mirror/pnpm
1
0
Fork 0
mirror of https://github.com/pnpm/pnpm.git synced 2026-02-15 01:24:07 -05:00
Code Issues Packages Projects Releases Wiki Activity
10,313 Commits 332 Branches 1,839 Tags
52556a858a482ef91c67ea06ec0d2d54bd6dfd2a
Commit Graph

10313 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Khải
52556a858a refactor(test): some small polishments (#10603) 
* test: full message

* refactor: consistent indentation

* docs: remove extraneous comment

* test: more cases
 2026-02-12 22:54:13 +01:00
Zoltan Kochan
3e0a9acf5f fix: vulnerabilities 2026-02-12 22:41:33 +01:00
Zoltan Kochan
92f468b7bb chore: update pnpm-lock.yaml (#10580) 2026-02-12 22:35:02 +01:00
Khải
cc7c0d22df refactor!: replace npm publish with libnpmpublish (#10591) 
* chore(deps): add `libnpmpublish` to catalog

* chore(deps): install `libnpmpublish`

* feat: publishableManifest (wip)

* feat: publishableManifest (wip)

* chore(cspell): libnpmpublish

* test: fix

* feat: validate field and version

* chore: @npm/types

* chore: todo

* refactor: reorganize

* feat: transformRequiredFields

* chore(deps): patch `libnpmpublish`

* fix: `BaseManifest.config`

* fix: eslint

* chore(git): revert a patch that doesn't work

This reverts commit 45f2c6a6c2.

We will use type casting

* feat: `engines.runtime`

* feat: normalize bin

* fix: `bin === ''`

* test: fix

* refactor: inference friendly

* feat: `peerDependenciesMeta`

* refactor: group into a directory

* refactor: use `ramda.pipe`

* refactor: less intrusive type assertion

* feat!: returning `ExportedManifest`

* refactor: remove unnecessary file

* docs: add a todo

* refactor: getNetworkConfigs (#10458)

Some tests are added as a bonus

* feat: `publishPackedPkg` (wip)

* feat: replace `\t` with 4 spaces

* fix: newline

* fix: newline

* refactor: extract `FailedToPublishError`

* test: FailedToPublishError

* feat: registryConfigKeys

* feat: `publishPackedPkg` (wip)

* feat(config/getNetworkConfigs): load auth info

* feat(config/getNetworkConfigs): load auth info (#10491)

* feat: `publishPackedPkg` (wip)

* refactor: extract a `static` function

* fix: inheritance, override, and merge

* feat: `executeTokenHelper`

* fix: use the visible `globalWarn`

* feat: add options

* feat: add more options

* docs: more links

* fix: private packages

* fix: --dry-run

* feat: log more things

* fix: name

* fix: tag

* refactor: remove extraneous `assertPublicPackage`

* feat: use `publishPackedPkg` for directories

* refactor: require only necessary fields

* refactor: extractManifestFromPacked

* fix: extractManifestFromPacked

* test: extractManifestFromPacked

* feat: isTarballPath

* feat: use `publishPackedPkg` for tarballs

* style: add an empty line for clarity

* refactor: remove unnecessary works

* feat: --otp

* feat: PNPM_CONFIG_OTP

* feat: oidc

* test: fix name collision

* fix: eslint

* test: disable a false test

* feat: set `provenance`

* docs(todo): auto provenance

* refactor: run oidc in `createPublishOptions`

* fix: correct auth keys for `libnpmpublish`

* docs: changeset

* fix: incorrect `password` field

* fix: typo, grammar

* chore(git): resolve merge conflict ahead of time

In preparation for https://github.com/pnpm/pnpm/pull/10385

* fix: field name

* fix(config): decoding `_password`

* fix: edge case of partial `cert`/`key`

* fix: ensure `registry` always match its config key

* fix: `_password`

* test: correct a name

* test: more specific assertions

* fix: grammar

* docs(changeset): fix grammar

* docs: fix grammar

* fix: clean up after failure

* test: fix windows

* feat(provenance): auto detect

* refactor: consistent name

* fix: correct error names

* refactor: extract the `provenance` code

* feat: show code and body of an error

* refactor: use `encodeURIComponent`

* refactor: rename a type

* refactor: use the try-catch model

* refactor: move `normalizeBinObject`

* refactor: split `oidc` into `idToken` and `authToken`

* refactor: run `next` on `stream`'s `'end'`

* fix: use the correct encoding

* feat: guard against weird names

* test: `transform/engines`

Closes https://github.com/pnpm/pnpm/pull/10599

* test: `transformPeerDependenciesMeta`

Closes https://github.com/pnpm/pnpm/pull/10600

* refactor: dependency inject the `Date` too

* refactor: export an interface

* test: oidc

Closes https://github.com/pnpm/pnpm/pull/10598

* refactor: re-arrange imports

* refactor: remove unnecessary type casts

* refactor: improve test
 2026-02-12 21:10:54 +01:00
Brandon Cheng
5bf7768ca4 feat: skip confirm modules purge prompt if --yes is passed (#10383) 
* feat: add --yes command line option

* feat: skip confirm modules purge prompt if --yes is passed

* refactor: factor out `ExecPnpmSyncOpts`

* test: add end-to-end test for --yes flag
 2026-02-11 02:39:23 +01:00
Ryo Matsukawa
fa5ff08473 fix(dlx): respect minimumReleaseAgeExclude (#10572) 
close #10338
 2026-02-11 02:32:54 +01:00
Brandon Cheng
4c6c26a7e8 fix: disable global virtual store during pnpm deploy (#10577) 2026-02-11 02:19:43 +01:00
Karl Kaiser
1fd7370639 feat(workspace filtering): add support for filtering packages since last commit under git worktree (#10542) 
support managing repo in git worktree for filtering for packages changed since last commit
 2026-02-11 02:05:45 +01:00
Zoltan Kochan
a49b243573 fix: list command should not fail with an OOM error (#10586) 
close #8731
 2026-02-11 00:38:35 +01:00
Zoltan Kochan
f2a6d0684b docs: update sponsors 2026-02-10 21:22:23 +01:00
Zoltan Kochan
cbb366a7aa fix: virtual store race condition (#10589) 2026-02-10 12:05:17 +01:00
Zoltan Kochan
861dd2a8a8 revert: fix(reviewing): fix memory error in pnpm why (#10582) 
ref #7122
 2026-02-09 15:05:09 +01:00
Brandon Cheng
1a5b5beea2 build: replace ts-jest with simple transformer (#10579) 
* test: use `import type` in more places

Several tests are failing because a module isn't being mocked. This is
due to the mocked module being imported before the mock being set up.

Switching to `import type` should elide the import fully.

* build: replace ts-jest with simple transformer

* chore: remove `ts-jest`

* chore: remove babel dependencies from root project

* ci: use Node.js 22.13.0 (instead of 22.12.0)

Node.js 22.13.0 introduces the `stripTypeScriptTypes` function

* fix: copilot feedback
 2026-02-09 11:35:22 +01:00
Zoltan Kochan
5c29d21796 chore: update pnpm-lock.yaml (#10559) 
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2026-02-09 01:09:10 +01:00
Zoltan Kochan
1b4df57a01 feat!: drop Node.js 20 and 21 support (#10569) 2026-02-08 19:16:24 +01:00
Zoltan Kochan
4720175176 fix: pnpm help should correctly show if pnpm is bundled with Node.js (#10563) 
close #10561
 2026-02-07 02:09:45 +01:00
btea
4158906724 feat: support auditLevel (#10554) 
* feat: support `auditLevel`

* refactor: auditLevel

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
 2026-02-06 19:54:59 +01:00
Ryo Matsukawa
3c36e8d974 fix(audit): respect --audit-level in JSON output (#10547) 
* fix(audit): respect --audit-level in JSON output

* refactor: audit

* docs: fix changeset

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
 2026-02-06 18:53:10 +01:00
Luca Casonato
9428227d7e fix: exit with signal code when inner pnpm fails (#10549) 
close #10548
 2026-02-06 18:38:31 +01:00
Alessio Attilio
312226cbf0 fix: skip local file: protocol dependencies during pnpm fetch (#10514) 
This fixes an issue where pnpm fetch would fail in Docker builds when
local directory dependencies (file: protocol) were not available.

The fix adds an ignoreLocalPackages option that is passed from the fetch
command to skip local dependencies during graph building, since pnpm
fetch only downloads packages from the registry and doesn't need local
packages that won't be available in Docker builds.

close #10460
 2026-02-06 17:28:39 +01:00
Ryo Matsukawa
4f7cbaa9c6 fix: allow pnpm run -r to work with empty pnpm-workspace.yaml (#10520) 
close #10497
 2026-02-06 17:13:15 +01:00
btea
f72215107a fix: remove the prefix for view version info (#10498) 2026-02-06 16:50:49 +01:00
이종혁
5f5f1db2b8 fix(plugin-commands-store): support relative storeDir in store commands (#10490) 
close #10290

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
 2026-02-06 16:31:47 +01:00
Dennis Chen
559f903a90 fix: warn when directory contains PATH delimiter character (#10487) 
* fix: warn when directory contains PATH delimiter character

Add a warning when the current directory contains the PATH delimiter
character (colon on macOS/Linux, semicolon on Windows). On macOS,
folder names containing forward slashes (/) appear as colons (:) at
the Unix layer. Since colons are PATH separators in POSIX systems,
this breaks PATH injection for node_modules/.bin.

close #10457

* test: add tests for PATH delimiter warning

- Test warning is emitted when directory contains delimiter
- Test no warning for normal directories
 2026-02-06 16:04:19 +01:00
Zoltan Kochan
3cfffaad10 perf: save node_modules/.modules.yaml in JSON format (#10406) 2026-02-06 15:59:22 +01:00
Alessio Attilio
121f64ae99 fix: preserve reference overrides in pnpm audit --fix (#10478) 
close #10325

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
 2026-02-06 14:03:08 +01:00
Zoltan Kochan
57e99b6996 chore: update pnpm-lock.yaml (#10558) 
---------

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
 2026-02-06 03:28:39 +01:00
Zoltan Kochan
23f2ef96d0 ci: update-lockfile branch PR should trigger tests job 
Added a github token
 2026-02-06 01:02:26 +01:00
Zoltan Kochan
f3dc67280d ci: update-lockfile branch PR should trigger tests job 2026-02-06 00:45:04 +01:00
Zoltan Kochan
587e1939f5 ci: run all tests on the update-lockfile branch 2026-02-06 00:39:56 +01:00
Zoltan Kochan
89bdf4085d ci: update lockfile job 2026-02-06 00:32:21 +01:00
Trevor Burnham
680c543263 fix: allow env vars and updateConfig hook to override frozen-lockfile in CI (#10224) 
When CI=true, pnpm automatically enables frozen-lockfile mode. Previously,
this could only be overridden via .npmrc files or CLI flags because the
code checked rawLocalConfig (which excludes env vars and hook changes).

Now checks the fully resolved config values (frozenLockfile and
preferFrozenLockfile) instead of rawLocalConfig, allowing:
- Environment variables (pnpm_config_frozen_lockfile=false)
- updateConfig hook in .pnpmfile.cjs
- .npmrc files (already worked)
- CLI flags (already worked)

Fixes #9861
 2026-02-05 23:06:12 +01:00
Johan Quan Vo
12d58cce5f fix(deps): add override for @isaacs/brace-expansion@5.0.1 (#10545) 
* fix(deps): add override for @isaacs/brace-expansion@5.0.1

https://github.com/advisories/GHSA-7h2j-956f-4vf2

* revert: not needed override
 2026-02-05 23:00:53 +01:00
Ryo Matsukawa
3ed41f4811 fix: shamefullyHoist set via updateConfig in .pnpmfile.cjs (#10519) 
* fix: `shamefullyHoist` set via `updateConfig` in `.pnpmfile.cjs`

* refactor: consolidate derived config processing to cli-utils

Move shamefullyHoist → publicHoistPattern conversion from
config/config to cli-utils/getConfig.ts as suggested in review.

* test(config): update tests for derived config processing move

* refactor: move applyDerivedConfig to cli-utils

* refactor: move applyDerivedConfig to cli-utils

* test: use unit test for hoist: false in cli-utils

* revert: not needed changes

close #10271
 2026-02-05 22:45:20 +01:00
Lucas Gomes Santana
47e850180a fix(deps): update tar version to 7.5.7 to fix security vulnerability (pnpm#10530) (#10539) 
close #10530
 2026-02-03 01:47:37 +01:00
Diogo Correia
780af09808 fix(worker): inconsistent store structure due to race condition (#10536) 
close #10535
 2026-01-31 01:49:35 +01:00
Chanakya Sinde
8e2a66ece8 docs: fix grammar and use HTTPS links in Code of Conduct (#10523) 2026-01-27 23:34:45 +01:00
btea
e119c4ede6 feat: support check more invalid workspace file (#10319) 
close #10313

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
 2026-01-27 17:28:14 +01:00
Johan Quan Vo
7b1c189f2e feat!: remove deprecated patch options (#10505) 
* refactor: remove allowNonAppliedPatches

* refactor: remove ignorePatchFailures

* refactor: remove `strict` field in groupPatchedDependencies

* test: update test failure in package patching

* test: fix

* docs: update changesets

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
 2026-01-27 17:08:45 +01:00
Ryo Matsukawa
f8b4895e0a fix(list): correct dependency paths with global virtual store (#10375) 
* fix(list): correct dependency paths with global virtual store

* fix: global virtual store path

* fix: test

* fix: symlink resolution should only apply to top-level dependencies

* fix: resolve subdependency paths with global virtual store

* fix(list): resolve correct paths with global virtual store

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
 2026-01-27 16:25:58 +01:00
Alessio Attilio
94571fb2fe fix: prevent catalog: from leaking into pnpm-workspace.yaml (#10476) 
close #10176
 2026-01-27 15:52:31 +01:00
Maikel van Dort
f3cd9f7c05 feat: dlx timeout & retry (#10512) 2026-01-27 01:37:26 +01:00
Brandon Cheng
9a17bd74b0 fix: check updateSpec correctly when updating catalog snapshots (#10513) 2026-01-26 15:07:34 +01:00
dependabot[bot]
cda7187dbd chore(deps): bump the github-actions group across 1 directory with 5 updates (#10518) 
Bumps the github-actions group with 5 updates in the / directory:

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
 2026-01-26 15:06:30 +01:00
Maikel van Dort
c50357f1b8 docs: add codeblock highlight (#10510) 2026-01-26 15:04:22 +01:00
Yeom
4f66fbe6fa fix(workspace.manifest-writer): preserve formatting in pnpm-workspace.yaml when updating catalogs (#10430) 
* fix(workspace.manifest-writer): preserve yaml formatting in pnpm-workspace.yaml

Ensure that the original formatting (quotes, etc.) in pnpm-workspace.yaml
is preserved when running commands like \`pnpm update\`.

Close #10425

* docs: add changeset

* fix(workspace/manifest-writer): restore formats

* test: manifest writer preservers quotes in catalogs

* fix(workspace.manifest-writer): only update catalog when values change

* fix: remove redundant code

* test: adding catalog

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
 2026-01-26 07:07:28 +01:00
Maikel van Dort
8eee41691c feat: add support for catalogs with dlx (#10434) 
* feat: add support for catalogs with dlx

* fix: feedback

* Update .changeset/curly-dryers-jam.md

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>

* Update .changeset/curly-dryers-jam.md

Close #10249

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>

---------

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>
 2026-01-26 07:06:36 +01:00
Shunta Takemoto
0625e20442 feat: treat bare workspace: protocol as workspace:* (#10436) 
* feat: treat bare `workspace:` protocol as `workspace:*`

* chore: add chageset

* test(exportable-manifest): add test for `workspace` with explicit versions

* test: add tests and update changesets

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
 2026-01-26 07:06:01 +01:00
Brandon Cheng
af7a7efe00 chore: upgrade node-gyp to 11.5.0 (#10509) 2026-01-26 02:18:38 +01:00
Trevor Burnham
0ecff5b85c fix(completion): correct documentation URL in help output (#10511) 
The completion command's help text was showing a URL that redirects to a 404 page
(https://pnpm.io/10.x/cli/completion\). This changes it to the correct URL
(https://pnpm.io/completion\) where the documentation actually exists.

close #10281
 2026-01-26 01:30:08 +01:00