Commit Graph

955 Commits

Author SHA1 Message Date
Zoltan Kochan
2a1ffe1956 chore(release): 10.33.2 2026-04-23 13:39:20 +02:00
Zoltan Kochan
78951f2adb fix: global bin shim invokes pnpm instead of Node when installed via @pnpm/exe (#11335)
* fix(installation): skip pnpm exe when no Node.js is on PATH

When pnpm is installed as @pnpm/exe (a Single Executable Application
that bundles Node.js into the pnpm binary) and the user has no separate
Node.js on PATH, `which('node')` fails and `getNodeExecPath` used to
fall back to `process.execPath` - which in @pnpm/exe is the pnpm binary
itself, not a Node binary. That path got baked into generated global
bin shims via nodeExecPath, so running any globally-installed CLI
invoked pnpm with the target script as its first positional arg,
producing `ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND` from the current
working directory.

Detect the @pnpm/exe case via `detectIfCurrentPkgIsExecutable` and
return undefined from the fallback so the shim emits a plain
`exec node <target>` instead.

Closes #11291
Refs #4645

* Update pkg-manager/plugin-commands-installation/src/nodeExecPath.ts

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2026-04-22 14:41:12 +02:00
Zoltan Kochan
948bd8c7c5 chore(release): libs 2026-04-14 10:48:26 +02:00
Zoltan Kochan
83832f787b feat(core): add ignoreLockfileSettingsChecks option (#11259)
Allow skipping the lockfile settings validation during frozen and
preferFrozenLockfile installs. When enabled, pnpm proceeds as if the
lockfile settings are up to date.
2026-04-14 09:56:02 +02:00
Zoltan Kochan
be07631710 chore(release): 10.33.0 2026-03-24 17:15:56 +01:00
Zoltan Kochan
f3613f19c4 fix: handle non-string version selectors and invalid specifiers in hoistPeers (#11048, #11049)
Cherry-picked from main (021f70d0b0, f98a2db373).
2026-03-24 15:56:17 +01:00
Zoltan Kochan
2f3a745795 fix(core): improve no-TTY modules purge hint (#10973)
Cherry-picked from main (672e58c285).
2026-03-24 15:52:50 +01:00
Zoltan Kochan
d89edd050d fix: fail incompatible lockfile in frozen CI mode (#10978)
Cherry-picked from main (5d130c3aed).
2026-03-24 15:51:39 +01:00
Zoltan Kochan
28204a4c9a feat: add dedupePeers option to reduce peer dependency duplication (#11079)
When enabled, peer dependency suffixes use version-only identifiers
(name@version) instead of full dep paths, eliminating nested suffixes
like (foo@1.0.0(bar@2.0.0)). Transitive peers are still tracked but
identified by version instead of full dep path.

Backport of #11071 to v10.

Closes #11070
2026-03-24 13:51:52 +01:00
Zoltan Kochan
cb17c44e55 fix(dlx): fix race conditions in parallel dlx calls sharing
Global Virtual Store (#10939)

Content-verified skip in GVS mode, tolerate EPERM during
bin creation on Windows, handle EPERM in DLX cache symlink.

(cherry picked from commit 62f760ec3d)
2026-03-12 21:19:29 +01:00
Zoltan Kochan
eaae772717 chore(release): 10.32.1 2026-03-11 02:25:40 +01:00
Zoltan Kochan
49d249bf7f chore(release): 10.32.0 2026-03-09 22:43:09 +01:00
Zoltan Kochan
09ad1146b4 revert: "fix(lockfile): respect lockfile-include-tarball-url=false for non-standard URLs (#10621)"
This reverts commit 129d2541b1.
2026-03-09 22:17:22 +01:00
Zoltan Kochan
229c244e64 chore(release): 10.31.0 2026-03-08 00:30:23 +01:00
Zoltan Kochan
d18d7f341f feat: preserve comments when updating pnpm-workspace.yaml (#10402)
Cherry-pick of 2b14c742e from main, adapted for v10:
- Use CJS module type for @pnpm/yaml.document-sync
- Use ramda/src/equals import style (v10 CJS)
- Remove GLOBAL_CONFIG_YAML_FILENAME (v11-only)
- Replace write-yaml-file with yaml + write-file-atomic + patchDocument

Co-Authored-By: Brandon Cheng <gluxon@users.noreply.github.com>
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 23:52:12 +01:00
Zoltan Kochan
26cb5eac20 fix: adapt cherry-picked commits to v10 codebase
- Use Object.keys() instead of Map.keys() for Record<string, string> filenames
- Use tempy.directory() instead of temporaryDirectory() (v10 CJS style)
- Remove storeDir from ClientOptions (not in v10 API)
- Add missing WorkspaceState imports and mocks in test
- Fix lint: use commas in type literals, fix require import style
- Fix spellcheck in changeset

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-03-07 23:02:51 +01:00
Varun Chawla
129d2541b1 fix(lockfile): respect lockfile-include-tarball-url=false for non-standard URLs (#10621)
When lockfile-include-tarball-url is explicitly set to false, tarball URLs
are now always excluded from the lockfile. Previously, packages hosted under
non-standard tarball URLs would still have their tarball field written to the
lockfile even when the setting was false, causing flaky and inconsistent
behavior across environments.

The fix makes the option tri-state internally:
- true: always include tarball URLs
- false: never include tarball URLs
- undefined (not set): use the existing heuristic that includes tarball URLs
  only for packages with non-standard registry URLs

close #6667
2026-03-07 23:02:51 +01:00
Ryo Matsukawa
add108086a fix: dynamically calculate column widths in interactive update table (#10585)
* fix: dynamically calculate column widths in interactive update table

* test: implement copilot suggestions

* style: change order of functions

close #10316
2026-03-07 23:02:51 +01:00
Trevor Burnham
68999664a3 fix: allow env vars and updateConfig hook to override frozen-lockfile in CI (#10224)
When CI=true, pnpm automatically enables frozen-lockfile mode. Previously,
this could only be overridden via .npmrc files or CLI flags because the
code checked rawLocalConfig (which excludes env vars and hook changes).

Now checks the fully resolved config values (frozenLockfile and
preferFrozenLockfile) instead of rawLocalConfig, allowing:
- Environment variables (pnpm_config_frozen_lockfile=false)
- updateConfig hook in .pnpmfile.cjs
- .npmrc files (already worked)
- CLI flags (already worked)

Fixes #9861
2026-03-07 23:02:51 +01:00
Zoltan Kochan
2a56acc1b2 chore(release): 10.30.2 2026-02-24 00:36:58 +01:00
Zoltan Kochan
f1ab4b9966 fix(link-bins): use fs.promises.realpath in getBinNodePaths tests for Windows 8.3 paths
fs.realpathSync uses a JS-only implementation that only resolves symlinks,
not Windows 8.3 short names (e.g., RUNNER~1). Switch to fs.promises.realpath
which uses the native uv_fs_realpath (GetFinalPathNameByHandleW on Windows)
to properly resolve 8.3 short paths to their long form.
2026-02-23 22:22:25 +01:00
Zoltan Kochan
e0f7edeb91 fix(link-bins): normalize temp paths in getBinNodePaths tests for Windows
On Windows, temporaryDirectory() may return 8.3 short paths (e.g.,
RUNNER~1) but getBinNodePaths resolves via fs.realpath, returning long
paths (e.g., runneradmin). Use realpathSync to normalize expected paths.
2026-02-23 22:21:33 +01:00
Zoltan Kochan
dac1177ed4 fix(link-bins): stop prepending redundant paths to NODE_PATH in command shims (#10673)
Fixed "input line too long" error on Windows when running lifecycle scripts with the
global virtual store enabled. The `NODE_PATH` in command shims no longer includes all
paths from `Module._nodeModulePaths()`. Instead, it includes only the package's
bundled dependencies directory (e.g., `.pnpm/pkg@version/node_modules/pkg/node_modules`),
the package's sibling dependencies directory (e.g., `.pnpm/pkg@version/node_modules`),
and the hoisted `node_modules` directory. These paths are needed so that tools like
`import-local` (used by jest, eslint, etc.) which resolve from CWD can find the correct
dependency versions.
2026-02-23 16:38:46 +01:00
Zoltan Kochan
2624472617 fix: respect peer dep range in hoistPeers when preferred versions exist (#10655)
* fix: respect peer dep range in hoistPeers when preferred versions exist

Previously, hoistPeers used semver.maxSatisfying(versions, '*') which
picked the highest preferred version from the lockfile regardless of the
peer dep range. This caused overrides that narrow a peer dep range to be
ignored when a stale version existed in the lockfile.

Now hoistPeers first tries semver.maxSatisfying(versions, range) to find
a preferred version that satisfies the actual peer dep range. If none
satisfies it and autoInstallPeers is enabled, it falls back to the range
itself so pnpm resolves a matching version from the registry.

* fix: only fall back to exact-version range for overrides, handle workspace: protocol

- When no preferred version satisfies the peer dep range, only use the
  range directly if it is an exact version (e.g. "4.3.0" from an override).
  For semver ranges (e.g. "1", "^2.0.0"), fall back to the old behavior
  of picking the highest preferred version for deduplication.
- Guard against workspace: protocol ranges that would cause
  semver.maxSatisfying to throw.
- Add unit tests for hoisting deduplication and workspace: ranges.

* fix: only apply range-constrained peer selection for exact versions

The previous approach used semver.maxSatisfying(versions, range) for all
peer dep ranges, which broke aliased-dependency deduplication — e.g. when
three aliases of @pnpm.e2e/peer-c existed at 1.0.0, 1.0.1, and 2.0.0,
range ^1.0.0 would pick 1.0.1 instead of 2.0.0.

Now the range-aware logic only activates when the range is an exact
version (semver.valid), which is the override case (e.g. "4.3.0").
Regular semver ranges fall back to picking the highest preferred version.
2026-02-22 22:03:53 +01:00
Zoltan Kochan
958ab703d1 chore(release): libs 2026-02-17 16:44:04 +01:00
Zoltan Kochan
d12c9028ec chore(release): 10.30.0 2026-02-17 15:49:12 +01:00
Zoltan Kochan
f001ab770f chore(release): 10.29.3 2026-02-11 13:07:10 +01:00
Brandon Cheng
4794c61dd1 fix: disable global virtual store during pnpm deploy (#10577) 2026-02-11 02:20:56 +01:00
Zoltan Kochan
ea870c786f chore(release): 10.29.2 2026-02-09 02:22:45 +01:00
Zoltan Kochan
11202fc1ed chore(release): 10.29.0 2026-02-07 17:51:43 +01:00
Alessio Attilio
7adf26b017 fix: skip local file: protocol dependencies during pnpm fetch (#10514)
This fixes an issue where pnpm fetch would fail in Docker builds when
local directory dependencies (file: protocol) were not available.

The fix adds an ignoreLocalPackages option that is passed from the fetch
command to skip local dependencies during graph building, since pnpm
fetch only downloads packages from the registry and doesn't need local
packages that won't be available in Docker builds.

close #10460
2026-02-06 20:21:04 +01:00
Zoltan Kochan
9821d2d0c8 perf: save node_modules/.modules.yaml in JSON format (#10406) 2026-02-06 20:12:18 +01:00
Alessio Attilio
43d44c8d03 fix: prevent catalog: from leaking into pnpm-workspace.yaml (#10476)
close #10176
2026-02-06 20:02:20 +01:00
Brandon Cheng
0366516a76 fix: check updateSpec correctly when updating catalog snapshots (#10513) 2026-02-06 20:02:03 +01:00
Zoltan Kochan
89a2c4ec38 chore(release): 10.28.2 2026-01-26 15:17:27 +01:00
Zoltan Kochan
2220fe95c0 test: fix 2026-01-26 13:47:24 +01:00
3w36zj6
a484cea3f2 fix(npm-resolver): request full metadata for optional dependencies (#10455)
close #9950

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-01-26 01:28:47 +01:00
Zoltan Kochan
98a4a31ac2 test: fix 2026-01-22 21:51:14 +01:00
Zoltan Kochan
17432ad5bb fix: prevent path traversal in directories.bin (#10495)
by validating the bin directory is a subdirectory of the package root and adding relevant tests.
2026-01-21 15:54:44 +01:00
Zoltan Kochan
0b5a56aaec chore(release): 10.28.1 2026-01-19 12:12:58 +01:00
Zoltan Kochan
0209728ae0 fix: compile 2026-01-19 11:33:24 +01:00
Lindsay Glenn
d58bdaf73f fix(manifest-utils): normalize peer specs for protocol deps (#10442)
close #10417
2026-01-17 14:48:07 +01:00
Zoltan Kochan
8afbb15984 fix: prevent path traversal by validating bin names 2026-01-16 01:53:24 +01:00
btea
6e4b09415f fix: make catalog protocol matching error messages clearer (#10052)
* fix: verify in advance whether the specifier that the catalog pkg is valid

* fix: update error message

* test: update

* Update resolving/default-resolver/src/index.ts

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>

---------

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>
2026-01-16 01:53:08 +01:00
Zoltan Kochan
91a241e692 chore(release): 10.28.0 2026-01-09 23:47:40 +01:00
Brandon Cheng
ff4747f6c2 feat: improve filtered install performance
with an optimistic lookup of package metadata from store (#10408)
2026-01-09 19:56:51 +01:00
Zoltan Kochan
6bdba72ad3 chore(release): 10.27.0 2025-12-30 21:49:41 +01:00
Brandon Cheng
6eb43b356c fix: pnpm add incorrectly modifies a catalog entry in pnpm-workspace.yaml to its exact version (#10370)
* refactor: factor out a `getRealNameAndSpec` function

* test: `pnpm add` does not modify existing catalog entries

* fix: resolve preferred version without mutating bare specifier

close #9759
2025-12-29 02:07:59 +01:00
Brandon Cheng
5d983ba175 fix: handle npm aliases without a bare specifier in unwrapPackageName (#10374)
* refactor: factor out a `getRealNameAndSpec` function

* fix: handle npm aliases without a bare specifier in `unwrapPackageName`

* Fix formatting in unwrapPackageName.ts
2025-12-29 02:07:53 +01:00
Brandon Cheng
25d7e790f8 refactor: factor out a getRealNameAndSpec function (#10369) 2025-12-29 02:07:46 +01:00