When lockfile-include-tarball-url is explicitly set to false, tarball URLs
are now always excluded from the lockfile. Previously, packages hosted under
non-standard tarball URLs would still have their tarball field written to the
lockfile even when the setting was false, causing flaky and inconsistent
behavior across environments.
The fix makes the option tri-state internally:
- true: always include tarball URLs
- false: never include tarball URLs
- undefined (not set): use the existing heuristic that includes tarball URLs
only for packages with non-standard registry URLs
close#6667
* fix: respect peer dep range in hoistPeers when preferred versions exist
Previously, hoistPeers used semver.maxSatisfying(versions, '*') which
picked the highest preferred version from the lockfile regardless of the
peer dep range. This caused overrides that narrow a peer dep range to be
ignored when a stale version existed in the lockfile.
Now hoistPeers first tries semver.maxSatisfying(versions, range) to find
a preferred version that satisfies the actual peer dep range. If none
satisfies it and autoInstallPeers is enabled, it falls back to the range
itself so pnpm resolves a matching version from the registry.
* fix: only fall back to exact-version range for overrides, handle workspace: protocol
- When no preferred version satisfies the peer dep range, only use the
range directly if it is an exact version (e.g. "4.3.0" from an override).
For semver ranges (e.g. "1", "^2.0.0"), fall back to the old behavior
of picking the highest preferred version for deduplication.
- Guard against workspace: protocol ranges that would cause
semver.maxSatisfying to throw.
- Add unit tests for hoisting deduplication and workspace: ranges.
* fix: only apply range-constrained peer selection for exact versions
The previous approach used semver.maxSatisfying(versions, range) for all
peer dep ranges, which broke aliased-dependency deduplication — e.g. when
three aliases of @pnpm.e2e/peer-c existed at 1.0.0, 1.0.1, and 2.0.0,
range ^1.0.0 would pick 1.0.1 instead of 2.0.0.
Now the range-aware logic only activates when the range is an exact
version (semver.valid), which is the override case (e.g. "4.3.0").
Regular semver ranges fall back to picking the highest preferred version.
This PR overhauls `pnpm env` use to route through pnpm's own install machinery instead of maintaining a parallel code path with manual symlink/shim/hardlink logic.
```
pnpm env use -g <version>
```
now runs:
```
pnpm add --global node@runtime:<version>
```
via `@pnpm/exec.pnpm-cli-runner`. All manual symlink, hardlink, and cmd-shim code in `envUse.ts` is gone (~1000 lines removed across the package).
### Changes
**npm and npx shims on all platforms**
Added `getNodeBinsForCurrentOS(platform)` to `@pnpm/constants`, returning a `Record<string, string>` with the correct relative paths for `node`, `npm`, and `npx` inside a Node.js distribution. `BinaryResolution.bin` is widened from `string` to `string | Record<string, string>` in `@pnpm/resolver-base` and `@pnpm/lockfile.types`, so the node resolver can set all three entries and pnpm's bin-linker creates shims for each automatically.
**Windows npm/npx fix**
`addFilesFromDir` was skipping root-level `node_modules/` (to avoid storing a package's own dependencies), which stripped the bundled `npm` from Node.js Windows zip archives. Added an `includeNodeModules` option and enabled it from the binary fetcher so Windows distributions keep their full contents.
**Removed subcommands**
`pnpm env add` and `pnpm env remove` are removed. `pnpm env use` handles both installing and activating a version. `pnpm env list` now always lists remote versions (the `--remote` flag is no longer required, though it is kept for backwards compatibility).
**musl support**
On Alpine Linux and other musl-based systems, the musl variant of Node.js is automatically downloaded from [unofficial-builds.nodejs.org](https://unofficial-builds.nodejs.org).
The lockfile now includes musl Linux builds (sourced from
unofficial-builds.nodejs.org) alongside the standard glibc variants,
so that `node@runtime:` works out of the box on Alpine Linux and other
musl-based distributions.
`env use` can download node.js artifacts for systems that use musl.
* test: fix flaky tests & add retries for failed tests during CI testing
* fix: import jest in setupFilesAfterEnv & reduce retries to 2
* test: remove global retries
* fix(core): decouple shouldForceResolve from canResolve in custom resolvers
shouldForceResolve is now called for every package in the lockfile
without gating on canResolve, since it runs before resolution where
the original specifier is not available. Resolvers should handle their
own filtering within shouldForceResolve (e.g. by inspecting depPath
or pkgSnapshot.resolution).
* refactor: shouldForceResolve=>shouldRefreshResolution
* docs: remove changeset
We don't need a new changeset, we just updated the existing changeset
* refactor(core): use Promise.any for early exit in checkCustomResolverForceResolve
Replace Promise.all + .some(Boolean) with Promise.any so that the check
short-circuits as soon as any shouldRefreshResolution hook returns true,
instead of waiting for every hook to complete. Real errors thrown by hooks
are re-thrown instead of being silently swallowed.
* refactor(core): replace Promise.any with custom anyTrue helper
Handle sync boolean returns from shouldRefreshResolution without
creating unnecessary promises. Only async results go through the
anyTrue helper, which short-circuits on the first true value.
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
* feat: add --yes command line option
* feat: skip confirm modules purge prompt if --yes is passed
* refactor: factor out `ExecPnpmSyncOpts`
* test: add end-to-end test for --yes flag
* test: use `import type` in more places
Several tests are failing because a module isn't being mocked. This is
due to the mocked module being imported before the mock being set up.
Switching to `import type` should elide the import fully.
* build: replace ts-jest with simple transformer
* chore: remove `ts-jest`
* chore: remove babel dependencies from root project
* ci: use Node.js 22.13.0 (instead of 22.12.0)
Node.js 22.13.0 introduces the `stripTypeScriptTypes` function
* fix: copilot feedback
This fixes an issue where pnpm fetch would fail in Docker builds when
local directory dependencies (file: protocol) were not available.
The fix adds an ignoreLocalPackages option that is passed from the fetch
command to skip local dependencies during graph building, since pnpm
fetch only downloads packages from the registry and doesn't need local
packages that won't be available in Docker builds.
close#10460
* feat: pass pkgSnapshot to shouldForceResolve
The shouldForceResolve hook now receives:
- depPath: The dependency path (e.g., 'lodash@4.17.21')
- pkgSnapshot: The lockfile entry with resolution, dependencies, etc.
This replaces the previous wantedDependency argument, which was inconsistent
with how wantedDependency is constructed for the resolve() method (where it
contains the user's alias and full specifier from package.json).
- Add currentPkg (with name/version) to custom resolver ResolveOptions
- Pass currentPkg through to custom resolvers in default-resolver
- Simplify checkCustomResolverForceResolve to use parseDepPath
* refactor: factor out a `getRealNameAndSpec` function
* test: `pnpm add` does not modify existing catalog entries
* fix: resolve preferred version without mutating bare specifier
close#9759
* feat: enable injected local packages to work with global virtual store
by leveraging `pkgLocationsByDepPath` for `file:` dependencies.
* fix: populate `pkgLocationsByDepPath` directly for directory dependencies in the graph builder
* refactor: store directory dependencies as a Map instead of an object
* refactor: improve file: dependency target directory resolution
by prioritizing `directoryDepsByDepPath` and providing a lockfile fallback.
* refactor: remove `pkgLocationsByDepPath` from hoisted dependency graph generation parameters
* test: fix
* test: fix
* refactor: simplify directory lookup for injected workspace packages
by directly using the dependency graph
* refactor: move extendProjectsWithTargetDirs to headless module and update imports
* refactor: make `directoryDepsByDepPath` required
in `LockfileToDepGraphOptions` and remove its nullish coalescing in headless
* refactor: directory dependency tracking
by renaming `directoryDepsByDepPath` to `injectionTargetsByDepPath`
and extracting related logic, and remove an unused export.
* docs: add changesets
* fix: implemented CR suggestions
* fix(tarball-resolver): add integrity hash to HTTP tarball dependencies
* Refactor to download tarball just once
* Fix tests
* fix: only calc hash when it is not passed in to the fetcher
* docs: update changesets
