- Wire minimumReleaseAgeLoose to strictPublishedByCheck in dlx resolver
- Strengthen loose fallback test assertion to verify specific version
- Update add command test name to reflect loose mode dependency
When true (the default), pnpm falls back to versions that don't meet the
minimumReleaseAge constraint if no mature versions satisfy the range
being resolved.
* test: update registry-mock to 6.0.0 stable and use pnpm view in tests
Update @pnpm/registry-mock from 6.0.0-6 to 6.0.0 stable release.
Replace npm view with pnpm view in test helpers now that pnpm has
native view/dist-tag commands. Unskip the nodeRuntime test that was
blocked on the registry-mock republish.
* chore: update pnpm to beta 8
* feat: support versions, dist-tags, and time field selectors in pnpm view
The view command now exposes versions (as an array of version strings),
dist-tags, and time from registry metadata. Single-field --json output
returns the raw value instead of wrapping it in an object, matching npm
behavior. This allows tests to use pnpm view instead of npm view.
- Update `@pnpm/registry-mock` from 5.2.4 to 6.0.0-6
- Fix auth tests to use bearer token from `globalSetup` instead of hardcoding credentials
- Replace hardcoded integrity checksums with `getIntegrity()` from registry-mock in `customResolvers` tests
- Add `prepareFixtureWithIntegrity()` helper in deps-restorer tests to dynamically patch `@pnpm.e2e` integrity values in fixture lockfiles at runtime, so they don't go stale when registry-mock is updated
- Fix `workspace-external-depends-deep` fixture's current lockfile (was missing `packages/f` and `packages/g` importers)
- Remove unnecessary credentials from `gitChecks` tests (they reject before any registry interaction)
* test: ensure prerelease weighting is correct
* fix: use higher weight for package versions already in lockfile
* test: remove fundamentally incompatible test
* fix(test): use undici MockAgent instead of nock for HTTP mocking
nock only patches Node's built-in http/https modules, but pnpm uses
undici for HTTP requests. Replace nock with @pnpm/testing.mock-agent
(which wraps undici's MockAgent) so the regression test actually
intercepts registry metadata requests.
* fix(benchmarks): show errors from store populate step
The populate step redirected both stdout and stderr to /dev/null,
hiding the actual error when pnpm install fails during benchmarks.
* fix(benchmarks): replace deprecated packages in benchmark fixture
The old fixture used deprecated babel 6, gulp, and other legacy
packages whose transitive dependencies (e.g. es-abstract) are missing
the "time" field in registry metadata, causing ERR_PNPM_MISSING_TIME
with time-based resolution mode.
Replace with modern equivalents (babel 7, webpack 5, MUI, Redux
Toolkit, etc.) that maintain a similar dependency tree size (~1300
packages) while using well-maintained packages with proper registry
metadata.
* fix(benchmarks): drop eslint plugins that pull in es-abstract
eslint-plugin-react, eslint-plugin-import, and eslint-plugin-jsx-a11y
transitively depend on es-abstract, whose registry metadata lacks the
"time" field. Replace them with eslint-plugin-prettier to avoid
ERR_PNPM_MISSING_TIME with time-based resolution.
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
When `pnpm audit --fix` adds overrides to fix vulnerabilities, it now
also adds the minimum patched version for each advisory to
`minimumReleaseAgeExclude` in pnpm-workspace.yaml. This allows
`pnpm install` to install the security fix without waiting for it to
satisfy the minimumReleaseAge constraint.
Closes#10263
* refactor: remove ignoreDepScripts and neverBuiltDependencies settings
These settings are redundant in v11:
- `ignore-dep-scripts` is superseded by the default behavior of `allowBuilds`
- `neverBuiltDependencies` was already dead code, replaced by `allowBuilds`
* chore: add changeset for removed ignore-dep-scripts setting
* feat(auth): implement `pnpm logout` command
Adds a new `pnpm logout` command that logs users out of npm registries.
The command revokes the authentication token on the registry via
DELETE /-/user/token/{token}, then removes it from the local auth.ini
config file. Token revocation is best-effort: local cleanup always
proceeds even if the registry is unreachable or doesn't support
revocation.
Uses the same dependency injection pattern as `pnpm login` for
comprehensive testability.
https://claude.ai/code/session_016fw5sdGFtBiB9QapMKEuXa
* fix(auth): address review feedback on pnpm logout
- Rename revokeToken to tryRevokeToken for self-documenting code
- Extract token removal into removeTokenFromAuthIni function
- Remove redundant comments that restate function names
- Fix toHaveProperty to use array syntax for keys containing dots
(avoids Jest property path parsing pitfall)
- Add globalWarn when token is found in authConfig but not in auth.ini,
informing the user it must be removed manually from .npmrc
- Add tests for the .npmrc-only warning case
https://claude.ai/code/session_016fw5sdGFtBiB9QapMKEuXa
* fix(auth): fix Windows CI failure in logout test
Use path.join in test expectations for the warning message path,
since path.join produces backslashes on Windows.
https://claude.ai/code/session_016fw5sdGFtBiB9QapMKEuXa
* refactor(auth): use jest.fn() for fetch assertions in logout tests
Replace manual fetchedUrls arrays with jest.fn() mocks and use
toHaveBeenCalledWith for cleaner, more idiomatic assertions.
https://claude.ai/code/session_016fw5sdGFtBiB9QapMKEuXa
* refactor: destructure `context`
* refactor: literal types for `method`
* refactor(auth): test cleanup per review feedback
- Rename mockFetch to fetch for shorthand property syntax
- Use platform-aware configDir in warning tests instead of
path.join on Unix-style paths
https://claude.ai/code/session_016fw5sdGFtBiB9QapMKEuXa
* style(auth): remove redundant return in createMockResponse arrow
Single-statement return-with-braces arrow function converted to
expression-body form.
https://claude.ai/code/session_016fw5sdGFtBiB9QapMKEuXa
* fix(auth): address Copilot review on pnpm logout
- Send Authorization: Bearer header in the DELETE token revocation
request, otherwise the registry returns 401 and the token is not
actually revoked
- Make tryRevokeToken return a boolean indicating whether the token
was actually revoked, and use it to choose the right warning when
the token is not in auth.ini
- Drop the misleading "(token removed locally)" suffix from the
registry-failure log messages, since the local removal may not
happen
- Extract getRegistryConfigKey and safeReadIniFile from login.ts and
logout.ts into a shared module to prevent the two commands from
drifting apart over time
- Add tests asserting the Authorization header is sent and that the
warning correctly distinguishes between revoked and not-revoked
cases
https://claude.ai/code/session_016fw5sdGFtBiB9QapMKEuXa
* fix(auth): throw on logout when nothing actually happened
When the registry rejects the token revocation AND the token is not
in auth.ini, neither side effect of logout actually happened — the
user is still authenticated locally and on the registry. Throwing
an ERR_PNPM_LOGOUT_FAILED error in this case avoids the misleading
"Logged out of ..." success message and gives a non-zero exit code.
https://claude.ai/code/session_016fw5sdGFtBiB9QapMKEuXa
---------
Co-authored-by: Claude <noreply@anthropic.com>
Implement dist-tag ls, add, and rm subcommands natively instead of
delegating to npm. Follows the same pattern as the recently added
deprecate and unpublish commands.
- Implements the `pnpm unpublish` command natively instead of passing through to npm
- Supports unpublishing specific versions or version ranges using semver
- Supports unpublishing entire packages with `--force` flag (with protection against accidental unpublish)
- Supports OTP authentication via `--otp` flag
- Supports custom registry via `--registry` flag
- Reuses existing data structures from the deprecate command
## Usage
```bash
# Unpublish a specific version
pnpm unpublish my-package@1.0.0
# Unpublish multiple versions matching a range
pnpm unpublish my-package@">1.0.0 <2.0.0"
# Unpublish entire package (requires --force)
pnpm unpublish my-package --force
# With custom registry
pnpm unpublish my-package --registry https://my-registry.com
```
## Changes
- Added `unpublish.ts` command in `releasing/plugin-commands-publishing/`
- Removed unpublish from npm pass-through list in `pnpm.ts`
- Added required dependencies: `@pnpm/fetch`, `semver`, `@types/semver`
Follows npm unpublish behavior and is aligned with the existing `pnpm deprecate` implementation.
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
Proxy settings (httpProxy, httpsProxy, noProxy), local-address,
strict-ssl, and git-shallow-hosts are now written to config.yaml
(global) or pnpm-workspace.yaml (local) instead of auth.ini/.npmrc.
They are still readable from .npmrc for easier migration from npm CLI.
The canonical YAML key names (httpProxy, httpsProxy, noProxy) match
Yarn Berry's naming convention.
- Add httpProxy, httpsProxy, noProxy to PnpmSettings type
- Add http-proxy to pnpmTypes and pnpmConfigFileKeys
- Separate network keys from auth keys in config routing
- Add isNpmrcReadableKey for backward-compatible .npmrc reading
The refactor in 45a6cb6b dropped `shell: true` from token helper
execution. On Windows, .bat/.cmd files require a shell to run,
causing all tokenHelper tests to fail.
The errorHandler test runs pnpm from this fixture directory. Without its
own workspace manifest, pnpm walked up and discovered the monorepo root,
triggering verifyDepsBeforeRun which modified unrelated files.
12 command test suites had near-identical ~50-field DEFAULT_OPTS objects
copy-pasted between them. Extract the common fields into a single shared
package so each suite only declares its overrides.
* refactor(config): split Config interface into settings + runtime context
Create ConfigContext for runtime state (hooks, finders, workspace graph,
CLI metadata) and keep Config for user-facing settings only. Functions
use Pick<Config, ...> & Pick<ConfigContext, ...> to express which fields
they need from each interface.
getConfig() now returns { config, context, warnings }. The CLI wrapper
returns { config, context } and spreads both when calling command
handlers (to be refactored to separate params in follow-up PRs).
Closes#11195
* fix: address review feedback
- Initialize cliOptions on pnpmConfig so context.cliOptions is never undefined
- Move rootProjectManifestDir assignment before ignoreLocalSettings guard
- Add allProjectsGraph to INTERNAL_CONFIG_KEYS
* refactor: remove INTERNAL_CONFIG_KEYS from configToRecord
configToRecord now accepts Config and ConfigContext separately, so
context fields are never in scope. Only auth-related Config fields
(authConfig, authInfos, sslConfigs) need filtering.
* refactor: eliminate INTERNAL_CONFIG_KEYS from configToRecord
configToRecord now receives the clean Config object and explicitlySetKeys
separately (via opts.config and opts.context), so context fields are
never in scope. main.ts passes the original split objects alongside
the spread for command handlers that need them.
* fix: spelling
* fix: import sorting
* fix: --config.xxx nconf overrides conflicting with --config CLI flag
When `pnpm add` registers `config: Boolean`, nopt captures
--config.xxx=yyy as the --config flag value instead of treating it
as a nconf-style config override. Fix by extracting --config.xxx args
before nopt parsing and re-parsing them separately.
Also rename the split config/context properties on the command opts
object to _config/_context to avoid clashing with the --config CLI option.
Major cleanup of the config system after migrating settings from `.npmrc` to `pnpm-workspace.yaml`.
### Config reader simplification
- Remove `checkUnknownSetting` (dead code, always `false`)
- Trim `npmConfigTypes` from ~127 to ~67 keys (remove unused npm config keys)
- Replace `rcOptions` iteration over all type keys with direct construction from defaults + auth overlay
- Remove `rcOptionsTypes` parameter from `getConfig()` and its assembly chain
### Rename `rawConfig` to `authConfig`
- `rawConfig` was a confusing mix of auth data and general settings
- Non-auth settings are already on the typed `Config` object — stop duplicating them in `rawConfig`
- Rename `rawConfig` → `authConfig` across the codebase to clarify it only contains auth/registry data from `.npmrc`
### Remove `rawConfig` from non-auth consumers
- **Lifecycle hooks**: replace `rawConfig: object` with `userAgent?: string` — only user-agent was read
- **Fetchers**: remove unused `rawConfig` from git fetcher, binary fetcher, tarball fetcher, prepare-package
- **Update command**: use `opts.production/dev/optional` instead of `rawConfig.*`
- **`pnpm init`**: accept typed init properties instead of parsing `rawConfig`
### Add `nodeDownloadMirrors` setting
- New `nodeDownloadMirrors?: Record<string, string>` on `PnpmSettings` and `Config`
- Replaces the `node-mirror:<channel>` pattern that was stored in `rawConfig`
- Configured in `pnpm-workspace.yaml`:
```yaml
nodeDownloadMirrors:
release: https://my-mirror.example.com/download/release/
```
- Remove unused `rawConfig` from deno-resolver and bun-resolver
### Refactor `pnpm config get/list`
- New `configToRecord()` builds display data from typed Config properties on the fly
- Excludes sensitive internals (`authInfos`, `sslConfigs`, etc.)
- Non-types keys (e.g., `package-extensions`) resolve through `configToRecord` instead of direct property access
- Delete `processConfig.ts` (replaced by `configToRecord.ts`)
### Pre-push hook improvement
- Add `compile-only` (`tsgo --build`) to pre-push hook to catch type errors before push
Replace the unmaintained @pnpm/npm-conf package with a purpose-built
module that reads only auth/registry-related settings from .npmrc files
using read-ini-file + @pnpm/config.env-replace (both already deps).
All non-registry settings (hoist-pattern, node-linker, etc.) are now
only read from pnpm-workspace.yaml, CLI options, or environment
variables. Registry-related settings (auth tokens, registry URLs,
SSL certs, proxy settings) continue to be read from .npmrc for
migration compatibility, and can also be set in pnpm-workspace.yaml.
New modules:
- loadNpmrcFiles.ts: reads .npmrc from standard locations, filters to
auth/registry keys, returns structured layers
- npmConfigTypes.ts: inlined npm config type definitions
- npmDefaults.ts: inlined npm defaults (registry, unsafe-perm, etc.)
The metadata cache files now use a two-line NDJSON format:
- Line 1: cache headers (etag, modified, cachedAt) ~100 bytes
- Line 2: raw registry metadata JSON (unchanged)
This allows loadMetaHeaders to read only the first 1 KB of the file
to extract conditional-request headers (etag, modified), avoiding
the cost of reading and parsing multi-MB metadata files when the
registry returns 200 and the old metadata would be discarded.
Also moves cache directories to v11/ namespace (v11/metadata,
v11/metadata-full, v11/metadata-full-filtered) since the format
is not backwards compatible.
The worker's initStore eagerly opened the SQLite index database, racing
with the main thread's StoreIndex constructor. On Windows with mandatory
file locking this caused SQLITE_CANTOPEN. The worker now initializes its
StoreIndex lazily on first use. Also fixed bare .catch() creating an
unhandled promise rejection.
The subfolder resolution tests were hitting real GitHub APIs and git
ls-remote, causing flaky failures when HTTP HEAD checks returned non-ok
responses (rate limiting, network issues), which made the resolver take
the private repo path instead of the tarball path.
* feat(auth): add "Press ENTER to open in browser" during web authentication
During web-based authentication (login, publish), users can now press
ENTER to open the authentication URL in their default browser. The
background token polling continues uninterrupted, so users who prefer
to authenticate on their phone can still do so without pressing anything.
The implementation uses Node's readline module (not raw mode), so Ctrl+C
and Ctrl+Z continue to work normally. It is fully error-tolerant: if the
keyboard listener or browser opening fails, a warning is printed and the
polling continues.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix(auth): inject readline and execFile directly, not wrapper functions
Address review feedback:
- Remove defaultListenForEnter and defaultOpenBrowser wrapper functions
- Inject readline module and execFile function directly via context
- DEFAULT_CONTEXT now references modules directly (no closures)
- Use switch for platform detection, default = no browser prompt
- Rename pollWithBrowserOpen → offerToOpenBrowser (clearer name)
- Add platform-specific tests (darwin, win32, linux, freebsd)
- Use PassThrough streams for stdin mocks in tests
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix(auth): fix CI type errors in test mocks
- Type jest.fn() mocks for readline.createInterface properly
- Use PassThrough streams for stdin mocks in releasing/commands tests
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* refactor(auth): use generic Stdin parameter to eliminate PassThrough in tests
Per review feedback, add a generic Stdin type parameter to context
interfaces. This ties process.stdin and readline.createInterface together
through the same type, so tests can use simple { isTTY: true } mocks
instead of requiring PassThrough streams.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix(auth): propagate Stdin generic to releasing/commands OtpContext
The OtpContext in releasing/commands extends BaseOtpContext from
web-auth. Now that BaseOtpContext is generic, the local OtpContext
and publishWithOtpHandling must also be generic so tests can use
simple stdin mocks without PassThrough.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix: sort imports in releasing/commands otp.ts
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* refactor(auth): use .bind() for readline injection instead of generics
Per review feedback, revert the generic Stdin approach and instead use
readline.createInterface.bind(null, { input: process.stdin }) as the
injectable dependency. This avoids generics proliferation while keeping
the context clean — no arrow functions or closures in DEFAULT_CONTEXT.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* feat(publish): add "Press ENTER to open in browser" during publish OTP
Wire up createReadlineInterface and execFile in the publish
SHARED_CONTEXT so that pnpm publish also offers to open the browser
during web-based OTP authentication.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix(auth): improve browser-open prompt message
Change "Press ENTER to open in browser..." to
"Press ENTER to open the URL in your browser."
The old message implied the user should press Enter. The new wording
presents it as an available action, not an instruction — users can
also scan the QR code or copy-paste the URL.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* style: remove unnecessary arrow wrapper around createMockReadlineInterface
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* docs: explain why Enter keypress is fire-and-forget, not awaited
Add a comment explaining that only pollPromise is awaited — the Enter
listener is intentionally not part of a Promise.all. This prevents a
future refactor from reintroducing the npm bug where authentication
blocks until Enter is pressed, even when the user authenticates on
another device.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* docs: add permalink to npm's Promise.all bug in comment
Link to the specific npm-profile commit (d1a48be4259) so the comment
remains accurate even if npm fixes the bug in the future.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix: correct line numbers in npm-profile permalink (L85-L98)
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* style: apply review suggestion for npm-profile permalink format
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* style: remove duplicate line in npm-profile comment
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix: shadow global process instead of renaming to proc
Destructure as `process` (not `proc`) so the global `process` is
shadowed, preventing accidental direct access to it.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix: merge process fields in test mock contexts
Restructure createMockContext to merge process fields instead of
replacing the entire object. Tests that only need to override
platform or stdin no longer need to redundantly provide the other.
Also adds a test for undefined platform (default: case).
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix: use Omit+Partial for process overrides in test mock contexts
The process field spread `...overrides?.process` merges at runtime but
TypeScript still requires all fields in the override type. Fix by typing
the process override as Partial via Omit<..., 'process'> & { process?: Partial<...> }.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* refactor: extract a type alias
* refactor: extract MockContextOverrides type alias in remaining tests
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* refactor(auth): extract process types, use NodeJS.Platform, clean up tests
- Extract OfferToOpenBrowserProcess interface from inline process type
- Extract LoginProcess interface from inline process type in LoginContext
- Use NodeJS.Platform instead of string for platform fields (prevents typos)
- Rename simulateEnter → simulateEnterKeypress (clarify it's the key)
- Convert single-return functions to arrow expressions in tests
- Update test descriptions to say "Enter key" / "Enter keypress"
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* refactor(auth): rename offerToOpenBrowser → promptBrowserOpen
Per review feedback, "offer to open browser" was mouthful. Renamed
function, file, and all associated types (OfferToOpenBrowser* →
PromptBrowserOpen*).
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* docs: drop "IMPORTANT"
* refactor(auth): extract OtpProcess interface from inline process type
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix(auth): validate authUrl before passing to execFile
On Windows, cmd.exe re-parses execFile arguments with full shell
grammar, so metacharacters (&, |, ^, etc.) in the URL would be
interpreted as operators. Validate that authUrl is a well-formed
http(s) URL before passing it to the platform browser command.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* test(auth): add regression test for URLs with query parameters on win32
Verifies that URLs containing & and other query string characters are
passed through to execFile as-is on the win32 platform.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix(auth): escape cmd.exe metacharacters in Windows browser open URL
On Windows, cmd.exe re-parses execFile arguments and treats & | < > ^ %
as operators. Escape these with ^ so query strings in auth URLs
(e.g. ?token=abc&redirect=...) are not split by cmd.exe.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix(auth): use canonicalized URL and expand cmd.exe escape set
- Use parsedUrl.href (canonicalized by new URL()) instead of the raw
authUrl string, ensuring percent-encoding of spaces and special chars.
- Expand cmd.exe metacharacter escaping to include () and ! in addition
to & | < > ^ %, covering grouping operators and delayed expansion.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* docs(auth): document Windows browser-opening edge cases
Explain why cmd /c start is used instead of ShellExecuteW (not
callable from Node.js without a native addon), why alternatives
like explorer.exe, rundll32, and PowerShell are unreliable, and
note that a Rust/N-API addon could replace this in the future.
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
* fix: fix cspell errors in Windows browser-open comment
Reword to avoid unknown words "rundll" and "metacharacter".
https://claude.ai/code/session_01UtDnjrNQ2Cc3GLAPR8BrrW
---------
Co-authored-by: Claude <noreply@anthropic.com>
* fix: remove rimrafSync in importIndexedDir fast-path error handler
When parallel processes import the same package into the global virtual
store, a transient error in one process's fast path would trigger
rimrafSync on the shared directory, deleting files that other processes
already completed or are actively reading. The staging path that follows
already handles replacing the directory correctly via renameOverwriteSync.
* test: add test for fast-path failure not deleting populated GVS directory
Simulates a transient I/O error during the fast-path import while another
process has already populated the target directory. Verifies that the
directory is preserved and the staging path recovers correctly.
* perf: use abbreviated metadata for minimumReleaseAge when possible
Instead of always fetching full package metadata when minimumReleaseAge
is set, fetch the smaller abbreviated document first and check the
top-level `modified` field. If the package was last modified before the
release age cutoff, all versions are mature and no per-version time
filtering is needed. Only re-fetch full metadata for the rare case of
recently-modified packages.
Also uses fs.stat() to check cache file mtime instead of reading and
parsing the JSON to check cachedAt, avoiding unnecessary I/O.
* fix: validate modified date and handle abbreviated metadata edge cases
- Validate meta.modified date to prevent invalid dates from bypassing
minimumReleaseAge filtering
- Skip full metadata refetch for packages excluded by publishedByExclude
- Allow ERR_PNPM_MISSING_TIME from cached abbreviated metadata to fall
through to the network fetch path instead of throwing
* fix: cache abbreviated metadata before re-fetching full metadata
Save the abbreviated metadata to disk before re-fetching full metadata
so subsequent runs benefit from the mtime cache fast-path.
* fix: resolve type narrowing for conditional metadata fetch result
Before fetching package metadata from the registry, stat the local cache
file and send its mtime as an If-Modified-Since header. If the registry
returns 304 Not Modified, read the local cache instead of downloading
the full response body. This saves bandwidth and latency for packages
whose metadata hasn't changed since the last fetch.
Registries that don't support If-Modified-Since simply return 200 as
before, so there is no behavior change for unsupported registries.
- Enable Happy Eyeballs (`autoSelectFamily`) for faster dual-stack (IPv4/IPv6) connection establishment
- Increase keep-alive timeouts (30s idle, 10min max) to reduce connection churn during install
- Set optimized global dispatcher so requests without custom options still benefit
- Pre-allocate `SharedArrayBuffer` for tarball downloads when `Content-Length` is known, avoiding intermediate chunk array and double-copy
The ENOTSUP fallback in createClonePkg() silently converted clone
failures to file copies, preventing the auto-importer from detecting
that cloning is not supported and falling through to hardlinks.
On filesystems without reflink support (e.g. ext4 on Linux CI),
this caused every file to be copied instead of hardlinked — a 2-9x
regression for install operations on large projects.
The fix uses a raw clone (without ENOTSUP fallback) for the auto-mode
probe. If the filesystem doesn't support cloning, the error propagates
and the auto-importer falls through to hardlinks. Once cloning is
confirmed to work, subsequent packages use the full clone importer
with ENOTSUP fallback for transient failures under heavy parallel I/O.
When parallel dlx processes install the same package, the shared global
virtual store can cause spurious failures (e.g. ENOENT from concurrent
directory swaps). Instead of crashing, check if another parallel process
has completed and populated the dlx cache in the meantime, and use that.
- Added `pnpm pm <command>` syntax that always runs the built-in pnpm command, bypassing any same-named script in `package.json`
- When a project defines a script like `"clean": "rm -rf dist"`, `pnpm clean` runs that script, but `pnpm pm clean` runs the built-in clean command
- This applies to all overridable commands: `clean`, `purge`, `rebuild`, `deploy`, `setup`
