* feat: add experimental use-inline-specifiers-lockfile-format
* fix(lockfile-file): check importers key for shared lockfile format
The `convertFromLockfileFileMutable` function reverts changes from
`normalizeLockfile` when not using the shared lockfile format.
- The non-shared lockfile format puts fields like `specifiers`,
`dependencies`, `devDependencies`, `optionalDependencies`, and
`dependenciesMeta` on the root of the lockfile. This is typically
the case for a repo not using pnpm workspaces.
- The shared lockfile format puts these under a `importers` block
scoped by a path.
The `use-inline-specifiers-lockfile-format` feature flag removes the
`specifiers` block in favor of putting each specifier next to the
resolved version within each `dependencies`, `devDependencies`, etc
block.
This means the `convertFromLockfileFileMutable` function can no longer
check for `specifiers` to detect the whether the "shared" format is
used. @zkochan suggested checking for `importers` instead, which should
have the same effect.
https://github.com/pnpm/pnpm/pull/5091#discussion_r929326835
* test(lockfile-file): add read & write test for useInlineSpecifiersFormat
A new setting supported: `prefer-symlinked-executables`
When `true`, on Posix systems pnpm will create symlinks to executables in
`node_modules/.bin` instead of command shims.
This setting is `true` by default when `node-linker` is set to
`hoisted`.
close#4782
Deprecating `extend-node-path` in pnpm v7 has caused issues with "next dev".
This change is bringing back extending `NODE_PATH` in bin command shims. However, only when `node-linker` is set to `isolated` and packages are hoisted to `node_modules/.pnpm/node_modules`. Only `node_modules/.pnpm/node_modules` is added to `NODE_PATH`, so it should not cause too long input errors (as it was sometimes the case in pnpm v6)
The configuration option `update-notifier` allows users to disable the
update verification. This is interesting when pnpm is installed from
another package manager because the given instructions will not be
accurate. The `update-notifier` option exists in NPM so it can also
ease the migration to pnpm.
(https://docs.npmjs.com/cli/v8/using-npm/config#update-notifier).
close#4158.
Co-authored-by: Zoltan Kochan <z@kochan.io>
* feat(config): add support for token helper
Use the new interface in `pnpm/credentials-by-uri` for supporting token
helpers. A token helper is an executable, set in the user's `.npmrc`
which outputs an auth token. This can be used in situations where the
`authToken` is not a constant value, but is something that refreshes
regularly, where a script or other tool can use an existing refresh
token to obtain a new access token.
The configuration for the path to the helper must be an absolute path,
with no arguments. In order to be secure, it is _only_ permitted to set
this value in the user `.npmrc`, otherwise a project could place a value
in a project local `.npmrc` and run arbitrary executables.
A similar feature is available in many similar tools. The implementation
in `credentials-by-uri` is modelled after the `vault` (vaultproject.io)
implementation - https://github.com/hashicorp/vault/blob/main/command/token/helper_external.go
* test: fix
* docs: add changesets
Co-authored-by: Zoltan Kochan <z@kochan.io>
