* fix: detect overrides and other lockfile-affecting setting changes in optimisticRepeatInstall
When optimisticRepeatInstall was enabled, changing overrides,
packageExtensions, ignoredOptionalDependencies, patchedDependencies,
or peersSuffixMaxLength would not trigger a reinstall because these
settings were not tracked in the workspace state file.
* refactor: extract WORKSPACE_STATE_SETTING_KEYS to prevent type/runtime drift
The settings key list in createWorkspaceState's pick() call must stay
in sync with the WorkspaceStateSettings type. Extract a shared const
array so both the type and runtime pick are derived from a single
source, preventing the class of bug fixed in the previous commit.
* fix(audit): fallback to quick audit endpoint
Fallback to /audits/quick when /audits fails with non-200, avoiding 5xx hard failures.
Close#10649
* refactor(audit): reuse request options for fallback
Share request options between primary and quick audit endpoints. Use POST for consistency.
* fix(audit): use quick audit endpoint as primary, full as fallback
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
When 3+ threads/processes concurrently import the same package to the
global virtual store, a third party can rimraf the target between another
thread's failed rename and its existence check. Retry the check up to 4
times with 50ms delays to let the competing operation complete.
Allow consumers (e.g. Bit CLI) to provide a nameFormatter callback that
reads the package manifest and returns a custom display name. The resolved
displayName is carried through the DependentsTree/DependentNode data model
and used by all render functions (tree, JSON, parseable).
- **`pnpm why` now shows a reverse dependency tree.** The searched package appears at the root with its dependants as branches, walking back to workspace roots. This replaces the previous forward-tree output which was noisy and hard to read for deeply nested dependencies.
- **Replaced `archy` with a new `@pnpm/text.tree-renderer` package** that renders trees using box-drawing characters (├──, └──, │) and supports grouped sections, dim connectors, and deduplication markers.
- **Show peer dependency hash suffixes** in `pnpm list` and `pnpm why` output to distinguish between different peer-dep variants of the same package.
- **Improved `pnpm list` visual output:** bold importer nodes, dimmed workspace paths, dependency grouping, package count summary, and deterministic sort order.
- **Added `--long` support to `pnpm why`** and the ability to read package manifests from the CAS store.
- **Deduplicated shared code** between `list` and `why` commands into a common module, and reused `getPkgInfo` in the why tree builder.
* build: bundle `dist/node_modules` using pnpm deploy
* chore: remove copied `pnpm.overrides` for publish-packed
* chore: remove `catalog:` protocol ban in `pnpm/package.json`
* chore: remove `publish-packed` dependency
* build: move `node-gyp` from `optionalDependencies` to `dependencies`
The `node-gyp` dependency is bundled into the `pnpm` package before it's
published. The dependency declaration itself is then removed from the
published package manifest.
This means there's not a point to declaring `node-gyp` as an optional
dependency. It'll always be bundled and the published manifest doesn't
contain the dependency declaration.
https://github.com/pnpm/pnpm/pull/10508#discussion_r2782257620
* build: throw if peerDependencies or optionalDependencies are declared
* build: use meta-updater instead of Jest test for dep kind check
Instead of manually iterating over top-level dependencies, calling
getPkgInfo/getTreeNodeChildId/getTree per dependency, and handling
dedup/search logic in parallel with materializeChildren, delegate
entirely to a single getTree call with the importer as root.
The returned PackageNode[] are then post-categorized into their
dependency fields (dependencies, devDependencies, optionalDependencies)
using a fieldMap built from the lockfile importer snapshot.
This eliminates the duplicated dedup/search handling between
dependenciesHierarchyForPackage and materializeChildren, and removes
the GetTreeResult wrapper type from getTree (now returns PackageNode[]
directly). The materializeChildren cache is now the sole mechanism for
cross-importer deduplication.
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
* fix(core): decouple shouldForceResolve from canResolve in custom resolvers
shouldForceResolve is now called for every package in the lockfile
without gating on canResolve, since it runs before resolution where
the original specifier is not available. Resolvers should handle their
own filtering within shouldForceResolve (e.g. by inspecting depPath
or pkgSnapshot.resolution).
* refactor: shouldForceResolve=>shouldRefreshResolution
* docs: remove changeset
We don't need a new changeset, we just updated the existing changeset
* refactor(core): use Promise.any for early exit in checkCustomResolverForceResolve
Replace Promise.all + .some(Boolean) with Promise.any so that the check
short-circuits as soon as any shouldRefreshResolution hook returns true,
instead of waiting for every hook to complete. Real errors thrown by hooks
are re-thrown instead of being silently swallowed.
* refactor(core): replace Promise.any with custom anyTrue helper
Handle sync boolean returns from shouldRefreshResolution without
creating unnecessary promises. Only async results go through the
anyTrue helper, which short-circuits on the first true value.
---------
Co-authored-by: Zoltan Kochan <z@kochan.io>
* feat: add --yes command line option
* feat: skip confirm modules purge prompt if --yes is passed
* refactor: factor out `ExecPnpmSyncOpts`
* test: add end-to-end test for --yes flag
