External processes like SSH passphrase prompts can write to the terminal between progress updates. The previous renderer used `ansi-diff`, which only overwrites the characters it knows changed, so leftover characters from the external output stayed visible on the progress line — e.g. `added 0sa':`, where `sa':` is a fragment of `Enter passphrase for key '.../.ssh/id_rsa':`.
Closes https://github.com/pnpm/pnpm/issues/12350
## Summary
The interactive (non-append-only) reporter now redraws the whole frame in place on each update instead of incrementally diffing it:
- return the cursor to the top-left of the previous frame (`ESC[<rows>A` followed by a carriage return, so the redraw starts at column 0 even if an external process left the cursor mid-line),
- erase from there to the end of the display (`ESC[0J`),
- reprint the frame — all in a single atomic write, so there is no flicker.
Because the whole region is erased on every frame, any characters an external process wrote in between are cleared. This matches pacquet's `Output::Frame` rendering (the column-reset hardening was applied to both stacks). The now-unused `ansi-diff` dependency has been removed.
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Zoltan Kochan <z@kochan.io>
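
The redraw sequence from the message above, shown as an added example (not pnpm's or pacquet's code). The frame text, the `overwriteOnly` stand-in and the toy `screen` terminal model are constructed for illustration. It assumes a frame is written without a trailing newline.

```javascript
// Added example, not pnpm's code. Assumption: a frame is written without a
// trailing newline, so the cursor rests on the frame's last row.
const ESC = '\x1b'
const PROMPT = "Enter passphrase for key '.../.ssh/id_rsa':" // external write

// Full-frame redraw: cursor up to the previous frame's first row, carriage
// return to column 0, erase to end of display, reprint. One string, one write.
function redraw (prevFrame, frame) {
  const rowsUp = prevFrame ? prevFrame.split('\n').length - 1 : 0
  const up = rowsUp > 0 ? `${ESC}[${rowsUp}A` : '' // a 0 count still moves one row
  return `${up}\r${ESC}[0J${frame}`
}

// Simplified stand-in for an overwrite-only update (not ansi-diff's algorithm):
// rewrite the line from column 0 without erasing anything.
function overwriteOnly (frame) {
  return `\r${frame}`
}

// Toy terminal: applies writes to a row buffer and returns the visible rows.
// Handles only CR, LF (as CR+LF), ESC[<n>A and ESC[0J.
function screen (writes) {
  const rows = ['']
  let r = 0, c = 0
  const data = writes.join('')
  for (let i = 0; i < data.length; i++) {
    const ch = data[i]
    if (ch === ESC) {
      const m = /^\[(\d*)([AJ])/.exec(data.slice(i + 1))
      if (!m) throw new Error('unsupported escape sequence')
      i += m[0].length
      if (m[2] === 'A') r = Math.max(0, r - (Number(m[1]) || 1))
      else { rows.length = r + 1; rows[r] = rows[r].slice(0, c) }
    } else if (ch === '\r') {
      c = 0
    } else if (ch === '\n') {
      r++; c = 0
      if (r === rows.length) rows.push('')
    } else {
      rows[r] = rows[r].slice(0, c).padEnd(c) + ch + rows[r].slice(c + 1)
      c++
    }
  }
  return rows
}

const f1 = 'Progress: resolved 1\nadded 0' // constructed sample frames
const f2 = 'Progress: resolved 2\nadded 1'
console.log(screen([f1, PROMPT, overwriteOnly('added 1')])) // prompt text survives
console.log(screen([redraw('', f1), PROMPT, redraw(f1, f2)])) // clean frame
```
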
When the lockfile-verification gate short-circuits on a cached verdict,
it used to stay completely silent, which made it look like the
supply-chain policy gate never ran (pnpm/pnpm#12324). Emit a new
`cached` status on the pnpm:lockfile-verification channel carrying the
reused record's verifiedAt timestamp, and render it in the default
reporter as "Lockfile passes supply-chain policies (verified 2h ago)"
(falling back to "previously verified" for records that predate the
timestamp). The event fires only when policy verifiers are active, so
the shape-only check every install performs stays quiet.
Ported to pacquet in the same change: a `Cached` variant on the
reporter's LockfileVerificationMessage with the matching camelCase wire
shape, emitted from the same cache-hit point in
verify_lockfile_resolutions.
* feat: report lockfile verification progress
The lockfile resolution verifier introduced in #11705 runs an unbounded
registry round-trip on cache miss and was previously silent — on a cold
registry cache users saw nothing for several seconds. Emit pnpm:lockfile-verification
log events (started/done) around the actual verification pass and render
them in the default reporter as a transient progress line that collapses
into a final "verified" summary with entry count and elapsed time. The
cached short-circuit stays silent.
* feat: include lockfile path in verification log and render when non-standard
Add `lockfilePath` to the `pnpm:lockfile-verification` event payload so
consumers always know which lockfile a `started`/`done` pair refers to.
In the default reporter, render the path in the message only when the
lockfile lives outside the workspace root (or, for non-workspace
installs, outside cwd) — the common case stays uncluttered, while
custom `lockfileDir` setups now surface in the verification line.
* feat: name what the lockfile verification actually checks in the rendered message
"Verifying lockfile" was opaque about *what* was being verified. Reword
the rendered messages to explicitly name the check ("supply-chain
policies"), so users on a cold-cache pause understand what's happening
instead of just seeing the pause.
* fix: skip lockfile verification emission for empty candidate set
A non-empty lockfile.packages whose snapshots all fail name/version
extraction would still emit a "Verifying lockfile (0 entries)" line even
though no verifier work runs. Bail before emission when the candidate
map is empty so the no-op branch stays silent, matching the contract
for the other no-op branches (empty verifiers, no lockfile.packages).
* fix(reporter): always close out the verifying-lockfile frame
Address two Copilot review points on #11712:
1. The verifier emitted `started` but no terminal event when violations
   were found or when the registry fan-out threw, leaving "Verifying
   lockfile…" as the last frame for that block in ansi-diff mode (and
   an unmatched line in CI logs). Add a `failed` status to the logger,
   wrap the fan-out in try/finally so a terminal event is emitted on
   every exit path that emitted `started`, and render a brief failure
   line so the spinner-style frame is replaced before the PnpmError
   block prints.
2. The path-suppression heuristic used strict `===` between
   path.dirname(lockfilePath) and expectedDir, which broke on trailing
   separators and slash-direction differences. Switch to a
   path.relative-based check so a workspaceDir like `/repo/` or a
   Windows path with mixed slashes still correctly suppresses the
   redundant "at <path>" suffix.
* docs: update lockfile verification logging behavior
The lockfile verifier now emits log events during the registry round-trip pass, improving user visibility into the process.