mirror/pnpm
1
0
Fork 0
mirror of https://github.com/pnpm/pnpm.git synced 2026-05-12 18:49:41 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
d98ac7e4bbf8a0d0220dba68befddd8255c19a8b
pnpm/fetching/binary-fetcher/CHANGELOG.md
Zoltan Kochan 6ef34b7a11 chore(release): 11.0.3
2026-04-30 23:03:46 +02:00

4.8 KiB
Raw Blame History

@pnpm/fetching.binary-fetcher

1101.0.2

Patch Changes

  • Updated dependencies [184ce26]
    • @pnpm/fetching.fetcher-base@1100.1.1
    • @pnpm/fetching.types@1100.0.1
    • @pnpm/worker@1100.1.1

1101.0.1

Patch Changes

  • dd23d19: Fix Windows Node.js runtime installs still extracting bundled npm, npx, and corepack when the archive contains explicit directory entries. extractZipToTarget now skips directory entries: AdmZip's extractEntryTo for a directory recurses over every descendant internally, which bypassed the ignoreEntry filter and re-materialized the files the filter was supposed to drop. File extraction creates parent directories implicitly, so skipping directory entries doesn't regress the install layout.

1101.0.0

Minor Changes

  • 421317c: Installing a Node.js runtime via node@runtime:<version> (including pnpm env use and pnpm runtime set node) no longer extracts the bundled npm, npx, and corepack from the Node.js archive. This cuts roughly half of the files pnpm has to hash, write to the CAS, and link during installation, making runtime installs noticeably faster. Users who still need npm can install it as a separate package.

Patch Changes

  • Updated dependencies [421317c]
    • @pnpm/fetching.fetcher-base@1100.1.0
    • @pnpm/worker@1100.1.0

1100.0.2

Patch Changes

  • @pnpm/fetching.fetcher-base@1100.0.2
  • @pnpm/worker@1100.0.2

1100.0.1

Patch Changes

  • @pnpm/fetching.fetcher-base@1100.0.1
  • @pnpm/worker@1100.0.1

1003.0.0

Major Changes

  • 491a84f: This package is now pure ESM.
  • 7d2fd48: Node.js v18, 19, 20, and 21 support discontinued.

Minor Changes

  • 96704a1: Renamed rawConfig to authConfig on the Config interface. This field now only contains auth/registry data from .npmrc files. Non-auth settings are no longer written to it.

    Added nodeDownloadMirrors setting to configure custom Node.js download mirrors in pnpm-workspace.yaml:

    nodeDownloadMirrors:
  release: https://my-mirror.example.com/download/release/
  nightly: https://my-mirror.example.com/download/nightly/

    Replaced rawConfig: object with userAgent?: string in lifecycle hook options. Removed unused rawConfig from fetcher and prepare-package options.

    Removed support for the npm init-module setting. Custom init scripts via .pnpm-init.js are no longer executed by pnpm init.

Patch Changes

  • 3bf5e21: Runtime dependencies (node, bun, deno) are now added to the store with a package.json file.

  • 260899d: Fix path traversal vulnerability in binary fetcher ZIP extraction

    • Validate ZIP entry paths before extraction to prevent writing files outside target directory
    • Validate BinaryResolution.prefix (basename) to prevent directory escape via crafted prefix
    • Both attack vectors now throw ERR_PNPM_PATH_TRAVERSAL error

  • 50fbeca: fix: preserve bundled node_modules from Node.js Windows zip so that npm/npx shims are created correctly on Windows.

    The Windows Node.js distribution places npm inside a root-level node_modules/ directory of the zip archive. addFilesFromDir was skipping root-level node_modules (to avoid treating a package's own npm dependencies as part of its content), which caused the bundled npm to be missing after installation. This prevented pnpm env use from creating the npm and npx shims on Windows.

    Added an includeNodeModules option to addFilesFromDir and set it to true in the binary fetcher so that the complete Node.js distribution, including its bundled npm, is preserved.

  • Updated dependencies [e2e0a32]

  • Updated dependencies [7cec347]

  • Updated dependencies [491a84f]

  • Updated dependencies [50fbeca]

  • Updated dependencies [ba065f6]

  • Updated dependencies [3bf5e21]

  • Updated dependencies [bb8baa7]

  • Updated dependencies [ee9fe58]

  • Updated dependencies [7d2fd48]

  • Updated dependencies [56a59df]

  • Updated dependencies [780af09]

  • Updated dependencies [6c480a4]

  • Updated dependencies [4893853]

  • Updated dependencies [b7f0f21]

  • Updated dependencies [831f574]

  • Updated dependencies [98a0410]

    • @pnpm/worker@1001.0.0
    • @pnpm/fetching.types@1001.0.0
    • @pnpm/fetching.fetcher-base@1002.0.0
    • @pnpm/error@1001.0.0
    • @pnpm/store.index@1000.0.0

1002.0.0

Patch Changes

  • Updated dependencies [8993f68]
    • @pnpm/worker@1000.3.0
    • @pnpm/fetcher-base@1001.0.2

1001.0.0

Patch Changes

  • Updated dependencies [06d2160]
    • @pnpm/worker@1000.2.0

1000.0.3

Patch Changes

  • @pnpm/error@1000.0.5
  • @pnpm/worker@1000.1.13

1000.0.2

Patch Changes

  • @pnpm/fetcher-base@1001.0.1
  • @pnpm/worker@1000.1.12

1000.0.1

Patch Changes

  • 2b0d35f: @pnpm/worker should always be a peer dependency.

1000.0.0

Major Changes

  • d1edf73: Added support for binary fetcher.

Patch Changes

  • Updated dependencies [d1edf73]
    • @pnpm/fetcher-base@1001.0.0
    • @pnpm/error@1000.0.4
    • @pnpm/worker@1000.1.11
Reference in New Issue View Git Blame Copy Permalink