Commit Graph

44 Commits

Author SHA1 Message Date
Zoltan Kochan
4195766f10 feat: tighten minimumReleaseAge — auto-exclude, lockfile verification, and interactive prompt (#11705)
Three coordinated changes that close the silent-bypass gap in loose `minimumReleaseAge` mode AND the discover-by-loop UX problem in strict mode (#10488), plus a parallel hardening of the lockfile verifier:

1. **Auto-collect into `minimumReleaseAgeExclude` (loose mode)** — fresh resolutions that fall back to a version newer than the cutoff are auto-recorded into the workspace manifest's `minimumReleaseAgeExclude`. A single info message lists what was persisted. The workspace manifest writer dedupes against existing entries.

2. **Lockfile verifier runs in loose mode too** — `createNpmResolutionVerifier` no longer gates on `minimumReleaseAgeStrict`. With auto-collect keeping the exclude list explicit, every accepted-immature pin must be on the list — same contract strict mode enforces. Lockfiles produced under a weaker (or absent) policy that still hold immature entries are rejected the same way strict mode would.

3. **Strict mode prompts on the aggregate set instead of throwing on the first** — the resolver always collects every immature direct and transitive in one pass; the install command's `handleResolutionPolicyViolations` checkpoint decides what to do with the set. Interactive (TTY) prompts the user once with the full list (default = No) and asks whether to add them all to `minimumReleaseAgeExclude` and proceed. Approve → install continues, persisted at the end. Decline → resolution aborts before the lockfile, package.json, or modules dir is touched. Non-interactive (CI) keeps `ERR_PNPM_NO_MATURE_MATCHING_VERSION` as the exit code but lists every offending entry instead of just the first one the resolver happened to hit.

4. **The lockfile verifier now also covers `trustPolicy: 'no-downgrade'`.** The same post-resolution gate that re-checks `minimumReleaseAge` on lockfile entries now re-runs `failIfTrustDowngraded` for every npm-registry entry whose name isn't on `trustPolicyExclude`. The two checks share a single full-metadata fetch per package, so the extra coverage doesn't cost an extra round trip when both policies are active. Resolver-time trust checks still run as before — this just closes the gap when an entry bypasses resolution (peek path, `--frozen-lockfile`, restored CI cache).

The steady-state flows:

- **Loose mode, `pnpm add foo@immature`**: lockfile clean, verifier no-op, resolver picks via lowest-version fallback, `foo@immature` lands in `minimumReleaseAgeExclude`, install succeeds. Subsequent `pnpm install --frozen-lockfile` in CI verifies against the populated list and succeeds.
- **Strict mode (interactive), security bump to `next@15.5.9`**: resolver collects `next@15.5.9` AND every immature `@next/swc-*@15.5.9` shim. pnpm prompts once with the full list. User approves → install completes, all entries persisted in `pnpm-workspace.yaml`. CI then runs the populated config cleanly.
- **Strict mode (non-interactive / CI)**: aborts with `ERR_PNPM_NO_MATURE_MATCHING_VERSION` listing every immature entry's `name@version` and publish time — no more discover-by-loop dance.
- **Teammate commits a poisoned lockfile**: single-policy batches reject with `ERR_PNPM_MINIMUM_RELEASE_AGE_VIOLATION` (or `ERR_PNPM_TRUST_DOWNGRADE`); a batch that trips both policies escalates to the generic `ERR_PNPM_LOCKFILE_RESOLUTION_VERIFICATION` and lists each entry's per-policy code in the breakdown.

### Implementation

- The npm resolver always falls back to the lowest matching version when no mature version satisfies the range, and flags the result with `ResolveResult.policyViolation` instead of throwing `NO_MATURE_MATCHING_VERSION`. `deferImmatureDecision` and `strictPublishedByCheck` are gone — every caller (install, dlx, outdated, self-update) inspects the violation and decides what to do.
- `policyViolation` flows from `ResolveResult` → `PackageResponse.body.policyViolation` → a shared accumulator in `ResolutionContext` → the `resolutionPolicyViolations` field on `resolveDependencyTree`'s return → out through `mutateModules` / `addDependenciesToPackage` to the install command.
- The violation type lives in `@pnpm/resolving.resolver-base` as `ResolutionPolicyViolation`; the npm resolver exports the two built-in codes (`MINIMUM_RELEASE_AGE_VIOLATION_CODE`, `TRUST_DOWNGRADE_VIOLATION_CODE`) as constants so consumers reference one source of truth.
- `handleResolutionPolicyViolations` runs between `resolveDependencyTree` and `resolvePeers` — the resolver-agnostic checkpoint where the install command's plan prompts (TTY) or aborts (no-TTY) with the full violation list.
- `setupPolicyHandlers` (in `installing/commands/src/policyHandlers.ts`) composes per-policy handlers behind a uniform plan interface: each handler has its own `handleResolutionPolicyViolations` (filter by code, decide what to do) and `pickManifestUpdates` (return a typed `WorkspaceManifestPolicyUpdates` patch the install command spreads into `updateWorkspaceManifest`). Today the only registered handler is `createMinimumReleaseAgeHandler` — strict + TTY prompts via `enquirer`, strict no-TTY throws `ERR_PNPM_NO_MATURE_MATCHING_VERSION` with every entry listed, loose mode auto-persists at the tail. Strict + `--no-save` is rejected up-front via `ERR_PNPM_STRICT_MIN_RELEASE_AGE_REQUIRES_SAVE`. Future policies plug in via a sibling factory + push into the handlers list, with no changes to `installDeps.ts` / `recursive.ts`.
- `installDeps` / `recursive` drain `pickManifestUpdates` after install and spread the patch into `updateWorkspaceManifest`. Plain `pnpm install` (no `--update`, no params) now still updates the workspace manifest when any handler contributes a patch. The `install` command's CLI schema gained `save: Boolean` so `--no-save` actually flows through to `opts.save = false` instead of being silently dropped by nopt.
- `makeResolutionStrict` (in `installing/client`) wraps a `ResolveFunction` and rethrows any `policyViolation` as a `PnpmError`. Used by `dlx` and `self-update` under strict `minimumReleaseAge` OR `trustPolicy: 'no-downgrade'`, since one-shot callers have nowhere to defer a violation to. Violation-code → error-code mapping lives in one place so future violation kinds get consistent UX.
- `createNpmResolutionVerifier` extends its check to `trustPolicy: 'no-downgrade'` — same per-entry fan-out, same cache key, sharing the full-metadata fetch with the maturity check. Trust-fetch errors now propagate up so the violation reason carries the underlying message (network code, 404 detail) instead of a generic "metadata is unavailable".
- `verifyLockfileResolutions`'s aggregate throw uses the per-policy code when every violation in the batch shares it, and escalates to a generic `LOCKFILE_RESOLUTION_VERIFICATION` (with per-entry codes in the breakdown) for mixed batches.
- The pnpm agent path refuses installs under `trustPolicy: 'no-downgrade'` (`ERR_PNPM_TRUST_POLICY_INCOMPATIBLE_WITH_AGENT`) — the agent has no server-side counterpart to that check yet, so silently allowing it would land a lockfile the local verifier would later reject. `minimumReleaseAge` is forwarded to the agent and enforced server-side, so that combination is fine.

### Pacquet parity

Pacquet only carries a stub reference to `minimumReleaseAgeExclude` (see `pacquet/crates/package-manager/src/version_policy.rs`); the broader `minimumReleaseAge` and `trustPolicy` policies aren't ported yet, so this feature is outside pacquet's current surface area. It'll come along when pacquet ports the policies.

### Closes

- Closes #10488 (resolves the discover-by-loop dance for security bumps without needing `withTransitives`).
2026-05-18 09:51:11 +02:00
Zoltan Kochan
7f6d356e65 fix(test): add pnpm-workspace.yaml to multiple-scripts-error-exit fixture
The errorHandler test runs pnpm from this fixture directory. Without its
own workspace manifest, pnpm walked up and discovered the monorepo root,
triggering verifyDepsBeforeRun which modified unrelated files.
2026-04-05 22:45:33 +02:00
Zoltan Kochan
dba4153767 refactor: rename packages and consolidate runtime resolvers (#10999)
* refactor: rename workspace.sort-packages and workspace.pkgs-graph

- workspace.sort-packages -> workspace.projects-sorter
- workspace.pkgs-graph -> workspace.projects-graph

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: rename packages/ to core/ and pkg-manifest.read-package-json to reader

- Rename packages/ directory to core/ for clarity
- Rename pkg-manifest/read-package-json to pkg-manifest/reader (@pnpm/pkg-manifest.reader)
- Update all tsconfig, package.json, and lockfile references

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* refactor: consolidate runtime resolvers under engine/runtime domain

- Remove unused @pnpm/engine.runtime.node.fetcher package
- Rename engine/runtime/node.resolver to node-resolver (dash convention)
- Move resolving/bun-resolver to engine/runtime/bun-resolver
- Move resolving/deno-resolver to engine/runtime/deno-resolver
- Update all package names, tsconfig paths, and lockfile references

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* chore: update lockfile after removing node.fetcher

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: sort tsconfig references and package.json deps alphabetically

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: auto-fix import sorting

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: update __typings__ paths in tsconfig.lint.json for moved resolvers

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

* fix: remove deno-resolver from deps of bun-resolver

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-18 00:19:58 +01:00
Zoltan Kochan
e46a652939 fix: the add command should not fail, when blockExoticSubdeps is true (#10327)
close #10324
2025-12-17 11:24:32 +01:00
Brandon Cheng
69ebe38764 fix: throw a frozen lockfile error when catalogs change (#10231)
* fix: throw a frozen lockfile error when catalogs change

* fix: work around lockfile mismatch when installing `__fixtures__`

```
> @ step1 /home/runner/work/pnpm/pnpm/__fixtures__
> node ../pnpm/dist/pnpm.mjs install -rf --frozen-lockfile --no-shared-workspace-lockfile --no-link-workspace-packages

.                                        |  WARN  using --force I sure hope you know what you are doing
Scope: all 26 workspace projects
circular                                 | Progress: resolved 1, reused 0, downloaded 0, added 0
circular                                 |   +4 +
fixture                                  | Progress: resolved 1, reused 0, downloaded 0, added 0
fixture                                  |  +12 +
fixture-with-no-pkg-name-and-no-version  | Progress: resolved 1, reused 0, downloaded 0, added 0
fixture-with-no-pkg-name-and-no-version  |  +12 +
fixture-with-no-pkg-version              | Progress: resolved 1, reused 0, downloaded 0, added 0
fixture-with-no-pkg-version              |  +12 +
circular                                 | Progress: resolved 4, reused 0, downloaded 4, added 4, done
fixture                                  | Progress: resolved 12, reused 6, downloaded 6, added 12, done
fixture-with-no-pkg-name-and-no-version  | Progress: resolved 12, reused 0, downloaded 0, added 12, done
fixture-with-no-pkg-version              | Progress: resolved 12, reused 0, downloaded 0, added 12, done
general                                  | Progress: resolved 1, reused 0, downloaded 0, added 0
general                                  |  +13 +
has-2-outdated-deps                      | Progress: resolved 1, reused 0, downloaded 0, added 0
has-2-outdated-deps                      |   +2 +
undefined
/home/runner/work/pnpm/pnpm/__fixtures__/has-outdated-deps-using-catalog-protocol:
 ERR_PNPM_LOCKFILE_CONFIG_MISMATCH  Cannot proceed with the frozen installation. The current "catalogs" configuration doesn't match the value found in the lockfile

Update your lockfile using "pnpm install --no-frozen-lockfile"
```

close #9369
2025-11-26 01:09:37 +01:00
Zoltan Kochan
dab9abef5c Merge remote-tracking branch 'origin/main' into v11 2025-10-24 14:19:07 +02:00
Ryo Matsukawa
270c447017 fix: prevent table width error in pnpm outdated --long (#10050)
close #10040
2025-10-12 19:38:32 +02:00
Zoltan Kochan
f307b9a130 Merge remote-tracking branch 'origin/main' into v11 2025-09-24 10:51:53 +02:00
Zoltan Kochan
63805521f9 test: do not rely on hardcoded port numbers 2025-09-24 08:55:49 +02:00
Zoltan Kochan
491a84fb26 feat: use ESM instead of commonjs (#9870) 2025-08-25 10:02:00 +02:00
Zoltan Kochan
a014bb0e28 test: write settings to pnpm-workspace.yaml instead of .npmrc (#9523) 2025-05-14 15:02:58 +02:00
Zoltan Kochan
8fcc221394 feat: reading settings from pnpm-workspace.yaml (#9121)
Related discussion: https://github.com/orgs/pnpm/discussions/9037

close #9033
2025-02-22 02:10:43 +01:00
Zoltan Kochan
7ec017e13f chore: move all tarball files out from Git LFS to a package dependency (#8885) 2024-12-18 03:06:51 +01:00
Zoltan Kochan
a76da0c53c feat!: remove conversion of lockfile v6 to v9 (#8866) 2024-12-15 14:39:19 +01:00
Brandon Cheng
a724295578 fix: catalogs exception when running pnpm outdated with --compatible flag (#8825)
close #8566
2024-12-02 12:03:38 +01:00
Brandon Cheng
5fea44486e chore: use Git LFS for pnpm development (#8509)
* chore: set up git-lfs hooks

* ci: checkout lfs files on CI

According to https://github.com/actions/checkout, checkout out LFS files
defaults to false.

* chore: track .tgz files in Git LFS
2024-10-14 08:49:30 +02:00
Zoltan Kochan
7329b9afc4 ci: test on Node.js 22 (#8010) 2024-07-25 16:45:47 +02:00
Brandon Cheng
f6e7ace2a2 fix: pnpm outdated should work with catalog: protocol (#8304)
* fix: pnpm outdated works with catalog: protocol

* test: add has-outdated-deps-using-catalog-protocol fixture

* test: add pnpm outdated catalog protocol test

* chore: changeset

* refactor: outdated

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2024-07-15 18:45:10 +02:00
Brandon Cheng
75a98e12b3 refactor: improve type checking when finding workspace packages (#8214)
---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2024-06-17 17:34:54 +02:00
Zoltan Kochan
501133d30b refactor: bump lockfile version to v9 instead of v7 (#7861)
In order to align the lockfile version with pnpm version that ships it.
2024-04-06 17:12:37 +02:00
Zoltan Kochan
a22bdf0e29 feat!: remove the dev field from the lockfile (#7808) 2024-03-22 15:21:26 +01:00
Zoltan Kochan
21878e7ae4 feat(lockfile)!: change the keys format (#7752) 2024-03-17 23:01:39 +01:00
Zoltan Kochan
53594a3787 feat!: package ID should be an exact version spec (#7748) 2024-03-10 14:46:25 +01:00
Zoltan Kochan
5c20db0dd2 feat!: use the same lockfile format in 1-pkg workspace as in multi-pkg one (#7696) 2024-02-29 10:28:29 +01:00
Zoltan Kochan
7db98cae0f feat!: bump lockfile to v7 (#7666) 2024-02-17 12:57:58 +01:00
Zoltan Kochan
c7d0564225 refactor: lockfile-file (#7655) 2024-02-16 11:14:47 +01:00
Zoltan Kochan
c692f802f4 feat!: bump lockfile to v6.1 (#7643) 2024-02-13 01:41:51 +01:00
Zoltan Kochan
d381a6001c feat!: use dependency path format from lockfile v6 (#7470)
Drop lockfile v5 support.
2024-01-08 11:57:44 +01:00
Zoltan Kochan
ce809f6d91 chore: update registry-mock 2023-12-19 11:24:07 +01:00
await-ovo
f394cfccda fix(resolve-dependencies): not update git protocol dependency when add unrelated dependency (#7054)
close #7008
2023-09-23 14:11:48 +03:00
Brandon Cheng
e9aa6f682a chore(deps): update TypeScript 5.1.6 -> 5.2.2 (#7016)
* test: use sha512 integrity in fixtures to fix ci break

* test: update snapshots for sha512 fixture change

* chore(deps): remove unneeded peer dependency exception

The `peerDependencyRules.allowedVersions` exception on
`@typescript-eslint/eslint-plugin` no longer seems to be necessary.
Removing it does not introduce any new peer dependency errors on
`pnpm install`.

I suspect this was needed for the
`eslint-config-standard-with-typescript` dependency in the past, but a
@typescript-eslint/eslint-plugin upgrade made it no longer necessary.

* chore(deps): update @typescript-eslint dependencies 5.62.0 -> 6.5.0

@typescript-eslint 6.5.0 is the first version to introduce support for
TypeScript 5.2.

https://github.com/typescript-eslint/typescript-eslint/releases/tag/v6.5.0

```
=============

WARNING: You are currently running a version of TypeScript which is not officially supported by @typescript-eslint/typescript-estree.

You may find that it works just fine, or you may not.

SUPPORTED TYPESCRIPT VERSIONS: >=3.3.1 <5.2.0

YOUR TYPESCRIPT VERSION: 5.2.2

Please only submit bug reports when using the officially supported version.
```

* chore(deps): update eslint-config-standard-with-typescript 37.0.0 -> 39.0.0

Version 38.0.0 is the first version to support @typescript-eslint v6.
https://github.com/standard/eslint-config-standard-with-typescript/releases/tag/v38.0.0

Otherwise the following error appears.

```
> eslint "src/**/*.ts" "test/**/*.ts" "--fix"

Oops! Something went wrong! :(

ESLint: 8.47.0

Error: ../../.eslintrc.json » @pnpm/eslint-config » eslint-config-standard-with-typescript:
        Configuration for rule "@typescript-eslint/restrict-plus-operands" is invalid:
        Value {"checkCompoundAssignments":true} should NOT have additional properties.

    at ConfigValidator.validateRuleOptions (/Users/gluxon/Developer/pnpm/node_modules/.pnpm/@eslint+eslintrc@2.1.2/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:2039:23)
    at /Users/gluxon/Developer/pnpm/node_modules/.pnpm/@eslint+eslintrc@2.1.2/node_modules/@eslint/eslintrc/dist/eslintrc.cjs:2094:18
```

* chore: remove unnecessary disables for restrict-template-expressions

The `@typescript-eslint/restrict-template-expressions` rule relaxed
what types are allowed in template expressions.

c13ce0b4f7 (diff-b852e1e199d2976eee1183fc84ac12a5d42fc61f0ae4b1c290dd54d621546db0)

Many of these disables were for interpolated values that had an `any`
type.

* chore: remove unnecessary disables for restrict-plus-operands

The original error was:

```
Invalid operand for a '+' operation. Operands must each be a number or string. Got `any`. eslint@typescript-eslint/restrict-plus-operands
```

It look like the newer version now allows `any`.

* style: fix errors of prefer-optional-chain and prefer-nullish-coalescing

The `@typescript-eslint/prefer-optional-chain` and
`@typescript-eslint/prefer-nullish-coalescing` rules got a bit
smarter. This commit applies autofixes. I believe the changes should be
equivalent to what existed before.

Example of the new `@typescript-eslint/prefer-optional-chain` lints.

```
pnpm/pkg-manifest/exportable-manifest/src/index.ts
  71:10  error  Prefer using an optional chain expression instead, as it's more concise and easier to read  @typescript-eslint/prefer-optional-chain
  87:10  error  Prefer using an optional chain expression instead, as it's more concise and easier to read  @typescript-eslint/prefer-optional-chain
```

Example of the new `@typescript-eslint/prefer-nullish-coalescing` lints.

```
pnpm/fs/find-packages/src/index.ts
  32:38  error  Prefer using nullish coalescing operator (`??`) instead of a ternary expression, as it is simpler to read  @typescript-eslint/prefer-nullish-coalescing
```

* chore(deps): update TypeScript 5.1.6 -> 5.2.2

* chore(deps): update @yarnpkg/core->@types/lodash override to 4.14.197

This fixes a compilation error that appears on TypeScript 5.2.2. This
error was fixed in a later version of `@types/lodash`.

https://github.com/DefinitelyTyped/DefinitelyTyped/pull/66123

```
../node_modules/.pnpm/@types+lodash@4.14.181/node_modules/@types/lodash/index.d.ts:45:15 - error TS2428: All declarations of 'WeakMap' must have identical type parameters.

45     interface WeakMap<K extends object, V> { }
                 ~~~~~~~

Found 4 errors.
```
2023-08-31 16:27:01 +03:00
Nacho Aldama
bf21c9bf3a fix: add support for npm lockfile v3 in import (#6931)
closes #6233

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2023-08-17 16:51:30 +03:00
Zoltan Kochan
302ebffc54 fix: downgrade lockfile version to 6.0 (#6664)
close #6648
2023-06-11 21:31:11 +03:00
Zoltan Kochan
9c4ae87bd1 feat: include some settings as fields in the lockfile (#6557)
ref #6312
2023-05-21 02:40:39 +03:00
Zoltan Kochan
497b0a79c0 fix: only remove node_modules if the user confirms to do so (#6458) 2023-04-30 11:55:25 +03:00
Zoltan Kochan
158d8cf22f feat!: only allow lockfile v6 (#6240) 2023-03-19 04:23:51 +02:00
Zoltan Kochan
d66dcb452d Merge branch 'main' into v8 2023-03-14 03:48:44 +02:00
await-ovo
272de3e227 fix: clean up child processes when process exited (#6190)
close #6162
2023-03-11 02:02:14 +02:00
Zoltan Kochan
417c8ac595 fix!: always create a lockfile (#6073) 2023-02-13 22:33:10 +02:00
Zoltan Kochan
47e45d717d feat!: breaking config changes in v8 (#6035)
* auto-install-peers=true
* save-workspace-protocol=rolling
* publishConfig.linkDirectory true by default
* resolve-peers-from-workspace-root is true by default
* set dedupeDirectDeps to true by default in @pnpm/core.
2023-02-05 11:43:22 +02:00
await-ovo
19e823beab fix: path info in dependencies hierarchy tree (#6001)
* fix: get correct path info in dependencies hierarchy tree

* chore: test case for build dependencies hierarchy

* docs: update changeset

* chore: test cases

* fix: show full path in dependencies hierarchy tree
2023-02-02 03:34:16 +02:00
Brandon Cheng
e8f6ab6833 feat: add pnpm dedupe command (#5958) 2023-01-23 12:27:42 +02:00
Brandon Cheng
395a33a50c feat: traverse through workspace packages in why and list commands (#5863)
* refactor(dependencies-hierarchy): remove keypath argument from getTree

The `keypath` argument is an internal implementation detail of `getTree`
used to detect cycles in the package graph. Removing this from the call
signature of `getTree` since it exposes an implementation detail.

The start of a `getTree` call always passed in the starting node as the
initial value anyway.

```ts
const getChildrenTree = getTree.bind(null, { ... })
getChildrenTree([relativeId], relativeId)
```

It's simpler for that to happen in the first call to `getTreeHelper`
internally and better ensures the keypath is created correctly. A future
refactor makes construction of the keypath more involved.

* refactor(dependencies-hierarchy): remove refToRelative call in getPkgInfo

This removes an extra `refToRelative` call in `getPkgInfo`. The result
of this call wasn't used within the function and was simply passed back
to the caller.

Callers of `getPkgInfo` were checking the result of `refToRelative`,
from `getPkgInfo`'s return object only to call `refToRelative` again.
Calling `refToRelative` directly simplifies code a bit. We can remove an
unnecessary cast and an if statement.

* refactor(dependencies-hierarchy): create enum for getTree nodes

* feature(dependencies-hierarchy): traverse through workspace packages

This updates `pnpm list` and `pnpm why` to traverse through `link:`
packages by simply. This is done by simply implementing a new TreeNodeId
enum variant.

* test(dependencies-hierarchy): test transitive workspace package listing

* refactor(dependencies-hierarchy): create interface for GetPkgInfoOpts

A future commit adds new fields to `getPkgInfo`'s options. The dedicated
interface makes it easier to describe these new options with a JSDoc.

* fix(dependencies-hierarchy): fix path for link: deps in projects

This was a bug before the changes in this pull request. The bug was not
user facing since `pnpm list --json` doesn't print this computed path.

* fix(dependencies-hierarchy): print version paths rel to starting project

* feat(list): add --only-projects flag

* refactor: change description of --only-projects

Co-authored-by: Zoltan Kochan <z@kochan.io>
2023-01-03 15:28:20 +02:00
Zoltan Kochan
4ca53b0b50 refactor: group projects in different subdirectories (#5659) 2022-11-20 01:35:22 +02:00