chore(release): 11.0.0-rc.3

deps/compliance/audit/CHANGELOG.md

@@ -1,5 +1,15 @@
 # @pnpm/audit
 
+## 1101.0.1
+
+### Patch Changes
+
+- @pnpm/lockfile.types@1100.0.2
+- @pnpm/lockfile.utils@1100.0.2
+- @pnpm/lockfile.detect-dep-types@1100.0.2
+- @pnpm/lockfile.fs@1100.0.2
+- @pnpm/lockfile.walker@1100.0.2
+
 ## 1101.0.0
 
 ### Major Changes

deps/compliance/audit/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.audit",
-  "version": "1101.0.0",
+  "version": "1101.0.1",
   "description": "Audit a lockfile",
   "keywords": [
     "pnpm",

deps/compliance/commands/CHANGELOG.md

@@ -1,5 +1,31 @@
 # @pnpm/deps.compliance.commands
 
+## 1101.1.0
+
+### Minor Changes
+
+- 390ee62: `pnpm audit --fix` now respects the `auditLevel` setting and supports a new interactive mode via `--interactive`/`-i`. Previously, `pnpm audit --fix` would fix all vulnerabilities regardless of the configured `auditLevel`, while `pnpm audit` (without `--fix`) correctly filtered by severity. Now both commands consistently filter advisories by the `auditLevel` setting, and you can use `pnpm audit --fix -i` to review and select which vulnerabilities to fix interactively.
+
+  Overrides emitted by `pnpm audit --fix` now use a caret range (`^X.Y.Z`) instead of an open-ended `>=X.Y.Z`, so applying a security fix can no longer silently promote a dependency across a major version boundary.
+
+### Patch Changes
+
+- 61952c2: `pnpm sbom` now detects licenses declared via the deprecated `licenses` array in `package.json` (e.g. `busboy`, `streamsearch`, `limiter`) and falls back to scanning on-disk `LICENSE` files — mirroring the resolution logic of `pnpm licenses`. Previously these packages were reported as `NOASSERTION`. Shared license resolution (manifest parsing + LICENSE-file fallback) lives in the new `@pnpm/deps.compliance.license-resolver` package. When a manifest sets both `license` and `licenses`, the modern `license` field now takes precedence for both commands (previously `pnpm licenses` preferred `licenses`) [#11248](https://github.com/pnpm/pnpm/issues/11248).
+- Updated dependencies [7d25bc1]
+- Updated dependencies [9e0833c]
+- Updated dependencies [61952c2]
+  - @pnpm/config.reader@1101.1.0
+  - @pnpm/deps.compliance.license-resolver@1100.0.0
+  - @pnpm/deps.compliance.sbom@1100.0.3
+  - @pnpm/deps.compliance.license-scanner@1100.0.3
+  - @pnpm/installing.commands@1100.1.1
+  - @pnpm/lockfile.types@1100.0.2
+  - @pnpm/lockfile.utils@1100.0.2
+  - @pnpm/deps.compliance.audit@1101.0.1
+  - @pnpm/lockfile.fs@1100.0.2
+  - @pnpm/lockfile.walker@1100.0.2
+  - @pnpm/config.writer@1100.0.2
+
 ## 1101.0.1
 
 ### Patch Changes

deps/compliance/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.commands",
-  "version": "1101.0.1",
+  "version": "1101.1.0",
   "description": "pnpm commands for audit, licenses, and sbom",
   "keywords": [
     "pnpm",

deps/compliance/license-resolver/CHANGELOG.md

@@ -0,0 +1,7 @@
+# @pnpm/deps.compliance.license-resolver
+
+## 1100.0.0
+
+### Minor Changes
+
+- 61952c2: `pnpm sbom` now detects licenses declared via the deprecated `licenses` array in `package.json` (e.g. `busboy`, `streamsearch`, `limiter`) and falls back to scanning on-disk `LICENSE` files — mirroring the resolution logic of `pnpm licenses`. Previously these packages were reported as `NOASSERTION`. Shared license resolution (manifest parsing + LICENSE-file fallback) lives in the new `@pnpm/deps.compliance.license-resolver` package. When a manifest sets both `license` and `licenses`, the modern `license` field now takes precedence for both commands (previously `pnpm licenses` preferred `licenses`) [#11248](https://github.com/pnpm/pnpm/issues/11248).

deps/compliance/license-resolver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.license-resolver",
-  "version": "1100.0.0-0",
+  "version": "1100.0.0",
   "description": "Resolve a package's license from its manifest or on-disk LICENSE file",
   "keywords": [
     "pnpm",

deps/compliance/license-scanner/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @pnpm/license-scanner
 
+## 1100.0.3
+
+### Patch Changes
+
+- 61952c2: `pnpm sbom` now detects licenses declared via the deprecated `licenses` array in `package.json` (e.g. `busboy`, `streamsearch`, `limiter`) and falls back to scanning on-disk `LICENSE` files — mirroring the resolution logic of `pnpm licenses`. Previously these packages were reported as `NOASSERTION`. Shared license resolution (manifest parsing + LICENSE-file fallback) lives in the new `@pnpm/deps.compliance.license-resolver` package. When a manifest sets both `license` and `licenses`, the modern `license` field now takes precedence for both commands (previously `pnpm licenses` preferred `licenses`) [#11248](https://github.com/pnpm/pnpm/issues/11248).
+- Updated dependencies [bcc88a1]
+- Updated dependencies [61952c2]
+  - @pnpm/store.pkg-finder@1100.0.3
+  - @pnpm/deps.compliance.license-resolver@1100.0.0
+  - @pnpm/lockfile.types@1100.0.2
+  - @pnpm/lockfile.utils@1100.0.2
+  - @pnpm/lockfile.detect-dep-types@1100.0.2
+  - @pnpm/lockfile.fs@1100.0.2
+  - @pnpm/lockfile.walker@1100.0.2
+
 ## 1100.0.2
 
 ### Patch Changes

deps/compliance/license-scanner/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.license-scanner",
-  "version": "1100.0.2",
+  "version": "1100.0.3",
   "description": "Check for licenses packages",
   "keywords": [
     "pnpm",

deps/compliance/sbom/CHANGELOG.md

@@ -1,5 +1,19 @@
 # @pnpm/deps.compliance.sbom
 
+## 1100.0.3
+
+### Patch Changes
+
+- 61952c2: `pnpm sbom` now detects licenses declared via the deprecated `licenses` array in `package.json` (e.g. `busboy`, `streamsearch`, `limiter`) and falls back to scanning on-disk `LICENSE` files — mirroring the resolution logic of `pnpm licenses`. Previously these packages were reported as `NOASSERTION`. Shared license resolution (manifest parsing + LICENSE-file fallback) lives in the new `@pnpm/deps.compliance.license-resolver` package. When a manifest sets both `license` and `licenses`, the modern `license` field now takes precedence for both commands (previously `pnpm licenses` preferred `licenses`) [#11248](https://github.com/pnpm/pnpm/issues/11248).
+- Updated dependencies [bcc88a1]
+- Updated dependencies [61952c2]
+  - @pnpm/store.pkg-finder@1100.0.3
+  - @pnpm/deps.compliance.license-resolver@1100.0.0
+  - @pnpm/lockfile.types@1100.0.2
+  - @pnpm/lockfile.utils@1100.0.2
+  - @pnpm/lockfile.detect-dep-types@1100.0.2
+  - @pnpm/lockfile.walker@1100.0.2
+
 ## 1100.0.2
 
 ### Patch Changes

deps/compliance/sbom/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.compliance.sbom",
-  "version": "1100.0.2",
+  "version": "1100.0.3",
   "description": "Generate SBOM from pnpm lockfile",
   "keywords": [
     "pnpm",

deps/graph-builder/CHANGELOG.md

@@ -1,5 +1,17 @@
 # @pnpm/deps.graph-builder
 
+## 1100.0.2
+
+### Patch Changes
+
+- 72c1e05: Fix: different platform variants of the same runtime (e.g. `node@runtime:25.9.0` glibc vs. musl) no longer share a single global-virtual-store entry. The virtual store path now incorporates the selected variant's integrity, so installs with different `--os`/`--cpu`/`--libc` end up in separate directories and `pnpm add --libc=musl node@runtime:<v>` reliably fetches the musl binary even when the glibc variant is already cached.
+- Updated dependencies [72c1e05]
+  - @pnpm/deps.graph-hasher@1100.1.0
+  - @pnpm/hooks.types@1100.0.2
+  - @pnpm/lockfile.utils@1100.0.2
+  - @pnpm/store.controller-types@1100.0.2
+  - @pnpm/lockfile.fs@1100.0.2
+
 ## 1100.0.1
 
 ### Patch Changes

deps/graph-builder/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.graph-builder",
-  "version": "1100.0.1",
+  "version": "1100.0.2",
   "description": "A package for building a dependency graph from a lockfile",
   "keywords": [
     "pnpm",

deps/graph-hasher/CHANGELOG.md

@@ -1,5 +1,18 @@
 # @pnpm/calc-dep-state
 
+## 1100.1.0
+
+### Minor Changes
+
+- 72c1e05: Fix: different platform variants of the same runtime (e.g. `node@runtime:25.9.0` glibc vs. musl) no longer share a single global-virtual-store entry. The virtual store path now incorporates the selected variant's integrity, so installs with different `--os`/`--cpu`/`--libc` end up in separate directories and `pnpm add --libc=musl node@runtime:<v>` reliably fetches the musl binary even when the glibc variant is already cached.
+
+### Patch Changes
+
+- Updated dependencies [72c1e05]
+  - @pnpm/resolving.resolver-base@1100.1.0
+  - @pnpm/lockfile.types@1100.0.2
+  - @pnpm/lockfile.utils@1100.0.2
+
 ## 1100.0.1
 
 ### Patch Changes

deps/graph-hasher/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.graph-hasher",
-  "version": "1100.0.1",
+  "version": "1100.1.0",
   "description": "Calculates the state of a dependency",
   "keywords": [
     "pnpm",

deps/inspection/commands/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @pnpm/deps.inspection.commands
 
+## 1100.1.2
+
+### Patch Changes
+
+- Updated dependencies [7d25bc1]
+- Updated dependencies [9e0833c]
+  - @pnpm/config.reader@1101.1.0
+  - @pnpm/resolving.npm-resolver@1100.1.0
+  - @pnpm/deps.inspection.outdated@1100.0.3
+  - @pnpm/global.commands@1100.0.3
+  - @pnpm/resolving.default-resolver@1100.0.3
+  - @pnpm/lockfile.fs@1100.0.2
+  - @pnpm/deps.inspection.list@1100.0.3
+  - @pnpm/deps.inspection.peers-checker@1100.0.2
+
 ## 1100.1.1
 
 ### Patch Changes

deps/inspection/commands/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.commands",
-  "version": "1100.1.1",
+  "version": "1100.1.2",
   "description": "The list, ll, why, and outdated commands of pnpm",
   "keywords": [
     "pnpm",

deps/inspection/list/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/list
 
+## 1100.0.3
+
+### Patch Changes
+
+- @pnpm/lockfile.fs@1100.0.2
+- @pnpm/deps.inspection.tree-builder@1100.0.2
+
 ## 1100.0.2
 
 ### Patch Changes

deps/inspection/list/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.list",
-  "version": "1100.0.2",
+  "version": "1100.0.3",
   "description": "List installed packages in a symlinked `node_modules`",
   "keywords": [
     "pnpm",

deps/inspection/outdated/CHANGELOG.md

@@ -1,5 +1,16 @@
 # @pnpm/outdated
 
+## 1100.0.3
+
+### Patch Changes
+
+- 9e0833c: Added a new setting `minimumReleaseAgeIgnoreMissingTime`, which is `true` by default. When enabled, pnpm skips the `minimumReleaseAge` maturity check if the registry metadata does not include the `time` field. Set to `false` to fail resolution instead.
+- Updated dependencies [9e0833c]
+  - @pnpm/resolving.npm-resolver@1100.1.0
+  - @pnpm/installing.client@1100.0.3
+  - @pnpm/lockfile.utils@1100.0.2
+  - @pnpm/lockfile.fs@1100.0.2
+
 ## 1100.0.2
 
 ### Patch Changes

deps/inspection/outdated/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.outdated",
-  "version": "1100.0.2",
+  "version": "1100.0.3",
   "description": "Check for outdated packages",
   "keywords": [
     "pnpm",

deps/inspection/peers-checker/CHANGELOG.md

@@ -1,5 +1,12 @@
 # @pnpm/deps.inspection.peers-checker
 
+## 1100.0.2
+
+### Patch Changes
+
+- @pnpm/lockfile.fs@1100.0.2
+- @pnpm/lockfile.walker@1100.0.2
+
 ## 1100.0.1
 
 ### Patch Changes

deps/inspection/peers-checker/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.peers-checker",
-  "version": "1100.0.1",
+  "version": "1100.0.2",
   "description": "Check for unmet and missing peer dependency issues from the lockfile",
   "keywords": [
     "pnpm",

deps/inspection/tree-builder/CHANGELOG.md

@@ -1,5 +1,14 @@
 # @pnpm/reviewing.dependencies-hierarchy
 
+## 1100.0.2
+
+### Patch Changes
+
+- @pnpm/lockfile.utils@1100.0.2
+- @pnpm/store.cafs@1100.0.2
+- @pnpm/lockfile.detect-dep-types@1100.0.2
+- @pnpm/lockfile.fs@1100.0.2
+
 ## 1100.0.1
 
 ### Patch Changes

deps/inspection/tree-builder/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.inspection.tree-builder",
-  "version": "1100.0.1",
+  "version": "1100.0.2",
   "description": "Creates a dependencies hierarchy for a symlinked `node_modules`",
   "keywords": [
     "pnpm",

deps/status/CHANGELOG.md

@@ -1,5 +1,20 @@
 # @pnpm/deps.status
 
+## 1100.0.3
+
+### Patch Changes
+
+- Updated dependencies [7d25bc1]
+- Updated dependencies [72c1e05]
+- Updated dependencies [9e0833c]
+  - @pnpm/config.reader@1101.1.0
+  - @pnpm/resolving.resolver-base@1100.1.0
+  - @pnpm/workspace.state@1100.0.3
+  - @pnpm/installing.context@1100.0.2
+  - @pnpm/lockfile.verification@1100.0.2
+  - @pnpm/lockfile.fs@1100.0.2
+  - @pnpm/lockfile.settings-checker@1100.0.2
+
 ## 1100.0.2
 
 ### Patch Changes

deps/status/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/deps.status",
-  "version": "1100.0.2",
+  "version": "1100.0.3",
   "description": "Check dependencies status",
   "keywords": [
     "pnpm",