRemoveDependencyBuildOptions`) were re-applied via `globalDepsBuildConfig`. This caused `hasDependencyBuildOptions` to return `true` (because `{}` is not null), blocking restoration of global config values like `dangerouslyAllowAllBuilds`. As a result, global installs skipped all build scripts even when the config explicitly allowed them. + + This fix moves the GVS default to **after** workspace manifest reading and `globalDepsBuildConfig` re-application, so that: + + 1. Workspace manifest `allowBuilds` takes precedence (if present) + 2. Global config `dangerouslyAllowAllBuilds` is properly restored (if set and no workspace policy exists) + 3. Empty `{}` is only applied as a last resort when no policy is configured anywhere + +- a62f959: Fixed `pnpm publish` failing with a 404 when authentication relied on OIDC trusted publishing alongside an `.npmrc` written by `actions/setup-node` (`_authToken=${NODE_AUTH_TOKEN}`) without `NODE_AUTH_TOKEN` being set. Unresolved `${VAR}` placeholders in auth values are now treated as empty rather than passed through verbatim, so the literal placeholder no longer surfaces as a bearer token when OIDC fallback is the intended auth source [#11513](https://github.com/pnpm/pnpm/issues/11513). +- ba2c884: Fix `devEngines.packageManager` (singular form, without `onFail`) defaulting to `onFail: "error"` instead of the documented `pmOnFail: "download"`. 
As a result, a project that pinned a different pnpm version via `devEngines.packageManager` and ran `pnpm install` from a mismatched pnpm version failed with a hard error, even though the migration table from `managePackageManagerVersions: true` to `pmOnFail: download (default)` promises the install would auto-download the wanted version [#11676](https://github.com/pnpm/pnpm/issues/11676). + + The array form of `devEngines.packageManager` keeps its existing per-element defaults (`error` for the last entry, `ignore` for the rest), since those reflect explicit prioritization by the user. Explicit `onFail` values continue to win. + +- 8df408c: Warn when `package.json` contains a legacy `pnpm` field with settings pnpm no longer reads from `package.json` (e.g. `pnpm.overrides`, `pnpm.patchedDependencies`). Previously these were silently ignored after the upgrade from v10, leaving users unaware that their overrides/patched dependencies had stopped taking effect [#11677](https://github.com/pnpm/pnpm/issues/11677). + - @pnpm/hooks.pnpmfile@1100.0.9 + - @pnpm/pkg-manifest.utils@1100.1.4 + - @pnpm/workspace.project-manifest-reader@1100.0.6 + ## 1101.3.1 ### Patch Changes diff --git a/config/reader/package.json b/config/reader/package.json index 3fb3643a0e..31162337b7 100644 --- a/config/reader/package.json +++ b/config/reader/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/config.reader", - "version": "1101.3.1", + "version": "1101.3.2", "description": "Gets configuration options for pnpm", "keywords": [ "pnpm", diff --git a/config/version-policy/CHANGELOG.md b/config/version-policy/CHANGELOG.md index 00830cf1dc..e3683a74a5 100644 --- a/config/version-policy/CHANGELOG.md +++ b/config/version-policy/CHANGELOG.md 
@@ -1,5 +1,15 @@
 # @pnpm/config.version-policy
 
+## 1100.1.0
+
+### Minor Changes
+
+- b6e2c8c: Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install.
+
+ When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`.
+
+ Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes.
+
 ## 1100.0.3
 
 ### Patch Changes
diff --git a/config/version-policy/package.json b/config/version-policy/package.json
index 79c9a332d0..d7e2a385e8 100644
--- a/config/version-policy/package.json
+++ b/config/version-policy/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/config.version-policy",
- "version": "1100.0.3",
+ "version": "1100.1.0",
 "description": "Parses and evaluates package version policy specs and produces package-version matchers",
 "keywords": [
 "pnpm",
diff --git a/config/writer/CHANGELOG.md b/config/writer/CHANGELOG.md
index 89e98681e9..92d3ec8397 100644
--- a/config/writer/CHANGELOG.md
+++ b/config/writer/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/config.config-writer
 
+## 1100.0.8
+
+### Patch Changes
+
+- @pnpm/workspace.workspace-manifest-writer@1100.0.8
+
 ## 1100.0.7
 
 ### Patch Changes
diff --git a/config/writer/package.json b/config/writer/package.json
index 708926be7e..d9ff221ab4 100644
--- a/config/writer/package.json
+++ b/config/writer/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/config.writer",
- "version": "1100.0.7",
+ "version": "1100.0.8",
 "description": "Functions for updating the configuration settings",
 "keywords": [
 "pnpm",
diff --git a/core/core-loggers/CHANGELOG.md b/core/core-loggers/CHANGELOG.md
index 8ba0944378..38eed410b5 100644
--- a/core/core-loggers/CHANGELOG.md
+++ b/core/core-loggers/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @pnpm/core-loggers
 
+## 1100.1.0
+
+### Minor Changes
+
+- 4a79336: The lockfile verifier added in #11705 now emits `pnpm:lockfile-verification` log events (`status: 'started' | 'done'`) around the registry round-trip pass, and the default reporter renders them as a transient progress line so users can see that pnpm is doing work — on a cold registry cache the round-trip can take a noticeable beat, and the previous behavior was complete silence followed by either a long pause or an error. The cached short-circuit stays silent (no logs when no work happens), and the `done` line carries the number of distinct entries that were checked plus the elapsed time.
+
+ Pacquet parity: not ported — pacquet doesn't carry the lockfile verifier yet (see the parity note on #11705).
+
 ## 1100.0.2
 
 ### Patch Changes
diff --git a/core/core-loggers/package.json b/core/core-loggers/package.json
index 8ce60ade15..8799c2e46c 100644
--- a/core/core-loggers/package.json
+++ b/core/core-loggers/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/core-loggers",
- "version": "1100.0.2",
+ "version": "1100.1.0",
 "description": "Core loggers of pnpm",
 "keywords": [
 "pnpm",
diff --git a/deps/compliance/audit/CHANGELOG.md b/deps/compliance/audit/CHANGELOG.md
index 8983023f7f..25730bbf4c 100644
--- a/deps/compliance/audit/CHANGELOG.md
+++ b/deps/compliance/audit/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/audit
 
+## 1101.0.8
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+ - @pnpm/lockfile.fs@1100.1.0
+ - @pnpm/lockfile.types@1100.0.6
+ - @pnpm/lockfile.utils@1100.0.8
+ - @pnpm/network.fetch@1100.0.5
+ - @pnpm/lockfile.detect-dep-types@1100.0.6
+ - @pnpm/lockfile.walker@1100.0.6
+
 ## 1101.0.7
 
 ### Patch Changes
diff --git a/deps/compliance/audit/package.json b/deps/compliance/audit/package.json
index 40776b1fe0..e19f2da522 100644
--- a/deps/compliance/audit/package.json
+++ b/deps/compliance/audit/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.compliance.audit",
- "version": "1101.0.7",
+ "version": "1101.0.8",
 "description": "Audit a lockfile",
 "keywords": [
 "pnpm",
diff --git a/deps/compliance/commands/CHANGELOG.md b/deps/compliance/commands/CHANGELOG.md
index 3e4ccc9de6..906d3c6a07 100644
--- a/deps/compliance/commands/CHANGELOG.md
+++ b/deps/compliance/commands/CHANGELOG.md
@@ -1,5 +1,31 @@
 # @pnpm/deps.compliance.commands
 
+## 1101.2.3
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [6e93f35]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [2a9bd89]
+- Updated dependencies [8df408c]
+ - @pnpm/installing.commands@1100.3.0
+ - @pnpm/config.reader@1101.3.2
+ - @pnpm/lockfile.fs@1100.1.0
+ - @pnpm/deps.compliance.sbom@1100.1.2
+ - @pnpm/lockfile.types@1100.0.6
+ - @pnpm/lockfile.utils@1100.0.8
+ - @pnpm/deps.compliance.audit@1101.0.8
+ - @pnpm/deps.compliance.license-scanner@1100.0.12
+ - @pnpm/lockfile.walker@1100.0.6
+ - @pnpm/cli.utils@1101.0.5
+ - @pnpm/deps.security.signatures@1101.1.2
+ - @pnpm/workspace.project-manifest-reader@1100.0.6
+ - @pnpm/config.writer@1100.0.8
+
 ## 1101.2.2
 
 ### Patch Changes
diff --git a/deps/compliance/commands/package.json b/deps/compliance/commands/package.json
index 2c73a1bd03..a641d57b8a 100644
--- a/deps/compliance/commands/package.json
+++ b/deps/compliance/commands/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.compliance.commands",
- "version": "1101.2.2",
+ "version": "1101.2.3",
 "description": "pnpm commands for audit, licenses, and sbom",
 "keywords": [
 "pnpm",
diff --git a/deps/compliance/license-scanner/CHANGELOG.md b/deps/compliance/license-scanner/CHANGELOG.md
index b51e3ff194..cc44a7f373 100644
--- a/deps/compliance/license-scanner/CHANGELOG.md
+++ b/deps/compliance/license-scanner/CHANGELOG.md
@@ -1,5 +1,19 @@
 # @pnpm/license-scanner
 
+## 1100.0.12
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+ - @pnpm/lockfile.fs@1100.1.0
+ - @pnpm/lockfile.types@1100.0.6
+ - @pnpm/lockfile.utils@1100.0.8
+ - @pnpm/store.pkg-finder@1100.0.10
+ - @pnpm/config.package-is-installable@1100.0.5
+ - @pnpm/lockfile.detect-dep-types@1100.0.6
+ - @pnpm/lockfile.walker@1100.0.6
+
 ## 1100.0.11
 
 ### Patch Changes
diff --git a/deps/compliance/license-scanner/package.json b/deps/compliance/license-scanner/package.json
index b059bddeaf..8f6ba95583 100644
--- a/deps/compliance/license-scanner/package.json
+++ b/deps/compliance/license-scanner/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.compliance.license-scanner",
- "version": "1100.0.11",
+ "version": "1100.0.12",
 "description": "Check for licenses packages",
 "keywords": [
 "pnpm",
diff --git a/deps/compliance/sbom/CHANGELOG.md b/deps/compliance/sbom/CHANGELOG.md
index 8b905ce0d4..7335d5120b 100644
--- a/deps/compliance/sbom/CHANGELOG.md
+++ b/deps/compliance/sbom/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/deps.compliance.sbom
 
+## 1100.1.2
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/lockfile.types@1100.0.6
+ - @pnpm/lockfile.utils@1100.0.8
+ - @pnpm/store.pkg-finder@1100.0.10
+ - @pnpm/lockfile.detect-dep-types@1100.0.6
+ - @pnpm/lockfile.walker@1100.0.6
+
 ## 1100.1.1
 
 ### Patch Changes
diff --git a/deps/compliance/sbom/package.json b/deps/compliance/sbom/package.json
index a9c4b8b1ee..2340b2dded 100644
--- a/deps/compliance/sbom/package.json
+++ b/deps/compliance/sbom/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.compliance.sbom",
- "version": "1100.1.1",
+ "version": "1100.1.2",
 "description": "Generate SBOM from pnpm lockfile",
 "keywords": [
 "pnpm",
diff --git a/deps/graph-builder/CHANGELOG.md b/deps/graph-builder/CHANGELOG.md
index 1210ab059d..8f0d843d49 100644
--- a/deps/graph-builder/CHANGELOG.md
+++ b/deps/graph-builder/CHANGELOG.md
@@ -1,5 +1,43 @@ # @pnpm/deps.graph-builder +## 1100.0.10 + +### Patch Changes + +- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. + + `ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: + + 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. + 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. + + Three changes: + + - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. + - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. 
`calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. + - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. + + On upgrade, two one-time GVS slot churns are possible: + + - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. + - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. + + In both cases the old slots become prune-eligible. + +- Updated dependencies [4195766] +- Updated dependencies [6e93f35] +- Updated dependencies [3ddde2b] +- Updated dependencies [5dc8be8] +- Updated dependencies [4a79336] +- Updated dependencies [2a9bd89] + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/deps.graph-hasher@1100.2.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/hooks.types@1100.0.7 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/config.package-is-installable@1100.0.5 + ## 1100.0.9 ### Patch Changes 
diff --git a/deps/graph-builder/package.json b/deps/graph-builder/package.json
index bb059fafc9..e4f5f6d1ac 100644
--- a/deps/graph-builder/package.json
+++ b/deps/graph-builder/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.graph-builder",
- "version": "1100.0.9",
+ "version": "1100.0.10",
 "description": "A package for building a dependency graph from a lockfile",
 "keywords": [
 "pnpm",
diff --git a/deps/graph-hasher/CHANGELOG.md b/deps/graph-hasher/CHANGELOG.md
index d2af412b7b..ebc2dbbdf0 100644
--- a/deps/graph-hasher/CHANGELOG.md
+++ b/deps/graph-hasher/CHANGELOG.md
@@ -1,5 +1,52 @@ # @pnpm/calc-dep-state +## 1100.2.0 + +### Minor Changes + +- 5dc8be8: **fix**: resolve the GVS hash's engine portion per-snapshot when a dependency declares its own `engines.runtime`, instead of using an install-wide value. + + Pnpm's resolver desugars a dep's `engines.runtime` into `dependencies.node: 'runtime:'`, and the bin linker spawns that dep's lifecycle scripts through the pinned Node downloaded into `/node_modules/node/`. The GVS hash and the side-effects-cache key prefix were still anchored to the install-wide runtime — so a pinning snapshot's slot encoded the wrong Node major, and a reinstall on the same host could read the cached side-effects under a key whose `;;node` triple disagreed with the Node the build actually ran on. + + Per-snapshot resolution now matches what `bins/linker` already does on a per-package basis: + + - `@pnpm/deps.graph-hasher` adds `readSnapshotRuntimePin(children)` — reads the `node` entry from one snapshot's graph children and extracts the version from a `node@runtime:` value. Pairs with the existing `findRuntimeNodeVersion(snapshotKeys)` install-wide fallback (also now exported from `@pnpm/deps.graph-hasher` rather than `@pnpm/engine.runtime.system-node-version`, where it was a poor fit — `system-node-version` is about probing the host Node, not parsing lockfile-derived strings). + - `calcDepState` and `calcGraphNodeHash` consult `readSnapshotRuntimePin(graph[depPath].children)` first and only fall back to the install-wide `nodeVersion` parameter when the snapshot doesn't pin its own Node. + + Pacquet mirrors the same precedence at the `calc_graph_node_hash` call site in `package-manager/src/virtual_store_layout.rs` — a new `find_own_runtime_node_major(snapshot)` helper reads each snapshot's `dependencies` for a `node` entry with `Prefix::Runtime` and overrides the install-wide engine when present. 
+ + On upgrade, snapshots of dependencies that declare their own `engines.runtime` re-hash under that dep's pinned Node instead of the install-wide value. The old slots become prune-eligible. Closes [#11690](https://github.com/pnpm/pnpm/issues/11690). + +### Patch Changes + +- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. + + `ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: + + 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. + 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. + + Three changes: + + - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. 
+ - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. + - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. + + On upgrade, two one-time GVS slot churns are possible: + + - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. + - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. + + In both cases the old slots become prune-eligible. + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [3ddde2b] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/engine.runtime.system-node-version@1100.1.0 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/lockfile.utils@1100.0.8 + ## 1100.1.5 ### Patch Changes 
diff --git a/deps/graph-hasher/package.json b/deps/graph-hasher/package.json
index 608d44cdfe..9b829dae84 100644
--- a/deps/graph-hasher/package.json
+++ b/deps/graph-hasher/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.graph-hasher",
- "version": "1100.1.5",
+ "version": "1100.2.0",
 "description": "Calculates the state of a dependency",
 "keywords": [
 "pnpm",
diff --git a/deps/inspection/commands/CHANGELOG.md b/deps/inspection/commands/CHANGELOG.md
index 52af161454..dbbe3ec273 100644
--- a/deps/inspection/commands/CHANGELOG.md
+++ b/deps/inspection/commands/CHANGELOG.md
@@ -1,5 +1,31 @@
 # @pnpm/deps.inspection.commands
 
+## 1100.2.3
+
+### Patch Changes
+
+- Updated dependencies [963861c]
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [b6e2c8c]
+- Updated dependencies [d3f8408]
+- Updated dependencies [6e93f35]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [2a9bd89]
+- Updated dependencies [8df408c]
+ - @pnpm/resolving.npm-resolver@1101.2.0
+ - @pnpm/resolving.default-resolver@1100.2.0
+ - @pnpm/deps.inspection.outdated@1100.0.16
+ - @pnpm/config.reader@1101.3.2
+ - @pnpm/lockfile.fs@1100.1.0
+ - @pnpm/global.commands@1100.0.18
+ - @pnpm/deps.inspection.list@1100.0.11
+ - @pnpm/deps.inspection.peers-checker@1100.0.9
+ - @pnpm/network.fetch@1100.0.5
+ - @pnpm/cli.utils@1101.0.5
+
 ## 1100.2.2
 
 ### Patch Changes
diff --git a/deps/inspection/commands/package.json b/deps/inspection/commands/package.json
index 3bedc47d7a..9992ad6e33 100644
--- a/deps/inspection/commands/package.json
+++ b/deps/inspection/commands/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.inspection.commands",
- "version": "1100.2.2",
+ "version": "1100.2.3",
 "description": "The list, ll, why, and outdated commands of pnpm",
 "keywords": [
 "pnpm",
diff --git a/deps/inspection/list/CHANGELOG.md b/deps/inspection/list/CHANGELOG.md
index fae0feb043..422243120b 100644
--- a/deps/inspection/list/CHANGELOG.md
+++ b/deps/inspection/list/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @pnpm/list
 
+## 1100.0.11
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+ - @pnpm/lockfile.fs@1100.1.0
+ - @pnpm/deps.inspection.tree-builder@1100.0.10
+ - @pnpm/workspace.project-manifest-reader@1100.0.6
+
 ## 1100.0.10
 
 ### Patch Changes
diff --git a/deps/inspection/list/package.json b/deps/inspection/list/package.json
index e13ae1351c..d628470860 100644
--- a/deps/inspection/list/package.json
+++ b/deps/inspection/list/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.inspection.list",
- "version": "1100.0.10",
+ "version": "1100.0.11",
 "description": "List installed packages in a symlinked `node_modules`",
 "keywords": [
 "pnpm",
diff --git a/deps/inspection/outdated/CHANGELOG.md b/deps/inspection/outdated/CHANGELOG.md
index 669f203a89..9d4e4a8505 100644
--- a/deps/inspection/outdated/CHANGELOG.md
+++ b/deps/inspection/outdated/CHANGELOG.md
@@ -1,5 +1,39 @@ # @pnpm/outdated +## 1100.0.16 + +### Patch Changes + +- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users: + + 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone. + 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it. + 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. 
Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). + + Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens. + +- b6e2c8c: Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install. + + When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`. + + Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes. 
+
+- Updated dependencies [963861c]
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [b6e2c8c]
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+ - @pnpm/resolving.npm-resolver@1101.2.0
+ - @pnpm/installing.client@1100.1.0
+ - @pnpm/config.version-policy@1100.1.0
+ - @pnpm/lockfile.fs@1100.1.0
+ - @pnpm/lockfile.utils@1100.0.8
+ - @pnpm/pkg-manifest.utils@1100.1.4
+
 ## 1100.0.15
 
 ### Patch Changes
diff --git a/deps/inspection/outdated/package.json b/deps/inspection/outdated/package.json
index cd8fe788e6..c04dbab5ef 100644
--- a/deps/inspection/outdated/package.json
+++ b/deps/inspection/outdated/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.inspection.outdated",
- "version": "1100.0.15",
+ "version": "1100.0.16",
 "description": "Check for outdated packages",
 "keywords": [
 "pnpm",
diff --git a/deps/inspection/peers-checker/CHANGELOG.md b/deps/inspection/peers-checker/CHANGELOG.md
index eb3d470fd2..58a0939ec5 100644
--- a/deps/inspection/peers-checker/CHANGELOG.md
+++ b/deps/inspection/peers-checker/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @pnpm/deps.inspection.peers-checker
 
+## 1100.0.9
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+ - @pnpm/lockfile.fs@1100.1.0
+ - @pnpm/lockfile.walker@1100.0.6
+
 ## 1100.0.8
 
 ### Patch Changes
diff --git a/deps/inspection/peers-checker/package.json b/deps/inspection/peers-checker/package.json
index be368c7b36..06b1580292 100644
--- a/deps/inspection/peers-checker/package.json
+++ b/deps/inspection/peers-checker/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.inspection.peers-checker",
- "version": "1100.0.8",
+ "version": "1100.0.9",
 "description": "Check for unmet and missing peer dependency issues from the lockfile",
 "keywords": [
 "pnpm",
diff --git a/deps/inspection/tree-builder/CHANGELOG.md b/deps/inspection/tree-builder/CHANGELOG.md
index 2c5300edb2..8158a97662 100644
--- a/deps/inspection/tree-builder/CHANGELOG.md
+++ b/deps/inspection/tree-builder/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @pnpm/reviewing.dependencies-hierarchy
 
+## 1100.0.10
+
+### Patch Changes
+
+- Updated dependencies [6e93f35]
+- Updated dependencies [2a9bd89]
+ - @pnpm/lockfile.fs@1100.1.0
+ - @pnpm/lockfile.utils@1100.0.8
+ - @pnpm/store.cafs@1100.1.5
+ - @pnpm/lockfile.detect-dep-types@1100.0.6
+
 ## 1100.0.9
 
 ### Patch Changes
diff --git a/deps/inspection/tree-builder/package.json b/deps/inspection/tree-builder/package.json
index 3a327cde37..4087d642b4 100644
--- a/deps/inspection/tree-builder/package.json
+++ b/deps/inspection/tree-builder/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.inspection.tree-builder",
- "version": "1100.0.9",
+ "version": "1100.0.10",
 "description": "Creates a dependencies hierarchy for a symlinked `node_modules`",
 "keywords": [
 "pnpm",
diff --git a/deps/security/signatures/CHANGELOG.md b/deps/security/signatures/CHANGELOG.md
index 28bdce64e2..80217fae50 100644
--- a/deps/security/signatures/CHANGELOG.md
+++ b/deps/security/signatures/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/deps.security.signatures
 
+## 1101.1.2
+
+### Patch Changes
+
+- @pnpm/network.fetch@1100.0.5
+
 ## 1101.1.1
 
 ### Patch Changes
diff --git a/deps/security/signatures/package.json b/deps/security/signatures/package.json
index dd0aacadf0..5c99c19a17 100644
--- a/deps/security/signatures/package.json
+++ b/deps/security/signatures/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/deps.security.signatures",
- "version": "1101.1.1",
+ "version": "1101.1.2",
 "description": "Verify package signatures from npm registries",
 "keywords": [
 "pnpm",
diff --git a/deps/status/CHANGELOG.md b/deps/status/CHANGELOG.md
index 2e66148c13..4443759fe2 100644
--- a/deps/status/CHANGELOG.md
+++ b/deps/status/CHANGELOG.md
@@ -1,5 +1,27 @@ # @pnpm/deps.status +## 1100.0.16 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [6e93f35] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [2a9bd89] +- Updated dependencies [8df408c] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/config.reader@1101.3.2 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/installing.context@1100.0.11 + - @pnpm/lockfile.verification@1100.0.11 + - @pnpm/workspace.state@1100.0.13 + - @pnpm/lockfile.settings-checker@1100.0.11 + - @pnpm/workspace.projects-reader@1101.0.5 + ## 1100.0.15 ### Patch Changes diff --git a/deps/status/package.json b/deps/status/package.json index 11e18e6211..f0875bc181 100644 --- a/deps/status/package.json +++ b/deps/status/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/deps.status", - "version": "1100.0.15", + "version": "1100.0.16", "description": "Check dependencies status", "keywords": [ "pnpm", diff --git a/engine/pm/commands/CHANGELOG.md b/engine/pm/commands/CHANGELOG.md index 97828265ca..dea1ce5772 100644 --- a/engine/pm/commands/CHANGELOG.md +++ b/engine/pm/commands/CHANGELOG.md 
@@ -1,5 +1,56 @@ # @pnpm/engine.pm.commands +## 1101.1.13 + +### Patch Changes + +- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users: + + 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone. + 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it. + 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. 
Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). + + Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens. + +- b6e2c8c: Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install. + + When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`. + + Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes. 
+ +- Updated dependencies [963861c] +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [b6e2c8c] +- Updated dependencies [d3f8408] +- Updated dependencies [6e93f35] +- Updated dependencies [3ddde2b] +- Updated dependencies [5dc8be8] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [2a9bd89] +- Updated dependencies [8df408c] + - @pnpm/resolving.npm-resolver@1101.2.0 + - @pnpm/installing.client@1100.1.0 + - @pnpm/store.connection-manager@1100.2.0 + - @pnpm/config.reader@1101.3.2 + - @pnpm/config.version-policy@1100.1.0 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/deps.graph-hasher@1100.2.0 + - @pnpm/installing.deps-restorer@1101.1.3 + - @pnpm/installing.env-installer@1101.0.10 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/store.controller@1101.0.7 + - @pnpm/global.commands@1100.0.18 + - @pnpm/building.policy@1100.0.5 + - @pnpm/cli.utils@1101.0.5 + - @pnpm/bins.linker@1100.0.7 + - @pnpm/workspace.project-manifest-reader@1100.0.6 + ## 1101.1.12 ### Patch Changes diff --git a/engine/pm/commands/package.json b/engine/pm/commands/package.json index bc85558202..900a801928 100644 --- a/engine/pm/commands/package.json +++ b/engine/pm/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.pm.commands", - "version": "1101.1.12", + "version": "1101.1.13", "description": "pnpm commands for self-updating and setting up pnpm", "keywords": [ "pnpm", diff --git a/engine/runtime/bun-resolver/CHANGELOG.md b/engine/runtime/bun-resolver/CHANGELOG.md index 431d320bb6..65296c911c 100644 --- a/engine/runtime/bun-resolver/CHANGELOG.md +++ b/engine/runtime/bun-resolver/CHANGELOG.md 
@@ -1,5 +1,18 @@ # @pnpm/resolving.bun-resolver +## 1101.0.7 + +### Patch Changes + +- Updated dependencies [963861c] +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.npm-resolver@1101.2.0 + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/fetching.fetcher-base@1100.1.4 + - @pnpm/fetching.binary-fetcher@1101.0.6 + - @pnpm/worker@1100.1.6 + ## 1101.0.6 ### Patch Changes diff --git a/engine/runtime/bun-resolver/package.json b/engine/runtime/bun-resolver/package.json index a81894ba16..d006b1f32f 100644 --- a/engine/runtime/bun-resolver/package.json +++ b/engine/runtime/bun-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.runtime.bun-resolver", - "version": "1101.0.6", + "version": "1101.0.7", "description": "Resolves the Bun runtime", "keywords": [ "pnpm", diff --git a/engine/runtime/commands/CHANGELOG.md b/engine/runtime/commands/CHANGELOG.md index e67a649ae6..33412a345f 100644 --- a/engine/runtime/commands/CHANGELOG.md +++ b/engine/runtime/commands/CHANGELOG.md @@ -1,5 +1,21 @@ # @pnpm/engine.runtime.commands +## 1100.0.15 + +### Patch Changes + +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [247d70b] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/config.reader@1101.3.2 + - @pnpm/exec.pnpm-cli-runner@1100.0.1 + - @pnpm/engine.runtime.node-resolver@1101.0.9 + - @pnpm/network.fetch@1100.0.5 + - @pnpm/cli.utils@1101.0.5 + ## 1100.0.14 ### Patch Changes diff --git a/engine/runtime/commands/package.json b/engine/runtime/commands/package.json index b0aeeb54ab..7a203af467 100644 --- a/engine/runtime/commands/package.json +++ b/engine/runtime/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.runtime.commands", - "version": "1100.0.14", + "version": "1100.0.15", "description": "pnpm commands for managing runtimes", "keywords": [ "pnpm", 
diff --git a/engine/runtime/deno-resolver/CHANGELOG.md b/engine/runtime/deno-resolver/CHANGELOG.md index f398bde312..7e6235ba7e 100644 --- a/engine/runtime/deno-resolver/CHANGELOG.md +++ b/engine/runtime/deno-resolver/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/resolving.deno-resolver +## 1101.0.7 + +### Patch Changes + +- Updated dependencies [963861c] +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.npm-resolver@1101.2.0 + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/fetching.fetcher-base@1100.1.4 + - @pnpm/fetching.binary-fetcher@1101.0.6 + - @pnpm/worker@1100.1.6 + ## 1101.0.6 ### Patch Changes diff --git a/engine/runtime/deno-resolver/package.json b/engine/runtime/deno-resolver/package.json index 91c7fea836..4012b8c875 100644 --- a/engine/runtime/deno-resolver/package.json +++ b/engine/runtime/deno-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.runtime.deno-resolver", - "version": "1101.0.6", + "version": "1101.0.7", "description": "Resolves the Deno runtime", "keywords": [ "pnpm", diff --git a/engine/runtime/node-resolver/CHANGELOG.md b/engine/runtime/node-resolver/CHANGELOG.md index 4e1b912c77..251565aa86 100644 --- a/engine/runtime/node-resolver/CHANGELOG.md +++ b/engine/runtime/node-resolver/CHANGELOG.md @@ -1,5 +1,19 @@ # @pnpm/node.resolver +## 1101.0.9 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/config.reader@1101.3.2 + ## 1101.0.8 ### Patch Changes diff --git a/engine/runtime/node-resolver/package.json b/engine/runtime/node-resolver/package.json index 28424b24d9..eeb101de3a 100644 --- a/engine/runtime/node-resolver/package.json +++ b/engine/runtime/node-resolver/package.json 
@@ -1,6 +1,6 @@ { "name": "@pnpm/engine.runtime.node-resolver", - "version": "1101.0.8", + "version": "1101.0.9", "description": "Resolves a Node.js version specifier to an exact Node.js version", "keywords": [ "pnpm", diff --git a/engine/runtime/system-node-version/CHANGELOG.md b/engine/runtime/system-node-version/CHANGELOG.md index 171097aec5..6eb4532b27 100644 --- a/engine/runtime/system-node-version/CHANGELOG.md +++ b/engine/runtime/system-node-version/CHANGELOG.md 
@@ -1,5 +1,29 @@ # @pnpm/env.system-node-version +## 1100.1.0 + +### Minor Changes + +- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. + + `ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: + + 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. + 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. + + Three changes: + + - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. + - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. 
`calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. + - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. + + On upgrade, two one-time GVS slot churns are possible: + + - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. + - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. + + In both cases the old slots become prune-eligible. + ## 1100.0.3 ### Patch Changes diff --git a/engine/runtime/system-node-version/package.json b/engine/runtime/system-node-version/package.json index e62f28d6de..311eab9149 100644 --- a/engine/runtime/system-node-version/package.json +++ b/engine/runtime/system-node-version/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/engine.runtime.system-node-version", - "version": "1100.0.3", + "version": "1100.1.0", "description": "Detects the current system node version", "keywords": [ "pnpm", 
diff --git a/exec/commands/CHANGELOG.md b/exec/commands/CHANGELOG.md index d66882b764..fee7b9fee7 100644 --- a/exec/commands/CHANGELOG.md +++ b/exec/commands/CHANGELOG.md 
@@ -1,5 +1,52 @@ # @pnpm/plugin-commands-script-runners +## 1100.1.8 + +### Patch Changes + +- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users: + + 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone. + 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it. + 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. 
Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). + + Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens. + +- b6e2c8c: Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install. + + When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`. + + Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes. 
+ +- 247d70b: Honor `--silent` when `verifyDepsBeforeRun: install` auto-installs dependencies before `pnpm run` or `pnpm exec`, preventing install output from being written to stdout [#11636](https://github.com/pnpm/pnpm/issues/11636). +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [b6e2c8c] +- Updated dependencies [d3f8408] +- Updated dependencies [247d70b] +- Updated dependencies [4a79336] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [8df408c] + - @pnpm/installing.client@1100.1.0 + - @pnpm/installing.commands@1100.3.0 + - @pnpm/config.reader@1101.3.2 + - @pnpm/config.version-policy@1100.1.0 + - @pnpm/exec.pnpm-cli-runner@1100.0.1 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/deps.status@1100.0.16 + - @pnpm/exec.lifecycle@1100.0.11 + - @pnpm/building.commands@1100.0.18 + - @pnpm/engine.runtime.commands@1100.0.15 + - @pnpm/workspace.injected-deps-syncer@1100.0.12 + - @pnpm/cli.utils@1101.0.5 + - @pnpm/workspace.project-manifest-reader@1100.0.6 + - @pnpm/crypto.hash@1100.0.1 + ## 1100.1.7 ### Patch Changes diff --git a/exec/commands/package.json b/exec/commands/package.json index 7e72d75c99..0467cc7bb6 100644 --- a/exec/commands/package.json +++ b/exec/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/exec.commands", - "version": "1100.1.7", + "version": "1100.1.8", "description": "Commands for running scripts", "keywords": [ "pnpm", diff --git a/exec/lifecycle/CHANGELOG.md b/exec/lifecycle/CHANGELOG.md index fc10b96db9..2ea470c8cb 100644 --- a/exec/lifecycle/CHANGELOG.md +++ b/exec/lifecycle/CHANGELOG.md @@ -1,5 +1,16 @@ # @pnpm/lifecycle +## 1100.0.11 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [4a79336] + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/fetching.directory-fetcher@1100.0.10 + - @pnpm/bins.linker@1100.0.7 + ## 1100.0.10 ### Patch Changes 
diff --git a/exec/lifecycle/package.json b/exec/lifecycle/package.json index 073b46707a..dd54eae257 100644 --- a/exec/lifecycle/package.json +++ b/exec/lifecycle/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/exec.lifecycle", - "version": "1100.0.10", + "version": "1100.0.11", "description": "Package lifecycle hook runner", "keywords": [ "pnpm", diff --git a/exec/pnpm-cli-runner/CHANGELOG.md b/exec/pnpm-cli-runner/CHANGELOG.md index b7718c90a9..5eedfd5b14 100644 --- a/exec/pnpm-cli-runner/CHANGELOG.md +++ b/exec/pnpm-cli-runner/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/exec.pnpm-cli-runner +## 1100.0.1 + +### Patch Changes + +- 247d70b: Honor `--silent` when `verifyDepsBeforeRun: install` auto-installs dependencies before `pnpm run` or `pnpm exec`, preventing install output from being written to stdout [#11636](https://github.com/pnpm/pnpm/issues/11636). + ## 1001.0.0 ### Major Changes diff --git a/exec/pnpm-cli-runner/package.json b/exec/pnpm-cli-runner/package.json index d4d57052fd..b3500c842d 100644 --- a/exec/pnpm-cli-runner/package.json +++ b/exec/pnpm-cli-runner/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/exec.pnpm-cli-runner", - "version": "1100.0.0", + "version": "1100.0.1", "description": "Runs pnpm CLI", "keywords": [ "pnpm", diff --git a/exec/prepare-package/CHANGELOG.md b/exec/prepare-package/CHANGELOG.md index ec8d0c33f9..ba9b57cff8 100644 --- a/exec/prepare-package/CHANGELOG.md +++ b/exec/prepare-package/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/prepare-package +## 1100.0.11 + +### Patch Changes + +- @pnpm/exec.lifecycle@1100.0.11 + ## 1100.0.10 ### Patch Changes diff --git a/exec/prepare-package/package.json b/exec/prepare-package/package.json index 7751530b85..2855070177 100644 --- a/exec/prepare-package/package.json +++ b/exec/prepare-package/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/exec.prepare-package", - "version": "1100.0.10", + "version": "1100.0.11", "description": "Prepares a Git-hosted package", "keywords": [ "pnpm", 
diff --git a/fetching/binary-fetcher/CHANGELOG.md b/fetching/binary-fetcher/CHANGELOG.md index e9e7e0f9af..6f489658e4 100644 --- a/fetching/binary-fetcher/CHANGELOG.md +++ b/fetching/binary-fetcher/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/fetching.binary-fetcher +## 1101.0.6 + +### Patch Changes + +- @pnpm/fetching.fetcher-base@1100.1.4 +- @pnpm/worker@1100.1.6 + ## 1101.0.5 ### Patch Changes diff --git a/fetching/binary-fetcher/package.json b/fetching/binary-fetcher/package.json index 1b382992cc..a39e9ab999 100644 --- a/fetching/binary-fetcher/package.json +++ b/fetching/binary-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.binary-fetcher", - "version": "1101.0.5", + "version": "1101.0.6", "description": "A fetcher for binary archives", "keywords": [ "pnpm", diff --git a/fetching/directory-fetcher/CHANGELOG.md b/fetching/directory-fetcher/CHANGELOG.md index f28b3b07aa..082cc27c04 100644 --- a/fetching/directory-fetcher/CHANGELOG.md +++ b/fetching/directory-fetcher/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/directory-fetcher +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/fetching.fetcher-base@1100.1.4 + - @pnpm/workspace.project-manifest-reader@1100.0.6 + ## 1100.0.9 ### Patch Changes diff --git a/fetching/directory-fetcher/package.json b/fetching/directory-fetcher/package.json index 7c6a824b28..2a3bb85a81 100644 --- a/fetching/directory-fetcher/package.json +++ b/fetching/directory-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.directory-fetcher", - "version": "1100.0.9", + "version": "1100.0.10", "description": "A fetcher for local directory packages", "keywords": [ "pnpm", diff --git a/fetching/fetcher-base/CHANGELOG.md b/fetching/fetcher-base/CHANGELOG.md index 48a14d420e..0a3bf4404b 100644 --- a/fetching/fetcher-base/CHANGELOG.md +++ b/fetching/fetcher-base/CHANGELOG.md 
@@ -1,5 +1,13 @@ # @pnpm/fetcher-base +## 1100.1.4 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.resolver-base@1100.2.0 + ## 1100.1.3 ### Patch Changes diff --git a/fetching/fetcher-base/package.json b/fetching/fetcher-base/package.json index 354fb8f395..5e05d01351 100644 --- a/fetching/fetcher-base/package.json +++ b/fetching/fetcher-base/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.fetcher-base", - "version": "1100.1.3", + "version": "1100.1.4", "description": "Types for pnpm-compatible fetchers", "keywords": [ "pnpm", diff --git a/fetching/git-fetcher/CHANGELOG.md b/fetching/git-fetcher/CHANGELOG.md index 16e9feb106..0021afa178 100644 --- a/fetching/git-fetcher/CHANGELOG.md +++ b/fetching/git-fetcher/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/git-fetcher +## 1101.0.7 + +### Patch Changes + +- @pnpm/fetching.fetcher-base@1100.1.4 +- @pnpm/exec.prepare-package@1100.0.11 +- @pnpm/worker@1100.1.6 + ## 1101.0.6 ### Patch Changes diff --git a/fetching/git-fetcher/package.json b/fetching/git-fetcher/package.json index 655b10f1e3..e35c5c1c06 100644 --- a/fetching/git-fetcher/package.json +++ b/fetching/git-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.git-fetcher", - "version": "1101.0.6", + "version": "1101.0.7", "description": "A fetcher for git-hosted packages", "keywords": [ "pnpm", diff --git a/fetching/pick-fetcher/CHANGELOG.md b/fetching/pick-fetcher/CHANGELOG.md index 922f4f454a..139c6b967a 100644 --- a/fetching/pick-fetcher/CHANGELOG.md +++ b/fetching/pick-fetcher/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/pick-fetcher +## 1100.0.7 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/fetching.fetcher-base@1100.1.4 + - @pnpm/hooks.types@1100.0.7 + ## 1100.0.6 ### Patch Changes 
diff --git a/fetching/pick-fetcher/package.json b/fetching/pick-fetcher/package.json index c733665674..fecfdc17c7 100644 --- a/fetching/pick-fetcher/package.json +++ b/fetching/pick-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.pick-fetcher", - "version": "1100.0.6", + "version": "1100.0.7", "description": "Pick a package fetcher by type", "keywords": [ "pnpm", diff --git a/fetching/tarball-fetcher/CHANGELOG.md b/fetching/tarball-fetcher/CHANGELOG.md index cb8837eed5..a242a7a01b 100644 --- a/fetching/tarball-fetcher/CHANGELOG.md +++ b/fetching/tarball-fetcher/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/tarball-fetcher +## 1101.0.8 + +### Patch Changes + +- Updated dependencies [4a79336] + - @pnpm/core-loggers@1100.1.0 + - @pnpm/fetching.fetcher-base@1100.1.4 + - @pnpm/exec.prepare-package@1100.0.11 + - @pnpm/worker@1100.1.6 + ## 1101.0.7 ### Patch Changes diff --git a/fetching/tarball-fetcher/package.json b/fetching/tarball-fetcher/package.json index f119ac7ec1..ba46feee0d 100644 --- a/fetching/tarball-fetcher/package.json +++ b/fetching/tarball-fetcher/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fetching.tarball-fetcher", - "version": "1101.0.7", + "version": "1101.0.8", "description": "Fetcher for packages hosted as tarballs", "keywords": [ "pnpm", diff --git a/fs/indexed-pkg-importer/CHANGELOG.md b/fs/indexed-pkg-importer/CHANGELOG.md index f4ff80fc8f..90fd85d146 100644 --- a/fs/indexed-pkg-importer/CHANGELOG.md +++ b/fs/indexed-pkg-importer/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/fs.indexed-pkg-importer +## 1100.0.8 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [4a79336] + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/core-loggers@1100.1.0 + ## 1100.0.7 ### Patch Changes diff --git a/fs/indexed-pkg-importer/package.json b/fs/indexed-pkg-importer/package.json index 9419fb48b8..d858713493 100644 --- a/fs/indexed-pkg-importer/package.json +++ b/fs/indexed-pkg-importer/package.json 
@@ -1,6 +1,6 @@ { "name": "@pnpm/fs.indexed-pkg-importer", - "version": "1100.0.7", + "version": "1100.0.8", "description": "Replicates indexed directories using hard links, copies, or cloning", "keywords": [ "pnpm", diff --git a/fs/symlink-dependency/CHANGELOG.md b/fs/symlink-dependency/CHANGELOG.md index 42041ba616..8e381e3e3e 100644 --- a/fs/symlink-dependency/CHANGELOG.md +++ b/fs/symlink-dependency/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/symlink-dependency +## 1100.0.4 + +### Patch Changes + +- Updated dependencies [4a79336] + - @pnpm/core-loggers@1100.1.0 + ## 1100.0.3 ### Patch Changes diff --git a/fs/symlink-dependency/package.json b/fs/symlink-dependency/package.json index 59f907e294..563c57ffb5 100644 --- a/fs/symlink-dependency/package.json +++ b/fs/symlink-dependency/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/fs.symlink-dependency", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Symlink a dependency to node_modules", "keywords": [ "pnpm", diff --git a/global/commands/CHANGELOG.md b/global/commands/CHANGELOG.md index 35ac0d93eb..a117c3572f 100644 --- a/global/commands/CHANGELOG.md +++ b/global/commands/CHANGELOG.md @@ -1,5 +1,29 @@ # @pnpm/global.commands +## 1100.0.18 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [3ddde2b] +- Updated dependencies [4a79336] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [2a9bd89] +- Updated dependencies [31538bf] +- Updated dependencies [8df408c] + - @pnpm/installing.deps-installer@1101.2.0 + - @pnpm/store.connection-manager@1100.2.0 + - @pnpm/config.reader@1101.3.2 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/deps.inspection.list@1100.0.11 + - @pnpm/bins.remover@1100.0.4 + - @pnpm/cli.utils@1101.0.5 + - @pnpm/bins.linker@1100.0.7 + ## 1100.0.17 ### Patch Changes 
diff --git a/global/commands/package.json b/global/commands/package.json index ca2ae9d31e..f48f0bddcb 100644 --- a/global/commands/package.json +++ b/global/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/global.commands", - "version": "1100.0.17", + "version": "1100.0.18", "description": "Global package command handlers for pnpm", "keywords": [ "pnpm", diff --git a/hooks/pnpmfile/CHANGELOG.md b/hooks/pnpmfile/CHANGELOG.md index 5c6f93a6e6..a91475dea6 100644 --- a/hooks/pnpmfile/CHANGELOG.md +++ b/hooks/pnpmfile/CHANGELOG.md @@ -1,5 +1,17 @@ # @pnpm/pnpmfile +## 1100.0.9 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [4a79336] + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/hooks.types@1100.0.7 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/crypto.hash@1100.0.1 + ## 1100.0.8 ### Patch Changes diff --git a/hooks/pnpmfile/package.json b/hooks/pnpmfile/package.json index cfef2d0bb9..292e296b0c 100644 --- a/hooks/pnpmfile/package.json +++ b/hooks/pnpmfile/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/hooks.pnpmfile", - "version": "1100.0.8", + "version": "1100.0.9", "description": "Reading a .pnpmfile.cjs", "keywords": [ "pnpm", diff --git a/hooks/types/CHANGELOG.md b/hooks/types/CHANGELOG.md index d92415d709..a9b54152e1 100644 --- a/hooks/types/CHANGELOG.md +++ b/hooks/types/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/hooks.types +## 1100.0.7 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/fetching.fetcher-base@1100.1.4 + - @pnpm/lockfile.types@1100.0.6 + ## 1100.0.6 ### Patch Changes diff --git a/hooks/types/package.json b/hooks/types/package.json index fa27396b42..9e95c835b6 100644 --- a/hooks/types/package.json +++ b/hooks/types/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/hooks.types", - "version": "1100.0.6", + "version": "1100.0.7", "description": "Types for hooks", "keywords": [ "pnpm", 
diff --git a/installing/client/CHANGELOG.md b/installing/client/CHANGELOG.md index 966c91dd21..286a55c25d 100644 --- a/installing/client/CHANGELOG.md +++ b/installing/client/CHANGELOG.md 
@@ -1,5 +1,40 @@ # @pnpm/client +## 1100.1.0 + +### Minor Changes + +- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users: + + 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone. + 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it. + 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. 
Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). + + Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens. + +- 31538bf: Restructured the `minimumReleaseAge` lockfile revalidation gate around a generic `ResolutionVerifier` interface. Each resolver may now export a sibling verifier factory (today: `createNpmResolutionVerifier`) that re-checks an already-resolved lockfile entry against its policies; the resolver chain returns the verifier list as `resolutionVerifiers` and the install side fans out across it. A `ResolutionVerifier` carries `verify` plus `policy` and `canTrustPastCheck` — the cache contract that lets repeat installs against an unchanged lockfile skip the per-package registry round trip entirely. 
+ + Verification results are memoized in JSON Lines at `/lockfile-verified.jsonl`: a stat-only fast path matches on lockfile size, mtime, and inode, falling back to a content hash when those drift (typical after a CI checkout). Every active verifier's policy contribution is merged into a single `policy` bag on the record; the gate runs in full whenever the lockfile changes, any verifier rejects the cached policy, or no record exists [#11687](https://github.com/pnpm/pnpm/issues/11687). + +### Patch Changes + +- Updated dependencies [963861c] +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.npm-resolver@1101.2.0 + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/resolving.default-resolver@1100.2.0 + - @pnpm/engine.runtime.node-resolver@1101.0.9 + - @pnpm/fetching.directory-fetcher@1100.0.10 + - @pnpm/hooks.types@1100.0.7 + - @pnpm/fetching.tarball-fetcher@1101.0.8 + - @pnpm/network.fetch@1100.0.5 + - @pnpm/fetching.binary-fetcher@1101.0.6 + - @pnpm/fetching.git-fetcher@1101.0.7 + ## 1100.0.15 ### Patch Changes diff --git a/installing/client/package.json b/installing/client/package.json index 0e35f53dca..c6a384199d 100644 --- a/installing/client/package.json +++ b/installing/client/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.client", - "version": "1100.0.15", + "version": "1100.1.0", "description": "Creates the package resolve and fetch functions", "keywords": [ "pnpm", diff --git a/installing/commands/CHANGELOG.md b/installing/commands/CHANGELOG.md index c87559231a..12d8592455 100644 --- a/installing/commands/CHANGELOG.md +++ b/installing/commands/CHANGELOG.md 
@@ -1,5 +1,60 @@ # @pnpm/plugin-commands-installation +## 1100.3.0 + +### Minor Changes + +- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users: + + 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone. + 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it. + 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. 
Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). + + Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens. 
+ +### Patch Changes + +- Updated dependencies [963861c] +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [b6e2c8c] +- Updated dependencies [d3f8408] +- Updated dependencies [3ddde2b] +- Updated dependencies [4a79336] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [2a9bd89] +- Updated dependencies [31538bf] +- Updated dependencies [8df408c] + - @pnpm/resolving.npm-resolver@1101.2.0 + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/installing.deps-installer@1101.2.0 + - @pnpm/store.connection-manager@1100.2.0 + - @pnpm/deps.inspection.outdated@1100.0.16 + - @pnpm/config.reader@1101.3.2 + - @pnpm/building.after-install@1101.0.13 + - @pnpm/installing.env-installer@1101.0.10 + - @pnpm/workspace.projects-graph@1100.0.9 + - @pnpm/deps.status@1100.0.16 + - @pnpm/installing.context@1100.0.11 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/store.controller@1101.0.7 + - @pnpm/hooks.pnpmfile@1100.0.9 + - @pnpm/global.commands@1100.0.18 + - @pnpm/workspace.state@1100.0.13 + - @pnpm/pkg-manifest.utils@1100.1.4 + - @pnpm/workspace.projects-filter@1100.0.12 + - @pnpm/installing.dedupe.check@1100.0.6 + - @pnpm/workspace.workspace-manifest-writer@1100.0.8 + - @pnpm/cli.utils@1101.0.5 + - @pnpm/workspace.project-manifest-reader@1100.0.6 + - @pnpm/config.writer@1100.0.8 + - @pnpm/workspace.projects-reader@1101.0.5 + ## 1100.2.2 ### Patch Changes diff --git a/installing/commands/package.json b/installing/commands/package.json index 72230fb0a9..faf64bceaa 100644 --- a/installing/commands/package.json +++ b/installing/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.commands", - "version": "1100.2.2", + "version": "1100.3.0", "description": "Commands for installation", "keywords": [ "pnpm", diff --git a/installing/context/CHANGELOG.md b/installing/context/CHANGELOG.md index 914f757b03..3102e07cac 100644 --- a/installing/context/CHANGELOG.md 
+++ b/installing/context/CHANGELOG.md @@ -1,5 +1,20 @@ # @pnpm/get-context +## 1100.0.11 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [6e93f35] +- Updated dependencies [4a79336] +- Updated dependencies [2a9bd89] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/store.controller@1101.0.7 + - @pnpm/installing.read-projects-context@1100.0.10 + ## 1100.0.10 ### Patch Changes diff --git a/installing/context/package.json b/installing/context/package.json index 34f584d104..20ed56b45f 100644 --- a/installing/context/package.json +++ b/installing/context/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.context", - "version": "1100.0.10", + "version": "1100.0.11", "description": "Gets context information about a project", "keywords": [ "pnpm", diff --git a/installing/dedupe/check/CHANGELOG.md b/installing/dedupe/check/CHANGELOG.md index 05cebf55a3..41cb628275 100644 --- a/installing/dedupe/check/CHANGELOG.md +++ b/installing/dedupe/check/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/dedupe.check +## 1100.0.6 + +### Patch Changes + +- @pnpm/lockfile.types@1100.0.6 + ## 1100.0.5 ### Patch Changes diff --git a/installing/dedupe/check/package.json b/installing/dedupe/check/package.json index 68bfbb2de1..ddd3ec7f33 100644 --- a/installing/dedupe/check/package.json +++ b/installing/dedupe/check/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.dedupe.check", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Visualize pnpm dedupe --check issues.", "keywords": [ "pnpm", diff --git a/installing/deps-installer/CHANGELOG.md b/installing/deps-installer/CHANGELOG.md index 8eef3f5639..e242fa3cd0 100644 --- a/installing/deps-installer/CHANGELOG.md +++ b/installing/deps-installer/CHANGELOG.md 
@@ -1,5 +1,95 @@ # @pnpm/core +## 1101.2.0 + +### Minor Changes + +- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users: + + 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone. + 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it. + 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. 
Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). + + Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens. + +- 31538bf: Restructured the `minimumReleaseAge` lockfile revalidation gate around a generic `ResolutionVerifier` interface. Each resolver may now export a sibling verifier factory (today: `createNpmResolutionVerifier`) that re-checks an already-resolved lockfile entry against its policies; the resolver chain returns the verifier list as `resolutionVerifiers` and the install side fans out across it. A `ResolutionVerifier` carries `verify` plus `policy` and `canTrustPastCheck` — the cache contract that lets repeat installs against an unchanged lockfile skip the per-package registry round trip entirely. 
+ + Verification results are memoized in JSON Lines at `/lockfile-verified.jsonl`: a stat-only fast path matches on lockfile size, mtime, and inode, falling back to a content hash when those drift (typical after a CI checkout). Every active verifier's policy contribution is merged into a single `policy` bag on the record; the gate runs in full whenever the lockfile changes, any verifier rejects the cached policy, or no record exists [#11687](https://github.com/pnpm/pnpm/issues/11687). + +- 31538bf: `minimumReleaseAge` is now re-checked against `pnpm-lock.yaml` before any tarball is installed, so a freshly-published version pinned in the lockfile (e.g. by a developer who bypassed the policy locally) is no longer installed silently by other consumers or CI. Violating entries abort the install with `ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION`; `minimumReleaseAgeExclude` is honored. [#10438](https://github.com/pnpm/pnpm/issues/10438). + +### Patch Changes + +- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. + + `ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: + + 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. + 2. 
**`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. + + Three changes: + + - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. + - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. + - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. + + On upgrade, two one-time GVS slot churns are possible: + + - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. 
`node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. + - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. + + In both cases the old slots become prune-eligible. + +- 4a79336: The lockfile verifier added in #11705 now emits `pnpm:lockfile-verification` log events (`status: 'started' | 'done'`) around the registry round-trip pass, and the default reporter renders them as a transient progress line so users can see that pnpm is doing work — on a cold registry cache the round-trip can take a noticeable beat, and the previous behavior was complete silence followed by either a long pause or an error. The cached short-circuit stays silent (no logs when no work happens), and the `done` line carries the number of distinct entries that were checked plus the elapsed time. + + Pacquet parity: not ported — pacquet doesn't carry the lockfile verifier yet (see the parity note on #11705). + +- 2a9bd89: Record the post-resolution lockfile in the verification cache. Previously the cache only captured the lockfile that was loaded at the start of an install, so a flow like `pnpm install ` followed by `rm -rf node_modules && pnpm install` re-ran the per-package registry round-trip against the newly written lockfile even though the local resolver had already enforced the policy when picking those versions. The fresh lockfile is now recorded immediately after each install-time write, so the second install takes the cache fast path. 
+- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [b6e2c8c] +- Updated dependencies [6e93f35] +- Updated dependencies [3ddde2b] +- Updated dependencies [5dc8be8] +- Updated dependencies [4a79336] +- Updated dependencies [2a9bd89] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/installing.deps-resolver@1100.1.0 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/building.after-install@1101.0.13 + - @pnpm/building.during-install@1101.0.11 + - @pnpm/deps.graph-hasher@1100.2.0 + - @pnpm/installing.deps-restorer@1101.1.3 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/hooks.types@1100.0.7 + - @pnpm/installing.context@1100.0.11 + - @pnpm/installing.package-requester@1101.0.7 + - @pnpm/lockfile.preferred-versions@1100.0.10 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/lockfile.verification@1100.0.11 + - @pnpm/exec.lifecycle@1100.0.11 + - @pnpm/installing.linking.modules-cleaner@1100.1.2 + - @pnpm/building.policy@1100.0.5 + - @pnpm/lockfile.to-pnp@1100.0.9 + - @pnpm/bins.remover@1100.0.4 + - @pnpm/fs.symlink-dependency@1100.0.4 + - @pnpm/installing.linking.direct-dep-linker@1100.0.4 + - @pnpm/installing.linking.hoist@1100.0.7 + - @pnpm/pkg-manifest.utils@1100.1.4 + - @pnpm/agent.client@1.0.6 + - @pnpm/lockfile.filtering@1100.1.1 + - @pnpm/lockfile.pruner@1100.0.6 + - @pnpm/lockfile.settings-checker@1100.0.11 + - @pnpm/lockfile.walker@1100.0.6 + - @pnpm/worker@1100.1.6 + - @pnpm/bins.linker@1100.0.7 + - @pnpm/workspace.project-manifest-reader@1100.0.6 + - @pnpm/crypto.hash@1100.0.1 + ## 1101.1.2 ### Patch Changes diff --git a/installing/deps-installer/package.json b/installing/deps-installer/package.json index c5d5b20e90..fec1036011 100644 --- a/installing/deps-installer/package.json +++ b/installing/deps-installer/package.json 
@@ -1,6 +1,6 @@ { "name": "@pnpm/installing.deps-installer", - "version": "1101.1.2", + "version": "1101.2.0", "description": "Fast, disk space efficient installation engine", "keywords": [ "pnpm", diff --git a/installing/deps-resolver/CHANGELOG.md b/installing/deps-resolver/CHANGELOG.md index 90c67d86f3..1c0c19c46c 100644 --- a/installing/deps-resolver/CHANGELOG.md +++ b/installing/deps-resolver/CHANGELOG.md 
@@ -1,5 +1,69 @@ # @pnpm/resolve-dependencies +## 1100.1.0 + +### Minor Changes + +- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users: + + 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone. + 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it. + 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. 
Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). + + Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens. + +### Patch Changes + +- b6e2c8c: Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install. + + When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`. + + Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes. 
+ +- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. + + `ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: + + 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. + 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. + + Three changes: + + - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. + - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. 
`calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. + - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. + + On upgrade, two one-time GVS slot churns are possible: + + - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. + - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. + + In both cases the old slots become prune-eligible. 
+ +- Updated dependencies [963861c] +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [b6e2c8c] +- Updated dependencies [3ddde2b] +- Updated dependencies [5dc8be8] +- Updated dependencies [4a79336] + - @pnpm/resolving.npm-resolver@1101.2.0 + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/config.version-policy@1100.1.0 + - @pnpm/deps.graph-hasher@1100.2.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/fetching.pick-fetcher@1100.0.7 + - @pnpm/hooks.types@1100.0.7 + - @pnpm/lockfile.preferred-versions@1100.0.10 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/pkg-manifest.utils@1100.1.4 + - @pnpm/lockfile.pruner@1100.0.6 + ## 1100.0.10 ### Patch Changes diff --git a/installing/deps-resolver/package.json b/installing/deps-resolver/package.json index e4ae5774b4..8748278a3e 100644 --- a/installing/deps-resolver/package.json +++ b/installing/deps-resolver/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.deps-resolver", - "version": "1100.0.10", + "version": "1100.1.0", "description": "Resolves dependency graph of a package", "keywords": [ "pnpm", diff --git a/installing/deps-restorer/CHANGELOG.md b/installing/deps-restorer/CHANGELOG.md index dad8f97b71..d4733e329f 100644 --- a/installing/deps-restorer/CHANGELOG.md +++ b/installing/deps-restorer/CHANGELOG.md 
@@ -1,5 +1,57 @@ # @pnpm/headless +## 1101.1.3 + +### Patch Changes + +- 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime. + + `ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations: + + 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`. + 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node. + + Three changes: + + - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`. + - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. 
`calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up. + - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through. + + On upgrade, two one-time GVS slot churns are possible: + + - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce. + - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on. + + In both cases the old slots become prune-eligible. 
+ +- Updated dependencies [4195766] +- Updated dependencies [6e93f35] +- Updated dependencies [3ddde2b] +- Updated dependencies [5dc8be8] +- Updated dependencies [4a79336] +- Updated dependencies [2a9bd89] + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/building.during-install@1101.0.11 + - @pnpm/deps.graph-builder@1100.0.10 + - @pnpm/deps.graph-hasher@1100.2.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/installing.package-requester@1101.0.7 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/exec.lifecycle@1100.0.11 + - @pnpm/installing.linking.modules-cleaner@1100.1.2 + - @pnpm/building.policy@1100.0.5 + - @pnpm/installing.linking.real-hoist@1100.0.8 + - @pnpm/lockfile.to-pnp@1100.0.9 + - @pnpm/config.package-is-installable@1100.0.5 + - @pnpm/fs.symlink-dependency@1100.0.4 + - @pnpm/installing.linking.direct-dep-linker@1100.0.4 + - @pnpm/installing.linking.hoist@1100.0.7 + - @pnpm/lockfile.filtering@1100.1.1 + - @pnpm/worker@1100.1.6 + - @pnpm/bins.linker@1100.0.7 + - @pnpm/workspace.project-manifest-reader@1100.0.6 + ## 1101.1.2 ### Patch Changes diff --git a/installing/deps-restorer/package.json b/installing/deps-restorer/package.json index 82f12cb173..08162a9f39 100644 --- a/installing/deps-restorer/package.json +++ b/installing/deps-restorer/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.deps-restorer", - "version": "1101.1.2", + "version": "1101.1.3", "description": "Fast installation using only pnpm-lock.yaml", "keywords": [ "pnpm", diff --git a/installing/env-installer/CHANGELOG.md b/installing/env-installer/CHANGELOG.md index ef62fc9d26..02e1180984 100644 --- a/installing/env-installer/CHANGELOG.md +++ b/installing/env-installer/CHANGELOG.md 
@@ -1,5 +1,32 @@ # @pnpm/config.deps-installer +## 1101.0.10 + +### Patch Changes + +- Updated dependencies [963861c] +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [b6e2c8c] +- Updated dependencies [6e93f35] +- Updated dependencies [3ddde2b] +- Updated dependencies [5dc8be8] +- Updated dependencies [4a79336] +- Updated dependencies [2a9bd89] + - @pnpm/resolving.npm-resolver@1101.2.0 + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/installing.deps-resolver@1100.1.0 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/deps.graph-hasher@1100.2.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/store.controller@1101.0.7 + - @pnpm/network.fetch@1100.0.5 + - @pnpm/lockfile.pruner@1100.0.6 + - @pnpm/worker@1100.1.6 + - @pnpm/config.writer@1100.0.8 + ## 1101.0.9 ### Patch Changes diff --git a/installing/env-installer/package.json b/installing/env-installer/package.json index f7a29f6c29..7bff3bb9f6 100644 --- a/installing/env-installer/package.json +++ b/installing/env-installer/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.env-installer", - "version": "1101.0.9", + "version": "1101.0.10", "description": "Installer for configurational dependencies", "keywords": [ "pnpm", diff --git a/installing/linking/direct-dep-linker/CHANGELOG.md b/installing/linking/direct-dep-linker/CHANGELOG.md index c9c9dcbbb7..2af38028be 100644 --- a/installing/linking/direct-dep-linker/CHANGELOG.md +++ b/installing/linking/direct-dep-linker/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/pkg-manager.direct-dep-linker +## 1100.0.4 + +### Patch Changes + +- Updated dependencies [4a79336] + - @pnpm/core-loggers@1100.1.0 + - @pnpm/fs.symlink-dependency@1100.0.4 + ## 1100.0.3 ### Patch Changes diff --git a/installing/linking/direct-dep-linker/package.json b/installing/linking/direct-dep-linker/package.json index 9f26529645..9d4deb046b 100644 --- a/installing/linking/direct-dep-linker/package.json 
+++ b/installing/linking/direct-dep-linker/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.linking.direct-dep-linker", - "version": "1100.0.3", + "version": "1100.0.4", "description": "Fast installation using only pnpm-lock.yaml", "keywords": [ "pnpm", diff --git a/installing/linking/hoist/CHANGELOG.md b/installing/linking/hoist/CHANGELOG.md index b50dc090ce..a393b2a20e 100644 --- a/installing/linking/hoist/CHANGELOG.md +++ b/installing/linking/hoist/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/hoist +## 1100.0.7 + +### Patch Changes + +- Updated dependencies [4a79336] + - @pnpm/core-loggers@1100.1.0 + - @pnpm/bins.linker@1100.0.7 + ## 1100.0.6 ### Patch Changes diff --git a/installing/linking/hoist/package.json b/installing/linking/hoist/package.json index 8722223413..bdfa180f53 100644 --- a/installing/linking/hoist/package.json +++ b/installing/linking/hoist/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.linking.hoist", - "version": "1100.0.6", + "version": "1100.0.7", "description": "Hoists dependencies in a node_modules created by pnpm", "keywords": [ "pnpm", diff --git a/installing/linking/modules-cleaner/CHANGELOG.md b/installing/linking/modules-cleaner/CHANGELOG.md index 29286916d5..3911b38188 100644 --- a/installing/linking/modules-cleaner/CHANGELOG.md +++ b/installing/linking/modules-cleaner/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/modules-cleaner +## 1100.1.2 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [4a79336] + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/bins.remover@1100.0.4 + - @pnpm/lockfile.filtering@1100.1.1 + ## 1100.1.1 ### Patch Changes diff --git a/installing/linking/modules-cleaner/package.json b/installing/linking/modules-cleaner/package.json index b77ae55012..1281c916d7 100644 --- a/installing/linking/modules-cleaner/package.json +++ b/installing/linking/modules-cleaner/package.json 
@@ -1,6 +1,6 @@ { "name": "@pnpm/installing.linking.modules-cleaner", - "version": "1100.1.1", + "version": "1100.1.2", "description": "Exports util functions to clean up node_modules", "keywords": [ "pnpm", diff --git a/installing/linking/real-hoist/CHANGELOG.md b/installing/linking/real-hoist/CHANGELOG.md index 6f60df2f9f..2ab30ab2f6 100644 --- a/installing/linking/real-hoist/CHANGELOG.md +++ b/installing/linking/real-hoist/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/real-hoist +## 1100.0.8 + +### Patch Changes + +- @pnpm/lockfile.utils@1100.0.8 + ## 1100.0.7 ### Patch Changes diff --git a/installing/linking/real-hoist/package.json b/installing/linking/real-hoist/package.json index 639f04f3f3..449581bd15 100644 --- a/installing/linking/real-hoist/package.json +++ b/installing/linking/real-hoist/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.linking.real-hoist", - "version": "1100.0.7", + "version": "1100.0.8", "description": "Hoists dependencies in a node_modules created by pnpm", "keywords": [ "pnpm", diff --git a/installing/package-requester/CHANGELOG.md b/installing/package-requester/CHANGELOG.md index 68ad065fe6..c0a3598b1e 100644 --- a/installing/package-requester/CHANGELOG.md +++ b/installing/package-requester/CHANGELOG.md @@ -1,5 +1,22 @@ # @pnpm/package-requester +## 1101.0.7 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [4a79336] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/store.controller-types@1100.1.0 + - @pnpm/core-loggers@1100.1.0 + - @pnpm/fetching.fetcher-base@1100.1.4 + - @pnpm/fetching.pick-fetcher@1100.0.7 + - @pnpm/hooks.types@1100.0.7 + - @pnpm/store.cafs@1100.1.5 + - @pnpm/config.package-is-installable@1100.0.5 + - @pnpm/worker@1100.1.6 + ## 1101.0.6 ### Patch Changes diff --git a/installing/package-requester/package.json b/installing/package-requester/package.json index d12a953906..1550fb91d4 100644 --- a/installing/package-requester/package.json 
+++ b/installing/package-requester/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.package-requester", - "version": "1101.0.6", + "version": "1101.0.7", "description": "Concurrent downloader of npm-compatible packages", "keywords": [ "pnpm", diff --git a/installing/read-projects-context/CHANGELOG.md b/installing/read-projects-context/CHANGELOG.md index ddc868d0d6..e61148e37d 100644 --- a/installing/read-projects-context/CHANGELOG.md +++ b/installing/read-projects-context/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/read-projects-context +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [6e93f35] +- Updated dependencies [2a9bd89] + - @pnpm/lockfile.fs@1100.1.0 + ## 1100.0.9 ### Patch Changes diff --git a/installing/read-projects-context/package.json b/installing/read-projects-context/package.json index 2c8f5a6835..97f09c7d85 100644 --- a/installing/read-projects-context/package.json +++ b/installing/read-projects-context/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/installing.read-projects-context", - "version": "1100.0.9", + "version": "1100.0.10", "description": "Reads the current state of projects from modules manifest", "keywords": [ "pnpm", diff --git a/lockfile/detect-dep-types/CHANGELOG.md b/lockfile/detect-dep-types/CHANGELOG.md index 09b62aeafc..1416fb4bfe 100644 --- a/lockfile/detect-dep-types/CHANGELOG.md +++ b/lockfile/detect-dep-types/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/lockfile.detect-dep-types +## 1100.0.6 + +### Patch Changes + +- @pnpm/lockfile.types@1100.0.6 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/detect-dep-types/package.json b/lockfile/detect-dep-types/package.json index 1f8105cc7c..10cea95499 100644 --- a/lockfile/detect-dep-types/package.json +++ b/lockfile/detect-dep-types/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.detect-dep-types", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Detect the types of dependencies", "keywords": [ "pnpm", 
diff --git a/lockfile/filtering/CHANGELOG.md b/lockfile/filtering/CHANGELOG.md index d3afb0fc42..58940f1ded 100644 --- a/lockfile/filtering/CHANGELOG.md +++ b/lockfile/filtering/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/filter-lockfile +## 1100.1.1 + +### Patch Changes + +- @pnpm/lockfile.types@1100.0.6 +- @pnpm/lockfile.utils@1100.0.8 +- @pnpm/config.package-is-installable@1100.0.5 +- @pnpm/lockfile.walker@1100.0.6 + ## 1100.1.0 ### Minor Changes diff --git a/lockfile/filtering/package.json b/lockfile/filtering/package.json index 892447fa8b..9fb96acac9 100644 --- a/lockfile/filtering/package.json +++ b/lockfile/filtering/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.filtering", - "version": "1100.1.0", + "version": "1100.1.1", "description": "Filters a lockfile", "keywords": [ "pnpm", diff --git a/lockfile/fs/CHANGELOG.md b/lockfile/fs/CHANGELOG.md index 18a3c7642b..72efbb16dc 100644 --- a/lockfile/fs/CHANGELOG.md +++ b/lockfile/fs/CHANGELOG.md @@ -1,5 +1,18 @@ # @pnpm/lockfile-file +## 1100.1.0 + +### Minor Changes + +- 2a9bd89: Record the post-resolution lockfile in the verification cache. Previously the cache only captured the lockfile that was loaded at the start of an install, so a flow like `pnpm install ` followed by `rm -rf node_modules && pnpm install` re-ran the per-package registry round-trip against the newly written lockfile even though the local resolver had already enforced the policy when picking those versions. The fresh lockfile is now recorded immediately after each install-time write, so the second install takes the cache fast path. + +### Patch Changes + +- 6e93f35: Fix lockfile parsing failures when `pnpm-lock.yaml` contains CRLF line endings and multiple YAML documents [#11612](https://github.com/pnpm/pnpm/issues/11612). + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/lockfile.merger@1100.0.6 + ## 1100.0.8 ### Patch Changes 
diff --git a/lockfile/fs/package.json b/lockfile/fs/package.json index 92a60f40ad..44014b89df 100644 --- a/lockfile/fs/package.json +++ b/lockfile/fs/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.fs", - "version": "1100.0.8", + "version": "1100.1.0", "description": "Read/write pnpm-lock.yaml files", "keywords": [ "pnpm", diff --git a/lockfile/make-dedicated-lockfile/CHANGELOG.md b/lockfile/make-dedicated-lockfile/CHANGELOG.md index 404176797e..bc52131836 100644 --- a/lockfile/make-dedicated-lockfile/CHANGELOG.md +++ b/lockfile/make-dedicated-lockfile/CHANGELOG.md @@ -1,5 +1,16 @@ # @pnpm/make-dedicated-lockfile +## 1100.0.11 + +### Patch Changes + +- Updated dependencies [6e93f35] +- Updated dependencies [2a9bd89] + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/lockfile.pruner@1100.0.6 + - @pnpm/releasing.exportable-manifest@1100.0.6 + - @pnpm/workspace.project-manifest-reader@1100.0.6 + ## 1100.0.10 ### Patch Changes diff --git a/lockfile/make-dedicated-lockfile/package.json b/lockfile/make-dedicated-lockfile/package.json index 6945cdbd75..0e45ed116e 100644 --- a/lockfile/make-dedicated-lockfile/package.json +++ b/lockfile/make-dedicated-lockfile/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.make-dedicated-lockfile", - "version": "1100.0.10", + "version": "1100.0.11", "description": "Creates a dedicated lockfile for a subset of workspace projects", "keywords": [ "pnpm", diff --git a/lockfile/merger/CHANGELOG.md b/lockfile/merger/CHANGELOG.md index 3915ec9efc..d7153c2c65 100644 --- a/lockfile/merger/CHANGELOG.md +++ b/lockfile/merger/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/merge-lockfile-changes +## 1100.0.6 + +### Patch Changes + +- @pnpm/lockfile.types@1100.0.6 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/merger/package.json b/lockfile/merger/package.json index 0d4f1c5c5e..0b8ec69e62 100644 --- a/lockfile/merger/package.json +++ b/lockfile/merger/package.json 
@@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.merger", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Merges lockfiles. Can automatically fix merge conflicts", "keywords": [ "pnpm", diff --git a/lockfile/preferred-versions/CHANGELOG.md b/lockfile/preferred-versions/CHANGELOG.md index 211d9679aa..9e9b18ac6f 100644 --- a/lockfile/preferred-versions/CHANGELOG.md +++ b/lockfile/preferred-versions/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/lockfile.preferred-versions +## 1100.0.10 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/pkg-manifest.utils@1100.1.4 + ## 1100.0.9 ### Patch Changes diff --git a/lockfile/preferred-versions/package.json b/lockfile/preferred-versions/package.json index 82dc16fea8..96c5a9ea70 100644 --- a/lockfile/preferred-versions/package.json +++ b/lockfile/preferred-versions/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.preferred-versions", - "version": "1100.0.9", + "version": "1100.0.10", "description": "Get preferred version from lockfile", "keywords": [ "pnpm", diff --git a/lockfile/pruner/CHANGELOG.md b/lockfile/pruner/CHANGELOG.md index 24acd9e682..afe0de8232 100644 --- a/lockfile/pruner/CHANGELOG.md +++ b/lockfile/pruner/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/prune-lockfile +## 1100.0.6 + +### Patch Changes + +- @pnpm/lockfile.types@1100.0.6 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/pruner/package.json b/lockfile/pruner/package.json index e005df55b8..8546246cef 100644 --- a/lockfile/pruner/package.json +++ b/lockfile/pruner/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.pruner", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Prune a pnpm-lock.yaml", "keywords": [ "pnpm", diff --git a/lockfile/settings-checker/CHANGELOG.md b/lockfile/settings-checker/CHANGELOG.md index f486928df1..8a3f2cb7c3 100644 --- a/lockfile/settings-checker/CHANGELOG.md 
+++ b/lockfile/settings-checker/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/lockfile.settings-checker +## 1100.0.11 + +### Patch Changes + +- @pnpm/lockfile.types@1100.0.6 +- @pnpm/lockfile.verification@1100.0.11 +- @pnpm/crypto.hash@1100.0.1 + ## 1100.0.10 ### Patch Changes diff --git a/lockfile/settings-checker/package.json b/lockfile/settings-checker/package.json index 75ab4e87c7..d8b1c43115 100644 --- a/lockfile/settings-checker/package.json +++ b/lockfile/settings-checker/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.settings-checker", - "version": "1100.0.10", + "version": "1100.0.11", "description": "Utilities to check if lockfile settings are out-of-date", "keywords": [ "pnpm", diff --git a/lockfile/to-pnp/CHANGELOG.md b/lockfile/to-pnp/CHANGELOG.md index 9400a6d77b..78552e397a 100644 --- a/lockfile/to-pnp/CHANGELOG.md +++ b/lockfile/to-pnp/CHANGELOG.md @@ -1,5 +1,14 @@ # @pnpm/lockfile-to-pnp +## 1100.0.9 + +### Patch Changes + +- Updated dependencies [6e93f35] +- Updated dependencies [2a9bd89] + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/lockfile.utils@1100.0.8 + ## 1100.0.8 ### Patch Changes diff --git a/lockfile/to-pnp/package.json b/lockfile/to-pnp/package.json index eb5f278887..d9ffdce7bd 100644 --- a/lockfile/to-pnp/package.json +++ b/lockfile/to-pnp/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.to-pnp", - "version": "1100.0.8", + "version": "1100.0.9", "description": "Creates a Plug'n'Play file from a pnpm-lock.yaml", "keywords": [ "pnpm", diff --git a/lockfile/types/CHANGELOG.md b/lockfile/types/CHANGELOG.md index f915c0b20f..e355cb26c2 100644 --- a/lockfile/types/CHANGELOG.md +++ b/lockfile/types/CHANGELOG.md @@ -1,5 +1,13 @@ # @pnpm/lockfile-types +## 1100.0.6 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.resolver-base@1100.2.0 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/types/package.json b/lockfile/types/package.json index d97006ad74..0e5f745742 100644 
--- a/lockfile/types/package.json +++ b/lockfile/types/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.types", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Types for the pnpm-lock.yaml lockfile", "keywords": [ "pnpm", diff --git a/lockfile/utils/CHANGELOG.md b/lockfile/utils/CHANGELOG.md index ecfc936f65..3aa3f4136f 100644 --- a/lockfile/utils/CHANGELOG.md +++ b/lockfile/utils/CHANGELOG.md @@ -1,5 +1,15 @@ # @pnpm/lockfile-utils +## 1100.0.8 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/hooks.types@1100.0.7 + - @pnpm/lockfile.types@1100.0.6 + ## 1100.0.7 ### Patch Changes diff --git a/lockfile/utils/package.json b/lockfile/utils/package.json index c4d2020158..9ff788f679 100644 --- a/lockfile/utils/package.json +++ b/lockfile/utils/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.utils", - "version": "1100.0.7", + "version": "1100.0.8", "description": "Utils for dealing with pnpm-lock.yaml", "keywords": [ "pnpm", diff --git a/lockfile/verification/CHANGELOG.md b/lockfile/verification/CHANGELOG.md index 92ca527364..6beeaaef09 100644 --- a/lockfile/verification/CHANGELOG.md +++ b/lockfile/verification/CHANGELOG.md @@ -1,5 +1,17 @@ # @pnpm/lockfile.verification +## 1100.0.11 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] + - @pnpm/resolving.resolver-base@1100.2.0 + - @pnpm/installing.context@1100.0.11 + - @pnpm/lockfile.types@1100.0.6 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/crypto.hash@1100.0.1 + ## 1100.0.10 ### Patch Changes diff --git a/lockfile/verification/package.json b/lockfile/verification/package.json index 3de39ec402..6b4229800a 100644 --- a/lockfile/verification/package.json +++ b/lockfile/verification/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.verification", - "version": "1100.0.10", + "version": "1100.0.11", "description": "Checks a lockfile", "keywords": [ "pnpm", 
diff --git a/lockfile/walker/CHANGELOG.md b/lockfile/walker/CHANGELOG.md index b36fd198c5..27c6935b3b 100644 --- a/lockfile/walker/CHANGELOG.md +++ b/lockfile/walker/CHANGELOG.md @@ -1,5 +1,11 @@ # @pnpm/lockfile-walker +## 1100.0.6 + +### Patch Changes + +- @pnpm/lockfile.types@1100.0.6 + ## 1100.0.5 ### Patch Changes diff --git a/lockfile/walker/package.json b/lockfile/walker/package.json index dc5fa459e6..22531e77f2 100644 --- a/lockfile/walker/package.json +++ b/lockfile/walker/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/lockfile.walker", - "version": "1100.0.5", + "version": "1100.0.6", "description": "Walk over all the dependencies in a lockfile", "keywords": [ "pnpm", diff --git a/modules-mounter/daemon/CHANGELOG.md b/modules-mounter/daemon/CHANGELOG.md index 04a684b67b..348bfc6fa3 100644 --- a/modules-mounter/daemon/CHANGELOG.md +++ b/modules-mounter/daemon/CHANGELOG.md @@ -1,5 +1,21 @@ # @pnpm/mount-modules +## 1100.0.14 + +### Patch Changes + +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [6e93f35] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [2a9bd89] +- Updated dependencies [8df408c] + - @pnpm/config.reader@1101.3.2 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/store.cafs@1100.1.5 + ## 1100.0.13 ### Patch Changes diff --git a/modules-mounter/daemon/package.json b/modules-mounter/daemon/package.json index daf6cb56a6..fadc78bee9 100644 --- a/modules-mounter/daemon/package.json +++ b/modules-mounter/daemon/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/modules-mounter.daemon", - "version": "1100.0.13", + "version": "1100.0.14", "description": "Mounts a node_modules directory with FUSE", "keywords": [ "pnpm", diff --git a/network/fetch/CHANGELOG.md b/network/fetch/CHANGELOG.md index bb65f304fe..701eadda60 100644 --- a/network/fetch/CHANGELOG.md +++ b/network/fetch/CHANGELOG.md 
@@ -1,5 +1,12 @@ # @pnpm/fetch +## 1100.0.5 + +### Patch Changes + +- Updated dependencies [4a79336] + - @pnpm/core-loggers@1100.1.0 + ## 1100.0.4 ### Patch Changes diff --git a/network/fetch/package.json b/network/fetch/package.json index 10f498fbbd..d2c15d6336 100644 --- a/network/fetch/package.json +++ b/network/fetch/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/network.fetch", - "version": "1100.0.4", + "version": "1100.0.5", "description": "Native fetch with retries", "keywords": [ "pnpm", diff --git a/patching/commands/CHANGELOG.md b/patching/commands/CHANGELOG.md index c6042d06ab..2fb4996ce1 100644 --- a/patching/commands/CHANGELOG.md +++ b/patching/commands/CHANGELOG.md @@ -1,5 +1,30 @@ # @pnpm/plugin-commands-patching +## 1100.0.18 + +### Patch Changes + +- Updated dependencies [4195766] +- Updated dependencies [31538bf] +- Updated dependencies [020ac45] +- Updated dependencies [d3f8408] +- Updated dependencies [6e93f35] +- Updated dependencies [a62f959] +- Updated dependencies [ba2c884] +- Updated dependencies [2a9bd89] +- Updated dependencies [8df408c] + - @pnpm/installing.commands@1100.3.0 + - @pnpm/store.connection-manager@1100.2.0 + - @pnpm/config.reader@1101.3.2 + - @pnpm/lockfile.fs@1100.1.0 + - @pnpm/fetching.pick-fetcher@1100.0.7 + - @pnpm/lockfile.utils@1100.0.8 + - @pnpm/cli.utils@1101.0.5 + - @pnpm/workspace.project-manifest-reader@1100.0.6 + - @pnpm/config.writer@1100.0.8 + - @pnpm/crypto.hash@1100.0.1 + - @pnpm/patching.apply-patch@1100.0.0 + ## 1100.0.17 ### Patch Changes diff --git a/patching/commands/package.json b/patching/commands/package.json index e6855e211b..b7e6b88640 100644 --- a/patching/commands/package.json +++ b/patching/commands/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/patching.commands", - "version": "1100.0.17", + "version": "1100.0.18", "description": "Commands for creating patches", "keywords": [ "pnpm", diff --git a/pkg-manifest/utils/CHANGELOG.md b/pkg-manifest/utils/CHANGELOG.md index 4cbbf8397b..2f336e7bdc 100644 
--- a/pkg-manifest/utils/CHANGELOG.md +++ b/pkg-manifest/utils/CHANGELOG.md @@ -1,5 +1,12 @@ # @pnpm/manifest-utils +## 1100.1.4 + +### Patch Changes + +- Updated dependencies [4a79336] + - @pnpm/core-loggers@1100.1.0 + ## 1100.1.3 ### Patch Changes diff --git a/pkg-manifest/utils/package.json b/pkg-manifest/utils/package.json index 9acadc37f2..e19be5954a 100644 --- a/pkg-manifest/utils/package.json +++ b/pkg-manifest/utils/package.json @@ -1,6 +1,6 @@ { "name": "@pnpm/pkg-manifest.utils", - "version": "1100.1.3", + "version": "1100.1.4", "description": "Utils for dealing with package manifest", "keywords": [ "pnpm", diff --git a/pnpm/CHANGELOG.md b/pnpm/CHANGELOG.md index dbc963d7c2..b523267950 100644 --- a/pnpm/CHANGELOG.md +++ b/pnpm/CHANGELOG.md 
@@ -1,5 +1,78 @@
 # pnpm
+## 11.1.3
+
+### Patch Changes
+
+- `pnpm install` now re-validates `pnpm-lock.yaml` entries against the active `minimumReleaseAge` and `trustPolicy: 'no-downgrade'` policies before any tarball is fetched. Lockfiles resolved elsewhere (committed to the repo, restored from a CI cache, produced by an older pnpm) under a weaker or absent policy can no longer install a freshly-published or trust-downgraded version silently. Violating entries abort the install with `ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION`, `ERR_PNPM_TRUST_DOWNGRADE`, or the generic `ERR_PNPM_LOCKFILE_RESOLUTION_VERIFICATION` when both policies trip in the same batch; `minimumReleaseAgeExclude` and `trustPolicyExclude` are honored. Verification results are cached so repeat installs against an unchanged lockfile take a fast path, and pnpm shows a transient progress line while the registry round-trip runs.
+
+ When fresh resolution picks an immature version, the behavior depends on `minimumReleaseAgeStrict`:
+
+ - **Loose mode** — the default, in effect whenever `minimumReleaseAge` keeps its built-in 24-hour value — auto-adds the immature picks to `minimumReleaseAgeExclude` in `pnpm-workspace.yaml` and lets the install proceed. A single info message lists what was persisted.
+ - **Strict mode** in an interactive terminal collects every immature direct AND transitive pick in one pass and prompts once with the full list. Approving adds them to `minimumReleaseAgeExclude` and the install continues; declining aborts before the lockfile, `package.json`, or `node_modules` is touched.
+ - **Strict mode** in CI (or any non-TTY context) aborts with `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing every offending entry, instead of failing on the first one the resolver hit.
+
+ `minimumReleaseAgeStrict` auto-enables whenever the user explicitly sets `minimumReleaseAge` (CLI flag, env var, global `config.yaml`, or `pnpm-workspace.yaml`); set `minimumReleaseAgeStrict: false` to keep loose-mode auto-collect even with an explicit `minimumReleaseAge` value. Closes [#10438](https://github.com/pnpm/pnpm/issues/10438), [#10488](https://github.com/pnpm/pnpm/issues/10488), [#11687](https://github.com/pnpm/pnpm/issues/11687).
+- Allow redundant trailing base64 padding in `.npmrc` auth values and report invalid auth base64 with a pnpm error.
+- Make `pnpm self-update` respect `minimumReleaseAge` (and `minimumReleaseAgeExclude`) when resolving which pnpm version to install.
+
+ When the `latest` dist-tag points to a version newer than the configured age threshold, `self-update` now selects the newest mature version instead unless excluded by `minimumReleaseAgeExclude`.
+
+ Also makes `dlx` and `outdated` surface invalid `minimumReleaseAgeExclude` patterns under the same `ERR_PNPM_INVALID_MINIMUM_RELEASE_AGE_EXCLUDE` error code already used by `install`, instead of leaking the internal `ERR_PNPM_INVALID_VERSION_UNION` / `ERR_PNPM_NAME_PATTERN_IN_VERSION_UNION` codes.
+
+- Global installs respect global config build policy (e.g., `dangerouslyAllowAllBuilds` from config.yaml) when GVS is enabled [#9249](https://github.com/pnpm/pnpm/issues/9249).
+
+ The global virtual-store (GVS) default `allowBuilds = {}` was applied before workspace manifest settings were read and before global config values (stripped by `extractAndRemoveDependencyBuildOptions`) were re-applied via `globalDepsBuildConfig`. This caused `hasDependencyBuildOptions` to return `true` (because `{}` is not null), blocking restoration of global config values like `dangerouslyAllowAllBuilds`. As a result, global installs skipped all build scripts even when the config explicitly allowed them.
+
+ This fix moves the GVS default to **after** workspace manifest reading and `globalDepsBuildConfig` re-application, so that:
+
+ 1. Workspace manifest `allowBuilds` takes precedence (if present)
+ 2. Global config `dangerouslyAllowAllBuilds` is properly restored (if set and no workspace policy exists)
+ 3. Empty `{}` is only applied as a last resort when no policy is configured anywhere
+
+- Honor `--silent` when `verifyDepsBeforeRun: install` auto-installs dependencies before `pnpm run` or `pnpm exec`, preventing install output from being written to stdout [#11636](https://github.com/pnpm/pnpm/issues/11636).
+- Fix lockfile parsing failures when `pnpm-lock.yaml` contains CRLF line endings and multiple YAML documents [#11612](https://github.com/pnpm/pnpm/issues/11612).
+- Anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime.
+
+ `ENGINE_NAME` (the `;;node` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations:
+
+ 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`.
+ 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts.
But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node.
+
+ Three changes:
+
+ - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`.
+ - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up.
+ - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through.
+
+ On upgrade, two one-time GVS slot churns are possible:
+
+ - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce.
+ - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on.
+
+ In both cases the old slots become prune-eligible.
+
+- Resolve the GVS hash's engine portion per-snapshot when a dependency declares its own `engines.runtime`, instead of using an install-wide value.
+
+ Pnpm's resolver desugars a dep's `engines.runtime` into `dependencies.node: 'runtime:'`, and the bin linker spawns that dep's lifecycle scripts through the pinned Node downloaded into `/node_modules/node/`. The GVS hash and the side-effects-cache key prefix were still anchored to the install-wide runtime — so a pinning snapshot's slot encoded the wrong Node major, and a reinstall on the same host could read the cached side-effects under a key whose `;;node` triple disagreed with the Node the build actually ran on.
+
+ Per-snapshot resolution now matches what `bins/linker` already does on a per-package basis:
+
+ - `@pnpm/deps.graph-hasher` adds `readSnapshotRuntimePin(children)` — reads the `node` entry from one snapshot's graph children and extracts the version from a `node@runtime:` value. Pairs with the existing `findRuntimeNodeVersion(snapshotKeys)` install-wide fallback (also now exported from `@pnpm/deps.graph-hasher` rather than `@pnpm/engine.runtime.system-node-version`, where it was a poor fit — `system-node-version` is about probing the host Node, not parsing lockfile-derived strings).
+ - `calcDepState` and `calcGraphNodeHash` consult `readSnapshotRuntimePin(graph[depPath].children)` first and only fall back to the install-wide `nodeVersion` parameter when the snapshot doesn't pin its own Node.
+
+ Pacquet mirrors the same precedence at the `calc_graph_node_hash` call site in `package-manager/src/virtual_store_layout.rs` — a new `find_own_runtime_node_major(snapshot)` helper reads each snapshot's `dependencies` for a `node` entry with `Prefix::Runtime` and overrides the install-wide engine when present.
+
+ On upgrade, snapshots of dependencies that declare their own `engines.runtime` re-hash under that dep's pinned Node instead of the install-wide value. The old slots become prune-eligible. Closes [#11690](https://github.com/pnpm/pnpm/issues/11690).
+
+- Fixed `pnpm publish` failing with a 404 when authentication relied on OIDC trusted publishing alongside an `.npmrc` written by `actions/setup-node` (`_authToken=${NODE_AUTH_TOKEN}`) without `NODE_AUTH_TOKEN` being set. Unresolved `${VAR}` placeholders in auth values are now treated as empty rather than passed through verbatim, so the literal placeholder no longer surfaces as a bearer token when OIDC fallback is the intended auth source [#11513](https://github.com/pnpm/pnpm/issues/11513).
+- Fix `devEngines.packageManager` (singular form, without `onFail`) defaulting to `onFail: "error"` instead of the documented `pmOnFail: "download"`. As a result, a project that pinned a different pnpm version via `devEngines.packageManager` and ran `pnpm install` from a mismatched pnpm version failed with a hard error, even though the migration table from `managePackageManagerVersions: true` to `pmOnFail: download (default)` promises the install would auto-download the wanted version [#11676](https://github.com/pnpm/pnpm/issues/11676).
+
+ The array form of `devEngines.packageManager` keeps its existing per-element defaults (`error` for the last entry, `ignore` for the rest), since those reflect explicit prioritization by the user. Explicit `onFail` values continue to win.
+
+- Fix `devEngines.packageManager` not writing `packageManagerDependencies` to `pnpm-lock.yaml` when the lockfile lacks an env-doc entry.
Previously the lockfile sync skipped resolution unless an existing `packageManagerDependencies.pnpm` entry needed refreshing, so a fresh install without `onFail: "download"` left the resolved pnpm version unrecorded — contradicting the documented behavior that the resolved version is stored in `pnpm-lock.yaml` [#11674](https://github.com/pnpm/pnpm/issues/11674).
+- Warn when `package.json` contains a legacy `pnpm` field with settings pnpm no longer reads from `package.json` (e.g. `pnpm.overrides`, `pnpm.patchedDependencies`). Previously these were silently ignored after the upgrade from v10, leaving users unaware that their overrides/patched dependencies had stopped taking effect [#11677](https://github.com/pnpm/pnpm/issues/11677).
+
 ## 11.1.2
 ### Patch Changes
diff --git a/pnpm/artifacts/darwin-arm64/package.json b/pnpm/artifacts/darwin-arm64/package.json
index 592575fc57..8320fea26c 100644
--- a/pnpm/artifacts/darwin-arm64/package.json
+++ b/pnpm/artifacts/darwin-arm64/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/macos-arm64",
- "version": "11.1.2",
+ "version": "11.1.3",
 "keywords": [
 "pnpm",
 "pnpm11",
diff --git a/pnpm/artifacts/exe/package.json b/pnpm/artifacts/exe/package.json
index 5870bfaf6e..d128f7ddf1 100644
--- a/pnpm/artifacts/exe/package.json
+++ b/pnpm/artifacts/exe/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/exe",
- "version": "11.1.2",
+ "version": "11.1.3",
 "description": "Fast, disk space efficient package manager",
 "keywords": [
 "pnpm",
diff --git a/pnpm/artifacts/linux-arm64-musl/package.json b/pnpm/artifacts/linux-arm64-musl/package.json
index 9ddba1ad63..7e51f28a2a 100644
--- a/pnpm/artifacts/linux-arm64-musl/package.json
+++ b/pnpm/artifacts/linux-arm64-musl/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/linuxstatic-arm64",
- "version": "11.1.2",
+ "version": "11.1.3",
 "keywords": [
 "pnpm",
 "pnpm11",
diff --git a/pnpm/artifacts/linux-arm64/package.json b/pnpm/artifacts/linux-arm64/package.json
index 04f2ba772f..214db2ec65 100644
--- a/pnpm/artifacts/linux-arm64/package.json
+++ b/pnpm/artifacts/linux-arm64/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/linux-arm64",
- "version": "11.1.2",
+ "version": "11.1.3",
 "keywords": [
 "pnpm",
 "pnpm11",
diff --git a/pnpm/artifacts/linux-x64-musl/package.json b/pnpm/artifacts/linux-x64-musl/package.json
index da90c39948..7f449fe88a 100644
--- a/pnpm/artifacts/linux-x64-musl/package.json
+++ b/pnpm/artifacts/linux-x64-musl/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/linuxstatic-x64",
- "version": "11.1.2",
+ "version": "11.1.3",
 "keywords": [
 "pnpm",
 "pnpm11",
diff --git a/pnpm/artifacts/linux-x64/package.json b/pnpm/artifacts/linux-x64/package.json
index 181bda2033..6a27514d81 100644
--- a/pnpm/artifacts/linux-x64/package.json
+++ b/pnpm/artifacts/linux-x64/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/linux-x64",
- "version": "11.1.2",
+ "version": "11.1.3",
 "keywords": [
 "pnpm",
 "pnpm11",
diff --git a/pnpm/artifacts/win32-arm64/package.json b/pnpm/artifacts/win32-arm64/package.json
index 22bf639e50..830545213d 100644
--- a/pnpm/artifacts/win32-arm64/package.json
+++ b/pnpm/artifacts/win32-arm64/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/win-arm64",
- "version": "11.1.2",
+ "version": "11.1.3",
 "keywords": [
 "pnpm",
 "pnpm11",
diff --git a/pnpm/artifacts/win32-x64/package.json b/pnpm/artifacts/win32-x64/package.json
index eac1748f48..a572042db6 100644
--- a/pnpm/artifacts/win32-x64/package.json
+++ b/pnpm/artifacts/win32-x64/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/win-x64",
- "version": "11.1.2",
+ "version": "11.1.3",
 "keywords": [
 "pnpm",
 "pnpm11",
diff --git a/pnpm/dev/CHANGELOG.md b/pnpm/dev/CHANGELOG.md
index 1a6526be11..e3c0ef6b05 100644
--- a/pnpm/dev/CHANGELOG.md
+++ b/pnpm/dev/CHANGELOG.md
@@ -1,5 +1,11 @@
 # pd
+## 1100.0.8
+
+### Patch Changes
+
+- @pnpm/workspace.projects-reader@1101.0.5
+
 ## 1100.0.7
 ### Patch Changes
diff --git a/pnpm/dev/package.json b/pnpm/dev/package.json
index 9ea9d0c6ab..79329d05bd 100644
--- a/pnpm/dev/package.json
+++ b/pnpm/dev/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pd",
- "version": "1100.0.7",
+ "version": "1100.0.8",
 "bin": "pd.js",
 "private": true,
 "type": "module",
diff --git a/pnpm/package.json b/pnpm/package.json
index 83e4f4a7dc..4802506f78 100644
--- a/pnpm/package.json
+++ b/pnpm/package.json
@@ -1,6 +1,6 @@
 {
 "name": "pnpm",
- "version": "11.1.2",
+ "version": "11.1.3",
 "description": "Fast, disk space efficient package manager",
 "keywords": [
 "pnpm",
diff --git a/registry-access/commands/CHANGELOG.md b/registry-access/commands/CHANGELOG.md
index 1e57571261..9c49821467 100644
--- a/registry-access/commands/CHANGELOG.md
+++ b/registry-access/commands/CHANGELOG.md
@@ -1,5 +1,18 @@
 # @pnpm/registry-access.commands
+## 1100.2.12
+
+### Patch Changes
+
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+ - @pnpm/config.reader@1101.3.2
+ - @pnpm/network.fetch@1100.0.5
+ - @pnpm/cli.utils@1101.0.5
+
 ## 1100.2.11
 ### Patch Changes
diff --git a/registry-access/commands/package.json b/registry-access/commands/package.json
index b678cf1753..57dbfb28c9 100644
--- a/registry-access/commands/package.json
+++ b/registry-access/commands/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/registry-access.commands",
- "version": "1100.2.11",
+ "version": "1100.2.12",
 "description": "Commands for managing packages on the registry",
 "keywords": [
 "pnpm",
diff --git a/releasing/commands/CHANGELOG.md b/releasing/commands/CHANGELOG.md
index 8b4572d651..2a3551cdaa 100644
--- a/releasing/commands/CHANGELOG.md
+++ b/releasing/commands/CHANGELOG.md
@@ -1,5 +1,36 @@
 # @pnpm/releasing.commands
+## 1100.2.15
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [247d70b]
+- Updated dependencies [6e93f35]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [2a9bd89]
+- Updated dependencies [8df408c]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/installing.client@1100.1.0
+ - @pnpm/installing.commands@1100.3.0
+ - @pnpm/config.reader@1101.3.2
+ - @pnpm/exec.pnpm-cli-runner@1100.0.1
+ - @pnpm/lockfile.fs@1100.1.0
+ - @pnpm/engine.runtime.node-resolver@1101.0.9
+ - @pnpm/fetching.directory-fetcher@1100.0.10
+ - @pnpm/lockfile.types@1100.0.6
+ - @pnpm/exec.lifecycle@1100.0.11
+ - @pnpm/fs.indexed-pkg-importer@1100.0.8
+ - @pnpm/engine.runtime.commands@1100.0.15
+ - @pnpm/network.fetch@1100.0.5
+ - @pnpm/workspace.projects-filter@1100.0.12
+ - @pnpm/releasing.exportable-manifest@1100.0.6
+ - @pnpm/cli.utils@1101.0.5
+
 ## 1100.2.14
 ### Patch Changes
diff --git a/releasing/commands/package.json b/releasing/commands/package.json
index 7a0b7e1862..3a6b221685 100644
--- a/releasing/commands/package.json
+++ b/releasing/commands/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/releasing.commands",
- "version": "1100.2.14",
+ "version": "1100.2.15",
 "description": "Commands for deploy, pack, and publish",
 "keywords": [
 "pnpm",
diff --git a/releasing/exportable-manifest/CHANGELOG.md b/releasing/exportable-manifest/CHANGELOG.md
index 37b74943a7..cc4fc7405c 100644
--- a/releasing/exportable-manifest/CHANGELOG.md
+++ b/releasing/exportable-manifest/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/exportable-manifest
+## 1100.0.6
+
+### Patch Changes
+
+- @pnpm/workspace.project-manifest-reader@1100.0.6
+
 ## 1100.0.5
 ### Patch Changes
diff --git a/releasing/exportable-manifest/package.json b/releasing/exportable-manifest/package.json
index 1fc2e94674..893ba35229 100644
--- a/releasing/exportable-manifest/package.json
+++ b/releasing/exportable-manifest/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/releasing.exportable-manifest",
- "version": "1100.0.5",
+ "version": "1100.0.6",
 "description": "Creates an exportable manifest",
 "keywords": [
 "pnpm",
diff --git a/resolving/default-resolver/CHANGELOG.md b/resolving/default-resolver/CHANGELOG.md
index 6cc4587e2b..af8ab5dc1a 100644
--- a/resolving/default-resolver/CHANGELOG.md
+++ b/resolving/default-resolver/CHANGELOG.md
@@ -1,5 +1,39 @@ # @pnpm/default-resolver +## 1100.2.0 + +### Minor Changes + +- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users: + + 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone. + 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it. + 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. 
Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). + + Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens. + +- 31538bf: Restructured the `minimumReleaseAge` lockfile revalidation gate around a generic `ResolutionVerifier` interface. Each resolver may now export a sibling verifier factory (today: `createNpmResolutionVerifier`) that re-checks an already-resolved lockfile entry against its policies; the resolver chain returns the verifier list as `resolutionVerifiers` and the install side fans out across it. A `ResolutionVerifier` carries `verify` plus `policy` and `canTrustPastCheck` — the cache contract that lets repeat installs against an unchanged lockfile skip the per-package registry round trip entirely. 
+
+ Verification results are memoized in JSON Lines at `/lockfile-verified.jsonl`: a stat-only fast path matches on lockfile size, mtime, and inode, falling back to a content hash when those drift (typical after a CI checkout). Every active verifier's policy contribution is merged into a single `policy` bag on the record; the gate runs in full whenever the lockfile changes, any verifier rejects the cached policy, or no record exists [#11687](https://github.com/pnpm/pnpm/issues/11687).
+
+### Patch Changes
+
+- Updated dependencies [963861c]
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.npm-resolver@1101.2.0
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/engine.runtime.bun-resolver@1101.0.7
+ - @pnpm/engine.runtime.deno-resolver@1101.0.7
+ - @pnpm/engine.runtime.node-resolver@1101.0.9
+ - @pnpm/hooks.types@1100.0.7
+ - @pnpm/resolving.git-resolver@1100.0.8
+ - @pnpm/resolving.local-resolver@1101.0.2
+ - @pnpm/resolving.tarball-resolver@1100.0.6
+
 ## 1100.1.2
 ### Patch Changes
diff --git a/resolving/default-resolver/package.json b/resolving/default-resolver/package.json
index 5d87054822..54240017b7 100644
--- a/resolving/default-resolver/package.json
+++ b/resolving/default-resolver/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/resolving.default-resolver",
- "version": "1100.1.2",
+ "version": "1100.2.0",
 "description": "pnpm's default package resolver",
 "keywords": [
 "pnpm",
diff --git a/resolving/git-resolver/CHANGELOG.md b/resolving/git-resolver/CHANGELOG.md
index 3c10840199..d71067bc29 100644
--- a/resolving/git-resolver/CHANGELOG.md
+++ b/resolving/git-resolver/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @pnpm/git-resolver
+## 1100.0.8
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/network.fetch@1100.0.5
+
 ## 1100.0.7
 ### Patch Changes
diff --git a/resolving/git-resolver/package.json b/resolving/git-resolver/package.json
index d21c70d5c4..0112bd8a73 100644
--- a/resolving/git-resolver/package.json
+++ b/resolving/git-resolver/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/resolving.git-resolver",
- "version": "1100.0.7",
+ "version": "1100.0.8",
 "description": "Resolver for git-hosted packages",
 "keywords": [
 "pnpm",
diff --git a/resolving/local-resolver/CHANGELOG.md b/resolving/local-resolver/CHANGELOG.md
index 04e75d1d5a..57ba45d163 100644
--- a/resolving/local-resolver/CHANGELOG.md
+++ b/resolving/local-resolver/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @pnpm/local-resolver
+## 1101.0.2
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/workspace.project-manifest-reader@1100.0.6
+ - @pnpm/crypto.hash@1100.0.1
+
 ## 1101.0.1
 ### Patch Changes
diff --git a/resolving/local-resolver/package.json b/resolving/local-resolver/package.json
index 6ff13416a9..e8c5c1cce5 100644
--- a/resolving/local-resolver/package.json
+++ b/resolving/local-resolver/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/resolving.local-resolver",
- "version": "1101.0.1",
+ "version": "1101.0.2",
 "description": "Resolver for local packages",
 "keywords": [
 "pnpm",
diff --git a/resolving/npm-resolver/CHANGELOG.md b/resolving/npm-resolver/CHANGELOG.md
index bdc6344401..dd63c24e92 100644
--- a/resolving/npm-resolver/CHANGELOG.md
+++ b/resolving/npm-resolver/CHANGELOG.md
@@ -1,5 +1,41 @@
 # @pnpm/npm-resolver
+## 1101.2.0
+
+### Minor Changes
+
+- 963861c: Sped up the `minimumReleaseAge` lockfile verification gate on cold-cache installs by trying npm's `/-/npm/v1/attestations/@` endpoint before fetching the full metadata document. The attestation response is tens of KB versus the multi-MB full metadata, so `--frozen-lockfile` installs against a fleet of provenance-published packages download far less to verify timestamps.
+
+ The publish time comes from `bundle.verificationMaterial.tlogEntries[].integratedTime` (the Rekor inclusion time, a couple of seconds after the actual publish — close enough for a policy that operates in minutes/hours/days). When the local full-metadata mirror already has the timestamp, or the attestation endpoint 404s / errors, the verifier falls back to the existing `fetchFullMetadataCached` path. Sigstore signature verification is not performed; the trust model is unchanged versus reading the registry's `time` field on the full metadata document [#11687](https://github.com/pnpm/pnpm/issues/11687).
+
+- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users:
+
+ 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone.
+ 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it.
+ 3. **Strict mode (interactive)** no longer aborts on the first immature pick.
The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive. + 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list. + + 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache). 
+
+ Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens.
+
+- 31538bf: Restructured the `minimumReleaseAge` lockfile revalidation gate around a generic `ResolutionVerifier` interface. Each resolver may now export a sibling verifier factory (today: `createNpmResolutionVerifier`) that re-checks an already-resolved lockfile entry against its policies; the resolver chain returns the verifier list as `resolutionVerifiers` and the install side fans out across it. A `ResolutionVerifier` carries `verify` plus `policy` and `canTrustPastCheck` — the cache contract that lets repeat installs against an unchanged lockfile skip the per-package registry round trip entirely.
+
+ Verification results are memoized in JSON Lines at `/lockfile-verified.jsonl`: a stat-only fast path matches on lockfile size, mtime, and inode, falling back to a content hash when those drift (typical after a CI checkout). Every active verifier's policy contribution is merged into a single `policy` bag on the record; the gate runs in full whenever the lockfile changes, any verifier rejects the cached policy, or no record exists [#11687](https://github.com/pnpm/pnpm/issues/11687).
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [b6e2c8c]
+- Updated dependencies [4a79336]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/config.version-policy@1100.1.0
+ - @pnpm/core-loggers@1100.1.0
+ - @pnpm/store.cafs@1100.1.5
+ - @pnpm/worker@1100.1.6
+ - @pnpm/crypto.hash@1100.0.1
+
 ## 1101.1.1
 ### Patch Changes
diff --git a/resolving/npm-resolver/package.json b/resolving/npm-resolver/package.json
index 5cfd3e2daf..11f8f4e9b1 100644
--- a/resolving/npm-resolver/package.json
+++ b/resolving/npm-resolver/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/resolving.npm-resolver",
- "version": "1101.1.1",
+ "version": "1101.2.0",
 "description": "Resolver for npm-hosted packages",
 "keywords": [
 "pnpm",
diff --git a/resolving/resolver-base/CHANGELOG.md b/resolving/resolver-base/CHANGELOG.md
index a6bda17aec..9f169ccddc 100644
--- a/resolving/resolver-base/CHANGELOG.md
+++ b/resolving/resolver-base/CHANGELOG.md
@@ -1,5 +1,24 @@
 # @pnpm/resolver-base
+## 1100.2.0
+
+### Minor Changes
+
+- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users:
+
+ 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone.
+ 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it.
+ 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive.
+ 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list.
+
+ 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache).
+
+ Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens.
+
+- 31538bf: Restructured the `minimumReleaseAge` lockfile revalidation gate around a generic `ResolutionVerifier` interface. Each resolver may now export a sibling verifier factory (today: `createNpmResolutionVerifier`) that re-checks an already-resolved lockfile entry against its policies; the resolver chain returns the verifier list as `resolutionVerifiers` and the install side fans out across it. A `ResolutionVerifier` carries `verify` plus `policy` and `canTrustPastCheck` — the cache contract that lets repeat installs against an unchanged lockfile skip the per-package registry round trip entirely.
+
+ Verification results are memoized in JSON Lines at `/lockfile-verified.jsonl`: a stat-only fast path matches on lockfile size, mtime, and inode, falling back to a content hash when those drift (typical after a CI checkout). Every active verifier's policy contribution is merged into a single `policy` bag on the record; the gate runs in full whenever the lockfile changes, any verifier rejects the cached policy, or no record exists [#11687](https://github.com/pnpm/pnpm/issues/11687).
+
 ## 1100.1.3
 ### Patch Changes
diff --git a/resolving/resolver-base/package.json b/resolving/resolver-base/package.json
index 96bcb5ca93..eba989ca41 100644
--- a/resolving/resolver-base/package.json
+++ b/resolving/resolver-base/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/resolving.resolver-base",
- "version": "1100.1.3",
+ "version": "1100.2.0",
 "description": "Types for pnpm-compatible resolvers",
 "keywords": [
 "pnpm",
diff --git a/resolving/tarball-resolver/CHANGELOG.md b/resolving/tarball-resolver/CHANGELOG.md
index 9c17a683bd..59b734a5af 100644
--- a/resolving/tarball-resolver/CHANGELOG.md
+++ b/resolving/tarball-resolver/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @pnpm/tarball-resolver
+## 1100.0.6
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.resolver-base@1100.2.0
+
 ## 1100.0.5
 ### Patch Changes
diff --git a/resolving/tarball-resolver/package.json b/resolving/tarball-resolver/package.json
index b0e5d992a2..a7e8a83870 100644
--- a/resolving/tarball-resolver/package.json
+++ b/resolving/tarball-resolver/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/resolving.tarball-resolver",
- "version": "1100.0.5",
+ "version": "1100.0.6",
 "description": "Resolver for tarball dependencies",
 "keywords": [
 "pnpm",
diff --git a/store/cafs/CHANGELOG.md b/store/cafs/CHANGELOG.md
index d175e7a638..ba2c20f99f 100644
--- a/store/cafs/CHANGELOG.md
+++ b/store/cafs/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @pnpm/store.cafs
+## 1100.1.5
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+ - @pnpm/store.controller-types@1100.1.0
+ - @pnpm/fetching.fetcher-base@1100.1.4
+
 ## 1100.1.4
 ### Patch Changes
diff --git a/store/cafs/package.json b/store/cafs/package.json
index 98d382cccb..f2149d0d69 100644
--- a/store/cafs/package.json
+++ b/store/cafs/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/store.cafs",
- "version": "1100.1.4",
+ "version": "1100.1.5",
 "description": "A content-addressable filesystem for the packages storage",
 "keywords": [
 "pnpm",
diff --git a/store/commands/CHANGELOG.md b/store/commands/CHANGELOG.md
index 3ae78be009..e3f7f31dac 100644
--- a/store/commands/CHANGELOG.md
+++ b/store/commands/CHANGELOG.md
@@ -1,5 +1,26 @@
 # @pnpm/store.commands
+## 1100.0.17
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+ - @pnpm/store.controller-types@1100.1.0
+ - @pnpm/installing.client@1100.1.0
+ - @pnpm/store.connection-manager@1100.2.0
+ - @pnpm/config.reader@1101.3.2
+ - @pnpm/installing.context@1100.0.11
+ - @pnpm/lockfile.types@1100.0.6
+ - @pnpm/lockfile.utils@1100.0.8
+ - @pnpm/store.cafs@1100.1.5
+ - @pnpm/cli.utils@1101.0.5
+
 ## 1100.0.16
 ### Patch Changes
diff --git a/store/commands/package.json b/store/commands/package.json
index 15b9bc88ea..a365d63f23 100644
--- a/store/commands/package.json
+++ b/store/commands/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/store.commands",
- "version": "1100.0.16",
+ "version": "1100.0.17",
 "description": "Commands for controlling and inspecting the store",
 "keywords": [
 "pnpm",
diff --git a/store/connection-manager/CHANGELOG.md b/store/connection-manager/CHANGELOG.md
index cfaaa13a8e..fc7be33c96 100644
--- a/store/connection-manager/CHANGELOG.md
+++ b/store/connection-manager/CHANGELOG.md 
@@ -1,5 +1,38 @@
 # @pnpm/store-connection-manager
+## 1100.2.0
+
+### Minor Changes
+
+- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users:
+
+ 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone.
+ 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it.
+ 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive.
+ 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list.
+
+ 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache).
+
+ Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens.
+
+- 31538bf: Restructured the `minimumReleaseAge` lockfile revalidation gate around a generic `ResolutionVerifier` interface. Each resolver may now export a sibling verifier factory (today: `createNpmResolutionVerifier`) that re-checks an already-resolved lockfile entry against its policies; the resolver chain returns the verifier list as `resolutionVerifiers` and the install side fans out across it. A `ResolutionVerifier` carries `verify` plus `policy` and `canTrustPastCheck` — the cache contract that lets repeat installs against an unchanged lockfile skip the per-package registry round trip entirely.
+
+ Verification results are memoized in JSON Lines at `/lockfile-verified.jsonl`: a stat-only fast path matches on lockfile size, mtime, and inode, falling back to a content hash when those drift (typical after a CI checkout). Every active verifier's policy contribution is merged into a single `policy` bag on the record; the gate runs in full whenever the lockfile changes, any verifier rejects the cached policy, or no record exists [#11687](https://github.com/pnpm/pnpm/issues/11687).
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/installing.client@1100.1.0
+ - @pnpm/config.reader@1101.3.2
+ - @pnpm/store.controller@1101.0.7
+
 ## 1100.1.2
 ### Patch Changes
diff --git a/store/connection-manager/package.json b/store/connection-manager/package.json
index cb78379b90..7f039f6bb7 100644
--- a/store/connection-manager/package.json
+++ b/store/connection-manager/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/store.connection-manager",
- "version": "1100.1.2",
+ "version": "1100.2.0",
 "description": "Create a pnpm store controller",
 "keywords": [
 "pnpm",
diff --git a/store/controller-types/CHANGELOG.md b/store/controller-types/CHANGELOG.md
index 91c35edb01..a981c6e7bb 100644
--- a/store/controller-types/CHANGELOG.md
+++ b/store/controller-types/CHANGELOG.md
@@ -1,5 +1,27 @@
 # @pnpm/store-controller-types
+## 1100.1.0
+
+### Minor Changes
+
+- 4195766: Tightened the `minimumReleaseAge` story so the bypass becomes explicit on disk instead of silent, and removed the discover-by-loop dance for strict-mode users:
+
+ 1. Fresh resolutions in loose mode (`minimumReleaseAgeStrict: false`) that fall back to a version newer than the cutoff auto-collect the picked `name@version` into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists the additions; entries already on the list are left alone.
+ 2. The post-resolution lockfile verifier introduced in #11583 now runs in loose mode too — every accepted-immature pin must be on `minimumReleaseAgeExclude`, just like strict mode requires. A lockfile produced under a weaker (or absent) policy that still has immature entries is rejected the same way strict mode would reject it.
+ 3. **Strict mode (interactive)** no longer aborts on the first immature pick. The resolver gathers every immature direct _and_ transitive in one pass; before peer-dependency resolution runs, pnpm prompts the user with the full list and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues and the workspace manifest is written at the end. Decline → resolution aborts before the lockfile or package.json is touched (tarballs already in the store stay, since the store is idempotent). This closes the [#10488](https://github.com/pnpm/pnpm/issues/10488) loop where security bumps to packages with platform-specific transitives (e.g. `next` + the `@next/swc-*` shims) made users re-run `pnpm add` once per transitive.
+ 4. **Strict mode (non-interactive / CI)** now aborts with the full immature set in the error message instead of the first pick. The resolver always collects every immature direct + transitive; the install command then throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing each entry's `name@version` and publish time. Deterministic CI behavior is preserved (same exit code, same error code), but the error pinpoints every offending entry instead of forcing the discover-by-loop dance. The expected workflow is interactive approval locally → the lockfile + workspace manifest get committed → CI runs cleanly against the populated exclude list.
+
+ 5. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache).
+
+ Pacquet parity: not ported — pacquet's `minimumReleaseAge` policy is itself only stubbed today (see `pacquet/crates/package-manager/src/version_policy.rs`). The auto-exclude, loose-mode verifier, prompt, and the new trust-policy verifier check will travel with the broader policy port whenever that happens.
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/fetching.fetcher-base@1100.1.4
+
 ## 1100.0.7
 ### Patch Changes
diff --git a/store/controller-types/package.json b/store/controller-types/package.json
index 9f0d84f8f1..354fcb37da 100644
--- a/store/controller-types/package.json
+++ b/store/controller-types/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/store.controller-types",
- "version": "1100.0.7",
+ "version": "1100.1.0",
 "description": "Types for the store controller",
 "keywords": [
 "pnpm",
diff --git a/store/controller/CHANGELOG.md b/store/controller/CHANGELOG.md
index 28b9c5450b..565f841d2f 100644
--- a/store/controller/CHANGELOG.md
+++ b/store/controller/CHANGELOG.md
@@ -1,5 +1,21 @@
 # @pnpm/package-store
+## 1101.0.7
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/store.controller-types@1100.1.0
+ - @pnpm/fetching.fetcher-base@1100.1.4
+ - @pnpm/hooks.types@1100.0.7
+ - @pnpm/installing.package-requester@1101.0.7
+ - @pnpm/store.cafs@1100.1.5
+ - @pnpm/store.create-cafs-store@1100.0.8
+ - @pnpm/worker@1100.1.6
+ - @pnpm/crypto.hash@1100.0.1
+
 ## 1101.0.6
 ### Patch Changes
diff --git a/store/controller/package.json b/store/controller/package.json
index 3277d19283..522cea0d8a 100644
--- a/store/controller/package.json
+++ b/store/controller/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/store.controller",
- "version": "1101.0.6",
+ "version": "1101.0.7",
 "description": "A storage for packages",
 "keywords": [
 "pnpm",
diff --git a/store/create-cafs-store/CHANGELOG.md b/store/create-cafs-store/CHANGELOG.md
index 0198bb53c1..4bd892aed5 100644
--- a/store/create-cafs-store/CHANGELOG.md
+++ b/store/create-cafs-store/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @pnpm/create-cafs-store
+## 1100.0.8
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+ - @pnpm/store.controller-types@1100.1.0
+ - @pnpm/fetching.fetcher-base@1100.1.4
+ - @pnpm/fs.indexed-pkg-importer@1100.0.8
+ - @pnpm/store.cafs@1100.1.5
+
 ## 1100.0.7
 ### Patch Changes
diff --git a/store/create-cafs-store/package.json b/store/create-cafs-store/package.json
index 00099f286e..ddaf7c74dd 100644
--- a/store/create-cafs-store/package.json
+++ b/store/create-cafs-store/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/store.create-cafs-store",
- "version": "1100.0.7",
+ "version": "1100.0.8",
 "description": "Create a CAFS store controller",
 "keywords": [
 "pnpm",
diff --git a/store/pkg-finder/CHANGELOG.md b/store/pkg-finder/CHANGELOG.md
index 454b571ba9..d028098322 100644
--- a/store/pkg-finder/CHANGELOG.md
+++ b/store/pkg-finder/CHANGELOG.md
@@ -1,5 +1,15 @@
 # @pnpm/store.pkg-finder
+## 1100.0.10
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/fetching.directory-fetcher@1100.0.10
+ - @pnpm/store.cafs@1100.1.5
+
 ## 1100.0.9
 ### Patch Changes
diff --git a/store/pkg-finder/package.json b/store/pkg-finder/package.json
index 61612d25e6..07df2bc627 100644
--- a/store/pkg-finder/package.json
+++ b/store/pkg-finder/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/store.pkg-finder",
- "version": "1100.0.9",
+ "version": "1100.0.10",
 "description": "Read a package's file map from the content-addressable store",
 "keywords": [
 "pnpm",
diff --git a/testing/mock-agent/CHANGELOG.md b/testing/mock-agent/CHANGELOG.md
index 94a243d061..f3a9bb1e56 100644
--- a/testing/mock-agent/CHANGELOG.md
+++ b/testing/mock-agent/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/testing.mock-agent
+## 1100.0.5
+
+### Patch Changes
+
+- @pnpm/network.fetch@1100.0.5
+
 ## 1100.0.4
 ### Patch Changes
diff --git a/testing/mock-agent/package.json b/testing/mock-agent/package.json
index 18f3a63eb8..a05ac33c3d 100644
--- a/testing/mock-agent/package.json
+++ b/testing/mock-agent/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/testing.mock-agent",
- "version": "1100.0.4",
+ "version": "1100.0.5",
 "private": true,
 "description": "Shared undici MockAgent helpers for pnpm tests",
 "keywords": [
diff --git a/testing/temp-store/CHANGELOG.md b/testing/temp-store/CHANGELOG.md
index 1e1e27eda8..1de25534db 100644
--- a/testing/temp-store/CHANGELOG.md
+++ b/testing/temp-store/CHANGELOG.md
@@ -1,5 +1,22 @@
 # @pnpm/testing.temp-store
+## 1100.1.0
+
+### Minor Changes
+
+- 31538bf: Restructured the `minimumReleaseAge` lockfile revalidation gate around a generic `ResolutionVerifier` interface. Each resolver may now export a sibling verifier factory (today: `createNpmResolutionVerifier`) that re-checks an already-resolved lockfile entry against its policies; the resolver chain returns the verifier list as `resolutionVerifiers` and the install side fans out across it. A `ResolutionVerifier` carries `verify` plus `policy` and `canTrustPastCheck` — the cache contract that lets repeat installs against an unchanged lockfile skip the per-package registry round trip entirely.
+
+ Verification results are memoized in JSON Lines at `/lockfile-verified.jsonl`: a stat-only fast path matches on lockfile size, mtime, and inode, falling back to a content hash when those drift (typical after a CI checkout). Every active verifier's policy contribution is merged into a single `policy` bag on the record; the gate runs in full whenever the lockfile changes, any verifier rejects the cached policy, or no record exists [#11687](https://github.com/pnpm/pnpm/issues/11687).
+
+### Patch Changes
+
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.resolver-base@1100.2.0
+ - @pnpm/store.controller-types@1100.1.0
+ - @pnpm/installing.client@1100.1.0
+ - @pnpm/store.controller@1101.0.7
+
 ## 1100.0.16
 ### Patch Changes
diff --git a/testing/temp-store/package.json b/testing/temp-store/package.json
index 9ebcaff038..d426c42e4a 100644
--- a/testing/temp-store/package.json
+++ b/testing/temp-store/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/testing.temp-store",
- "version": "1100.0.16",
+ "version": "1100.1.0",
 "description": "A temporary store for testing purposes",
 "keywords": [
 "pnpm",
diff --git a/worker/CHANGELOG.md b/worker/CHANGELOG.md
index 4c103a2f02..4379bbfabd 100644
--- a/worker/CHANGELOG.md
+++ b/worker/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @pnpm/worker
+## 1100.1.6
+
+### Patch Changes
+
+- @pnpm/store.cafs@1100.1.5
+- @pnpm/store.create-cafs-store@1100.0.8
+- @pnpm/fs.symlink-dependency@1100.0.4
+- @pnpm/fs.hard-link-dir@1100.0.1
+
 ## 1100.1.5
 ### Patch Changes
diff --git a/worker/package.json b/worker/package.json
index 1bca4f7575..3217a263e9 100644
--- a/worker/package.json
+++ b/worker/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/worker",
- "version": "1100.1.5",
+ "version": "1100.1.6",
 "description": "A worker for extracting package taralls to the store",
 "keywords": [
 "pnpm",
diff --git a/workspace/commands/CHANGELOG.md b/workspace/commands/CHANGELOG.md
index 53c7e3e8bd..475e49a5d6 100644
--- a/workspace/commands/CHANGELOG.md
+++ b/workspace/commands/CHANGELOG.md
@@ -1,5 +1,17 @@
 # @pnpm/plugin-commands-init
+## 1100.1.12
+
+### Patch Changes
+
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+ - @pnpm/config.reader@1101.3.2
+ - @pnpm/cli.utils@1101.0.5
+
 ## 1100.1.11
 ### Patch Changes
diff --git a/workspace/commands/package.json b/workspace/commands/package.json
index 1ac37d62a4..7484615ca0 100644
--- a/workspace/commands/package.json
+++ b/workspace/commands/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/workspace.commands",
- "version": "1100.1.11",
+ "version": "1100.1.12",
 "description": "Create a package.json file",
 "keywords": [
 "pnpm",
diff --git a/workspace/injected-deps-syncer/CHANGELOG.md b/workspace/injected-deps-syncer/CHANGELOG.md
index b1f61b173a..7417ed803b 100644
--- a/workspace/injected-deps-syncer/CHANGELOG.md
+++ b/workspace/injected-deps-syncer/CHANGELOG.md
@@ -1,5 +1,13 @@
 # @pnpm/workspace.injected-deps-syncer
+## 1100.0.12
+
+### Patch Changes
+
+- @pnpm/fetching.directory-fetcher@1100.0.10
+- @pnpm/bins.linker@1100.0.7
+- @pnpm/workspace.projects-reader@1101.0.5
+
 ## 1100.0.11
 ### Patch Changes
diff --git a/workspace/injected-deps-syncer/package.json b/workspace/injected-deps-syncer/package.json
index f6d1416a0b..c51f0f8feb 100644
--- a/workspace/injected-deps-syncer/package.json
+++ b/workspace/injected-deps-syncer/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/workspace.injected-deps-syncer",
- "version": "1100.0.11",
+ "version": "1100.0.12",
 "description": "Update all injected replica of a workspace package",
 "keywords": [
 "pnpm",
diff --git a/workspace/project-manifest-reader/CHANGELOG.md b/workspace/project-manifest-reader/CHANGELOG.md
index 4f24153728..2fa7989733 100644
--- a/workspace/project-manifest-reader/CHANGELOG.md
+++ b/workspace/project-manifest-reader/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/read-project-manifest
+## 1100.0.6
+
+### Patch Changes
+
+- @pnpm/pkg-manifest.utils@1100.1.4
+
 ## 1100.0.5
 ### Patch Changes
diff --git a/workspace/project-manifest-reader/package.json b/workspace/project-manifest-reader/package.json
index 5d54d1c6be..c4401b362a 100644
--- a/workspace/project-manifest-reader/package.json
+++ b/workspace/project-manifest-reader/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/workspace.project-manifest-reader",
- "version": "1100.0.5",
+ "version": "1100.0.6",
 "description": "Read a project manifest (called package.json in most cases)",
 "keywords": [
 "pnpm",
diff --git a/workspace/projects-filter/CHANGELOG.md b/workspace/projects-filter/CHANGELOG.md
index 2f3d473533..1c8c4591d1 100644
--- a/workspace/projects-filter/CHANGELOG.md
+++ b/workspace/projects-filter/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @pnpm/filter-workspace-packages
+## 1100.0.12
+
+### Patch Changes
+
+- @pnpm/workspace.projects-graph@1100.0.9
+- @pnpm/workspace.projects-reader@1101.0.5
+
 ## 1100.0.11
 ### Patch Changes
diff --git a/workspace/projects-filter/package.json b/workspace/projects-filter/package.json
index 6f1bc9cddf..8b6e4956bb 100644
--- a/workspace/projects-filter/package.json
+++ b/workspace/projects-filter/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/workspace.projects-filter",
- "version": "1100.0.11",
+ "version": "1100.0.12",
 "description": "Filters packages in a workspace",
 "keywords": [
 "pnpm",
diff --git a/workspace/projects-graph/CHANGELOG.md b/workspace/projects-graph/CHANGELOG.md
index 05c8722704..f27726310a 100644
--- a/workspace/projects-graph/CHANGELOG.md
+++ b/workspace/projects-graph/CHANGELOG.md
@@ -1,5 +1,14 @@
 # @pnpm/workspace.pkgs-graph
+## 1100.0.9
+
+### Patch Changes
+
+- Updated dependencies [963861c]
+- Updated dependencies [4195766]
+- Updated dependencies [31538bf]
+ - @pnpm/resolving.npm-resolver@1101.2.0
+
 ## 1100.0.8
 ### Patch Changes
diff --git a/workspace/projects-graph/package.json b/workspace/projects-graph/package.json
index e5e140f5de..d7ccede101 100644
--- a/workspace/projects-graph/package.json
+++ b/workspace/projects-graph/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/workspace.projects-graph",
- "version": "1100.0.8",
+ "version": "1100.0.9",
 "description": "Create a graph from an array of packages",
 "keywords": [
 "pnpm",
diff --git a/workspace/projects-reader/CHANGELOG.md b/workspace/projects-reader/CHANGELOG.md
index e70b6c0f5a..35422bddf6 100644
--- a/workspace/projects-reader/CHANGELOG.md
+++ b/workspace/projects-reader/CHANGELOG.md
@@ -1,5 +1,12 @@
 # @pnpm/find-workspace-packages
+## 1101.0.5
+
+### Patch Changes
+
+- @pnpm/cli.utils@1101.0.5
+- @pnpm/workspace.project-manifest-reader@1100.0.6
+
 ## 1101.0.4
 ### Patch Changes
diff --git a/workspace/projects-reader/package.json b/workspace/projects-reader/package.json
index b4fd0a2e07..ca5e33fe30 100644
--- a/workspace/projects-reader/package.json
+++ b/workspace/projects-reader/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/workspace.projects-reader",
- "version": "1101.0.4",
+ "version": "1101.0.5",
 "description": "Finds packages inside a workspace",
 "keywords": [
 "pnpm",
diff --git a/workspace/state/CHANGELOG.md b/workspace/state/CHANGELOG.md
index b889371389..62cd6a7f13 100644
--- a/workspace/state/CHANGELOG.md
+++ b/workspace/state/CHANGELOG.md
@@ -1,5 +1,16 @@
 # @pnpm/workspace.state
+## 1100.0.13
+
+### Patch Changes
+
+- Updated dependencies [020ac45]
+- Updated dependencies [d3f8408]
+- Updated dependencies [a62f959]
+- Updated dependencies [ba2c884]
+- Updated dependencies [8df408c]
+ - @pnpm/config.reader@1101.3.2
+
 ## 1100.0.12
 ### Patch Changes
diff --git a/workspace/state/package.json b/workspace/state/package.json
index a26dfa812e..59c9bcabc4 100644
--- a/workspace/state/package.json
+++ b/workspace/state/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/workspace.state",
- "version": "1100.0.12",
+ "version": "1100.0.13",
 "description": "Track the list of actual paths of workspace packages in a cache",
 "keywords": [
 "pnpm",
diff --git a/workspace/workspace-manifest-writer/CHANGELOG.md b/workspace/workspace-manifest-writer/CHANGELOG.md
index dcf7855fcb..98470d7541 100644
--- a/workspace/workspace-manifest-writer/CHANGELOG.md
+++ b/workspace/workspace-manifest-writer/CHANGELOG.md
@@ -1,5 +1,11 @@
 # @pnpm/workspace.manifest-writer
+## 1100.0.8
+
+### Patch Changes
+
+- @pnpm/lockfile.types@1100.0.6
+
 ## 1100.0.7
 ### Patch Changes
diff --git a/workspace/workspace-manifest-writer/package.json b/workspace/workspace-manifest-writer/package.json
index 5f460d4df5..f692806b7b 100644
--- a/workspace/workspace-manifest-writer/package.json
+++ b/workspace/workspace-manifest-writer/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@pnpm/workspace.workspace-manifest-writer",
- "version": "1100.0.7",
+ "version": "1100.0.8",
 "description": "Updates the workspace manifest file",
 "keywords": [
 "pnpm",