Commit Graph

10667 Commits

Author SHA1 Message Date
Maikel van Dort
8eee41691c feat: add support for catalogs with dlx (#10434)
* feat: add support for catalogs with dlx

* fix: feedback

* Update .changeset/curly-dryers-jam.md

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>

* Update .changeset/curly-dryers-jam.md

Close #10249

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>

---------

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>
2026-01-26 07:06:36 +01:00
Shunta Takemoto
0625e20442 feat: treat bare workspace: protocol as workspace:* (#10436)
* feat: treat bare `workspace:` protocol as `workspace:*`

* chore: add changeset

* test(exportable-manifest): add test for `workspace` with explicit versions

* test: add tests and update changesets

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-01-26 07:06:01 +01:00
Brandon Cheng
af7a7efe00 chore: upgrade node-gyp to 11.5.0 (#10509) 2026-01-26 02:18:38 +01:00
Trevor Burnham
0ecff5b85c fix(completion): correct documentation URL in help output (#10511)
The completion command's help text was showing a URL that redirects to a 404 page
(https://pnpm.io/10.x/cli/completion). This changes it to the correct URL
(https://pnpm.io/completion) where the documentation actually exists.

close #10281
2026-01-26 01:30:08 +01:00
3w36zj6
bb8baa7cff fix(npm-resolver): request full metadata for optional dependencies (#10455)
close #9950

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-01-26 01:13:06 +01:00
Zoltan Kochan
3c40892b90 feat!: remove old way of declaring node.js in dependencies (#10507) 2026-01-25 16:07:30 +01:00
Zoltan Kochan
e2e0a321b3 perf: optimize how the integrities of files in the CAFS are stored (#10504) 2026-01-24 21:41:11 +01:00
Zoltan Kochan
c55c6146d9 feat!: bump store version to v11 (#10506) 2026-01-24 21:36:39 +01:00
Zoltan Kochan
40b107efa7 perf: migrate internal cache and index files to MessagePack serialization (#10500) 2026-01-23 01:31:09 +01:00
Brandon Cheng
d85ea8d817 fix: pass storeDir to createClient to fix resolution skipping (#10502) 2026-01-22 23:51:38 +01:00
btea
71f178632f fix: audit lodash (#10501)
* fix: audit lodash

* fix: update override

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-01-22 17:24:55 +01:00
Khải
d019a7c7e7 feat(config/getNetworkConfigs): load auth info (#10491)
* feat(config/getNetworkConfigs): load auth info

In order to resolve merge conflicts ahead of time
for https://github.com/pnpm/pnpm/pull/10385

* fix: separator of `_auth`

* fix: pedantic

* fix: spelling
2026-01-22 14:40:30 +01:00
btea
c494de3a18 fix: audit (#10499) 2026-01-21 15:47:39 +01:00
Zoltan Kochan
13855aca86 fix: prevent path traversal in directories.bin (#10495)
by validating the bin directory is a subdirectory of the package root and adding relevant tests.
2026-01-21 15:46:41 +01:00
Zoltan Kochan
2ea64631eb fix: skip symlinks pointing outside package root in git and file deps (#10493) 2026-01-21 15:45:56 +01:00
Trevor Burnham
88263a8be7 refactor: force re-fetch when resolution integrity changes (#10454)
* fix: force re-fetch when resolution integrity changes

When a resolver returns a resolution with a different integrity than
the current package's resolution, automatically force re-fetching the
package. This allows custom resolvers to trigger re-fetches by simply
returning the updated integrity, without needing to explicitly set
a forceFetch flag.

Closes #10451

* refactor: remove forceFetch

* test: fix

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-01-20 01:57:16 +01:00
Zoltan Kochan
ffb7cd198f fix: update dependencies 2026-01-18 21:15:45 +01:00
Zoltan Kochan
66d93e81d9 fix: update tar-stream to v3 2026-01-18 20:18:55 +01:00
Zoltan Kochan
1b1d984eec test: improve publish test isolation 2026-01-18 19:33:34 +01:00
Zoltan Kochan
daac2b6006 chore: remove .eslintcache 2026-01-17 16:39:19 +01:00
Lindsay Glenn
cee1f58d3a fix(manifest-utils): normalize peer specs for protocol deps (#10442)
close #10417
2026-01-17 14:44:51 +01:00
Zoltan Kochan
e3b94c06da fix: reference @pnpm/fs.packlist from the workspace (#10477) 2026-01-17 14:35:41 +01:00
btea
623634537d fix: audit (#10475)
* fix: audit

* fix: update

* fix: update
2026-01-17 12:14:02 +01:00
Zoltan Kochan
e3b35b6f37 style: update eslint to v9 (#10474) 2026-01-17 12:01:23 +01:00
dependabot[bot]
7ddc81b3f9 chore(deps): bump cbrgm/mastodon-github-action (#10410)
Bumps the github-actions group with 1 update: [cbrgm/mastodon-github-action](https://github.com/cbrgm/mastodon-github-action).


Updates `cbrgm/mastodon-github-action` from 2.1.22 to 2.1.23
- [Release notes](https://github.com/cbrgm/mastodon-github-action/releases)
- [Commits](771a360594...3ebdc72dcd)

---
updated-dependencies:
- dependency-name: cbrgm/mastodon-github-action
  dependency-version: 2.1.23
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2026-01-17 02:01:00 +01:00
Zoltan Kochan
260899d4a8 fix: prevent path traversal vulnerabilities during ZIP extraction 2026-01-16 20:36:40 +01:00
Zoltan Kochan
43e9b5f22d docs: update AGENTS.md 2026-01-16 20:06:12 +01:00
Zoltan Kochan
ec7c5d7d1a feat: improve git URL detection to recognize plain HTTP/HTTPS URLs
Improve git URL detection to recognize plain HTTP/HTTPS URLs
ending in `.git` and prioritize git resolver over tarball resolver.

close #10468
2026-01-16 19:38:02 +01:00
Vedant Madane
29a3151b60 feat: show available workspace versions on mismatch (#10466) 2026-01-16 17:47:30 +01:00
Johan Quan Vo
cc1b8e310a fix: use tarball URL returned in package metadata (#10431)
close #10254
2026-01-16 17:31:04 +01:00
Zoltan Kochan
a6dbcc72af fix: remove redundant ports from registry URL during normalization (#10470) 2026-01-16 17:28:18 +01:00
Zoltan Kochan
02c8ec50cb docs: add AI agent guides (#10469) 2026-01-16 16:31:31 +01:00
Tensorworker
29cb667d2b fix: prevent implicit root exclusion when user filters are provided (#10465)
* fix: prevent implicit root exclusion when user filters are provided

* docs: add changeset

* test: remove redundant init

---------

Co-authored-by: tensorworker <tensorworker@proton.me>
Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-01-16 16:12:33 +01:00
Oleg Pustovit
46de860489 fix(run): fail when no packages have script in filtered recursive run (#10437)
* fix(run): fail when no packages have script in filtered recursive run

Previously, `pnpm run -r <script>` and `pnpm run --filter <filter> <script>`
would silently succeed with exit code 0 when no packages had the specified
script, as long as a filter was used. This was inconsistent with the
documentation which states "If none of the packages have the command, the
command fails."

This change makes the command fail with ERR_PNPM_RECURSIVE_RUN_NO_SCRIPT in
all cases where no packages have the script, regardless of whether a filter
is used. The `--if-present` flag can be used to suppress this error.

close #6844
2026-01-16 01:49:24 +01:00
Zoltan Kochan
caabba44ff fix: normalize Windows backslash path traversal attempts in tarball entry filenames
to prevent security vulnerabilities.
2026-01-15 17:10:17 +01:00
Zoltan Kochan
d7b8be49b1 fix: prevent path traversal by validating bin names 2026-01-15 17:07:09 +01:00
Zoltan Kochan
9f2b622d10 refactor: rename customFetcherHooks to customFetchers 2026-01-15 12:02:06 +01:00
Zoltan Kochan
5beece9615 feat!: remove old API for custom fetchers (#10464) 2026-01-15 11:57:48 +01:00
Zoltan Kochan
a8fe2d5298 feat!: remove the server command (#10463) 2026-01-15 11:32:07 +01:00
Zoltan Kochan
08903c5afd chore: fix vulnerability 2026-01-15 01:34:27 +01:00
Trevor Burnham
e0aa058cf3 feat: pass pkgSnapshot to shouldForceResolve (#10449)
* feat: pass pkgSnapshot to shouldForceResolve

The shouldForceResolve hook now receives:
- depPath: The dependency path (e.g., 'lodash@4.17.21')
- pkgSnapshot: The lockfile entry with resolution, dependencies, etc.

This replaces the previous wantedDependency argument, which was inconsistent
with how wantedDependency is constructed for the resolve() method (where it
contains the user's alias and full specifier from package.json).
2026-01-14 21:57:39 +01:00
btea
825b98a39d fix: make catalog protocol matching error messages clearer (#10052)
* fix: verify in advance whether the specifier that the catalog pkg is valid

* fix: update error message

* test: update

* Update resolving/default-resolver/src/index.ts

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>

---------

Co-authored-by: Brandon Cheng <gluxon@users.noreply.github.com>
2026-01-14 13:25:27 +01:00
Khải
459a336c76 refactor: getNetworkConfigs (#10458)
Some tests are added as a bonus
2026-01-14 12:31:04 +01:00
Zoltan Kochan
e4d3fac479 chore: run tsgo without verbose logs
Removed verbose flag from tsgo command in typecheck-only script.
2026-01-14 01:53:01 +01:00
Zoltan Kochan
a00f9e515c chore: use typescript-go (#10452) 2026-01-14 01:18:13 +01:00
Zoltan Kochan
aef6c318a9 ci: compile pnpm only once then download it for testing (#10453) 2026-01-13 23:34:37 +01:00
Zoltan Kochan
268742acce chore: fix compile 2026-01-13 18:28:13 +01:00
Zoltan Kochan
27e7aeb3e8 fix: update @pnpm/registry-mock 2026-01-13 18:19:50 +01:00
Zoltan Kochan
5c4d1793f8 chore: update pnpm to v11 alpha 3 2026-01-13 16:24:38 +01:00
Zoltan Kochan
ee78096e4a chore(release): 11.0.0-alpha.3 v11.0.0-alpha.3 2026-01-13 15:48:50 +01:00