mirror of
https://github.com/pnpm/pnpm.git
synced 2026-04-27 10:30:58 -04:00
fcdd50aaa773bc30f90bba767ca6c374646bf87e
17 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
Zoltan Kochan
|
fcdd50aaa7 | chore(release): 11.0.0-rc.3 | ||
|
Zoltan Kochan
|
72c1e050e9 |
feat: add pnpm pack-app command for packing CJS entries into standalone executables (#11312)
* fix: give each runtime variant its own global virtual store entry
When a runtime package (e.g. node@runtime:X.Y.Z) uses a variations
resolution, createFullPkgId() in @pnpm/deps.graph-hasher was hashing
the whole VariationsResolution — the same hash on every host — so the
global virtual store path collided between variants. Whichever variant
installed first won, and a later `pnpm add --libc=musl node@runtime:<v>`
silently reused the cached glibc (or macOS/Windows) binary.
The fix threads supportedArchitectures down to createFullPkgId so the
selected variant's integrity is used as the package fingerprint. Two
related cleanups land with it:
- Extract the platform-variant selection logic to @pnpm/resolving.resolver-base
as selectPlatformVariant/resolvePlatformSelector. The helper's libc
match also required a fix: a variant with no libc is the "default"
build, and a request for a non-default libc (e.g. musl) must require
an exact match so the default variant doesn't silently win.
- @pnpm/installing.package-requester's findResolution now delegates to
the shared helper, and the new supportedArchitectures param is plumbed
through calcDepState / calcGraphNodeHash / iterateHashedGraphNodes /
lockfileToDepGraph and their callers in deps-resolver, deps-restorer,
deps-installer, graph-builder, and building.after-install.
* feat: add pnpm build-sea command for building Node.js SEA executables
Adds `pnpm build-sea` under @pnpm/releasing.commands. Takes a CommonJS
entry file and a set of target triplets (linux-x64, linux-x64-musl,
linux-arm64, linux-arm64-musl, macos-x64, macos-arm64, win-x64,
win-arm64) and produces a standalone executable per target under
dist-sea/<target>/.
Each target's Node.js runtime is fetched via `pnpm add node@runtime:<v>
--os=<os> --cpu=<arch> --libc=<libc>` into $PNPM_HOME/build-sea/<target>-<v>/
so binaries are hardlinked from the global content-addressable store and
`pnpm store prune` can reclaim them.
Requires Node.js v25.5+ to perform the --build-sea injection. If the
running Node is older, a v25 binary is downloaded and used as the builder
automatically. macOS outputs are ad-hoc signed with codesign (on macOS)
or ldid (when cross-compiling from Linux), which is required because SEA
injection invalidates the binary's existing signature.
* fix(build-sea): reject malformed --target, --output-name and use mkdtemp for config
Addresses Copilot review feedback on the build-sea command:
- parseTarget() previously destructured the target string, silently
accepting extra `-` segments. Inputs like `linux-x64-musl-../../outside`
would pass validation and flow into path.join. Validation is now done
with a strict anchored regex.
- --output-name was passed into path.join() without sanitization, so a
caller could escape the output directory with path separators or `..`.
validateOutputName() now rejects anything that isn't a plain basename.
- The per-target SEA config file was written to a predictable path under
os.tmpdir() (derived from the target name and Date.now()), which is
unsafe on multi-user systems. It now lives inside a fresh mkdtemp()
directory and is opened with the exclusive "wx" flag.
- New test cases cover extra-segment targets, uppercase/whitespace
variants, and the full matrix of invalid --output-name inputs.
* rename: build-sea → pack-app
`build-sea` required knowing what a SEA is. `pack-app` is self-describing,
doesn't collide with pnpm's existing `bin` concept, and parallels the
existing `pack` command.
- Command name: build-sea → pack-app
- Default output dir: dist-sea → dist-app
- Error codes: PACK_APP_* (was BUILD_SEA_*)
- Export/type: packApp / PackAppOptions (was buildSea / BuildSeaOptions)
- Install cache dir: $PNPM_HOME/pack-app (was $PNPM_HOME/build-sea)
The Node.js `--build-sea` flag name itself is unchanged — that's a
Node.js feature and outside this project's naming.
* fix(pack-app): reject directory entries, pin builder to >=25.5, refuse macOS target on Windows
Addresses Copilot review feedback on the pack-app command:
- entry validation now rejects non-file paths (directories, symlinks to
non-files) with a dedicated PACK_APP_ENTRY_NOT_FILE instead of
surfacing a less actionable error later in the SEA build.
- DEFAULT_BUILDER_SPEC was the bare major ("25"), which would satisfy
with 25.0.x if that version is still present — those point releases
predate --build-sea support. Tightened to ">=25.5.0 <26.0.0" so the
download is guaranteed to support the flag without ever crossing a
major.
- adHocSignMacBinary() silently skipped re-signing on Windows hosts.
Now throws PACK_APP_MACOS_SIGN_UNSUPPORTED_HOST with a hint to build
the target on macOS/Linux or re-sign manually.
- resolvePlatformSelector() JSDoc now matches what the code actually
does (picks the first entry when it is not "current"; later entries
are ignored).
- New test case covers the directory-as-entry rejection.
* refactor(pack-app): switch target OS names to process.platform constants
Previously `pack-app` accepted `macos-*` / `win-*` as the OS portion of a
target triplet and translated them to `darwin` / `win32` internally. The
translation layer made the CLI surface inconsistent with the values that
`pnpm add --os=…` and `supportedArchitectures.os` already use, and added
a small footgun (e.g. users setting `supportedArchitectures: { os: [darwin] }`
but typing `macos-arm64` for pack-app).
The supported target OS set is now `linux | darwin | win32`, matching
`process.platform`. Old inputs like `macos-arm64` or `win-x64` now fail
validation with a clear error pointing to the new naming. The internal
parseTarget helper drops its TARGET_OS_MAP lookup entirely.
This is a change to an unreleased command so there is no back-compat
concern. pnpm's own artifact directory names (`pnpm/artifacts/macos-*/`,
`pnpm/artifacts/win-*/`) are an internal implementation detail and are
not affected by this change.
* feat(pack-app): read defaults from pnpm.app in package.json
Every pack-app flag (--entry, --target, --node-version, --output-dir,
--output-name) can now be preconfigured in the project's package.json
under a new "pnpm.app" object:
{
"name": "my-cli",
"pnpm": {
"app": {
"entry": "dist/index.cjs",
"targets": ["linux-x64", "darwin-arm64", "win32-x64"],
"nodeVersion": "25",
"outputDir": "release",
"outputName": "my-cli"
}
}
}
CLI flags always win. --target replaces the configured list rather than
appending, so a user can narrow the default set at the command line.
The config loader is strict: unknown keys under pnpm.app and any
type-mismatched values throw PACK_APP_INVALID_CONFIG so mistakes surface
at invocation time instead of silently being ignored.
Chose pnpm.app over pnpm.packApp because it's the shorter, cleaner
namespace for anything related to the app bundle (future sibling
commands like run-app / deploy-app could share the same object without
a naming clash). Chose package.json over pnpm-workspace.yaml because
the config is inherently per-project, whereas pnpm-workspace.yaml is
workspace-root-only.
* fix(pack-app): deterministic libc selection and stricter output-name validation
Addresses Copilot review feedback:
- ensureNodeRuntime() now always passes an explicit --libc for linux
targets. Without a suffix, linux-x64 and linux-arm64 default to
--libc=glibc instead of letting the user's supportedArchitectures.libc
config or the host's detected libc decide the variant. The install
cache directory mirrors this, so glibc and musl variants are always
distinct (linux-x64-glibc vs linux-x64-musl).
- resolveBuilderBinary() now pins the host libc when downloading a
builder Node on Linux. A user whose config sets supportedArchitectures.libc
to musl no longer ends up with a musl Node that the glibc host cannot
execute.
- validateOutputName() rejects Windows-invalid filename characters
(<>:"|?* and NUL), Windows reserved device names (CON, NUL, COM1, etc.),
and names ending in a dot or space — problems surface at invocation
time rather than during writeFile(outputFile, ...) on Windows.
- lockfileToDepGraph variants tests no longer derive the "host"
variant from process.platform/process.arch; they always pass an
explicit supportedArchitectures selector so the expectations hold on
any CI host (including Alpine/musl).
* chore: add "toctou" to cspell wordlist
`TOCTOU` (time-of-check-to-time-of-use) is the standard term for the
race-condition class the pack-app SEA-config comment describes. Adding
it to the wordlist unblocks the Lint CI step.
* fix: lint
|
||
|
Zoltan Kochan
|
96ece9d736 | chore(release): 11.0.0-rc.2 | ||
|
Zoltan Kochan
|
f7c23231a9 | chore(release): 11.0.0-rc.1 | ||
|
Zoltan Kochan
|
06d6c2d405 | chore(release): 11.0.0-rc.0 | ||
|
Zoltan Kochan
|
853be661d8 |
feat: add native pnpm dist-tag command (#11218)
Implement dist-tag ls, add, and rm subcommands natively instead of delegating to npm. Follows the same pattern as the recently added deprecate and unpublish commands. |
||
|
Zoltan Kochan
|
b103439d9a |
refactor(test): extract shared DEFAULT_OPTS into @pnpm/testing.command-defaults (#11208)
12 command test suites had near-identical ~50-field DEFAULT_OPTS objects copy-pasted between them. Extract the common fields into a single shared package so each suite only declares its overrides. |
||
|
Zoltan Kochan
|
d6b8e281b6 | chore: use pn instead of pnpm (#11124) | ||
|
Khải
|
d4a1d734b6 |
feat: pnpm login (#11094)
* refactor: extract web auth QR code and polling into @pnpm/network.web-auth Extract generateQrCode() and pollForWebAuthToken() from releasing/commands into a new shared package so that both `pnpm publish` and the upcoming `pnpm login` can reuse the web-based authentication flow with QR code display and doneUrl polling. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * feat: implement `pnpm login` command Add `pnpm login` (and `pnpm adduser` alias) for authenticating with npm registries. The command: - Tries web-based login first (POST /-/v1/login), displaying a QR code and polling for the token using @pnpm/network.web-auth - Falls back to classic username/password/email login (PUT /-/user/ org.couchdb.user:<username>) when web login is not supported (404/405) - Saves the received auth token to the user's global rc file Also fixes a tsgo build issue in releasing/commands where OtpWebAuthFetchOptions was used as a local type alias but was only available as a re-exported name. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * fix: resolve spellcheck issues in login test https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * fix: correct alphabetical ordering for meta-updater https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * chore: add meta-updater generated tsconfig files https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * fix: add explicit return type to prompt mock for tsgo compatibility https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * fix: use @pnpm/network.fetch instead of globalThis.fetch Switch from globalThis.fetch to fetchWithAgent from @pnpm/network.fetch so that pnpm login respects proxy settings (httpProxy/httpsProxy/noProxy), custom SSL certificates (ca/cert/key), strictSsl, and retry configuration. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: improve login fetch types and use URL constructor - Type LoginContext.fetch using WebAuthFetchOptions/WebAuthFetchResponse from @pnpm/network.web-auth, extended with text() and wider method - Replace regex-based URL construction with new URL() constructor - Remove redundant LoginFetchInit type https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: match publish pattern for dependency injection - Static DEFAULT_CONTEXT constant instead of createDefaultContext factory - context = DEFAULT_CONTEXT default parameter instead of context?: Partial - Destructure context in function signatures for natural calling - Use plain fetch from @pnpm/network.fetch (like SHARED_CONTEXT in publish) - Context contains only side-effect functions and modules, not config https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: use typeof fetch instead of custom fetch types Remove LoginFetchOptions and LoginFetchResponse. Type LoginContext.fetch as typeof fetch from @pnpm/network.fetch directly, eliminating all casts. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * fix: remove placeholder username from login success message Web login doesn't return a username, so just report the registry. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: use tempDir from @pnpm/prepare instead of manual tmp dirs https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * chore: update tsconfig references for @pnpm/prepare https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: inject readSettings/writeSettings for fully pure tests Add readSettings and writeSettings to LoginContext so tests need no filesystem side effects. Remove @pnpm/prepare devDependency. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: remove DEFAULT_CONTEXT from tests, use pure test context Tests now construct their own TEST_CONTEXT with all no-op mocks, eliminating any reliance on real side-effectful functions. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * test: use distinct opts per test, assert URLs and config paths Each test now uses a different registry and configDir to verify URL construction, config key generation, and save path are correct for non-default options. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * test: throw on unexpected mock calls instead of silent fallbacks All mock functions in TEST_CONTEXT now throw on unexpected calls, ensuring tests fail loudly if the code makes unanticipated side effects. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * test: use IANA-reserved example.com domains in test URLs Replace custom.registry.io and private.reg.co with example.com and example.org (RFC 2606 reserved) to prevent domain squatting risks. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * test: use deterministic Date mock instead of native Date https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * test: assert globalInfo calls, throw on unexpected ones Default globalInfo in TEST_CONTEXT now throws. Each test overrides it to capture messages and asserts the expected output. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * fix: use inferred type for fetch url parameter in tests Drop explicit `string` annotation so the parameter matches the `RequestInfo` type expected by the fetch signature. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * fix: resolve type errors in login test mock fetch Use mockResponse helper with `as any` cast to satisfy the Response type, and String(url) for RequestInfo-to-string conversion. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * chore: add tsconfig.lint.tsbuildinfo to .gitignore https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: replace typeof fetch with explicit LoginFetchResponse/LoginFetchOptions types Derive the fetch signature from actual call-site usage instead of coupling to the concrete @pnpm/network.fetch type. This lets test mocks return plain objects without casts. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * chore: gitignore generated pn/pnpx/pnx artifacts These files are created by setup.js during preinstall and should not be tracked. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: remove unnecessary backwards-compat aliases from otp.ts Remove Otp-prefixed re-exports (OtpWebAuthFetchOptions, OtpWebAuthFetchResponse, OtpWebAuthTimeoutError) that only existed as backwards-compatibility shims. Update the test to import directly from @pnpm/network.web-auth. Restore the named OtpDate interface that was unnecessarily inlined. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * test(web-auth): add comprehensive unit tests for @pnpm/network.web-auth Add dependency-injected unit tests covering: - WebAuthTimeoutError: properties, code, hint, message - generateQrCode: basic output and input differentiation - pollForWebAuthToken: happy path, fetch argument passing, Retry-After handling (valid, non-finite, null, sub-interval, capped to remaining timeout, timeout during retry wait), error recovery (fetch throws, non-ok response, json parse error, missing token, empty token, multiple consecutive errors), custom timeout, poll interval timing All tests use fake Date.now() and setTimeout — no real timers or side effects. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * fix(web-auth): fix TS2339 compile errors in test assertions Replace `.catch((e: WebAuthTimeoutError) => e)` pattern with `rejects.toMatchObject()` to avoid `string | WebAuthTimeoutError` union type issue when accessing `.timeout` property. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * feat(web-auth,login): extract shared OTP handling and add OTP support to login - Create `withOtpHandling<T>()` in `@pnpm/network.web-auth` that wraps any operation with EOTP challenge detection, web auth flow, and classic OTP prompting. - Refactor `publishWithOtpHandling` to delegate to the shared function. - Add OTP handling to `pnpm login`'s classic (CouchDB) login flow: detects 401 + `www-authenticate: otp` header and retries with the OTP code (or web auth token) in the `npm-otp` header. - Remove overly strict `this: this` constraints from WebAuthFetchResponse interfaces to improve cross-package type compatibility. - Add 13 unit tests for `withOtpHandling` (classic + webauth flows). - Add 4 login OTP tests (classic OTP, webauth OTP, non-401, non-otp 401). https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * fix(login): use word-boundary regex for URL assertion in test Replace `m.includes(url)` with a regex that checks the URL is bounded by whitespace or string boundaries, addressing the CodeQL "incomplete URL substring sanitization" finding. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor(login): use toContainEqual + stringMatching for URL assertion Replace manual `.some()` with Jest's `toContainEqual(expect.stringMatching(...))` for better error messages on failure. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor(web-auth): use expect.any(String) instead of typeof check https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor(web-auth): consolidate multi-property assertions Use toMatchObject and toEqual instead of separate per-property expects. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * docs: explain why npm-auth-type header is sent unconditionally https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: remove unused re-exports and add missing test coverage Remove dead re-exports of OtpHandlingPromptOptions and OtpHandlingPromptResponse from releasing/commands/src/publish/otp.ts. Add tests for: - LOGIN_MISSING_CREDENTIALS (empty username in classic login) - LOGIN_NO_TOKEN (registry returns success without token) - LOGIN_INVALID_RESPONSE (web login returns incomplete response) - isWebLoginNotSupported with 405 status code https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor(login): rename readSettings/writeSettings to safeReadIniFile/writeIniFile Use the actual function names in the LoginContext interface instead of abstract names, matching the implementations they wrap. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor(otp): remove unnecessary re-exports from otp.ts OtpNonInteractiveError, OtpSecondChallengeError, and OtpHandlingEnquirer were re-exported only for the test file, which can import them directly from @pnpm/network.web-auth. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor(otp): remove unused SHARED_CONTEXT re-export All consumers already import SHARED_CONTEXT directly from ./utils/shared-context.js, making this re-export dead code. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor(login): extract LoginDate and LoginEnquirer interfaces Extract named interfaces for the Date and enquirer members of LoginContext instead of inlining their types. https://claude.ai/code/session_01YHYqGAAmZ1a9XMWoV7nG4S * refactor: stop renaming Claude Code Web didn't rename them thoroughly, so I had to do it myself * docs: correct the lines Why did Claude Code Web misaligned? * refactor: strictly type `LoginFetchOptions.headers` * docs: remove redundant comments * refactor: inline `npm-otp` * refactor: inline `headers` * feat: add `WebLoginError.responseText` * refactor: rename `statusCode` into `httpStatus` * refactor(login): extract ClassicLoginError subclass from PnpmError Extract the LOGIN_FAILED error into a dedicated ClassicLoginError class with httpStatus and responseText properties, matching the WebLoginError pattern. https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor: remove unnecessary import * docs(changeset): correct a changeset * docs(changeset): re-add `releasing.commands` * refactor(web-auth): split monolithic test file into per-module files Split index.test.ts into four files matching the source structure: - WebAuthTimeoutError.test.ts - generateQrCode.test.ts - pollForWebAuthToken.test.ts - withOtpHandling.test.ts https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor: remove unnecessary `as const` * refactor: remove unnecessary `as const` * chore: undo Claude's BS * refactor: extract `LoginEnquirerOptions` * refactor: move types closer to their usesites * refactor: remove simple type alias * fix: type errors * refactor(login): inject readIniFile instead of safeReadIniFile in context The context object should only contain external dependencies. safeReadIniFile is a local wrapper, not an external dependency, so inject readIniFile (from read-ini-file) instead and pass it to safeReadIniFile as a parameter. https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * test(login): add coverage for safeReadIniFile ENOENT handling Test that login succeeds with empty settings when the config file does not exist (ENOENT), and that non-ENOENT errors (e.g. EACCES) are properly propagated. https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor: fix ugliness * refactor: just pass context object * refactor: destructure `context` * refactor: pass the `context` object * refactor: destructure `context` * refactor: pass `context` object directly * refactor: remove unnecessary parenthesis * fix: remove unused import * refactor: remove unnecessary parentheses from single-param arrows in tests https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor: extract `LoginFetchResponseHeaders` * fix(login): remove inline default from --registry option description No other pnpm command includes "(default: ...)" in option descriptions. https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor(tests): enforce realistic mock response behavior - Add createMockResponse helpers that enforce single body consumption (calling text() or json() twice, or both, throws an error) - Default headers.get to throwing on unexpected calls, forcing tests to explicitly provide headers when the code under test reads them - Replace all inline response objects with createMockResponse calls https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * fix: formatting * refactor: reuse * docs: clarify what the error is actually about * docs: consistent error message * refactor: use consistent error message convention in test mocks Capitalize and use "Unexpected call to <thing>" pattern instead of AI-generated "unexpected X call" messages. https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor: expand inline process mock objects to multi-line https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor(login): extract PnpmError subclasses and use stricter test assertions Extract LoginNonInteractiveError, LoginInvalidResponseError, LoginMissingCredentialsError, and LoginNoTokenError subclasses instead of throwing PnpmError directly. Update test assertions to use the const promise pattern with toHaveProperty checks on both code and message, matching the convention used elsewhere in the codebase. https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor: undo ai's nonsensical deletion * refactor: simplify * refactor: rename OtpHandling* types to Otp* for brevity OtpHandlingContext → OtpContext OtpHandlingEnquirer → OtpEnquirer OtpHandlingPromptOptions → OtpPromptOptions OtpHandlingPromptResponse → OtpPromptResponse The OtpHandling prefix was named after the function (withOtpHandling) rather than the domain concept. https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor: extract `OtpDate` * refactor: reuse * fix: eslint * refactor: add OtpRequiredError with body validation and globalWarn - Add OtpRequiredError class with static fromUnknown() that validates the EOTP error body shape and returns either a validated error or an OtpBodyWarning when fields have unexpected types - Add globalWarn to OtpContext so withOtpHandling can warn on bad body shapes instead of silently dropping them - Update throwIfOtpRequired in login.ts to pass raw body through so validation happens in withOtpHandling via fromUnknown - Add tests for bad body shapes (wrong types for authUrl/doneUrl) - Add tests for OtpRequiredError.fromUnknown - Propagate globalWarn through LoginContext, DEFAULT_CONTEXT, SHARED_CONTEXT, and all test mocks https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * docs: remove misleading comment from throwIfOtpRequired The comment referenced downstream machinery (OtpRequiredError.fromUnknown) that the reader shouldn't need to know about at this call site. https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * refactor: replace Object.assign hack with OtpRequiredError in throwIfOtpRequired throwIfOtpRequired now validates the raw response body via OtpRequiredError.fromUnknown and throws a proper OtpRequiredError instead of monkey-patching properties onto a plain Error. withOtpHandling skips re-validation when the caught error is already an OtpRequiredError instance. https://claude.ai/code/session_0191GhgPWiD5TroLMoXAmkaZ * chore(git): revert an imperfect fix This reverts commit |
||
|
Alessio Attilio
|
d5be835735 |
feat: implement native recursive version command (#10879)
* feat: implement non-interactive version command * fix: address review issues in version command - Fix changeset package name to @pnpm/releasing.commands - Use writeProjectManifest instead of writeJsonFile to preserve formatting - Remove dead updateWorkspaceDependencies placeholder function - Remove unused imports (path, ProjectManifest, writeJsonFile) - Add expect.assertions(1) to prevent silent test pass on no-throw Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Zoltan Kochan <z@kochan.io> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|
Zoltan Kochan
|
421ceac0b3 |
chore: compile pnpm CLI bundle before tests that use it (#11059)
Packages whose tests spawn the local pnpm CLI (pnpm/bin/pnpm.mjs) need the bundle (pnpm/dist/pnpm.mjs) to exist. Add `pnpm --filter pnpm run compile` to their test scripts so the bundle is built before tests run. |
||
|
Zoltan Kochan
|
cd2dc7d481 |
refactor: prefix internal scripts with . to hide them (#11051)
* fix: ensure PNPM_HOME/bin is in PATH during pnpm setup When upgrading from old pnpm (global bin = PNPM_HOME) to new pnpm (global bin = PNPM_HOME/bin), `pnpm setup` would fail because the spawned `pnpm add -g` checks that the global bin dir is in PATH. Prepend PNPM_HOME/bin to PATH in the spawned process env so the check passes during the transition. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: update pnpm to v11 beta 2 * chore: update pnpm to v11 beta 2 * chore: update pnpm to v11 beta 2 * chore: update pnpm to v11 beta 2 * fix: lint * refactor: rename _-prefixed scripts to .-prefixed scripts Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: update root package.json to use .test instead of _test Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * ci: update action-setup --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|
Zoltan Kochan
|
1701a65845 |
chore: reduce noisy warnings in test output (#11022)
* chore: reduce noisy warnings in test output - Suppress ExperimentalWarning and DEP0169 via --disable-warning in NODE_OPTIONS - Fix MaxListenersExceededWarning by raising limit in StoreIndex when adding exit listeners - Update meta-updater to generate the new _test scripts Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: stop streaming pnpm subprocess output during CLI tests Buffer stdout/stderr from execPnpm instead of writing to the parent process in real time. Output is still included in the error message on failure. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: pipe all subprocess output in CLI tests Use stdio: 'pipe' for all pnpm/pnpx spawn helpers so subprocess output is buffered instead of printed. Output is still included in error messages on failure. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: remove duplicate @pnpm/installing.env-installer in pnpm/package.json Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * chore: use pipe stdio in dlx and errorHandler tests Replace stdio: 'inherit' and [null, 'pipe', 'inherit'] with 'pipe' to prevent subprocess output from leaking into test output. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * fix: skip maxListeners adjustment when set to unlimited (0) Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> |
||
|
Zoltan Kochan
|
88ad21dff8 |
feat(publish): handle OTP and web-based authentication flows (#11019)
* feat(publish): handle OTP and web-based authentication flows (#10834) Add OTP handling to `pnpm publish` with support for: - Classic OTP prompt (manual code entry) - Web-based authentication flow with QR code display and doneUrl polling - `npm-auth-type: web` header to signal web auth support to the registry Extract OTP logic into a dedicated `otp.ts` module with dependency injection for testability. Consolidate shared context for OIDC and OTP. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> * Potential fix for pull request finding Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> --------- Co-authored-by: KSXGitHub <11488886+KSXGitHub@users.noreply.github.com> Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com> |
||
|
Zoltan Kochan
|
dba4153767 |
refactor: rename packages and consolidate runtime resolvers (#10999)
* refactor: rename workspace.sort-packages and workspace.pkgs-graph - workspace.sort-packages -> workspace.projects-sorter - workspace.pkgs-graph -> workspace.projects-graph Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: rename packages/ to core/ and pkg-manifest.read-package-json to reader - Rename packages/ directory to core/ for clarity - Rename pkg-manifest/read-package-json to pkg-manifest/reader (@pnpm/pkg-manifest.reader) - Update all tsconfig, package.json, and lockfile references Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * refactor: consolidate runtime resolvers under engine/runtime domain - Remove unused @pnpm/engine.runtime.node.fetcher package - Rename engine/runtime/node.resolver to node-resolver (dash convention) - Move resolving/bun-resolver to engine/runtime/bun-resolver - Move resolving/deno-resolver to engine/runtime/deno-resolver - Update all package names, tsconfig paths, and lockfile references Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * chore: update lockfile after removing node.fetcher Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: sort tsconfig references and package.json deps alphabetically Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: auto-fix import sorting Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: update __typings__ paths in tsconfig.lint.json for moved resolvers Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> * fix: remove deno-resolver from deps of bun-resolver --------- Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> |
||
|
Zoltan Kochan
|
4a36b9a110 |
refactor: rename internal packages to @pnpm/<domain>.<leaf> convention (#10997)
## Summary Rename all internal packages so their npm names follow the `@pnpm/<domain>.<leaf>` convention, matching their directory structure. Also rename directories to remove redundancy and improve clarity. ### Bulk rename (94 packages) All `@pnpm/` packages now derive their name from their directory path using dot-separated segments. Exceptions: `packages/`, `__utils__/`, and `pnpm/artifacts/` keep leaf names only. ### Directory renames (removing redundant prefixes) - `cli/cli-meta` → `cli/meta`, `cli/cli-utils` → `cli/utils` - `config/config` → `config/reader`, `config/config-writer` → `config/writer` - `fetching/fetching-types` → `fetching/types` - `lockfile/lockfile-to-pnp` → `lockfile/to-pnp` - `store/store-connection-manager` → `store/connection-manager` - `store/store-controller-types` → `store/controller-types` - `store/store-path` → `store/path` ### Targeted renames (clarity improvements) - `deps/dependency-path` → `deps/path` (`@pnpm/deps.path`) - `deps/calc-dep-state` → `deps/graph-hasher` (`@pnpm/deps.graph-hasher`) - `deps/inspection/dependencies-hierarchy` → `deps/inspection/tree-builder` (`@pnpm/deps.inspection.tree-builder`) - `bins/link-bins` → `bins/linker`, `bins/remove-bins` → `bins/remover`, `bins/package-bins` → `bins/resolver` - `installing/get-context` → `installing/context` - `store/package-store` → `store/controller` - `pkg-manifest/manifest-utils` → `pkg-manifest/utils` ### Manifest reader/writer renames - `workspace/read-project-manifest` → `workspace/project-manifest-reader` (`@pnpm/workspace.project-manifest-reader`) - `workspace/write-project-manifest` → `workspace/project-manifest-writer` (`@pnpm/workspace.project-manifest-writer`) - `workspace/read-manifest` → `workspace/workspace-manifest-reader` (`@pnpm/workspace.workspace-manifest-reader`) - `workspace/manifest-writer` → `workspace/workspace-manifest-writer` (`@pnpm/workspace.workspace-manifest-writer`) ### Workspace package renames - `workspace/find-packages` → `workspace/projects-reader` - `workspace/find-workspace-dir` → `workspace/root-finder` - `workspace/resolve-workspace-range` → `workspace/range-resolver` - `workspace/filter-packages-from-dir` merged into `workspace/filter-workspace-packages` → `workspace/projects-filter` ### Domain moves - `pkg-manifest/read-project-manifest` → `workspace/project-manifest-reader` - `pkg-manifest/write-project-manifest` → `workspace/project-manifest-writer` - `pkg-manifest/exportable-manifest` → `releasing/exportable-manifest` ### Scope - 1206 files changed - Updated: package.json names/deps, TypeScript imports, tsconfig references, changeset files, renovate.json, test fixtures, import ordering |
||
|
Zoltan Kochan
|
7a304b17c4 |
refactor: rename directories and unify command packages per domain (#10993)
- Rename `installing/core` → `installing/deps-installer` and `installing/headless` → `installing/deps-restorer` for clearer naming
- Rename all `plugin-commands-*` directories to use `-commands` suffix convention
- Merge multiple command packages per domain into a single `commands/` directory (one commands package per domain rule):
- `building/{build-commands,policy-commands}` → `building/commands`
- `deps/compliance/{audit-commands,licenses-commands,sbom-commands}` → `deps/compliance/commands`
- `deps/inspection/{listing-commands,outdated-commands}` → `deps/inspection/commands`
- `store/{store-commands,inspecting-commands}` → `store/commands`
- `releasing/{publish-commands,deploy-commands}` → `releasing/commands`
- `cli/{completion-commands,doctor-commands}` → `cli/commands`
- `engine/pm/{self-updater-commands,setup-commands}` → `engine/pm/commands`
- `engine/runtime/{runtime-commands,env-commands}` → `engine/runtime/commands`
- `cache/cache-commands` → `cache/commands`
- Fix relative paths in merged test files (pnpmBin, __typings__ references)
- Update jest config to ignore `utils/` dirs at any nesting depth under `test/`
- Fix stale package names in changeset files
|