Commit Graph

10667 Commits

Author SHA1 Message Date
dependabot[bot]
226e22392b chore(deps): bump github/codeql-action in the github-actions group (#10320)
Bumps the github-actions group with 1 update: [github/codeql-action](https://github.com/github/codeql-action).


Updates `github/codeql-action` from 4.31.7 to 4.31.8
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](cf1bb45a27...1b168cd394)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-version: 4.31.8
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-22 12:24:37 +01:00
Sam Chung
1bc6b5ac2c fix: try not to make network requests with prefer offline (#10334) 2025-12-21 19:04:11 +01:00
btea
79791d879f chore: replace mem with memoize (#10344) 2025-12-21 18:09:02 +01:00
Zoltan Kochan
59bee48e1a test: making tests in plugin-commands-audit stable (#10346) 2025-12-21 17:59:47 +01:00
Dasa Paddock
29764fb140 feat(hooks): add beforePacking hook (#10303)
* feat(hooks): add `readPackageForPublishing` hook

* feat: pass project `dir` parameter to `readPackageForPublishing` hook

* chore: cleanup

* fix: add support for multiple pnpmfiles

* test: readPackageForPublishing hook

* test: add more tests

* test: small update

* refactor: pass in `hooks` as an option

* test: pass in `hooks` as an option

* test: small update

* chore: rename `readPackageForPublishing` to `beforePacking`
2025-12-21 15:49:47 +01:00
Khải
90bd3c31f8 feat(config)!: project-specific packageConfigs (#10304)
* feat(config)!: project level `config.yaml`

* test: fix

* refactor: shorten some names

* docs(changeset): change wording

* feat: move project settings to pnpm-workspace.yaml

* test: remove unneeded fixture

* docs(changeset): correct

* refactor: replace validation with creation

* docs: consistent terminology

* perf: validate once

* test: projectConfig

* refactor: explicitly use `undefined`

* refactor: reuse `ProjectConfigRecord`

* chore(deps): remove unused dependency

* style: remove extra pipe character

* refactor: rename to `projectConfigs`

* feat: flatten `projectConfig` with `match`

* refactor: correct error class names

* docs(changeset): update

* test: fix

* feat: rename to `packageConfigs`

Rename `projectConfigs` to `packageConfigs` in the workspace manifest.

The term "project config" is still used internally, because, internally,
"project" refers to workspace packages whilst "package" refers to 3rd party
packages and dependencies.

* docs(changeset): clarify `project-N`
2025-12-21 12:01:18 +01:00
Trevor Burnham
8b5dcaac4d feat: provide wantedLockfile to shouldForceResolve (#10330) 2025-12-19 01:41:10 +01:00
Zoltan Kochan
e46a652939 fix: the add command should not fail, when blockExoticSubdeps is true (#10327)
close #10324
2025-12-17 11:24:32 +01:00
klassiker
c5fbddee05 fix(git-fetcher): ensure the specified commit is used after checkout (#10310)
* fix(git-fetcher): ensure the specified commit is used after checkout

* fix(git-resolver): always resolve to a full commit

* chore: add changeset heavy-dragons-start

* test: fix related test case

* test: fix some other test that gets stuck

* Update heavy-dragons-start.md with PR reference

Add reference to pull request #10310 for clarity.
2025-12-17 03:26:18 +01:00
Zoltan Kochan
a8b8579bbe chore: update pnpm to v11 alpha 2 2025-12-15 15:23:29 +01:00
Zoltan Kochan
3cc28721bd chore(release): 11.0.0-alpha.2 v11.0.0-alpha.2 2025-12-15 15:08:24 +01:00
Zoltan Kochan
0048667db4 refactor: use Maps instead of Records (#10312) 2025-12-15 11:48:19 +01:00
Zoltan Kochan
84e99fbf5a test: use pnpm from the repo during tests (#10317) 2025-12-15 00:00:59 +01:00
Zoltan Kochan
2f4d0111ec revert: "chore: use the current version of node.js for bundling compiling"
This reverts commit 460fb6943b.
2025-12-14 17:51:26 +01:00
Zoltan Kochan
460fb6943b chore: use the current version of node.js for bundling compiling 2025-12-14 17:32:46 +01:00
Zoltan Kochan
9fa3b6bc6b fix: validate that Object methods are not used on Maps (#10314) 2025-12-14 13:14:39 +01:00
Zoltan Kochan
76718b32ad feat: create a new field for allowing/disallowing builds (#10311)
ref #10235
2025-12-13 22:14:27 +01:00
btea
0bc4b3c587 test: pkg.pr.new redirect to relative path (#10309) 2025-12-13 12:05:42 +01:00
btea
0dfa8b862b fix: installation failed due to installation link redirection (v11) (#10286)
* fix: installation failed due to installation link redirection

* fix: handle all different cases of redirect locations

* docs: update changesets

* refactor: implement CR suggestion

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-12 20:19:36 +01:00
Ryo Matsukawa
8b864ccc98 fix: show deprecation in outdated table/list formats (#10207)
close #8658
2025-12-12 17:08:06 +01:00
Randall Leeds
8385a8cff6 fix(deploy): omit inject workspace packages setting in deploy lockfiles (#10294)
* fix(deploy): omit inject workspace packages setting in deploy lockfiles

When the deploy command creates a new lockfile, create the deployment
lockfile without the setting to inject workspace packages, because it
has already been applied when creating the lockfile and the deployment
is not, itself, a workspace.

* docs: add changesets

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-12 14:33:37 +01:00
Dasa Paddock
144d76f15f feat(pack): add support for --dry-run (#10306)
close #10301
2025-12-12 14:00:54 +01:00
VR
e0f0a7d85f fix: npm compat on installing redirecting tarballs (#10197)
close #9802

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-11 11:55:02 +01:00
Minijus L
3585d9a372 fix: normalize tarball URLs by removing default HTTP/HTTPS ports (#10273)
* fix: normalize tarball URLs by removing default HTTP/HTTPS ports

closes #6725

* feat: refactor, add test and changeset

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-11 08:04:39 +01:00
Zoltan Kochan
7e12e5bf71 fix: update run-groups to v4 2025-12-10 17:17:40 +01:00
Oren
ae8b816121 feat: support blockExoticSubdeps option to disallow non-trusted dep sources in subdeps (#10265)
* feat(core): add onlyRegistryDependencies option to disallow non-registry subdependencies

* fix: onlyRegistryDependencies=>registrySubdepsOnly

* fix: allow resolution from custom resolver

* fix: add registry-subdeps-only to types

* docs: update changesets

* refactor: registry-only

* refactor: registrySubdepsOnly=>blockExoticSubdeps

* fix: trust runtime deps

* refactor: remove comment

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-10 12:14:16 +01:00
Oren
ba065f6a8b fix(git-fetcher): block git dependencies from running prepare scripts unless allowed (#10288)
* fix(git-fetcher): block git dependencies from running prepare scripts unless allowed

* Update exec/prepare-package/src/index.ts

Co-authored-by: Zoltan Kochan <z@kochan.io>

* Also implement in gitHostedTarballFetcher

* refactor: move allowBuild function creation to the store manager

* refactor: pass allowBuild function to fetch function directly

* refactor: revert not needed changes and update changesets

* test: fix

* fix: implemented CR suggestions

* test: fix

* test: fix

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-09 18:25:07 +01:00
Oren
98a0410aa1 fix(tarball-resolver): add integrity hash to HTTP tarball dependencies (#10287)
* fix(tarball-resolver): add integrity hash to HTTP tarball dependencies

* Refactor to download tarball just once

* Fix tests

* fix: only calc hash when it is not passed in to the fetcher

* docs: update changesets
2025-12-08 23:38:27 +01:00
dependabot[bot]
b6dc9439ae chore(deps): bump the github-actions group across 1 directory with 5 updates (#10291)
Bumps the github-actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.0` | `6.0.1` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.31.5` | `4.31.7` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.4.2` | `2.5.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | `6.0.0` | `6.1.0` |
| [cbrgm/mastodon-github-action](https://github.com/cbrgm/mastodon-github-action) | `2.1.21` | `2.1.22` |



Updates `actions/checkout` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](1af3b93b68...8e8c483db8)

Updates `github/codeql-action` from 4.31.5 to 4.31.7
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](fdbfb4d275...cf1bb45a27)

Updates `softprops/action-gh-release` from 2.4.2 to 2.5.0
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](5be0e66d93...a06a81a03e)

Updates `actions/setup-node` from 6.0.0 to 6.1.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](2028fbc5c2...395ad32622)

Updates `cbrgm/mastodon-github-action` from 2.1.21 to 2.1.22
- [Release notes](https://github.com/cbrgm/mastodon-github-action/releases)
- [Commits](96ff691bc4...771a360594)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.31.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: softprops/action-gh-release
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/setup-node
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: cbrgm/mastodon-github-action
  dependency-version: 2.1.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-08 15:25:20 +01:00
Zoltan Kochan
2cb0657599 fix: don't fail with ERR_PNPM_MISSING_TIME on packages that are excluded from trust checks (#10292)
* fix: don't fail with ERR_PNPM_MISSING_TIME on packages that are excluded from trust checks

close #10259

* test: add coverage for excluded packages missing time field (#10293)

* Initial plan

* test: add coverage for excluded packages missing time field

Co-authored-by: zkochan <1927579+zkochan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: zkochan <1927579+zkochan@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: zkochan <1927579+zkochan@users.noreply.github.com>
2025-12-08 15:21:25 +01:00
Zoltan Kochan
19fb36dc6a docs: update sponsors 2025-12-08 11:35:27 +01:00
Aaron
fea46dc8c4 fix(publish): respect --force flag in recursive publish (#10277)
When using 'pnpm -r publish --force', the --force flag was being
ignored. The flag was checked to determine which packages to publish,
but wasn't passed to individual publish commands.

This adds --force to the appendedArgs array so it gets passed through
to each publish call, following the same pattern as other CLI flags
like --access, --dry-run, and --otp.

close #10272
2025-12-08 11:33:30 +01:00
Zoltan Kochan
19f36cfc39 fix: don't silently skip an optional dependency if it cannot be resolved from a mature version (#10289)
close #10270
2025-12-08 11:18:24 +01:00
Zoltan Kochan
05fb1aee5f fix: reporting ignored dependency builds (#10276) 2025-12-06 16:32:19 +01:00
Zoltan Kochan
6b18b795b7 fix: audit error 2025-12-05 00:40:17 +01:00
btea
445e064b4c fix: audit error (#10262) 2025-12-03 10:49:17 +01:00
Zoltan Kochan
57291bcdd8 fix: audit error 2025-12-02 15:33:34 +01:00
Zoltan Kochan
4362c06005 fix: dependencies that were added to onlyBuiltDependencies should be built on install (#10256) 2025-12-02 15:31:52 +01:00
Zoltan Kochan
5f73b0f2b6 perf: always link runtimes from the global virtual store directory (#10233) 2025-12-01 14:27:18 +01:00
Trevor Burnham
38b8e357b5 feat: add custom resolvers and fetchers (#10246) 2025-11-30 14:19:04 +01:00
Khải
3aa50c8365 feat(init): --bare (#10228)
* feat(init): fields preset

* feat: replace `init-preset` with `init-bare`

* feat: remove init-bare

close #10226

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-29 14:55:02 +01:00
Bart Riepe
7730a7f25c feat: allow loading certificates from scoped cert, ca and key (#10230)
* feat: allow loading certificates from `cert`, `ca` and `key`

These properties are supported in .npmrc, but get ignored by pnpm. This will make pnpm read
and use them as well.

* refactor: getNetworkConfigs.ts

* docs: update changesets

* fix: issues

* docs: update changesets

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-29 11:37:57 +01:00
Zoltan Kochan
49c1b9c10e feat(default-reporter): using custom instruction for builds approval 2025-11-28 13:12:14 +01:00
Trevor Burnham
9620df2789 fix: add CommonJS shims for compatibility with older Corepack versions (#10245)
close #10242
2025-11-27 18:18:55 +01:00
Zoltan Kochan
d2a7b0206f revert: "fix(self-update): respect custom registry when installing pnpm version (#10205)"
This reverts commit d3cf00e308.
2025-11-27 14:39:37 +01:00
btea
7cec347701 fix: WMIC is being removed (#10223)
* fix: `WMI` is being removed

* fix: update

* fix: update

* fix: validate drive before usage

* fix: remove not needed dep

* refactor: regex

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-27 14:08:12 +01:00
Zoltan Kochan
60b5fd17ed fix: don't reimport node.js on every install (#10239) 2025-11-26 01:10:36 +01:00
Brandon Cheng
69ebe38764 fix: throw a frozen lockfile error when catalogs change (#10231)
* fix: throw a frozen lockfile error when catalogs change

* fix: work around lockfile mismatch when installing `__fixtures__`

```
> @ step1 /home/runner/work/pnpm/pnpm/__fixtures__
> node ../pnpm/dist/pnpm.mjs install -rf --frozen-lockfile --no-shared-workspace-lockfile --no-link-workspace-packages

.                                        |  WARN  using --force I sure hope you know what you are doing
Scope: all 26 workspace projects
circular                                 | Progress: resolved 1, reused 0, downloaded 0, added 0
circular                                 |   +4 +
fixture                                  | Progress: resolved 1, reused 0, downloaded 0, added 0
fixture                                  |  +12 +
fixture-with-no-pkg-name-and-no-version  | Progress: resolved 1, reused 0, downloaded 0, added 0
fixture-with-no-pkg-name-and-no-version  |  +12 +
fixture-with-no-pkg-version              | Progress: resolved 1, reused 0, downloaded 0, added 0
fixture-with-no-pkg-version              |  +12 +
circular                                 | Progress: resolved 4, reused 0, downloaded 4, added 4, done
fixture                                  | Progress: resolved 12, reused 6, downloaded 6, added 12, done
fixture-with-no-pkg-name-and-no-version  | Progress: resolved 12, reused 0, downloaded 0, added 12, done
fixture-with-no-pkg-version              | Progress: resolved 12, reused 0, downloaded 0, added 12, done
general                                  | Progress: resolved 1, reused 0, downloaded 0, added 0
general                                  |  +13 +
has-2-outdated-deps                      | Progress: resolved 1, reused 0, downloaded 0, added 0
has-2-outdated-deps                      |   +2 +
undefined
/home/runner/work/pnpm/pnpm/__fixtures__/has-outdated-deps-using-catalog-protocol:
 ERR_PNPM_LOCKFILE_CONFIG_MISMATCH  Cannot proceed with the frozen installation. The current "catalogs" configuration doesn't match the value found in the lockfile

Update your lockfile using "pnpm install --no-frozen-lockfile"
```

close #9369
2025-11-26 01:09:37 +01:00
Zoltan Kochan
1e6de2539b fix: dependency graph hash calculation (#10236) 2025-11-25 20:36:52 +01:00
Zoltan Kochan
306d161ccb chore: fix audit error 2025-11-25 17:03:54 +01:00