Commit Graph

10701 Commits

Author SHA1 Message Date
Zoltan Kochan
76718b32ad feat: create a new field for allowing/disallowing builds (#10311)
ref #10235
2025-12-13 22:14:27 +01:00
btea
0bc4b3c587 test: pkg.pr.new redirect to relative path (#10309) 2025-12-13 12:05:42 +01:00
btea
0dfa8b862b fix: installation failed due to installation link redirection (v11) (#10286)
* fix: installation failed due to installation link redirection

* fix: handle all different cases of redirect locations

* docs: update changesets

* refactor: implement CR suggestion

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-12 20:19:36 +01:00
Ryo Matsukawa
8b864ccc98 fix: show deprecation in outdated table/list formats (#10207)
close #8658
2025-12-12 17:08:06 +01:00
Randall Leeds
8385a8cff6 fix(deploy): omit inject workspace packages setting in deploy lockfiles (#10294)
* fix(deploy): omit inject workspace packages setting in deploy lockfiles

When the deploy command creates a new lockfile, create the deployment
lockfile without the setting to inject workspace packages, because it
has already been applied when creating the lockfile and the deployment
is not, itself, a workspace.

* docs: add changesets

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-12 14:33:37 +01:00
Dasa Paddock
144d76f15f feat(pack): add support for --dry-run (#10306)
close #10301
2025-12-12 14:00:54 +01:00
VR
e0f0a7d85f fix: npm compat on installing redirecting tarballs (#10197)
close #9802

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-11 11:55:02 +01:00
Minijus L
3585d9a372 fix: normalize tarball URLs by removing default HTTP/HTTPS ports (#10273)
* fix: normalize tarball URLs by removing default HTTP/HTTPS ports

closes #6725

* feat: refactor, add test and changeset

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-11 08:04:39 +01:00
Zoltan Kochan
7e12e5bf71 fix: update run-groups to v4 2025-12-10 17:17:40 +01:00
Oren
ae8b816121 feat: support blockExoticSubdeps option to disallow non-trusted dep sources in subdeps (#10265)
* feat(core): add onlyRegistryDependencies option to disallow non-registry subdependencies

* fix: onlyRegistryDependencies=>registrySubdepsOnly

* fix: allow resolution from custom resolver

* fix: add registry-subdeps-only to types

* docs: update changesets

* refactor: registry-only

* refactor: registrySubdepsOnly=>blockExoticSubdeps

* fix: trust runtime deps

* refactor: remove comment

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-10 12:14:16 +01:00
Oren
ba065f6a8b fix(git-fetcher): block git dependencies from running prepare scripts unless allowed (#10288)
* fix(git-fetcher): block git dependencies from running prepare scripts unless allowed

* Update exec/prepare-package/src/index.ts

Co-authored-by: Zoltan Kochan <z@kochan.io>

* Also implement in gitHostedTarballFetcher

* refactor: move allowBuild function creation to the store manager

* refactor: pass allowBuild function to fetch function directly

* refactor: revert not needed changes and update changesets

* test: fix

* fix: implemented CR suggestions

* test: fix

* test: fix

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-12-09 18:25:07 +01:00
Oren
98a0410aa1 fix(tarball-resolver): add integrity hash to HTTP tarball dependencies (#10287)
* fix(tarball-resolver): add integrity hash to HTTP tarball dependencies

* Refactor to download tarball just once

* Fix tests

* fix: only calc hash when it is not passed in to the fetcher

* docs: update changesets
2025-12-08 23:38:27 +01:00
dependabot[bot]
b6dc9439ae chore(deps): bump the github-actions group across 1 directory with 5 updates (#10291)
Bumps the github-actions group with 5 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [actions/checkout](https://github.com/actions/checkout) | `6.0.0` | `6.0.1` |
| [github/codeql-action](https://github.com/github/codeql-action) | `4.31.5` | `4.31.7` |
| [softprops/action-gh-release](https://github.com/softprops/action-gh-release) | `2.4.2` | `2.5.0` |
| [actions/setup-node](https://github.com/actions/setup-node) | `6.0.0` | `6.1.0` |
| [cbrgm/mastodon-github-action](https://github.com/cbrgm/mastodon-github-action) | `2.1.21` | `2.1.22` |



Updates `actions/checkout` from 6.0.0 to 6.0.1
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](1af3b93b68...8e8c483db8)

Updates `github/codeql-action` from 4.31.5 to 4.31.7
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](fdbfb4d275...cf1bb45a27)

Updates `softprops/action-gh-release` from 2.4.2 to 2.5.0
- [Release notes](https://github.com/softprops/action-gh-release/releases)
- [Changelog](https://github.com/softprops/action-gh-release/blob/master/CHANGELOG.md)
- [Commits](5be0e66d93...a06a81a03e)

Updates `actions/setup-node` from 6.0.0 to 6.1.0
- [Release notes](https://github.com/actions/setup-node/releases)
- [Commits](2028fbc5c2...395ad32622)

Updates `cbrgm/mastodon-github-action` from 2.1.21 to 2.1.22
- [Release notes](https://github.com/cbrgm/mastodon-github-action/releases)
- [Commits](96ff691bc4...771a360594)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.1
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.31.7
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
- dependency-name: softprops/action-gh-release
  dependency-version: 2.5.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: actions/setup-node
  dependency-version: 6.1.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-actions
- dependency-name: cbrgm/mastodon-github-action
  dependency-version: 2.1.22
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-12-08 15:25:20 +01:00
Zoltan Kochan
2cb0657599 fix: don't fail with ERR_PNPM_MISSING_TIME on packages that are excluded from trust checks (#10292)
* fix: don't fail with ERR_PNPM_MISSING_TIME on packages that are excluded from trust checks

close #10259

* test: add coverage for excluded packages missing time field (#10293)

* Initial plan

* test: add coverage for excluded packages missing time field

Co-authored-by: zkochan <1927579+zkochan@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: zkochan <1927579+zkochan@users.noreply.github.com>

---------

Co-authored-by: Copilot <198982749+Copilot@users.noreply.github.com>
Co-authored-by: zkochan <1927579+zkochan@users.noreply.github.com>
2025-12-08 15:21:25 +01:00
Zoltan Kochan
19fb36dc6a docs: update sponsors 2025-12-08 11:35:27 +01:00
Aaron
fea46dc8c4 fix(publish): respect --force flag in recursive publish (#10277)
When using 'pnpm -r publish --force', the --force flag was being
ignored. The flag was checked to determine which packages to publish,
but wasn't passed to individual publish commands.

This adds --force to the appendedArgs array so it gets passed through
to each publish call, following the same pattern as other CLI flags
like --access, --dry-run, and --otp.

close #10272
2025-12-08 11:33:30 +01:00
Zoltan Kochan
19f36cfc39 fix: don't silently skip an optional dependency if it cannot be resolved from a mature version (#10289)
close #10270
2025-12-08 11:18:24 +01:00
Zoltan Kochan
05fb1aee5f fix: reporting ignored dependency builds (#10276) 2025-12-06 16:32:19 +01:00
Zoltan Kochan
6b18b795b7 fix: audit error 2025-12-05 00:40:17 +01:00
btea
445e064b4c fix: audit error (#10262) 2025-12-03 10:49:17 +01:00
Zoltan Kochan
57291bcdd8 fix: audit error 2025-12-02 15:33:34 +01:00
Zoltan Kochan
4362c06005 fix: dependencies that were added to onlyBuiltDependencies should be built on install (#10256) 2025-12-02 15:31:52 +01:00
Zoltan Kochan
5f73b0f2b6 perf: always link runtimes from the global virtual store directory (#10233) 2025-12-01 14:27:18 +01:00
Trevor Burnham
38b8e357b5 feat: add custom resolvers and fetchers (#10246) 2025-11-30 14:19:04 +01:00
Khải
3aa50c8365 feat(init): --bare (#10228)
* feat(init): fields preset

* feat: replace `init-preset` with `init-bare`

* feat: remove init-bare

close #10226

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-29 14:55:02 +01:00
Bart Riepe
7730a7f25c feat: allow loading certificates from scoped cert, ca and key (#10230)
* feat: allow loading certificates from `cert`, `ca` and `key`

These properties are supported in .npmrc but get ignored by pnpm. This will make pnpm read
and use them as well.

* refactor: getNetworkConfigs.ts

* docs: update changesets

* fix: issues

* docs: update changesets

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-29 11:37:57 +01:00
Zoltan Kochan
49c1b9c10e feat(default-reporter): using custom instruction for builds approval 2025-11-28 13:12:14 +01:00
Trevor Burnham
9620df2789 fix: add CommonJS shims for compatibility with older Corepack versions (#10245)
close #10242
2025-11-27 18:18:55 +01:00
Zoltan Kochan
d2a7b0206f revert: "fix(self-update): respect custom registry when installing pnpm version (#10205)"
This reverts commit d3cf00e308.
2025-11-27 14:39:37 +01:00
btea
7cec347701 fix: WMIC is being removed (#10223)
* fix: `WMI` is being removed

* fix: update

* fix: update

* fix: validate drive before usage

* fix: remove not needed dep

* refactor: regex

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-27 14:08:12 +01:00
Zoltan Kochan
60b5fd17ed fix: don't reimport node.js on every install (#10239) 2025-11-26 01:10:36 +01:00
Brandon Cheng
69ebe38764 fix: throw a frozen lockfile error when catalogs change (#10231)
* fix: throw a frozen lockfile error when catalogs change

* fix: work around lockfile mismatch when installing `__fixtures__`

```
> @ step1 /home/runner/work/pnpm/pnpm/__fixtures__
> node ../pnpm/dist/pnpm.mjs install -rf --frozen-lockfile --no-shared-workspace-lockfile --no-link-workspace-packages

.                                        |  WARN  using --force I sure hope you know what you are doing
Scope: all 26 workspace projects
circular                                 | Progress: resolved 1, reused 0, downloaded 0, added 0
circular                                 |   +4 +
fixture                                  | Progress: resolved 1, reused 0, downloaded 0, added 0
fixture                                  |  +12 +
fixture-with-no-pkg-name-and-no-version  | Progress: resolved 1, reused 0, downloaded 0, added 0
fixture-with-no-pkg-name-and-no-version  |  +12 +
fixture-with-no-pkg-version              | Progress: resolved 1, reused 0, downloaded 0, added 0
fixture-with-no-pkg-version              |  +12 +
circular                                 | Progress: resolved 4, reused 0, downloaded 4, added 4, done
fixture                                  | Progress: resolved 12, reused 6, downloaded 6, added 12, done
fixture-with-no-pkg-name-and-no-version  | Progress: resolved 12, reused 0, downloaded 0, added 12, done
fixture-with-no-pkg-version              | Progress: resolved 12, reused 0, downloaded 0, added 12, done
general                                  | Progress: resolved 1, reused 0, downloaded 0, added 0
general                                  |  +13 +
has-2-outdated-deps                      | Progress: resolved 1, reused 0, downloaded 0, added 0
has-2-outdated-deps                      |   +2 +
undefined
/home/runner/work/pnpm/pnpm/__fixtures__/has-outdated-deps-using-catalog-protocol:
 ERR_PNPM_LOCKFILE_CONFIG_MISMATCH  Cannot proceed with the frozen installation. The current "catalogs" configuration doesn't match the value found in the lockfile

Update your lockfile using "pnpm install --no-frozen-lockfile"
```

close #9369
2025-11-26 01:09:37 +01:00
Zoltan Kochan
1e6de2539b fix: dependency graph hash calculation (#10236) 2025-11-25 20:36:52 +01:00
Zoltan Kochan
306d161ccb chore: fix audit error 2025-11-25 17:03:54 +01:00
dependabot[bot]
ad0cfad1b8 chore(deps): bump the github-actions group across 1 directory with 2 updates (#10229)
Bumps the github-actions group with 2 updates in the / directory: [actions/checkout](https://github.com/actions/checkout) and [github/codeql-action](https://github.com/github/codeql-action).


Updates `actions/checkout` from 5.0.0 to 6.0.0
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](08c6903cd8...1af3b93b68)

Updates `github/codeql-action` from 4.31.2 to 4.31.5
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](0499de31b9...fdbfb4d275)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-version: 6.0.0
  dependency-type: direct:production
  update-type: version-update:semver-major
  dependency-group: github-actions
- dependency-name: github/codeql-action
  dependency-version: 4.31.5
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: github-actions
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-11-24 15:02:57 +01:00
Zoltan Kochan
6f361aa3b3 fix: trustPolicy should ignore trust evidences of prerelease versions (#10227) 2025-11-24 14:53:47 +01:00
Kairui Liu
2a50b8936e fix: handle ENOENT errors in containerized environments by falling back to copy (#10218)
* fix: linkOrCopy failed

* refactor: hard-link-dir

* docs: add changesets

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-22 16:27:15 +01:00
btea
144ce0e98b fix: improve the error messages related to trustPolicy mismatch (#10203)
---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
2025-11-22 02:35:19 +01:00
Matt Kantor
df1af144aa docs: fix usage example in @pnpm/read-package-json README (#10219)
This module has no default export.
2025-11-22 02:29:10 +01:00
Zoltan Kochan
4893853569 perf: increase the default network concurrency on machines with many CPU cores (#10215)
close #10068
2025-11-21 15:29:56 +01:00
Zoltan Kochan
a5fdbf9bb3 fix: update @pnpm/npm-conf to v3.0.1
related PR: https://github.com/pnpm/npm-conf/pull/17
2025-11-21 01:48:20 +01:00
Zoltan Kochan
b5722a2b39 ci: increase timeout limits 2025-11-20 16:26:48 +01:00
Zoltan Kochan
404a0793f5 ci: don't use standalone pnpm exe 2025-11-20 15:31:14 +01:00
Zoltan Kochan
c7dd46580e chore: update pnpm to v11 2025-11-20 15:25:06 +01:00
Zoltan Kochan
83fe533266 fix: don't silently skip an optional dependency if it fails trust policy check (#10211)
close #10208
2025-11-20 12:51:31 +01:00
Zoltan Kochan
98a5f1ce33 fix: node runtime is not moved to dependencies on pnpm add (#10210)
close #10209
2025-11-20 02:35:46 +01:00
Ryo Matsukawa
8ffb1a7f0c fix: display npm: protocol for aliased packages in list and why (#10084)
* fix: support alias resolution in pnpm why with npm: protocol

* refactor: make alias required instead of optional

* refactor: reorder field to put alias first
2025-11-20 01:08:53 +01:00
silentip404
d3cf00e308 fix(self-update): respect custom registry when installing pnpm version (#10205)
* fix(self-update): respect custom registry when installing pnpm version

When managePackageManagerVersions is enabled and a custom registry is
configured in .npmrc, pnpm was attempting to auto-install the specified
version from registry.npmjs.org instead of respecting the user's custom
registry configuration.

This happens because installPnpmToTools runs in a temporary directory
outside the project, which doesn't automatically pick up the project's
.npmrc configuration. The fix explicitly passes the registry configuration
from opts.registries.default or opts.rawConfig.registry to the pnpm add
command via the --config.registry flag.

* refactor: self-update

* Update .changeset/cold-buckets-crash.md

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

---------

Co-authored-by: Zoltan Kochan <z@kochan.io>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
2025-11-19 22:43:32 +01:00
Tmk
499ef22bd5 fix: remove redundant mirror slash (#10204) 2025-11-19 21:46:03 +01:00
Zoltan Kochan
60f3a05064 fix: js-yaml version 2025-11-18 14:59:20 +01:00