Jake Bailey
ccec8e7d87
fix(config): respect lockfile: false setting from pnpm-workspace.yaml (#10672)
* fix(config): respect lockfile: false setting from pnpm-workspace.yaml
* fix(config): derive lockfile settings after all config sources are applied
* fix(config): use lockfile instead of useLockfile in integration tests
2026-02-23 16:22:29 +01:00
Zoltan Kochan
6ea94ea5eb
refactor: remove last mentions of use-node-version (#10674)
2026-02-23 08:24:16 +01:00
Zoltan Kochan
e18a879d72
feat!: drop Node.js 22.12 support
2026-02-18 14:54:09 +01:00
Khải
cc7c0d22df
refactor!: replace npm publish with libnpmpublish (#10591)
* chore(deps): add `libnpmpublish` to catalog
* chore(deps): install `libnpmpublish`
* feat: publishableManifest (wip)
* feat: publishableManifest (wip)
* chore(cspell): libnpmpublish
* test: fix
* feat: validate field and version
* chore: @npm/types
* chore: todo
* refactor: reorganize
* feat: transformRequiredFields
* chore(deps): patch `libnpmpublish`
* fix: `BaseManifest.config`
* fix: eslint
* chore(git): revert a patch that doesn't work
This reverts commit 45f2c6a6c2.
We will use type casting
* feat: `engines.runtime`
* feat: normalize bin
* fix: `bin === ''`
* test: fix
* refactor: inference friendly
* feat: `peerDependenciesMeta`
* refactor: group into a directory
* refactor: use `ramda.pipe`
* refactor: less intrusive type assertion
* feat!: returning `ExportedManifest`
* refactor: remove unnecessary file
* docs: add a todo
* refactor: getNetworkConfigs (#10458)
Some tests are added as a bonus
* feat: `publishPackedPkg` (wip)
* feat: replace `\t` with 4 spaces
* fix: newline
* fix: newline
* refactor: extract `FailedToPublishError`
* test: FailedToPublishError
* feat: registryConfigKeys
* feat: `publishPackedPkg` (wip)
* feat(config/getNetworkConfigs): load auth info
* feat(config/getNetworkConfigs): load auth info (#10491)
* feat: `publishPackedPkg` (wip)
* refactor: extract a `static` function
* fix: inheritance, override, and merge
* feat: `executeTokenHelper`
* fix: use the visible `globalWarn`
* feat: add options
* feat: add more options
* docs: more links
* fix: private packages
* fix: --dry-run
* feat: log more things
* fix: name
* fix: tag
* refactor: remove extraneous `assertPublicPackage`
* feat: use `publishPackedPkg` for directories
* refactor: require only necessary fields
* refactor: extractManifestFromPacked
* fix: extractManifestFromPacked
* test: extractManifestFromPacked
* feat: isTarballPath
* feat: use `publishPackedPkg` for tarballs
* style: add an empty line for clarity
* refactor: remove unnecessary works
* feat: --otp
* feat: PNPM_CONFIG_OTP
* feat: oidc
* test: fix name collision
* fix: eslint
* test: disable a false test
* feat: set `provenance`
* docs(todo): auto provenance
* refactor: run oidc in `createPublishOptions`
* fix: correct auth keys for `libnpmpublish`
* docs: changeset
* fix: incorrect `password` field
* fix: typo, grammar
* chore(git): resolve merge conflict ahead of time
In preparation for https://github.com/pnpm/pnpm/pull/10385
* fix: field name
* fix(config): decoding `_password`
* fix: edge case of partial `cert`/`key`
* fix: ensure `registry` always match its config key
* fix: `_password`
* test: correct a name
* test: more specific assertions
* fix: grammar
* docs(changeset): fix grammar
* docs: fix grammar
* fix: clean up after failure
* test: fix windows
* feat(provenance): auto detect
* refactor: consistent name
* fix: correct error names
* refactor: extract the `provenance` code
* feat: show code and body of an error
* refactor: use `encodeURIComponent`
* refactor: rename a type
* refactor: use the try-catch model
* refactor: move `normalizeBinObject`
* refactor: split `oidc` into `idToken` and `authToken`
* refactor: run `next` on `stream`'s `'end'`
* fix: use the correct encoding
* feat: guard against weird names
* test: `transform/engines`
Closes https://github.com/pnpm/pnpm/pull/10599
* test: `transformPeerDependenciesMeta`
Closes https://github.com/pnpm/pnpm/pull/10600
* refactor: dependency inject the `Date` too
* refactor: export an interface
* test: oidc
Closes https://github.com/pnpm/pnpm/pull/10598
* refactor: re-arrange imports
* refactor: remove unnecessary type casts
* refactor: improve test
2026-02-12 21:10:54 +01:00
Brandon Cheng
5bf7768ca4
feat: skip confirm modules purge prompt if --yes is passed (#10383)
* feat: add --yes command line option
* feat: skip confirm modules purge prompt if --yes is passed
* refactor: factor out `ExecPnpmSyncOpts`
* test: add end-to-end test for --yes flag
2026-02-11 02:39:23 +01:00
Zoltan Kochan
1b4df57a01
feat!: drop Node.js 20 and 21 support (#10569)
2026-02-08 19:16:24 +01:00
btea
4158906724
feat: support auditLevel (#10554)
* feat: support `auditLevel`
* refactor: auditLevel
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-02-06 19:54:59 +01:00
Dennis Chen
559f903a90
fix: warn when directory contains PATH delimiter character (#10487)
* fix: warn when directory contains PATH delimiter character
Add a warning when the current directory contains the PATH delimiter
character (colon on macOS/Linux, semicolon on Windows). On macOS,
folder names containing forward slashes (/) appear as colons (:) at
the Unix layer. Since colons are PATH separators in POSIX systems,
this breaks PATH injection for node_modules/.bin.
close #10457
* test: add tests for PATH delimiter warning
- Test warning is emitted when directory contains delimiter
- Test no warning for normal directories
2026-02-06 16:04:19 +01:00
Alessio Attilio
121f64ae99
fix: preserve reference overrides in pnpm audit --fix (#10478)
close #10325
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-02-06 14:03:08 +01:00
Ryo Matsukawa
3ed41f4811
fix: shamefullyHoist set via updateConfig in .pnpmfile.cjs (#10519)
* fix: `shamefullyHoist` set via `updateConfig` in `.pnpmfile.cjs`
* refactor: consolidate derived config processing to cli-utils
Move shamefullyHoist → publicHoistPattern conversion from
config/config to cli-utils/getConfig.ts as suggested in review.
* test(config): update tests for derived config processing move
* refactor: move applyDerivedConfig to cli-utils
* refactor: move applyDerivedConfig to cli-utils
* test: use unit test for hoist: false in cli-utils
* revert: not needed changes
close #10271
2026-02-05 22:45:20 +01:00
Johan Quan Vo
7b1c189f2e
feat!: remove deprecated patch options (#10505)
* refactor: remove allowNonAppliedPatches
* refactor: remove ignorePatchFailures
* refactor: remove `strict` field in groupPatchedDependencies
* test: update test failure in package patching
* test: fix
* docs: update changesets
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
2026-01-27 17:08:45 +01:00
Khải
d019a7c7e7
feat(config/getNetworkConfigs): load auth info (#10491)
* feat(config/getNetworkConfigs): load auth info
In order to resolve merge conflicts ahead of time
for https://github.com/pnpm/pnpm/pull/10385
* fix: separator of `_auth`
* fix: pedantic
* fix: spelling
2026-01-22 14:40:30 +01:00
Zoltan Kochan
e3b35b6f37
style: update eslint to v9 (#10474)
2026-01-17 12:01:23 +01:00
Johan Quan Vo
cc1b8e310a
fix: use tarball URL returned in package metadata (#10431)
close #10254
2026-01-16 17:31:04 +01:00
Zoltan Kochan
a8fe2d5298
feat!: remove the server command (#10463)
2026-01-15 11:32:07 +01:00
Khải
459a336c76
refactor: getNetworkConfigs (#10458)
Some tests are added as a bonus
2026-01-14 12:31:04 +01:00
Zoltan Kochan
a00f9e515c
chore: use typescript-go (#10452)
2026-01-14 01:18:13 +01:00
Zoltan Kochan
0bcbaf9994
refactor: move out skip resolution logic from package requester (#10439)
2026-01-12 13:08:50 +01:00
Zoltan Kochan
095f659720
fix: setting requiredScripts in pnpm-workspace.yaml (#10404)
close #10261
2026-01-04 16:43:08 +01:00
Zoltan Kochan
8b4bdf9a83
refactor: replace onlyBuiltDependencies and ignoredBuiltDependencies with allowBuilds (#10401)
2026-01-02 23:21:17 +01:00
Zoltan Kochan
cb367b9515
feat!: deprecate old settings that were replaced by allowBuilds (#10382)
2026-01-02 12:22:42 +01:00
Brandon Cheng
11352aabbf
chore: migrate remaining package.json scripts using ts-node (#10380)
* chore: remove unused test scripts
* chore: migrate remaining `package.json` scripts using `ts-node`
2025-12-30 06:27:28 +01:00
btea
facdd717bf
feat: add trustPolicyIgnoreAfter (#10359)
* feat: add `trustPolicyIgnoreAfter`
* Update .changeset/big-lies-pump.md
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
* refactor: npm-resolver
---------
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-28 02:01:09 +01:00
Zoltan Kochan
71de2b3f2b
feat!: remove use-node-version CLI option and pnpm.executionEnv.nodeVersion manifest field (#10373)
2025-12-27 22:41:53 +01:00
Brandon Cheng
db72923b5c
fix: forward $NODE_OPTIONS when running jest for debug terminals (#10364)
* fix: forward existing `$NODE_OPTIONS` when running jest
* chore: update `package.json` files for meta-updater changes
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-27 22:10:52 +01:00
Brandon Cheng
6f806be0ae
chore: enable TypeScript's erasableSyntaxOnly config (#10365)
* chore: configure `erasableSyntaxOnly`
* refactor: remove class property access modifiers in constructor
```
../dedupe/check/src/DedupeCheckIssuesError.ts:5:16 - error TS1294: This syntax is not allowed when 'erasableSyntaxOnly' is enabled.
5 constructor (public dedupeCheckIssues: DedupeCheckIssues) {
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../reviewing/dependencies-hierarchy/src/getTree.ts:243:24 - error TS1294: This syntax is not allowed when 'erasableSyntaxOnly' is enabled.
243 private constructor (private readonly keypath: readonly string[]) {}
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
* chore: migrate from enum types
```
../pkg-manager/plugin-commands-installation/src/import/index.ts:66:6 - error TS1294: This syntax is not allowed when 'erasableSyntaxOnly' is enabled.
66 enum YarnLockType {
~~~~~~~~~~~~
../lockfile/detect-dep-types/src/index.ts:5:13 - error TS1294: This syntax is not allowed when 'erasableSyntaxOnly' is enabled.
5 export enum DepType {
~~~~~~~
```
* chore: add changelog
* chore: remove `ts-node` dev dependency (#10371)
* chore: remove `ts-node` dev dependency
* chore: remove `ts-node` usages from `package.json` scripts
2025-12-27 11:23:49 +01:00
Zoltan Kochan
1cc61e87bc
feat!: change the default values of blockExoticSubdeps and strictDepBuilds (#10332)
2025-12-22 14:36:46 +01:00
Khải
97cf97609e
fix(cli/config): phantom keys (#10323)
* fix(cli/config): phantom keys
Fixes https://github.com/pnpm/pnpm/issues/10296
This patch also includes other refactors.
* test: does not traverse the prototype chain
* test: more properties
* test: fix other tests
* feat: revert unrelated changes
2025-12-22 12:26:14 +01:00
btea
79791d879f
chore: replace mem with memoize (#10344)
2025-12-21 18:09:02 +01:00
Khải
90bd3c31f8
feat(config)!: project-specific packageConfigs (#10304)
* feat(config)!: project level `config.yaml`
* test: fix
* refactor: shorten some names
* docs(changeset): change wording
* feat: move project settings to pnpm-workspace.yaml
* test: remove unneeded fixture
* docs(changeset): correct
* refactor: replace validation with creation
* docs: consistent terminology
* perf: validate once
* test: projectConfig
* refactor: explicitly use `undefined`
* refactor: reuse `ProjectConfigRecord`
* chore(deps): remove unused dependency
* style: remove extra pipe character
* refactor: rename to `projectConfigs`
* feat: flatten `projectConfig` with `match`
* refactor: correct error class names
* docs(changeset): update
* test: fix
* feat: rename to `packageConfigs`
Rename `projectConfigs` to `packageConfigs` in the workspace manifest.
The term "project config" is still used internally, because, internally,
"project" refers to workspace packages whilst "package" refers to 3rd party
packages and dependencies.
* docs(changeset): clarify `project-N`
2025-12-21 12:01:18 +01:00
Zoltan Kochan
76718b32ad
feat: create a new field for allowing/disallowing builds (#10311)
ref #10235
2025-12-13 22:14:27 +01:00
Oren
ae8b816121
feat: support blockExoticSubdeps option to disallow non-trusted dep sources in subdeps (#10265)
* feat(core): add onlyRegistryDependencies option to disallow non-registry subdependencies
* fix: onlyRegistryDependencies=>registrySubdepsOnly
* fix: allow resolution from custom resolver
* fix: add registry-subdeps-only to types
* docs: update changesets
* refactor: registry-only
* refactor: registrySubdepsOnly=>blockExoticSubdeps
* fix: trust runtime deps
* refactor: remove comment
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-10 12:14:16 +01:00
Bart Riepe
7730a7f25c
feat: allow loading certificates from scoped cert, ca and key (#10230)
* feat: allow loading certificates from `cert`, `ca` and `key`
These properties are supported in .npmrc, but get ignored by pnpm, this will make pnpm read
and use them as well.
* refactor: getNetworkConfigs.ts
* docs: update changesets
* fix: issues
* docs: update changesets
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-29 11:37:57 +01:00
Zoltan Kochan
7e2910e70f
chore(release): 11.0.0-alpha.0
2025-11-13 15:44:27 +01:00
Zoltan Kochan
3ad031d787
fix: compile
2025-11-11 13:05:57 +01:00
Ryo Matsukawa
9d3f00b09a
feat: add support for trustPolicyExclude (#10168)
close #10164
2025-11-11 13:00:20 +01:00
Khải
075aa993bb
feat(config): global yaml (#10145)
* feat(config): global `rc.yaml`
* fix: undefined `rawConfig`
* test: add a test
* feat: re-export `isSupportedNpmConfig`
* feat: return `'compat'` to distinguish compatibility reason
* docs: `isSupportedNpmConfig`
* fix: eslint
* docs: clarify the case of the config key
* feat(cli/config/set): target yaml for pnpm-specific settings
* fix: read the correct file
* fix: write to the correct directory
* refactor: remove disabled code
* refactor: get `configDir` directly
* docs: remove outdated documentation
* test: fix a test
* test: rename
* fix: explicitly tell npm the config file path
* test: add a test
* test: add a test
* test: fix a test
* fix: local config dir
* fix: `managingAuthSettings`
* test: rename
* test: fix
* test: add a test
* test: demonstrate choosing config files
* test: fix
* docs: yet another consideration
* test: demonstrate choosing config files
* fix: correct local config file names in test helper
* test: demonstrate choosing config files
* test: use the helper
* test: add a test
* test: correct a test
* test: fix
* test: fix
* fix: eslint
* test: remove duplicate
* feat: validate `rc.yaml`
* docs: changeset
* test: fix `configDelete.test.ts`
* feat: other `npm` call-sites
* fix: make optional again
* feat: remove the change from `publish`
* fix: eslint
* refactor: just one is sufficient
* refactor: replace type union with 3 functions
* refactor(test): extract helper functions
* fix: add `rc.yaml` to `rawConfig`
* test: keep workspace settings out of `rc.yaml`
* test: fix `spawn ENOENT`
* chore(git): revert invalid change
This reverts commit 1ff6fe2323.
* feat: rename `rc.yaml` to `config.yaml`
* refactor: replace `acceptNonRc` with `!globalSettingsOnly`
* feat!: remove compat completely
* refactor: rename a function
* fix: no actual catalogs
* refactor: replace bool flag with preemptive filter
* feat!: filter global config keys
* test: fix
* fix: exclude `deploy-all-files`
* fix: reverse schema merge order
* feat(cli/config/set): validate global config yaml key
* test: remove duplicated assertion
* docs: correct
* docs: goal changed
2025-11-11 11:24:06 +01:00
Ryo Matsukawa
10bc39152e
feat: add support for npm package trust evidence check via a new trustPolicy setting (#10103)
close #8889
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-09 23:23:58 +01:00
btea
cbdc1067cc
refactor: replace deprecated method (#10075)
2025-11-09 11:23:24 +01:00
Ryo Matsukawa
d5d4eedeeb
feat: add support for pnpm config get globalconfig (#10090)
close #9977
2025-11-08 14:14:36 +01:00
Mike DiDomizio
357490525a
fix: gitBranchLockfile/mergeGitBranchLockfilesBranchPattern set in workspace file (#10139)
close #9651
2025-11-06 15:42:21 +01:00
Khải
d392c3d059
fix: explicitly tell npm the config file path (#10154)
* fix: explicitly tell npm the config file path
* fix: `managingAuthSettings`
* feat: other `npm` call-sites
* docs: changeset
* fix: make optional again
* feat: remove the change from `publish`
* fix: eslint
* refactor: just one is sufficient
2025-11-05 23:46:20 +01:00
Khải
d4bf2d0e60
feat(cli/config)!: config command outputs changed from INI to JSON with camelCase keys (#10142)
2025-10-30 11:34:48 +01:00
Zoltan Kochan
3ce5f82bd7
Merge remote-tracking branch 'origin/main' into v11
2025-10-28 18:40:05 +01:00
Zoltan Kochan
49f03d14ee
chore(release): 10.20.0
2025-10-28 17:35:21 +01:00
Khải
ae43ac79fa
feat(cli/config)!: breaking changes (#9854)
* feat(cli/config)!: breaking changes
* refactor(test): remove `deepNullProto` and reuse `getOutputString`
* feat(cli/config/list): censor protected settings
* test: censorship of protected settings
* docs(changeset): censorship of protected settings
* fix: eslint
* feat(config)!: exclude non-option from `rawConfig`
* fix: eslint
* refactor: move default registries to builtin (#9886)
* feat(config)!: filter rc settings
* feat(config): don't exclude non-options
This reverts commit a79f72dbfb.
* feat(cli/config/get)!: print array as json
* test: fix
* docs(changeset): correct
* test: fix
* feat(cli/config)!: only kebabize option fields (wip)
* chore(git): revert the implementation
This reverts commit 529f9bdd47.
* test: restore
This reverts commit d8191e0ed8.
* feat(cli/config)!: only kebabize option fields (wip)
* feat: use `types` instead
* feat(cli/config/get)!: only kebabize rc fields
* test: add
* test: non-rc kebab-case keys
* test: correct
* docs(changeset): correct
* docs(changeset): style
* docs(changeset): correct
* test: only kebabize rc fields
* fix: import path
* fix: eslint
* fix: `isCamelCase`
* feat(cli/config/set)!: forbid unknown rc fields
* test: fix existing test
* test: refuse unsupported rc settings
* feat: hint
* feat(cli/config/set)!: refuse kebab-case workspace-specific settings
* feat(config)!: ignore non-camelCase from `pnpm-workspace.yaml`
* test: config get
* test: config list
* refactor: extract shared code into its own package
* test: `isCamelCase`
* feat(cli/config/list)!: consistent naming cases
* refactor: make it more reusable
* feat(cli/config/get)!: consistent naming cases
* feat(cli/config/get): censor protected settings
* test: `get ''` should be the same as `list`
* docs(test): quotation marks
* refactor: remove unnecessary `test.each`
* docs(changeset): case changes
* test: unknown keys
* docs(changeset): correct
* docs(changeset): non camelCase from `pnpm-workspace.yaml`
* fix: eslint
* docs(changeset): correct terminology
* docs(changeset): clarify
* feat!: do not load non-auth and non-registry
* fix: implementation
* test: no hidden settings
* fix: eslint
* fix: do not drop default values
* test: fix
* test: remove irrelevant tests
* test: fix (wip)
* fix: auth
* test: skip an inapplicable test
* test: temporarily skip a test
* test: fix 'respects testPattern'
* test: fix 'respects changedFilesIgnorePattern'
* test: fix 'changedFilesIgnorePattern is respected'
* test: rename a test
* test: fix `package-lock=false`
* feat: exception for `managePackageManagerVersions`
* test: `managePackageManagerVersions: false`
* test: fix (wip)
* test: workaround
* fix: default `optional` to `true`
* fix: `filter` on `pnpm-workspace.yaml`
* test: fix
* test: disable ones that no longer apply
* chore(git): revert incorrect change
* fix: `filter` on `pnpm-workspace.yaml` (#10127)
* fix: `filter` on `pnpm-workspace.yaml`
* docs: changeset
* fix: actual fix
* fix: don't set default on config
* docs(readme): correct a package description
* fix: typo
* test: fix
* test: use a field that wouldn't be ignored
* test: replace some `.npmrc` with `pnpm-workspace.yaml`
* docs(changeset): less awkward wordings
* docs(changeset): correction
2025-10-28 17:09:15 +01:00
Khải
ed1a7fe7cd
fix: filter on pnpm-workspace.yaml (#10127)
* fix: `filter` on `pnpm-workspace.yaml`
* docs: changeset
* fix: actual fix
* fix: don't set default on config
2025-10-27 13:36:35 +01:00
Zoltan Kochan
dab9abef5c
Merge remote-tracking branch 'origin/main' into v11
2025-10-24 14:19:07 +02:00
Zoltan Kochan
0cde1287c8
chore: update repository fields
2025-10-23 11:57:12 +02:00
Zoltan Kochan
43d7b18c2f
chore(release): 10.19.0
2025-10-21 15:30:20 +02:00