chore(release): 11.3.0 (#11894)

.changeset-released/new-release.txt

@@ -0,0 +1,10 @@
+dlx-fall-back-to-alias-when-manifest-missing
+fix-cyclic-peer-determinism
+fix-unaliased-deps-dropped-from-manifest
+native-pkg-command
+native-repo-command
+native-set-script-command
+prune-env-lockfile-on-config-dep-update
+skip-manifest-obfuscation-opt-in
+stage-publish
+trust-lockfile-and-verifier-memory

.changeset/dlx-fall-back-to-alias-when-manifest-missing.md

@@ -1,6 +0,0 @@
----
-"@pnpm/exec.commands": patch
-pnpm: patch
----
-
-Fixed `pnpm dlx` failing with `ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND` when the installed package's CAS slot is missing its `package.json`. Observed in the wild for `pnpm dlx node@runtime:<version>` when the GVS slot was populated without the synthesized manifest runtime archives need (they don't ship a `package.json` of their own, so the synthesized one is the only way it gets there; an existing slot from an earlier code path that skipped the synthesis stays incomplete). The bin link itself is wired up from the resolution and remains valid, so `dlx` now falls back to the scopeless package name when the slot's manifest is unreadable — for single-bin packages (the dlx common case, including every `runtime:` spec) this matches what `manifest.bin` would have named. Multi-bin packages already require `--package=<spec> <bin>` to disambiguate and don't enter this code path.

.changeset/fix-cyclic-peer-determinism.md

@@ -1,6 +0,0 @@
----
-"@pnpm/installing.deps-resolver": patch
-pnpm: patch
----
-
-Fixed non-determinism in `pnpm dedupe` and `pnpm install` when a dependency graph contains packages with transitive peer dependencies on each other (e.g. `@aws-sdk/client-sts` and `@aws-sdk/client-sso-oidc`) and `auto-install-peers` is enabled. The lockfile no longer flips between two equally-valid forms across consecutive runs. The root cause was that `resolveDependencies` pushed onto its `pkgAddresses` / `postponedResolutionsQueue` arrays from inside `Promise.all`-spawned callbacks, so completion-order timing leaked into the array order and downstream cyclic-peer suffix assignment. Fixes [#8155](https://github.com/pnpm/pnpm/issues/8155).

.changeset/fix-unaliased-deps-dropped-from-manifest.md

@@ -1,6 +0,0 @@
----
-"@pnpm/installing.deps-resolver": patch
-"pnpm": patch
----
-
-Fixed a regression introduced by [#11711](https://github.com/pnpm/pnpm/pull/11711) where `pnpm add <github-shorthand>` (and any other wanted-dependency whose alias can't be parsed from the user-supplied spec, e.g. tarball URLs or `pnpm/test-git-fetch#sha`) was silently dropped from the manifest update and from `pendingBuilds`. The alias-keyed lookup added in that PR couldn't find a `wantedDependency` whose `alias` was `undefined` at parse time but resolved to a package name only after fetching, so the entry never made it into `specsToUpsert`. Restored the original index-based pairing between `directDependencies` and `wantedDependencies`; the catalog-protocol preservation that PR was originally fixing is unaffected because it's driven by `rdd.catalogLookup.userSpecifiedBareSpecifier`, not by the lookup. Fixes the three `rebuilds dependencies` / `rebuilds specific dependencies` / `rebuild with pending option` failures in `building/commands/test/build/index.ts`.

.changeset/native-pkg-command.md

@@ -1,8 +0,0 @@
----
-"@pnpm/object.property-path": minor
-"@pnpm/pkg-manifest.commands": minor
-"@pnpm/workspace.project-manifest-reader": patch
-"pnpm": minor
----
-
-Implement `pnpm pkg` command natively, following `npm pkg` standards.

.changeset/native-repo-command.md

@@ -1,6 +0,0 @@
----
-"@pnpm/deps.inspection.commands": minor
-"pnpm": minor
----
-
-Implement `pnpm repo` command natively, following `npm repo` standards.

.changeset/native-set-script-command.md

@@ -1,6 +0,0 @@
----
-"@pnpm/pkg-manifest.commands": minor
-"pnpm": minor
----
-
-Implements `pnpm set-script` (alias `ss`) natively. Adds or updates an entry in the `scripts` field of the project manifest, supporting `package.json`, `package.json5`, and `package.yaml` formats.

.changeset/prune-env-lockfile-on-config-dep-update.md

@@ -1,6 +0,0 @@
----
-"@pnpm/installing.env-installer": patch
-"pnpm": patch
----
-
-Fixed `pnpm add --config` leaving orphan entries in `pnpm-lock.env.yaml` (the optional subdependencies of the previously resolved version of the updated config dependency).

.changeset/skip-manifest-obfuscation-opt-in.md

@@ -1,8 +0,0 @@
----
-"@pnpm/releasing.commands": minor
-"@pnpm/releasing.exportable-manifest": minor
-"@pnpm/config.reader": minor
-"pnpm": minor
----
-
-Add a `skip-manifest-obfuscation` option for `pnpm pack` and `pnpm publish`. When enabled, the original `packageManager` field and publish lifecycle scripts are kept in the packed/published manifest instead of being stripped. The pnpm-specific `pnpm` field continues to be omitted.

.changeset/stage-publish.md

@@ -1,6 +0,0 @@
----
-"@pnpm/releasing.commands": minor
-"pnpm": minor
----
-
-Added `pnpm stage` with `publish`, `list`, `view`, `approve`, `reject`, and `download` subcommands for npm staged publishing.

.changeset/trust-lockfile-and-verifier-memory.md

@@ -1,11 +0,0 @@
----
-"@pnpm/config": minor
-"@pnpm/installing.deps-installer": minor
-"@pnpm/installing.commands": minor
-"@pnpm/resolving.npm-resolver": patch
-"pnpm": minor
----
-
-Added a new setting `trustLockfile`. When `true`, `pnpm install` skips the supply-chain verification pass that re-applies `minimumReleaseAge` / `trustPolicy='no-downgrade'` to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where every commit comes from a trusted author, or for CI runs against an already-verified lockfile. Defaults to `false`; verification stays on by default. Set in `pnpm-workspace.yaml`.
-
-Also cut the memory footprint of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument — dependency graphs, scripts, README, and per-version manifests — for the entire install. On large workspaces (`~4k` lockfile entries with `minimumReleaseAge` + `trustPolicy: no-downgrade` enabled) this could OOM CI runners with a 2GB heap cap. The cache now stores only the fields the trust check actually reads (`time`, per-version `_npmUser.trustedPublisher`, `dist.attestations.provenance`). The abbreviated-metadata cache is similarly projected to just the package-level `modified` field and the set of currently-listed version names. Fixes [#11860](https://github.com/pnpm/pnpm/issues/11860).

.meta-updater/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm-private/updater
 
+## 1100.0.14
+
+### Patch Changes
+
+- @pnpm/workspace.projects-reader@1101.0.7
+
 ## 1100.0.13
 
 ### Patch Changes

.meta-updater/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm-private/updater",
-  "version": "1100.0.13",
+  "version": "1100.0.14",
   "private": true,
   "type": "module",
   "scripts": {

__utils__/scripts/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/scripts
 
+## 1100.0.10
+
+### Patch Changes
+
+- @pnpm/workspace.projects-reader@1101.0.7
+
 ## 1100.0.9
 
 ### Patch Changes

__utils__/scripts/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/scripts",
-  "version": "1100.0.9",
+  "version": "1100.0.10",
   "private": true,
   "type": "module",
   "scripts": {

agent/server/CHANGELOG.md

@@ -1,5 +1,14 @@
 # pnpm-agent
 
+## 0.0.18
+
+### Patch Changes
+
+- Updated dependencies [212315d]
+  - @pnpm/installing.deps-installer@1101.4.0
+  - @pnpm/installing.client@1100.2.2
+  - @pnpm/store.controller@1101.0.8
+
 ## 0.0.17
 
 ### Patch Changes

agent/server/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pnpm-agent",
-  "version": "0.0.17",
+  "version": "0.0.18",
   "description": "pnpm agent server for server-side resolution and store-aware downloads",
   "keywords": [
     "pnpm",

auth/commands/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/auth.commands
 
+## 1100.1.1
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/cli.utils@1101.0.7
+
 ## 1100.1.0
 
 ### Minor Changes

auth/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/auth.commands",
-  "version": "1100.1.0",
+  "version": "1100.1.1",
   "description": "Commands for authentication with npm registries",
   "keywords": [
     "pnpm",

bins/linker/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/link-bins
 
+## 1100.0.9
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+
 ## 1100.0.8
 
 ### Patch Changes

bins/linker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/bins.linker",
-  "version": "1100.0.8",
+  "version": "1100.0.9",
   "description": "Link bins to node_modules/.bin",
   "keywords": [
     "pnpm",

building/after-install/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @pnpm/building.after-install
 
+## 1101.0.16
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/bins.linker@1100.0.9
+  - @pnpm/store.connection-manager@1100.2.3
+  - @pnpm/exec.lifecycle@1100.0.13
+
 ## 1101.0.15
 
 ### Patch Changes

building/after-install/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/building.after-install",
-  "version": "1101.0.15",
+  "version": "1101.0.16",
   "description": "Rebuild packages that are already installed by running their lifecycle scripts",
   "keywords": [
     "pnpm",

building/commands/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/building.commands
 
+## 1100.0.22
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/installing.commands@1100.5.0
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/building.after-install@1101.0.16
+  - @pnpm/store.connection-manager@1100.2.3
+
 ## 1100.0.21
 
 ### Patch Changes

building/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/building.commands",
-  "version": "1100.0.21",
+  "version": "1100.0.22",
   "description": "Commands for rebuilding and managing dependency builds",
   "keywords": [
     "pnpm",

building/during-install/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @pnpm/building.during-install
 
+## 1101.0.13
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/bins.linker@1100.0.9
+  - @pnpm/exec.lifecycle@1100.0.13
+
 ## 1101.0.12
 
 ### Patch Changes

building/during-install/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/building.during-install",
-  "version": "1101.0.12",
+  "version": "1101.0.13",
   "description": "Build packages in node_modules",
   "keywords": [
     "pnpm",

cache/api/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/cache.api
 
+## 1100.0.16
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/resolving.npm-resolver@1101.3.2
+
 ## 1100.0.15
 
 ### Patch Changes

cache/api/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cache.api",
-  "version": "1100.0.15",
+  "version": "1100.0.16",
   "description": "API for controlling the cache",
   "keywords": [
     "pnpm",

cache/commands/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @pnpm/cache.commands
 
+## 1100.0.17
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/cache.api@1100.0.16
+
 ## 1100.0.16
 
 ### Patch Changes

cache/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cache.commands",
-  "version": "1100.0.16",
+  "version": "1100.0.17",
   "description": "Commands for controlling the cache",
   "keywords": [
     "pnpm",

cli/commands/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @pnpm/cli.commands
 
+## 1100.0.15
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/workspace.projects-reader@1101.0.7
+
 ## 1100.0.14
 
 ### Patch Changes

cli/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cli.commands",
-  "version": "1100.0.14",
+  "version": "1100.0.15",
   "description": "Commands for pnpm CLI",
   "keywords": [
     "pnpm",

cli/default-reporter/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/default-reporter
 
+## 1100.2.2
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+
 ## 1100.2.1
 
 ### Patch Changes

cli/default-reporter/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cli.default-reporter",
-  "version": "1100.2.1",
+  "version": "1100.2.2",
   "description": "The default reporter of pnpm",
   "keywords": [
     "pnpm",

cli/utils/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/cli-utils
 
+## 1101.0.7
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+
 ## 1101.0.6
 
 ### Patch Changes

cli/utils/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/cli.utils",
-  "version": "1101.0.6",
+  "version": "1101.0.7",
   "description": "Utils for pnpm commands",
   "keywords": [
     "pnpm",

config/commands/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/plugin-commands-config
 
+## 1100.0.16
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/object.property-path@1100.1.0
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/workspace.workspace-manifest-writer@1100.0.9
+
 ## 1100.0.15
 
 ### Patch Changes

config/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/config.commands",
-  "version": "1100.0.15",
+  "version": "1100.0.16",
   "description": "Commands for reading and writing settings to/from config files",
   "keywords": [
     "pnpm",

config/reader/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @pnpm/config
 
+## 1101.4.0
+
+### Minor Changes
+
+- 3b62f9d: Add a `skip-manifest-obfuscation` option for `pnpm pack` and `pnpm publish`. When enabled, the original `packageManager` field and publish lifecycle scripts are kept in the packed/published manifest instead of being stripped. The pnpm-specific `pnpm` field continues to be omitted.
+- 212315d: Added a new setting `trustLockfile`. When `true`, `pnpm install` skips the supply-chain verification pass that re-applies `minimumReleaseAge` / `trustPolicy='no-downgrade'` to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where every commit comes from a trusted author, or for CI runs against an already-verified lockfile. Defaults to `false`; verification stays on by default. Set in `pnpm-workspace.yaml`.
+
+  Also cut the memory footprint of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument — dependency graphs, scripts, README, and per-version manifests — for the entire install. On large workspaces (`~4k` lockfile entries with `minimumReleaseAge` + `trustPolicy: no-downgrade` enabled) this could OOM CI runners with a 2GB heap cap. The cache now stores only the fields the trust check actually reads (`time`, per-version `_npmUser.trustedPublisher`, `dist.attestations.provenance`). The abbreviated-metadata cache is similarly projected to just the package-level `modified` field and the set of currently-listed version names. Fixes [#11860](https://github.com/pnpm/pnpm/issues/11860).
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+
 ## 1101.3.3
 
 ### Patch Changes

config/reader/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/config.reader",
-  "version": "1101.3.3",
+  "version": "1101.4.0",
   "description": "Gets configuration options for pnpm",
   "keywords": [
     "pnpm",

deps/compliance/commands/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @pnpm/deps.compliance.commands
 
+## 1101.2.7
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/installing.commands@1100.5.0
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/deps.compliance.license-scanner@1100.0.14
+  - @pnpm/deps.compliance.sbom@1100.1.4
+
 ## 1101.2.6
 
 ### Patch Changes

deps/compliance/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.commands",
-  "version": "1101.2.6",
+  "version": "1101.2.7",
   "description": "pnpm commands for audit, licenses, and sbom",
   "keywords": [
     "pnpm",

deps/compliance/license-scanner/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/license-scanner
 
+## 1100.0.14
+
+### Patch Changes
+
+- @pnpm/store.pkg-finder@1100.0.12
+
 ## 1100.0.13
 
 ### Patch Changes

deps/compliance/license-scanner/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.license-scanner",
-  "version": "1100.0.13",
+  "version": "1100.0.14",
   "description": "Check for licenses packages",
   "keywords": [
     "pnpm",

deps/compliance/sbom/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/deps.compliance.sbom
 
+## 1100.1.4
+
+### Patch Changes
+
+- @pnpm/store.pkg-finder@1100.0.12
+
 ## 1100.1.3
 
 ### Patch Changes

deps/compliance/sbom/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.sbom",
-  "version": "1100.1.3",
+  "version": "1100.1.4",
   "description": "Generate SBOM from pnpm lockfile",
   "keywords": [
     "pnpm",

deps/inspection/commands/CHANGELOG.md

@@ -1,5 +1,23 @@
 # @pnpm/deps.inspection.commands
 
+## 1100.3.0
+
+### Minor Changes
+
+- 22cb743: Implement `pnpm repo` command natively, following `npm repo` standards.
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/resolving.npm-resolver@1101.3.2
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/deps.inspection.list@1100.0.13
+  - @pnpm/global.commands@1100.0.21
+  - @pnpm/deps.inspection.outdated@1100.1.2
+  - @pnpm/resolving.default-resolver@1100.3.2
+
 ## 1100.2.5
 
 ### Patch Changes

deps/inspection/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.commands",
-  "version": "1100.2.5",
+  "version": "1100.3.0",
   "description": "The list, ll, why, and outdated commands of pnpm",
   "keywords": [
     "pnpm",

deps/inspection/list/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/list
 
+## 1100.0.13
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+
 ## 1100.0.12
 
 ### Patch Changes

deps/inspection/list/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.list",
-  "version": "1100.0.12",
+  "version": "1100.0.13",
   "description": "List installed packages in a symlinked `node_modules`",
   "keywords": [
     "pnpm",

deps/inspection/outdated/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/outdated
 
+## 1100.1.2
+
+### Patch Changes
+
+- Updated dependencies [212315d]
+  - @pnpm/resolving.npm-resolver@1101.3.2
+  - @pnpm/installing.client@1100.2.2
+
 ## 1100.1.1
 
 ### Patch Changes

deps/inspection/outdated/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.outdated",
-  "version": "1100.1.1",
+  "version": "1100.1.2",
   "description": "Check for outdated packages",
   "keywords": [
     "pnpm",

deps/status/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @pnpm/deps.status
 
+## 1100.0.18
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/workspace.projects-reader@1101.0.7
+  - @pnpm/workspace.state@1100.0.15
+
 ## 1100.0.17
 
 ### Patch Changes

deps/status/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.status",
-  "version": "1100.0.17",
+  "version": "1100.0.18",
   "description": "Check dependencies status",
   "keywords": [
     "pnpm",

engine/pm/commands/CHANGELOG.md

@@ -1,5 +1,25 @@
 # @pnpm/engine.pm.commands
 
+## 1101.1.16
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+- Updated dependencies [155af87]
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+  - @pnpm/installing.env-installer@1101.1.2
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/resolving.npm-resolver@1101.3.2
+  - @pnpm/bins.linker@1100.0.9
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/installing.deps-restorer@1101.1.5
+  - @pnpm/global.commands@1100.0.21
+  - @pnpm/store.connection-manager@1100.2.3
+  - @pnpm/installing.client@1100.2.2
+  - @pnpm/store.controller@1101.0.8
+
 ## 1101.1.15
 
 ### Patch Changes

engine/pm/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.pm.commands",
-  "version": "1101.1.15",
+  "version": "1101.1.16",
   "description": "pnpm commands for self-updating and setting up pnpm",
   "keywords": [
     "pnpm",

engine/runtime/bun-resolver/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/resolving.bun-resolver
 
+## 1101.1.2
+
+### Patch Changes
+
+- Updated dependencies [212315d]
+  - @pnpm/resolving.npm-resolver@1101.3.2
+
 ## 1101.1.1
 
 ### Patch Changes

engine/runtime/bun-resolver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.runtime.bun-resolver",
-  "version": "1101.1.1",
+  "version": "1101.1.2",
   "description": "Resolves the Bun runtime",
   "keywords": [
     "pnpm",

engine/runtime/commands/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @pnpm/engine.runtime.commands
 
+## 1100.0.17
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/engine.runtime.node-resolver@1101.1.1
+
 ## 1100.0.16
 
 ### Patch Changes

engine/runtime/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.runtime.commands",
-  "version": "1100.0.16",
+  "version": "1100.0.17",
   "description": "pnpm commands for managing runtimes",
   "keywords": [
     "pnpm",

engine/runtime/deno-resolver/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/resolving.deno-resolver
 
+## 1101.1.2
+
+### Patch Changes
+
+- Updated dependencies [212315d]
+  - @pnpm/resolving.npm-resolver@1101.3.2
+
 ## 1101.1.1
 
 ### Patch Changes

engine/runtime/deno-resolver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.runtime.deno-resolver",
-  "version": "1101.1.1",
+  "version": "1101.1.2",
   "description": "Resolves the Deno runtime",
   "keywords": [
     "pnpm",

engine/runtime/node-resolver/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/node.resolver
 
+## 1101.1.1
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+
 ## 1101.1.0
 
 ### Minor Changes

engine/runtime/node-resolver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/engine.runtime.node-resolver",
-  "version": "1101.1.0",
+  "version": "1101.1.1",
   "description": "Resolves a Node.js version specifier to an exact Node.js version",
   "keywords": [
     "pnpm",

exec/commands/CHANGELOG.md

@@ -1,5 +1,24 @@
 # @pnpm/plugin-commands-script-runners
 
+## 1100.1.12
+
+### Patch Changes
+
+- 3d14385: Fixed `pnpm dlx` failing with `ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND` when the installed package's CAS slot is missing its `package.json`. Observed in the wild for `pnpm dlx node@runtime:<version>` when the GVS slot was populated without the synthesized manifest runtime archives need (they don't ship a `package.json` of their own, so the synthesized one is the only way it gets there; an existing slot from an earlier code path that skipped the synthesis stays incomplete). The bin link itself is wired up from the resolution and remains valid, so `dlx` now falls back to the scopeless package name when the slot's manifest is unreadable — for single-bin packages (the dlx common case, including every `runtime:` spec) this matches what `manifest.bin` would have named. Multi-bin packages already require `--package=<spec> <bin>` to disambiguate and don't enter this code path.
+- Updated dependencies [d7da112]
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/installing.commands@1100.5.0
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/building.commands@1100.0.22
+  - @pnpm/deps.status@1100.0.18
+  - @pnpm/engine.runtime.commands@1100.0.17
+  - @pnpm/installing.client@1100.2.2
+  - @pnpm/exec.lifecycle@1100.0.13
+  - @pnpm/workspace.injected-deps-syncer@1100.0.14
+
 ## 1100.1.11
 
 ### Patch Changes

exec/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/exec.commands",
-  "version": "1100.1.11",
+  "version": "1100.1.12",
   "description": "Commands for running scripts",
   "keywords": [
     "pnpm",

exec/lifecycle/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/lifecycle
 
+## 1100.0.13
+
+### Patch Changes
+
+- @pnpm/bins.linker@1100.0.9
+- @pnpm/fetching.directory-fetcher@1100.0.12
+
 ## 1100.0.12
 
 ### Patch Changes

exec/lifecycle/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/exec.lifecycle",
-  "version": "1100.0.12",
+  "version": "1100.0.13",
   "description": "Package lifecycle hook runner",
   "keywords": [
     "pnpm",

exec/prepare-package/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/prepare-package
 
+## 1100.0.13
+
+### Patch Changes
+
+- @pnpm/exec.lifecycle@1100.0.13
+
 ## 1100.0.12
 
 ### Patch Changes

exec/prepare-package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/exec.prepare-package",
-  "version": "1100.0.12",
+  "version": "1100.0.13",
   "description": "Prepares a Git-hosted package",
   "keywords": [
     "pnpm",

fetching/directory-fetcher/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/directory-fetcher
 
+## 1100.0.12
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+
 ## 1100.0.11
 
 ### Patch Changes

fetching/directory-fetcher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/fetching.directory-fetcher",
-  "version": "1100.0.11",
+  "version": "1100.0.12",
   "description": "A fetcher for local directory packages",
   "keywords": [
     "pnpm",

fetching/git-fetcher/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/git-fetcher
 
+## 1101.0.9
+
+### Patch Changes
+
+- @pnpm/exec.prepare-package@1100.0.13
+
 ## 1101.0.8
 
 ### Patch Changes

fetching/git-fetcher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/fetching.git-fetcher",
-  "version": "1101.0.8",
+  "version": "1101.0.9",
   "description": "A fetcher for git-hosted packages",
   "keywords": [
     "pnpm",

fetching/tarball-fetcher/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/tarball-fetcher
 
+## 1101.0.10
+
+### Patch Changes
+
+- @pnpm/exec.prepare-package@1100.0.13
+
 ## 1101.0.9
 
 ### Patch Changes

fetching/tarball-fetcher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/fetching.tarball-fetcher",
-  "version": "1101.0.9",
+  "version": "1101.0.10",
   "description": "Fetcher for packages hosted as tarballs",
   "keywords": [
     "pnpm",

global/commands/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @pnpm/global.commands
 
+## 1100.0.21
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/installing.deps-installer@1101.4.0
+  - @pnpm/bins.linker@1100.0.9
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/deps.inspection.list@1100.0.13
+  - @pnpm/store.connection-manager@1100.2.3
+
 ## 1100.0.20
 
 ### Patch Changes

global/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/global.commands",
-  "version": "1100.0.20",
+  "version": "1100.0.21",
   "description": "Global package command handlers for pnpm",
   "keywords": [
     "pnpm",

installing/client/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/client
 
+## 1100.2.2
+
+### Patch Changes
+
+- Updated dependencies [212315d]
+  - @pnpm/resolving.npm-resolver@1101.3.2
+  - @pnpm/fetching.directory-fetcher@1100.0.12
+  - @pnpm/engine.runtime.node-resolver@1101.1.1
+  - @pnpm/resolving.default-resolver@1100.3.2
+  - @pnpm/fetching.git-fetcher@1101.0.9
+  - @pnpm/fetching.tarball-fetcher@1101.0.10
+
 ## 1100.2.1
 
 ### Patch Changes

installing/client/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/installing.client",
-  "version": "1100.2.1",
+  "version": "1100.2.2",
   "description": "Creates the package resolve and fetch functions",
   "keywords": [
     "pnpm",

installing/commands/CHANGELOG.md

@@ -1,5 +1,37 @@
 # @pnpm/plugin-commands-installation
 
+## 1100.5.0
+
+### Minor Changes
+
+- 212315d: Added a new setting `trustLockfile`. When `true`, `pnpm install` skips the supply-chain verification pass that re-applies `minimumReleaseAge` / `trustPolicy='no-downgrade'` to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where every commit comes from a trusted author, or for CI runs against an already-verified lockfile. Defaults to `false`; verification stays on by default. Set in `pnpm-workspace.yaml`.
+
+  Also cut the memory footprint of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument — dependency graphs, scripts, README, and per-version manifests — for the entire install. On large workspaces (`~4k` lockfile entries with `minimumReleaseAge` + `trustPolicy: no-downgrade` enabled) this could OOM CI runners with a 2GB heap cap. The cache now stores only the fields the trust check actually reads (`time`, per-version `_npmUser.trustedPublisher`, `dist.attestations.provenance`). The abbreviated-metadata cache is similarly projected to just the package-level `modified` field and the set of currently-listed version names. Fixes [#11860](https://github.com/pnpm/pnpm/issues/11860).
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+- Updated dependencies [155af87]
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+  - @pnpm/installing.env-installer@1101.1.2
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/installing.deps-installer@1101.4.0
+  - @pnpm/resolving.npm-resolver@1101.3.2
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/workspace.projects-reader@1101.0.7
+  - @pnpm/building.after-install@1101.0.16
+  - @pnpm/deps.status@1100.0.18
+  - @pnpm/global.commands@1100.0.21
+  - @pnpm/store.connection-manager@1100.2.3
+  - @pnpm/workspace.state@1100.0.15
+  - @pnpm/deps.inspection.outdated@1100.1.2
+  - @pnpm/workspace.projects-graph@1100.0.12
+  - @pnpm/workspace.projects-filter@1100.0.15
+  - @pnpm/workspace.workspace-manifest-writer@1100.0.9
+  - @pnpm/store.controller@1101.0.8
+
 ## 1100.4.2
 
 ### Patch Changes

installing/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/installing.commands",
-  "version": "1100.4.2",
+  "version": "1100.5.0",
   "description": "Commands for installation",
   "keywords": [
     "pnpm",

installing/deps-installer/CHANGELOG.md

@@ -1,5 +1,28 @@
 # @pnpm/core
 
+## 1101.4.0
+
+### Minor Changes
+
+- 212315d: Added a new setting `trustLockfile`. When `true`, `pnpm install` skips the supply-chain verification pass that re-applies `minimumReleaseAge` / `trustPolicy='no-downgrade'` to every entry in the loaded lockfile. The install treats the lockfile as already-trusted — useful for closed-source projects where every commit comes from a trusted author, or for CI runs against an already-verified lockfile. Defaults to `false`; verification stays on by default. Set in `pnpm-workspace.yaml`.
+
+  Also cut the memory footprint of the verification pass itself: the per-(registry, name) trust-meta cache previously retained the full packument — dependency graphs, scripts, README, and per-version manifests — for the entire install. On large workspaces (`~4k` lockfile entries with `minimumReleaseAge` + `trustPolicy: no-downgrade` enabled) this could OOM CI runners with a 2GB heap cap. The cache now stores only the fields the trust check actually reads (`time`, per-version `_npmUser.trustedPublisher`, `dist.attestations.provenance`). The abbreviated-metadata cache is similarly projected to just the package-level `modified` field and the set of currently-listed version names. Fixes [#11860](https://github.com/pnpm/pnpm/issues/11860).
+
+### Patch Changes
+
+- Updated dependencies [3422cec]
+- Updated dependencies [e0bd879]
+- Updated dependencies [d7da112]
+  - @pnpm/installing.deps-resolver@1100.1.3
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+  - @pnpm/bins.linker@1100.0.9
+  - @pnpm/installing.deps-restorer@1101.1.5
+  - @pnpm/building.after-install@1101.0.16
+  - @pnpm/building.during-install@1101.0.13
+  - @pnpm/exec.lifecycle@1100.0.13
+  - @pnpm/installing.linking.hoist@1100.0.9
+  - @pnpm/installing.package-requester@1101.0.8
+
 ## 1101.3.1
 
 ### Patch Changes

installing/deps-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/installing.deps-installer",
-  "version": "1101.3.1",
+  "version": "1101.4.0",
   "description": "Fast, disk space efficient installation engine",
   "keywords": [
     "pnpm",

installing/deps-resolver/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @pnpm/resolve-dependencies
 
+## 1100.1.3
+
+### Patch Changes
+
+- 3422cec: Fixed non-determinism in `pnpm dedupe` and `pnpm install` when a dependency graph contains packages with transitive peer dependencies on each other (e.g. `@aws-sdk/client-sts` and `@aws-sdk/client-sso-oidc`) and `auto-install-peers` is enabled. The lockfile no longer flips between two equally-valid forms across consecutive runs. The root cause was that `resolveDependencies` pushed onto its `pkgAddresses` / `postponedResolutionsQueue` arrays from inside `Promise.all`-spawned callbacks, so completion-order timing leaked into the array order and downstream cyclic-peer suffix assignment. Fixes [#8155](https://github.com/pnpm/pnpm/issues/8155).
+- e0bd879: Fixed a regression introduced by [#11711](https://github.com/pnpm/pnpm/pull/11711) where `pnpm add <github-shorthand>` (and any other wanted-dependency whose alias can't be parsed from the user-supplied spec, e.g. tarball URLs or `pnpm/test-git-fetch#sha`) was silently dropped from the manifest update and from `pendingBuilds`. The alias-keyed lookup added in that PR couldn't find a `wantedDependency` whose `alias` was `undefined` at parse time but resolved to a package name only after fetching, so the entry never made it into `specsToUpsert`. Restored the original index-based pairing between `directDependencies` and `wantedDependencies`; the catalog-protocol preservation that PR was originally fixing is unaffected because it's driven by `rdd.catalogLookup.userSpecifiedBareSpecifier`, not by the lookup. Fixes the three `rebuilds dependencies` / `rebuilds specific dependencies` / `rebuild with pending option` failures in `building/commands/test/build/index.ts`.
+- Updated dependencies [212315d]
+  - @pnpm/resolving.npm-resolver@1101.3.2
+  - @pnpm/fetching.pick-fetcher@1100.0.8
+
 ## 1100.1.2
 
 ### Patch Changes

installing/deps-resolver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/installing.deps-resolver",
-  "version": "1100.1.2",
+  "version": "1100.1.3",
   "description": "Resolves dependency graph of a package",
   "keywords": [
     "pnpm",

installing/deps-restorer/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/headless
 
+## 1101.1.5
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+  - @pnpm/bins.linker@1100.0.9
+  - @pnpm/building.during-install@1101.0.13
+  - @pnpm/exec.lifecycle@1100.0.13
+  - @pnpm/installing.linking.hoist@1100.0.9
+  - @pnpm/installing.package-requester@1101.0.8
+
 ## 1101.1.4
 
 ### Patch Changes

installing/deps-restorer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/installing.deps-restorer",
-  "version": "1101.1.4",
+  "version": "1101.1.5",
   "description": "Fast installation using only pnpm-lock.yaml",
   "keywords": [
     "pnpm",

installing/env-installer/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/config.deps-installer
 
+## 1101.1.2
+
+### Patch Changes
+
+- 155af87: Fixed `pnpm add --config` leaving orphan entries in `pnpm-lock.env.yaml` (the optional subdependencies of the previously resolved version of the updated config dependency).
+- Updated dependencies [3422cec]
+- Updated dependencies [e0bd879]
+- Updated dependencies [212315d]
+  - @pnpm/installing.deps-resolver@1100.1.3
+  - @pnpm/resolving.npm-resolver@1101.3.2
+  - @pnpm/store.controller@1101.0.8
+
 ## 1101.1.1
 
 ### Patch Changes

installing/env-installer/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/installing.env-installer",
-  "version": "1101.1.1",
+  "version": "1101.1.2",
   "description": "Installer for configurational dependencies",
   "keywords": [
     "pnpm",

installing/linking/hoist/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/hoist
 
+## 1100.0.9
+
+### Patch Changes
+
+- @pnpm/bins.linker@1100.0.9
+
 ## 1100.0.8
 
 ### Patch Changes

installing/linking/hoist/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/installing.linking.hoist",
-  "version": "1100.0.8",
+  "version": "1100.0.9",
   "description": "Hoists dependencies in a node_modules created by pnpm",
   "keywords": [
     "pnpm",

lockfile/make-dedicated-lockfile/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/make-dedicated-lockfile
 
+## 1100.0.13
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+- Updated dependencies [3b62f9d]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+  - @pnpm/releasing.exportable-manifest@1100.1.0
+
 ## 1100.0.12
 
 ### Patch Changes

lockfile/make-dedicated-lockfile/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/lockfile.make-dedicated-lockfile",
-  "version": "1100.0.12",
+  "version": "1100.0.13",
   "description": "Creates a dedicated lockfile for a subset of workspace projects",
   "keywords": [
     "pnpm",

modules-mounter/daemon/CHANGELOG.md

@@ -1,5 +1,13 @@
 # @pnpm/mount-modules
 
+## 1100.0.16
+
+### Patch Changes
+
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/config.reader@1101.4.0
+
 ## 1100.0.15
 
 ### Patch Changes

modules-mounter/daemon/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/modules-mounter.daemon",
-  "version": "1100.0.15",
+  "version": "1100.0.16",
   "description": "Mounts a node_modules directory with FUSE",
   "keywords": [
     "pnpm",

object/property-path/CHANGELOG.md

@@ -1,5 +1,11 @@
 # @pnpm/object.property-path
 
+## 1100.1.0
+
+### Minor Changes
+
+- d7da112: Implement `pnpm pkg` command natively, following `npm pkg` standards.
+
 ## 1001.0.0
 
 ### Major Changes

object/property-path/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/object.property-path",
-  "version": "1100.0.0",
+  "version": "1100.1.0",
   "description": "Basic library to manipulate object property path which includes dots and subscriptions",
   "keywords": [
     "pnpm",

patching/commands/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @pnpm/plugin-commands-patching
 
+## 1100.0.22
+
+### Patch Changes
+
+- Updated dependencies [d7da112]
+- Updated dependencies [3b62f9d]
+- Updated dependencies [212315d]
+  - @pnpm/workspace.project-manifest-reader@1100.0.8
+  - @pnpm/config.reader@1101.4.0
+  - @pnpm/installing.commands@1100.5.0
+  - @pnpm/cli.utils@1101.0.7
+  - @pnpm/store.connection-manager@1100.2.3
+  - @pnpm/fetching.pick-fetcher@1100.0.8
+
 ## 1100.0.21
 
 ### Patch Changes