* fix(security): harden build-approval artifact identities on v10
Port of pnpm/pnpm#12294 (commit bf1b731ee6) to release/10.
Package-name entries in onlyBuiltDependencies (and allowBuilds) no longer
approve lifecycle scripts for artifacts whose identity a name cannot pin:
git, git-hosted tarball, direct tarball, and local directory dependencies.
To approve such an artifact explicitly, use its peer-suffix-free lockfile
depPath as the key — the GIT_DEP_PREPARE_NOT_ALLOWED hint, pnpm
ignored-builds, and pnpm approve-builds print exactly that key.
- AllowBuild policy functions identify packages by DepPath instead of
caller-supplied name/version. Identity trust is derived from the depPath
shape: a registry-style depPath (name@semver) is a trusted identity.
- The trust is sound because lockfile entries are structurally checked
wherever they are materialized into fetchable resolutions
(pkgSnapshotToResolution) and before rebuild runs scripts: a
registry-style key backed by a git, directory, or git-hosted tarball
resolution is rejected with ERR_PNPM_RESOLUTION_SHAPE_MISMATCH.
- preparePackage requires a pkgResolutionId and gates on the synthesized
name@<resolution id> depPath; scp-style git URLs are normalized to
ssh:// form in resolution ids and the git fetcher reuses
createGitHostedPkgId from the resolver.
- isGitHostedTarballUrl matches case-insensitively and is shared from
@pnpm/lockfile.utils; new removePeersSuffix() in @pnpm/dependency-path
and allowBuildKeyFromIgnoredBuild() in @pnpm/builder.policy.
- pnpm rebuild and approve-builds accept depPath specs for selecting and
approving artifact builds; installs rebuild ignored builds approved by
depPath keys.
- shell-quote is overridden to 1.8.4 (GHSA-w7jw-789q-3m8p /
CVE-2026-9277).
Differences from main: v10 has no lockfile resolution verifier, so the
structural pass lives in pkgSnapshotToResolution and the rebuild loop; the
AllowBuild policy keeps v10's boolean return; the revoked-approval
detection and global-virtual-store hash changes have no v10 counterpart.
* test: serve the direct-tarball fixture from an off-registry origin
The registry mock binds only localhost, so a hard-coded 127.0.0.1 URL is
refused in CI, and a tarball URL on the registry's own origin resolves as
a registry package, which defeats the direct-tarball identity the test
needs. An in-test HTTP server redirecting to the mock provides a separate
origin whose binding the test controls.
* test: approve the git-protocol licenses fixture by its depPath
A git-hosted artifact has an untrusted package identity, so the
ajv-keywords build has to be approved by its depPath. Pin the fixture to
the commit the depPath names.
* fix(run): fail when no packages have script in filtered recursive run
Previously, `pnpm run -r <script>` and `pnpm run --filter <filter> <script>`
would silently succeed with exit code 0 when no packages had the specified
script, as long as a filter was used. This was inconsistent with the
documentation which states "If none of the packages have the command, the
command fails."
This change makes the command fail with ERR_PNPM_RECURSIVE_RUN_NO_SCRIPT in
all cases where no packages have the script, regardless of whether a filter
is used. The `--if-present` flag can be used to suppress this error.
close#6844
* feat: check the engine when excute the create command
* chore: test case
* test: update
* fix: update
* fix: update
* refactor: use readProjectManifestOnly to do engine checks on dependencies executed by dlx
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
Prior to this commit, if `symlink` was set to `false` (such as in an RC
file), `dlx` would throw `ENOENT` because it expected the
`node_modules/the-package` symlink to exist:
```console
$ pnpm config get symlink
false
$ rm -rf ~/.cache/pnpm/
$ pnpm dlx the-package
Packages: +1
+
Progress: resolved 1, reused 1, downloaded 0, added 1, done
ENOENT ENOENT: no such file or directory, open '/home/${USER}/.cache/pnpm/dlx/.../
node_modules/the-package/package.json'
```
This commit filters the `symlink` option before installing the package,
allowing the symlink to be created, preventing the error.
Fixes#8732.
* fix(dlx/cache): account for customized registries
Different registries potentially return different packages for the same
name, so reusing dlx cache for packages from a different registry would
be incorrect.
* style: eslint
* refactor: dlx
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
* refactor: store link values before converting to references
* fix: use .sort() without localeCompare
https://github.com/pnpm/pnpm/pull/8128#discussion_r1614031566
> Nit, but you probably just want to call sort without a comparison
> function; these are already strings and locale compare is not a good
> comparison for anything but human readable strings since it will
> differ on different people's machines based on their language setting.
> I've hit this too many times before for code gen.
* feat: configure meta-updater to write test/tsconfig.json files
* fix: relative imports for __typings__
* chore: `pnpm run meta-updater`
* fix: explicitly use test/tsconfig.json for ts-jest