* test: update registry-mock to 6.0.0 stable and use pnpm view in tests
Update @pnpm/registry-mock from 6.0.0-6 to 6.0.0 stable release.
Replace npm view with pnpm view in test helpers now that pnpm has
native view/dist-tag commands. Unskip the nodeRuntime test that was
blocked on the registry-mock republish.
* chore: update pnpm to beta 8
* feat: support versions, dist-tags, and time field selectors in pnpm view
The view command now exposes versions (as an array of version strings),
dist-tags, and time from registry metadata. Single-field --json output
returns the raw value instead of wrapping it in an object, matching npm
behavior. This allows tests to use pnpm view instead of npm view.
- Update `@pnpm/registry-mock` from 5.2.4 to 6.0.0-6
- Fix auth tests to use bearer token from `globalSetup` instead of hardcoding credentials
- Replace hardcoded integrity checksums with `getIntegrity()` from registry-mock in `customResolvers` tests
- Add `prepareFixtureWithIntegrity()` helper in deps-restorer tests to dynamically patch `@pnpm.e2e` integrity values in fixture lockfiles at runtime, so they don't go stale when registry-mock is updated
- Fix `workspace-external-depends-deep` fixture's current lockfile (was missing `packages/f` and `packages/g` importers)
- Remove unnecessary credentials from `gitChecks` tests (they reject before any registry interaction)
Replace the unmaintained @pnpm/npm-conf package with a purpose-built
module that reads only auth/registry-related settings from .npmrc files
using read-ini-file + @pnpm/config.env-replace (both already deps).
All non-registry settings (hoist-pattern, node-linker, etc.) are now
only read from pnpm-workspace.yaml, CLI options, or environment
variables. Registry-related settings (auth tokens, registry URLs,
SSL certs, proxy settings) continue to be read from .npmrc for
migration compatibility, and can also be set in pnpm-workspace.yaml.
New modules:
- loadNpmrcFiles.ts: reads .npmrc from standard locations, filters to
auth/registry keys, returns structured layers
- npmConfigTypes.ts: inlined npm config type definitions
- npmDefaults.ts: inlined npm defaults (registry, unsafe-perm, etc.)
Replace node-fetch with native undici for HTTP requests throughout pnpm.
Key changes:
- Replace node-fetch with undici's fetch() and dispatcher system
- Replace @pnpm/network.agent with a new dispatcher module in @pnpm/network.fetch
- Cache dispatchers via LRU cache keyed by connection parameters
- Handle proxies via undici ProxyAgent instead of http/https-proxy-agent
- Convert test mocking from nock to undici MockAgent where applicable
- Add minimatch@9 override to fix ESM incompatibility with brace-expansion
Instead of rendering the full peer dependency issues tree during installation,
suggest users run "pnpm peers check" to view the issues. Remove the now-unused
@pnpm/installing.render-peer-issues package.
* feat: use yarn-like output for script execution
Print `$ command` instead of `> pkg@version stage path\n> command`.
Show project name and path only when running in a different directory.
* fix: sort chalk dependency after @pnpm packages
* refactor: remove project info line from run output
* chore: add changeset
* refactor: print script command line to stderr
The `$ command` line is metadata, not program output. Printing it to
stderr keeps stdout clean for piping, matching bun's behavior.
* chore: update changeset to major
* fix: stop setting npm_config_ env vars from pnpm config during lifecycle scripts
Update @pnpm/npm-lifecycle to 1100.0.0-0 which no longer dumps the
entire pnpm config as npm_config_* environment variables. This fixes
npm warnings about unknown config when lifecycle scripts invoke npm.
Only well-known npm_* env vars are now set, matching Yarn's behavior.
* fix: fix spellcheck in changeset
* chore: remove obsolete @pnpm/npm-lifecycle patch file
* fix: pass npm_config_user_agent via extraEnv in lifecycle scripts
The npm-lifecycle makeEnv() strips all npm_* vars from process.env,
so npm_config_user_agent must be explicitly passed via extraEnv.
* chore: mark changeset as major (breaking change)
* refactor: extract web auth QR code and polling into @pnpm/network.web-auth
Extract generateQrCode() and pollForWebAuthToken() from releasing/commands
into a new shared package so that both `pnpm publish` and the upcoming
`pnpm login` can reuse the web-based authentication flow with QR code
display and doneUrl polling.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* feat: implement `pnpm login` command
Add `pnpm login` (and `pnpm adduser` alias) for authenticating with npm
registries. The command:
- Tries web-based login first (POST /-/v1/login), displaying a QR code
and polling for the token using @pnpm/network.web-auth
- Falls back to classic username/password/email login (PUT /-/user/
org.couchdb.user:<username>) when web login is not supported (404/405)
- Saves the received auth token to the user's global rc file
Also fixes a tsgo build issue in releasing/commands where
OtpWebAuthFetchOptions was used as a local type alias but was only
available as a re-exported name.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* fix: resolve spellcheck issues in login test
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* fix: correct alphabetical ordering for meta-updater
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* chore: add meta-updater generated tsconfig files
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* fix: add explicit return type to prompt mock for tsgo compatibility
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* fix: use @pnpm/network.fetch instead of globalThis.fetch
Switch from globalThis.fetch to fetchWithAgent from @pnpm/network.fetch
so that pnpm login respects proxy settings (httpProxy/httpsProxy/noProxy),
custom SSL certificates (ca/cert/key), strictSsl, and retry configuration.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: improve login fetch types and use URL constructor
- Type LoginContext.fetch using WebAuthFetchOptions/WebAuthFetchResponse
from @pnpm/network.web-auth, extended with text() and wider method
- Replace regex-based URL construction with new URL() constructor
- Remove redundant LoginFetchInit type
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: match publish pattern for dependency injection
- Static DEFAULT_CONTEXT constant instead of createDefaultContext factory
- context = DEFAULT_CONTEXT default parameter instead of context?: Partial
- Destructure context in function signatures for natural calling
- Use plain fetch from @pnpm/network.fetch (like SHARED_CONTEXT in publish)
- Context contains only side-effect functions and modules, not config
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: use typeof fetch instead of custom fetch types
Remove LoginFetchOptions and LoginFetchResponse. Type LoginContext.fetch
as typeof fetch from @pnpm/network.fetch directly, eliminating all casts.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* fix: remove placeholder username from login success message
Web login doesn't return a username, so just report the registry.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: use tempDir from @pnpm/prepare instead of manual tmp dirs
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* chore: update tsconfig references for @pnpm/prepare
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: inject readSettings/writeSettings for fully pure tests
Add readSettings and writeSettings to LoginContext so tests need no
filesystem side effects. Remove @pnpm/prepare devDependency.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: remove DEFAULT_CONTEXT from tests, use pure test context
Tests now construct their own TEST_CONTEXT with all no-op mocks,
eliminating any reliance on real side-effectful functions.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* test: use distinct opts per test, assert URLs and config paths
Each test now uses a different registry and configDir to verify URL
construction, config key generation, and save path are correct for
non-default options.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* test: throw on unexpected mock calls instead of silent fallbacks
All mock functions in TEST_CONTEXT now throw on unexpected calls,
ensuring tests fail loudly if the code makes unanticipated side effects.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* test: use IANA-reserved example.com domains in test URLs
Replace custom.registry.io and private.reg.co with example.com and
example.org (RFC 2606 reserved) to prevent domain squatting risks.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* test: use deterministic Date mock instead of native Date
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* test: assert globalInfo calls, throw on unexpected ones
Default globalInfo in TEST_CONTEXT now throws. Each test overrides it
to capture messages and asserts the expected output.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* fix: use inferred type for fetch url parameter in tests
Drop explicit `string` annotation so the parameter matches the
`RequestInfo` type expected by the fetch signature.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* fix: resolve type errors in login test mock fetch
Use mockResponse helper with `as any` cast to satisfy the Response
type, and String(url) for RequestInfo-to-string conversion.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* chore: add tsconfig.lint.tsbuildinfo to .gitignore
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: replace typeof fetch with explicit LoginFetchResponse/LoginFetchOptions types
Derive the fetch signature from actual call-site usage instead of
coupling to the concrete @pnpm/network.fetch type. This lets test
mocks return plain objects without casts.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* chore: gitignore generated pn/pnpx/pnx artifacts
These files are created by setup.js during preinstall and should not
be tracked.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: remove unnecessary backwards-compat aliases from otp.ts
Remove Otp-prefixed re-exports (OtpWebAuthFetchOptions,
OtpWebAuthFetchResponse, OtpWebAuthTimeoutError) that only existed as
backwards-compatibility shims. Update the test to import directly from
@pnpm/network.web-auth. Restore the named OtpDate interface that was
unnecessarily inlined.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* test(web-auth): add comprehensive unit tests for @pnpm/network.web-auth
Add dependency-injected unit tests covering:
- WebAuthTimeoutError: properties, code, hint, message
- generateQrCode: basic output and input differentiation
- pollForWebAuthToken: happy path, fetch argument passing,
Retry-After handling (valid, non-finite, null, sub-interval,
capped to remaining timeout, timeout during retry wait),
error recovery (fetch throws, non-ok response, json parse error,
missing token, empty token, multiple consecutive errors),
custom timeout, poll interval timing
All tests use fake Date.now() and setTimeout — no real timers or
side effects.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* fix(web-auth): fix TS2339 compile errors in test assertions
Replace `.catch((e: WebAuthTimeoutError) => e)` pattern with
`rejects.toMatchObject()` to avoid `string | WebAuthTimeoutError`
union type issue when accessing `.timeout` property.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* feat(web-auth,login): extract shared OTP handling and add OTP support to login
- Create `withOtpHandling<T>()` in `@pnpm/network.web-auth` that wraps
any operation with EOTP challenge detection, web auth flow, and
classic OTP prompting.
- Refactor `publishWithOtpHandling` to delegate to the shared function.
- Add OTP handling to `pnpm login`'s classic (CouchDB) login flow:
detects 401 + `www-authenticate: otp` header and retries with the
OTP code (or web auth token) in the `npm-otp` header.
- Remove overly strict `this: this` constraints from WebAuthFetchResponse
interfaces to improve cross-package type compatibility.
- Add 13 unit tests for `withOtpHandling` (classic + webauth flows).
- Add 4 login OTP tests (classic OTP, webauth OTP, non-401, non-otp 401).
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* fix(login): use word-boundary regex for URL assertion in test
Replace `m.includes(url)` with a regex that checks the URL is
bounded by whitespace or string boundaries, addressing the CodeQL
"incomplete URL substring sanitization" finding.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor(login): use toContainEqual + stringMatching for URL assertion
Replace manual `.some()` with Jest's `toContainEqual(expect.stringMatching(...))`
for better error messages on failure.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor(web-auth): use expect.any(String) instead of typeof check
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor(web-auth): consolidate multi-property assertions
Use toMatchObject and toEqual instead of separate per-property expects.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* docs: explain why npm-auth-type header is sent unconditionally
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: remove unused re-exports and add missing test coverage
Remove dead re-exports of OtpHandlingPromptOptions and
OtpHandlingPromptResponse from releasing/commands/src/publish/otp.ts.
Add tests for:
- LOGIN_MISSING_CREDENTIALS (empty username in classic login)
- LOGIN_NO_TOKEN (registry returns success without token)
- LOGIN_INVALID_RESPONSE (web login returns incomplete response)
- isWebLoginNotSupported with 405 status code
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor(login): rename readSettings/writeSettings to safeReadIniFile/writeIniFile
Use the actual function names in the LoginContext interface instead of
abstract names, matching the implementations they wrap.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor(otp): remove unnecessary re-exports from otp.ts
OtpNonInteractiveError, OtpSecondChallengeError, and OtpHandlingEnquirer
were re-exported only for the test file, which can import them directly
from @pnpm/network.web-auth.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor(otp): remove unused SHARED_CONTEXT re-export
All consumers already import SHARED_CONTEXT directly from
./utils/shared-context.js, making this re-export dead code.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor(login): extract LoginDate and LoginEnquirer interfaces
Extract named interfaces for the Date and enquirer members of
LoginContext instead of inlining their types.
https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S
* refactor: stop renaming
Claude Code Web didn't rename them thoroughly, so I had to do it myself
* docs: correct the lines
Why did Claude Code Web misaligned?
* refactor: strictly type `LoginFetchOptions.headers`
* docs: remove redundant comments
* refactor: inline `npm-otp`
* refactor: inline `headers`
* feat: add `WebLoginError.responseText`
* refactor: rename `statusCode` into `httpStatus`
* refactor(login): extract ClassicLoginError subclass from PnpmError
Extract the LOGIN_FAILED error into a dedicated ClassicLoginError class
with httpStatus and responseText properties, matching the WebLoginError
pattern.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: remove unnecessary import
* docs(changeset): correct a changeset
* docs(changeset): re-add `releasing.commands`
* refactor(web-auth): split monolithic test file into per-module files
Split index.test.ts into four files matching the source structure:
- WebAuthTimeoutError.test.ts
- generateQrCode.test.ts
- pollForWebAuthToken.test.ts
- withOtpHandling.test.ts
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: remove unnecessary `as const`
* refactor: remove unnecessary `as const`
* chore: undo Claude's BS
* refactor: extract `LoginEnquirerOptions`
* refactor: move types closer to their usesites
* refactor: remove simple type alias
* fix: type errors
* refactor(login): inject readIniFile instead of safeReadIniFile in context
The context object should only contain external dependencies. safeReadIniFile
is a local wrapper, not an external dependency, so inject readIniFile (from
read-ini-file) instead and pass it to safeReadIniFile as a parameter.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* test(login): add coverage for safeReadIniFile ENOENT handling
Test that login succeeds with empty settings when the config file does
not exist (ENOENT), and that non-ENOENT errors (e.g. EACCES) are
properly propagated.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: fix ugliness
* refactor: just pass context object
* refactor: destructure `context`
* refactor: pass the `context` object
* refactor: destructure `context`
* refactor: pass `context` object directly
* refactor: remove unnecessary parenthesis
* fix: remove unused import
* refactor: remove unnecessary parentheses from single-param arrows in tests
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: extract `LoginFetchResponseHeaders`
* fix(login): remove inline default from --registry option description
No other pnpm command includes "(default: ...)" in option descriptions.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor(tests): enforce realistic mock response behavior
- Add createMockResponse helpers that enforce single body consumption
(calling text() or json() twice, or both, throws an error)
- Default headers.get to throwing on unexpected calls, forcing tests
to explicitly provide headers when the code under test reads them
- Replace all inline response objects with createMockResponse calls
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix: formatting
* refactor: reuse
* docs: clarify what the error is actually about
* docs: consistent error message
* refactor: use consistent error message convention in test mocks
Capitalize and use "Unexpected call to <thing>" pattern instead of
AI-generated "unexpected X call" messages.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: expand inline process mock objects to multi-line
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor(login): extract PnpmError subclasses and use stricter test assertions
Extract LoginNonInteractiveError, LoginInvalidResponseError,
LoginMissingCredentialsError, and LoginNoTokenError subclasses instead
of throwing PnpmError directly.
Update test assertions to use the const promise pattern with
toHaveProperty checks on both code and message, matching the
convention used elsewhere in the codebase.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: undo ai's nonsensical deletion
* refactor: simplify
* refactor: rename OtpHandling* types to Otp* for brevity
OtpHandlingContext → OtpContext
OtpHandlingEnquirer → OtpEnquirer
OtpHandlingPromptOptions → OtpPromptOptions
OtpHandlingPromptResponse → OtpPromptResponse
The OtpHandling prefix was named after the function (withOtpHandling)
rather than the domain concept.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: extract `OtpDate`
* refactor: reuse
* fix: eslint
* refactor: add OtpRequiredError with body validation and globalWarn
- Add OtpRequiredError class with static fromUnknown() that validates
the EOTP error body shape and returns either a validated error or an
OtpBodyWarning when fields have unexpected types
- Add globalWarn to OtpContext so withOtpHandling can warn on bad body
shapes instead of silently dropping them
- Update throwIfOtpRequired in login.ts to pass raw body through so
validation happens in withOtpHandling via fromUnknown
- Add tests for bad body shapes (wrong types for authUrl/doneUrl)
- Add tests for OtpRequiredError.fromUnknown
- Propagate globalWarn through LoginContext, DEFAULT_CONTEXT,
SHARED_CONTEXT, and all test mocks
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* docs: remove misleading comment from throwIfOtpRequired
The comment referenced downstream machinery (OtpRequiredError.fromUnknown)
that the reader shouldn't need to know about at this call site.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: replace Object.assign hack with OtpRequiredError in throwIfOtpRequired
throwIfOtpRequired now validates the raw response body via
OtpRequiredError.fromUnknown and throws a proper OtpRequiredError
instead of monkey-patching properties onto a plain Error.
withOtpHandling skips re-validation when the caught error is already
an OtpRequiredError instance.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* chore(git): revert an imperfect fix
This reverts commit f91efc1d9e.
* chore(git): revert would-be irrelevant change
This reverts commit 646c09cc66.
* chore(git): revert an imperfect fix
This reverts commit 45ff1ca601.
* refactor: replace Object.assign hack with ArtificialOtpError
Add ArtificialOtpError class that implements OtpError and validates
unknown body shapes via fromUnknownBody static method, warning on
unexpected types instead of silently dropping them.
Add globalWarn to OtpContext and propagate through LoginContext,
DEFAULT_CONTEXT, SHARED_CONTEXT, and all test mocks.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: rename ArtificialOtpError to SyntheticOtpError
"Synthetic" better conveys that the error is programmatically
constructed from raw data, not that it's fake.
Also fix grammatical error in JSDoc ("meant to thrown" → "meant to be thrown").
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix: eslint
Claude Code Web got it wrong this time
(or maybe because it inherited from my sketch diff? I'm not sure)
* fix: eslint
Ah! I got it. Claude Code Web was at fault here: It renamed "artificial"
to "synthetic" without re-ordering
Dumb AI!
* fix: formatting
Once again caused by Claude Code.
Anyway,
The exact equivalent refactor should have been `void warnings.push(msg)`,
if you really want to be pedantic, that is.
TypeScript, however, allows a `void` function to return any type. Reason
being that they shall all be discarded anyway.
* refactor: remove unnecessary re-assignment
* test: remove unnecessary assertion
* refactor: make default globalInfo and globalWarn mocks throw on unexpected calls
Replace no-op defaults with throwing mocks in createOtpMockContext
and createMockContext. Tests that expect these to be called now
explicitly override them.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: use toEqual with stringContaining for array assertions
Replace toHaveLength + indexed toContain pairs with single
toEqual([expect.stringContaining(...)]) assertions.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: replace globalInfo no-ops with jest.fn() and add assertions
For error tests: remove globalInfo override entirely, letting the
default throwing mock catch unexpected calls.
For success tests: use jest.fn() and assert globalInfo was called
with the expected arguments.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: replace manual array collectors with jest.fn()
Replace infoMessages/warnings arrays and push callbacks with
jest.fn() and assertions on .mock.calls. This is more idiomatic
and eliminates the boilerplate array + push pattern.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: replace remaining globalInfo no-ops with jest.fn() in otp.test.ts
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix(test): throw on unexpected second call instead of returning 'never'
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix(test): add missing globalInfo assertion in classic OTP test
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix(test): add missing globalInfo assertion in otp webauth polling test
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix(test): add @jest/globals import for jest.fn()
jest is not a global in ESM mode (--experimental-vm-modules).
Add import { jest } from '@jest/globals' to all test files using
jest.fn(), and add @jest/globals devDependency to network/web-auth.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* chore(deps): update lockfile
* fix: eslint
* fix(test): add globalInfo mock to EACCES readIniFile test
The test triggers web login (which calls globalInfo with the QR code)
before reaching readIniFile. Without a globalInfo override, the
default throwing mock causes the test to fail at the wrong point.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix(test): add missing globalInfo assertion in EACCES readIniFile test
Extract inline jest.fn() to const and assert it was called with
the web login QR code URL.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: convert functions with 3+ args to params objects
Per the style guide: "Functions should have no more than two or three
arguments. If a function needs more parameters, use a single options
object instead."
- withOtpHandling(operation, context, fetchOptions) → withOtpHandling({ operation, context, fetchOptions })
- pollForWebAuthToken(doneUrl, context, fetchOptions, timeoutMs) → pollForWebAuthToken({ doneUrl, context, fetchOptions, timeoutMs })
- webLogin(registry, fetchOptions, context) → webLogin({ registry, fetchOptions, context })
- classicLogin(registry, context, fetchOptions) → classicLogin({ registry, context, fetchOptions })
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: sort params object properties alphabetically
Sort interface properties, function signature destructuring, and
call site arguments in alphabetical order to match the convention
used by publishWithOtpHandling.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* refactor: adopt otp.test.ts patterns in login and web-auth tests
- Build context and opts as separate variables, then call login/
withOtpHandling/pollForWebAuthToken on a clean line
- Add createMockContext to login.test.ts
- Convert createMockContext to arrow functions (single return
expression), keep createMockResponse as function declaration
(has local state)
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix: eslint
* refactor: inline the one-off function
* fix(login): avoid sending 'npm-otp: undefined' header on initial request
When otp is undefined (first attempt before OTP challenge), the header
'npm-otp': undefined could be coerced to the string "undefined" by
some HTTP implementations. Use conditional spread instead.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* docs(login): explain why npm-otp header is conditionally spread
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* docs(otp): explain why otp: undefined is safe in publishOptions spread
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix(test): use path.join in assertions for Windows compatibility
path.join produces backslashes on Windows, so hardcoded forward-slash
paths in assertions fail on Windows CI.
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
* fix: import order — standard library before external deps
https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ
---------
Co-authored-by: Claude <noreply@anthropic.com>
## Summary
`linkBin()` unconditionally calls `cmdShim()` / `symlinkDir()` even when the target bin already points at the correct path. This causes redundant I/O on repeated installs and `EACCES` failures when the bin directory lives on a read-only filesystem (Docker layer caching, CI prewarm, NFS mounts).
This PR adds a check at the top of `linkBin()` that verifies the existing bin before skipping:
- **Symlinks**: `readlink` target is compared against `cmd.path`
- **Cmd-shim files**: checked via `isShimPointingAt()` from `@zkochan/cmd-shim` v9, which embeds a `# cmd-shim-target=<path>` marker in every generated sh shim
- Files larger than 4KB (binaries) are never skipped — they are not cmd-shims
Stale or incorrect bins (wrong target, missing marker, different provider) are always rewritten.
Follows up on feedback from #11020.
## Changes
- `bins/linker/src/index.ts` — add target verification check in `linkBin()`
- `bins/linker/test/index.ts` — tests for skip and rewrite behavior
- `pnpm-workspace.yaml` — upgrade `@zkochan/cmd-shim` to v9
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
* feat: load default trusted deps list from @pnpm/plugin-trusted-deps
Add a new `use-default-trusted-deps` setting (default: true) that
automatically loads a curated list of known-good packages into
`allowBuilds` from @pnpm/plugin-trusted-deps. User-configured
allowBuilds entries take precedence over the defaults. Set
`use-default-trusted-deps=false` to disable.
* fix: use catalog reference for @pnpm/plugin-trusted-deps
* fix: use default import for @pnpm/plugin-trusted-deps CJS compat
The package uses Object.defineProperty for DEFAULT_ALLOW_BUILDS,
which Node.js/Jest ESM interop can't detect as a named export.
Switch to a default import to fix test failures.
* fix: use named ESM import from @pnpm/plugin-trusted-deps@0.3.0-1
The package now ships an ESM entry point with proper named exports,
so we can use a clean named import instead of the default import
workaround.
* fix: update @pnpm/plugin-trusted-deps to 0.3.0-2
Uses static JSON import attributes in ESM entry, fixing the bundle
issue where createRequire resolved paths relative to the bundle
output instead of the original package.
* refactor: rename setting to allow-builds-for-trusted-deps
* test: disable default trusted deps in approveBuilds tests
The tests assert exact allowBuilds contents, so the default trusted
list must be disabled to avoid polluting the expected values.
* fix: don't persist default trusted deps list to pnpm-workspace.yaml
Track the user's original allowBuilds separately as userAllowBuilds
before merging the default trusted list. Use userAllowBuilds when
writing back to pnpm-workspace.yaml to avoid persisting the ~370
default entries from @pnpm/plugin-trusted-deps.
* refactor: rename setting to allow-builds-of-trusted-deps
* docs: use camelCase for setting name in changeset
* fix: include userAllowBuilds in install command opts types
Without this, userAllowBuilds wasn't passed through to
handleIgnoredBuilds, causing the default trusted list to be
written to pnpm-workspace.yaml during e2e tests.
* fix: set userAllowBuilds to empty object when user has no config
When the user has no allowBuilds configured, userAllowBuilds was
undefined, causing handleIgnoredBuilds to fall back to the merged
allowBuilds (with defaults). Use empty object instead so the
fallback doesn't trigger.
* fix: read allowBuilds from workspace manifest when writing back
Instead of tracking userAllowBuilds separately (which gets stale
when other code writes to pnpm-workspace.yaml mid-install), read
the current allowBuilds directly from pnpm-workspace.yaml before
writing. This avoids persisting the default trusted list and
preserves entries written by --allow-build earlier in the flow.
Also update e2e test expectation: esbuild is now in the default
trusted list, so it builds instead of being ignored.
* chore: update tsconfig references for new dependencies
* test: disable default trusted deps in approveBuilds e2e install
The execPnpmInstall helper runs the bundled CLI which picks up
the default allowBuildsOfTrustedDeps=true. This causes extra
placeholder entries in pnpm-workspace.yaml that break assertions.
* fix: revert approveBuilds to use config-based allowBuilds
approveBuilds.handler should use opts.allowBuilds from getConfig()
(which excludes trusted deps defaults when disabled) rather than
reading the workspace manifest. The handler's job is to write
approve/deny decisions, not merge with auto-populated placeholders.
* test: add config reader tests for allowBuildsOfTrustedDeps
Cover: (1) default enabled with trusted defaults merged,
(2) user allowBuilds overrides defaults, (3) setting
allow-builds-of-trusted-deps=false disables the merge.
Previously, globally installed binaries were placed directly in
PNPM_HOME, which also contains internal directories (global/, store/).
This polluted shell autocompletion with non-executable entries.
Now binaries are stored in PNPM_HOME/bin, keeping the PATH clean.
Closes#10986
* chore: update all dependencies to latest versions
Update all outdated dependencies across the monorepo catalog and fix
breaking changes from major version bumps.
Notable updates:
- ESLint 9 → 10 (fix custom rule API, disable new no-useless-assignment)
- @stylistic/eslint-plugin 4 → 5 (auto-fixed indent changes)
- @cyclonedx/cyclonedx-library 9 → 10 (adapt to removed SPDX API)
- esbuild 0.25 → 0.27
- TypeScript 5.9.2 → 5.9.3
- Various @types packages, test utilities, and build tools
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: update unified/remark/mdast imports for v11/v4 API changes
Update imports in get-release-text for the new ESM named exports:
- mdast-util-to-string: default → { toString }
- unified: default → { unified }
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: resolve typecheck errors from dependency updates
- isexe v4: use named import { sync } instead of default export
- remark-parse/remark-stringify v11: add vfile as packageExtension
dependency so TypeScript can resolve type declarations
- get-release-text: remove unused @ts-expect-error directives
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: revert runtime dependency major version bumps
Revert major version bumps for runtime dependencies that are bundled
into pnpm to fix test failures where pnpm add silently fails:
- bin-links: keep ^5.0.0 (was ^6.0.0)
- cli-truncate: keep ^4.0.0 (was ^5.2.0)
- delay: keep ^6.0.0 (was ^7.0.0)
- filenamify: keep ^6.0.0 (was ^7.0.1)
- find-up: keep ^7.0.0 (was ^8.0.0)
- isexe: keep 2.0.0 (was 4.0.0)
- normalize-newline: keep 4.1.0 (was 5.0.0)
- p-queue: keep ^8.1.0 (was ^9.1.0)
- ps-list: keep ^8.1.1 (was ^9.0.0)
- string-length: keep ^6.0.0 (was ^7.0.1)
- symlink-dir: keep ^7.0.0 (was ^9.0.0)
- terminal-link: keep ^4.0.0 (was ^5.0.0)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: restore runtime dependency major version bumps
Re-apply all runtime dependency major version bumps that were
previously reverted. All packages maintain their default exports
except isexe v4 which needs named imports.
Updated runtime deps:
- bin-links: ^5.0.0 → ^6.0.0
- cli-truncate: ^4.0.0 → ^5.2.0
- delay: ^6.0.0 → ^7.0.0
- filenamify: ^6.0.0 → ^7.0.1
- find-up: ^7.0.0 → ^8.0.0
- isexe: 2.0.0 → 4.0.0 (fix: use named import { sync })
- normalize-newline: 4.1.0 → 5.0.0
- p-queue: ^8.1.0 → ^9.1.0
- ps-list: ^8.1.1 → ^9.0.0
- string-length: ^6.0.0 → ^7.0.1
- symlink-dir: ^7.0.0 → ^9.0.0
- terminal-link: ^4.0.0 → ^5.0.0
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: revert tempy to 3.0.0 to fix bundle hang
tempy 3.2.0 pulls in temp-dir 3.0.0 which uses async fs.realpath()
inside its module init. When bundled by esbuild into the __esm lazy
init pattern, this causes a deadlock during module initialization,
making the pnpm binary hang silently on startup.
Keeping tempy at 3.0.0 which uses temp-dir 2.x (sync fs.realpathSync).
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add comment explaining why tempy cannot be upgraded
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: revert nock to 13.3.4 for node-fetch compatibility
nock 14 changed its HTTP interception mechanism in a way that doesn't
properly intercept node-fetch requests, causing audit tests to hang
waiting for responses that are never intercepted.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* docs: add comment explaining why nock cannot be upgraded
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: update symlink-dir imports for v10 ESM named exports
symlink-dir v10 removed the default export and switched to named
exports: { symlinkDir, symlinkDirSync }.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: revert @typescript/native-preview to working version
Newer tsgo dev builds (>= 20260318) have a regression where
@types/node cannot be resolved, breaking all node built-in types.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: vulnerabilities
* fix: align comment indentation in runLifecycleHook
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: pin msgpackr to 1.11.8 for TypeScript 5.9 compatibility
msgpackr 1.11.9 has broken type definitions that use Iterable/Iterator
without required type arguments, causing compile errors with TS 5.9.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: reduce noisy warnings in test output
- Suppress ExperimentalWarning and DEP0169 via --disable-warning in NODE_OPTIONS
- Fix MaxListenersExceededWarning by raising limit in StoreIndex when adding exit listeners
- Update meta-updater to generate the new _test scripts
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: stop streaming pnpm subprocess output during CLI tests
Buffer stdout/stderr from execPnpm instead of writing to the parent
process in real time. Output is still included in the error message on
failure.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: pipe all subprocess output in CLI tests
Use stdio: 'pipe' for all pnpm/pnpx spawn helpers so subprocess output
is buffered instead of printed. Output is still included in error
messages on failure.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: remove duplicate @pnpm/installing.env-installer in pnpm/package.json
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* chore: use pipe stdio in dlx and errorHandler tests
Replace stdio: 'inherit' and [null, 'pipe', 'inherit'] with 'pipe' to
prevent subprocess output from leaking into test output.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* fix: skip maxListeners adjustment when set to unlimited (0)
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* feat(publish): handle OTP and web-based authentication flows (#10834)
Add OTP handling to `pnpm publish` with support for:
- Classic OTP prompt (manual code entry)
- Web-based authentication flow with QR code display and doneUrl polling
- `npm-auth-type: web` header to signal web auth support to the registry
Extract OTP logic into a dedicated `otp.ts` module with dependency
injection for testability. Consolidate shared context for OIDC and OTP.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* Potential fix for pull request finding
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---------
Co-authored-by: KSXGitHub <11488886+KSXGitHub@users.noreply.github.com>
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
* refactor: rename workspace.sort-packages and workspace.pkgs-graph
- workspace.sort-packages -> workspace.projects-sorter
- workspace.pkgs-graph -> workspace.projects-graph
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: rename packages/ to core/ and pkg-manifest.read-package-json to reader
- Rename packages/ directory to core/ for clarity
- Rename pkg-manifest/read-package-json to pkg-manifest/reader (@pnpm/pkg-manifest.reader)
- Update all tsconfig, package.json, and lockfile references
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: consolidate runtime resolvers under engine/runtime domain
- Remove unused @pnpm/engine.runtime.node.fetcher package
- Rename engine/runtime/node.resolver to node-resolver (dash convention)
- Move resolving/bun-resolver to engine/runtime/bun-resolver
- Move resolving/deno-resolver to engine/runtime/deno-resolver
- Update all package names, tsconfig paths, and lockfile references
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* chore: update lockfile after removing node.fetcher
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: sort tsconfig references and package.json deps alphabetically
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: auto-fix import sorting
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: update __typings__ paths in tsconfig.lint.json for moved resolvers
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* fix: remove deno-resolver from deps of bun-resolver
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Add eslint-plugin-simple-import-sort to enforce consistent import ordering:
- Node.js builtins first
- External packages second
- Relative imports last
- Named imports sorted alphabetically within each statement
Update all packages from zkochan/packages to their latest major versions
and exclude them from minimumReleaseAge requirement. This includes
updating catalog entries, adapting to breaking API changes (default
exports replaced with named exports, sync functions renamed with Sync
suffix), and updating type declarations.
* refactor: extract rebuild implementation into @pnpm/building.after-install
Move the rebuild implementation (rebuildProjects, rebuildSelectedPkgs)
from @pnpm/plugin-commands-rebuild into a new @pnpm/building.after-install
package. This breaks the circular dependency chain:
config/deps-installer → core → plugin-commands-rebuild → cli-utils → config/deps-installer
The CLI command layer stays in plugin-commands-rebuild, while the core
rebuild logic now lives in building/after-install with no dependency
on cli-utils.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: add README for @pnpm/building.after-install
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: rename @pnpm/builder.policy to @pnpm/building.policy
Move builder/policy to building/policy, consolidating all build-related
packages under the building/ domain. Update all consumers.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* docs: add changeset
* refactor: remove old implementation files from plugin-commands-rebuild
These files were copied to @pnpm/building.after-install but not removed
from the original location.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
* refactor: remove unused deps from plugin-commands-rebuild
Dependencies that were only needed by the implementation (now in
@pnpm/building.after-install) are removed. Deps used only in tests
are moved to devDependencies.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---------
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Replace all sinon.spy/match/withArgs usage with jest.fn, toHaveBeenCalledWith,
mockClear, and mock.calls filtering. Remove sinon and @types/sinon from all
package.json files and the workspace catalog.
* feat: add `pnpm runtime set` command and deprecate `pnpm env use`
Add a new `pnpm runtime set <name> <version> [-g]` command (alias: `rt`)
in a new `@pnpm/runtime.commands` package. It delegates to
`pnpm add <name>@runtime:<version>` supporting node, deno, and bun.
`pnpm env use` now prints a deprecation warning pointing users to the
new command.
* fix: address PR review feedback for runtime command
- Use opts.dir as cwd when --global is not passed (instead of always
using pnpmHomeDir)
- Only pass --global-bin-dir when in global mode
- Keep deprecated env command in help output for discoverability
- Add Jest tests for the runtime command (7 tests)
**TLDR:** Global packages in pnpm v10 are annoying and slow because they all are installed to a single global package. Instead, we will now use a system that is similar to the one used by "pnpm dlx" (aka "pnpx").
Each globally installed package (or group of packages installed together) now gets its own isolated installation directory with its own `package.json`, `node_modules`, and lockfile. This prevents global packages from interfering with each other through peer dependency conflicts or version resolution shifts.
## Changes
- Add `@pnpm/global-packages` shared utilities package for scanning, hashing, and managing isolated global installs
- `pnpm add -g` creates isolated installs in `{pnpmHomeDir}/global/v11/{hash}/`
- `pnpm remove -g` removes the entire installation group containing the package
- `pnpm update -g` re-installs into new isolated directories and swaps symlinks
- `pnpm list -g` scans isolated directories to show installed global packages
- `pnpm outdated -g` checks each isolated installation for outdated dependencies
- `pnpm store prune` cleans up orphaned global installation directories
## Breaking changes
- `pnpm install -g` (no args) is no longer supported — use `pnpm add -g <pkg>`
- `pnpm link <pkg-name>` no longer resolves packages from the global store — only relative or absolute paths are accepted
- `pnpm link --global` is removed — use `pnpm add -g .` to register a local package's bins globally
* feat(sbom): add `pnpm sbom` command (#9088)
new command that generates SBOMs from the lockfile + store metadata.
supports CycloneDX 1.6 JSON and SPDX 2.3 JSON via `--sbom-format`.
two new packages following the existing `pnpm licenses` architecture:
- `@pnpm/sbom` — core library (lockfile walking, store reading, serializers)
- `@pnpm/plugin-commands-sbom` — CLI plugin wiring
uses the lockfile walker for dependency traversal and reads package.json
from the CAFS store for license/author/description metadata. `--lockfile-only`
skips the store entirely for faster CI runs where metadata isn't needed.
validated against official CycloneDX 1.6 and SPDX 2.3 JSON schemas.
* chore: add sbom-related words to cspell dictionary
* fix(sbom): address CycloneDX review feedback and bump to 1.7
Implements all 5 items from the CycloneDX maintainer review:
split scoped names into group/name, move hashes to
externalReferences distribution, use license.id for known SPDX
identifiers, switch to modern tools.components structure with
pnpm version, and bump specVersion to 1.7.
Also adds spdx-license-ids for proper license classification and
improves SPDX serializer test coverage.
* fix(sbom): fix CI bundle failure for spdx-license-ids
createRequire doesn't work in the esbuild bundle since it's a runtime
resolve, switched back to regular import which esbuild can inline.
* fix(sbom): use tarball URL for distribution externalReferences
Use actual tarball download URL instead of PURL for CycloneDX
distribution externalReferences, per review feedback.
* feat(sbom): add CycloneDX metadata and improve SBOM quality scores
adds $schema, timestamp, lifecycles (build/pre-build) to CycloneDX output
to match what npm does. also enriches both CycloneDX and SPDX with
metadata.authors, metadata.supplier, component supplier from author,
vcs externalReferences from repository, and root component details
(purl, license, description, author, vcs). SPDX now uses tarball URL
for downloadLocation instead of NOASSERTION.
renames CycloneDxToolInfo to CycloneDxOptions, passes lockfileOnly
through to the serializer for lifecycle phase selection. adds store-dir
to accepted CLI options.
* fix(sbom): address CycloneDX review feedback round 2
switches license classification from spdx-license-ids to
@cyclonedx/cyclonedx-library (SPDX.isSupportedSpdxId) for accurate
CycloneDX license ID validation per jkowalleck's feedback.
removes hardcoded metadata.authors and metadata.supplier — these are
not appropriate for a tool to set. adds --sbom-authors and
--sbom-supplier CLI flags so the SBOM consumer (e.g. ACME Corp) can
declare who they are.
removes supplier from components — supplier is the registry/distributor,
not the package author. also fixes distribution externalReference to
only emit when a real tarball URL exists, no PURL fallback.
* fix(sbom): use sub-path import for CycloneDX library to fix bundle
top-level import from @cyclonedx/cyclonedx-library drags in
validation/serialize layers with optional deps (ajv-formats, libxmljs2,
xmlbuilder2) that esbuild can't resolve during pnpm CLI bundling.
switch to @cyclonedx/cyclonedx-library/SPDX which only pulls in the
SPDX module we actually use — pure JS, no optional deps.
* chore: update manifests
* refactor: extract shared store-reading logic into @pnpm/store.pkg-finder
Both @pnpm/license-scanner and @pnpm/sbom independently implemented
nearly identical logic to read a package's file index from the
content-addressable store. This extracts that into a new shared package
that returns a uniform Map<string, string> (filename → absolute path),
simplifying both consumers.
Close#9088
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
Third-party cmd shims (e.g., npm's rimraf.cmd) call node.exe from
within IF/ELSE blocks in batch files. When node resolves to node.cmd
instead of node.exe, Windows batch file chaining breaks with
"The system cannot find the path specified."
On Windows, hardlink node.exe directly into the bin directory.
On non-Windows, symlink the node binary directly.
* feat: switch from pkg to Node.js SEA for creating standalone executables
Replace @yao-pkg/pkg with Node.js native Single Executable Applications
(--build-sea, Node.js 25.5+). The SEA binary embeds only pnpm.cjs (CJS
bootstrap), while pnpm.mjs and all assets live in a dist/ directory
shipped alongside the binary in platform-specific tarballs.
* refactor: move dist/ from platform packages to @pnpm/exe
The dist/ directory (pnpm.mjs, worker.js, templates, etc.) is identical
across all platforms, so ship it once in @pnpm/exe instead of duplicating
it in each platform package. Platform packages now only contain the
binary. The self-updater installs @pnpm/exe (not the platform package)
so it gets both dist/ and the binary via optionalDependencies.
* refactor: externalize @reflink/reflink in esbuild bundle
Make @reflink/reflink external in both the main and worker esbuild
bundles so the require() calls resolve at runtime from dist/node_modules
instead of being inlined. Add @reflink/reflink as a production dependency
of both pnpm (bundled into dist/node_modules by bundle-deps.ts) and
@pnpm/exe (installed by npm alongside the binary).
For GitHub release tarballs, only the target platform's reflink package
is kept. For @pnpm/exe npm publishing, all reflink platform packages
are stripped from dist/ since npm installs the right one automatically.
* chore: update cspell list
* test: update system-node-version tests for SEA detection
Mock @pnpm/cli-meta's detectIfCurrentPkgIsExecutable instead of
setting process.pkg, which is no longer used for SEA detection.
* test: improve cli-meta test coverage for SEA migration
Add tests for detectIfCurrentPkgIsExecutable() (non-SEA path) and
isExecutedByCorepack() which were previously untested. The SEA=true
path of detectIfCurrentPkgIsExecutable() cannot be unit tested since
node:sea is unavailable in an ESM test environment.
* refactor: move GitHub tarball assembly to copy-artifacts.ts
build-artifacts.ts (prepublishOnly of @pnpm/exe) now only builds the
SEA executables and prepares the exe npm dist/. The per-target dist/
assembly for GitHub release tarballs moves to copy-artifacts.ts, which
is the natural owner of that concern.
Other changes:
- Extract getReflinkKeepPackages/stripReflinkPackages to reflink-utils.ts
with tests using node:test
- Move --force from top-level pnpm install in release.yml to the pnpm
deploy in bundle-deps.ts, where it is actually needed to install all
@reflink/reflink-* platform packages into dist/node_modules
- Change @pnpm/exe prepublishOnly to run pnpm's full prepublishOnly
(compile + bundle-deps) so dist/node_modules is populated before
build-artifacts.ts and copy-artifacts.ts read from pnpm/dist
* fix: copy dist/ alongside binary when running pnpm setup for SEA
When the pnpm CLI is a Node.js SEA binary, it requires a dist/ directory
adjacent to the executable at runtime (containing pnpm.mjs and bundled
node_modules). The copyCli function in plugin-commands-setup now copies
dist/ from alongside the current binary into the tools directory so that
the installed pnpm works correctly after `pnpm setup`.
* fix: avoid argument list too long when creating Windows zip archives
* fix: propagate errors in copy-artifacts script
Previously errors in createArtifactTarball were swallowed, causing the
script to exit 0 even when artifact creation failed. Now errors are
re-thrown with a descriptive message, and the top-level IIFE has a
.catch() handler that sets a non-zero exit code.
* refactor: remove reflink-utils.ts from @pnpm/exe
The stripReflinkPackages call in build-artifacts.ts stripped all platform
packages while keeping @reflink/reflink. Instead, just remove the entire
@reflink directory from dist/ — @pnpm/exe already declares @reflink/reflink
as a runtime dependency, so npm installs it (along with the right platform
package via optionalDependencies) automatically.
This eliminates reflink-utils.ts, its tests, and the code duplication with
copy-artifacts.ts.
This PR overhauls `pnpm env` use to route through pnpm's own install machinery instead of maintaining a parallel code path with manual symlink/shim/hardlink logic.
```
pnpm env use -g <version>
```
now runs:
```
pnpm add --global node@runtime:<version>
```
via `@pnpm/exec.pnpm-cli-runner`. All manual symlink, hardlink, and cmd-shim code in `envUse.ts` is gone (~1000 lines removed across the package).
### Changes
**npm and npx shims on all platforms**
Added `getNodeBinsForCurrentOS(platform)` to `@pnpm/constants`, returning a `Record<string, string>` with the correct relative paths for `node`, `npm`, and `npx` inside a Node.js distribution. `BinaryResolution.bin` is widened from `string` to `string | Record<string, string>` in `@pnpm/resolver-base` and `@pnpm/lockfile.types`, so the node resolver can set all three entries and pnpm's bin-linker creates shims for each automatically.
**Windows npm/npx fix**
`addFilesFromDir` was skipping root-level `node_modules/` (to avoid storing a package's own dependencies), which stripped the bundled `npm` from Node.js Windows zip archives. Added an `includeNodeModules` option and enabled it from the binary fetcher so Windows distributions keep their full contents.
**Removed subcommands**
`pnpm env add` and `pnpm env remove` are removed. `pnpm env use` handles both installing and activating a version. `pnpm env list` now always lists remote versions (the `--remote` flag is no longer required, though it is kept for backwards compatibility).
**musl support**
On Alpine Linux and other musl-based systems, the musl variant of Node.js is automatically downloaded from [unofficial-builds.nodejs.org](https://unofficial-builds.nodejs.org).
* build: bundle `dist/node_modules` using pnpm deploy
* chore: remove copied `pnpm.overrides` for publish-packed
* chore: remove `catalog:` protocol ban in `pnpm/package.json`
* chore: remove `publish-packed` dependency
* build: move `node-gyp` from `optionalDependencies` to `dependencies`
The `node-gyp` dependency is bundled into the `pnpm` package before it's
published. The dependency declaration itself is then removed from the
published package manifest.
This means there's not a point to declaring `node-gyp` as an optional
dependency. It'll always be bundled and the published manifest doesn't
contain the dependency declaration.
https://github.com/pnpm/pnpm/pull/10508#discussion_r2782257620
* build: throw if peerDependencies or optionalDependencies are declared
* build: use meta-updater instead of Jest test for dep kind check
