Commit 29dfa5b
authored
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?v=4&size=40){kind=avatar}
chore(deps): update pnpm to v11.3.0 (#785)
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/) |
[Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [pnpm](https://pnpm.io)
([source](https://redirect.github.com/pnpm/pnpm/tree/HEAD/pnpm)) |
[`11.1.3` →
`11.3.0`](https://renovatebot.com/diffs/npm/pnpm/11.1.3/11.3.0) |
|
|
---
### Release Notes
<details>
<summary>pnpm/pnpm (pnpm)</summary>
###
[`v11.3.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1130)
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.2...v11.3.0)
##### Minor Changes
- Added `pnpm stage` with `publish`, `list`, `view`, `approve`,
`reject`, and `download` subcommands for npm staged publishing.
- Added a new setting `trustLockfile`. When `true`, `pnpm install` skips
the supply-chain verification pass that re-applies `minimumReleaseAge` /
`trustPolicy='no-downgrade'` to every entry in the loaded lockfile. The
install treats the lockfile as already-trusted — useful for
closed-source projects where every commit comes from a trusted author.
Defaults to `false`; verification stays on by default. Set in
`pnpm-workspace.yaml`.
Also cut the memory footprint of the verification pass itself: the
per-(registry, name) trust-meta cache previously retained the full
packument — dependency graphs, scripts, README, and per-version
manifests — for the entire install. On large workspaces (`~4k` lockfile
entries with `minimumReleaseAge` + `trustPolicy: no-downgrade` enabled)
this could OOM CI runners with a 2GB heap cap. The cache now stores only
the fields the trust check actually reads (`time`, per-version
`_npmUser.trustedPublisher`, `dist.attestations.provenance`). The
abbreviated-metadata cache is similarly projected to just the
package-level `modified` field and the set of currently-listed version
names. Fixes
[#​11860](https://redirect.github.com/pnpm/pnpm/issues/11860).
- Implemented `pnpm pkg` command natively, following `npm pkg`
standards.
- Implemented `pnpm repo` command natively, following `npm repo`
standards.
- Implemented `pnpm set-script` (alias `ss`) natively. Adds or updates
an entry in the `scripts` field of the project manifest, supporting
`package.json`, `package.json5`, and `package.yaml` formats.
- Add a `skip-manifest-obfuscation` option for `pnpm pack` and `pnpm
publish`. When enabled, the original `packageManager` field and publish
lifecycle scripts are kept in the packed/published manifest instead of
being stripped. The pnpm-specific `pnpm` field continues to be omitted.
##### Patch Changes
- Fixed `pnpm dlx` failing with `ERR_PNPM_NO_IMPORTER_MANIFEST_FOUND`
when the installed package's CAS slot is missing its `package.json`.
Observed in the wild for `pnpm dlx node@runtime:<version>` when the GVS
slot was populated without the synthesized manifest runtime archives
need (they don't ship a `package.json` of their own, so the synthesized
one is the only way it gets there; an existing slot from an earlier code
path that skipped the synthesis stays incomplete). The bin link itself
is wired up from the resolution and remains valid, so `dlx` now falls
back to the scopeless package name when the slot's manifest is
unreadable — for single-bin packages (the dlx common case, including
every `runtime:` spec) this matches what `manifest.bin` would have
named. Multi-bin packages already require `--package=<spec> <bin>` to
disambiguate and don't enter this code path.
- Fixed non-determinism in `pnpm dedupe` and `pnpm install` when a
dependency graph contains packages with transitive peer dependencies on
each other (e.g. `@aws-sdk/client-sts` and `@aws-sdk/client-sso-oidc`)
and `auto-install-peers` is enabled. The lockfile no longer flips
between two equally-valid forms across consecutive runs. The root cause
was that `resolveDependencies` pushed onto its `pkgAddresses` /
`postponedResolutionsQueue` arrays from inside `Promise.all`-spawned
callbacks, so completion-order timing leaked into the array order and
downstream cyclic-peer suffix assignment. Fixes
[#​8155](https://redirect.github.com/pnpm/pnpm/issues/8155).
- Fixed a regression introduced by
[#​11711](https://redirect.github.com/pnpm/pnpm/pull/11711) where
`pnpm add <github-shorthand>` (and any other wanted-dependency whose
alias can't be parsed from the user-supplied spec, e.g. tarball URLs or
`pnpm/test-git-fetch#sha`) was silently dropped from the manifest update
and from `pendingBuilds`. The alias-keyed lookup added in that PR
couldn't find a `wantedDependency` whose `alias` was `undefined` at
parse time but resolved to a package name only after fetching, so the
entry never made it into `specsToUpsert`. Restored the original
index-based pairing between `directDependencies` and
`wantedDependencies`; the catalog-protocol preservation that PR was
originally fixing is unaffected because it's driven by
`rdd.catalogLookup.userSpecifiedBareSpecifier`, not by the lookup. Fixes
the three `rebuilds dependencies` / `rebuilds specific dependencies` /
`rebuild with pending option` failures in
`building/commands/test/build/index.ts`.
- Fixed `pnpm add --config` leaving orphan entries in
`pnpm-lock.env.yaml` (the optional subdependencies of the previously
resolved version of the updated config dependency).
###
[`v11.2.2`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1122)
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.1...v11.2.2)
##### Patch Changes
- When the install engine is delegated to pacquet via
`configDependencies`, the user's CLI flags passed to `pnpm install`
(e.g. `--no-runtime`, `--prod`, `--dev`, `--no-optional`,
`--node-linker`, `--cpu`/`--os`/`--libc`, `--offline`,
`--prefer-offline`) are now forwarded to pacquet's `install` subcommand
verbatim. Previously pacquet was invoked with a fixed argument list, so
flags like `--no-runtime` were silently dropped. Flag forwarding is
gated on the command being `install`/`i`; `add`, `update`, and `dedupe`
still don't forward (their flag surface doesn't line up with pacquet's
`install`).
- Fixed `pnpm up` (and `pnpm add` / `pnpm remove`) failing with
`pacquet_package_manager::outdated_lockfile` when pacquet is declared in
`configDependencies`. pnpm now passes `--ignore-manifest-check` to
pacquet so its `--frozen-lockfile` check doesn't fire against the
(pre-mutation) `package.json` pnpm hasn't written yet
[#​11797](https://redirect.github.com/pnpm/pnpm/issues/11797).
Requires a pacquet release that supports the flag — bump
`PACQUET_VERSION` in the e2e tests once it ships.
###
[`v11.2.1`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1121)
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.2.0...v11.2.1)
##### Patch Changes
- Mark optional subdependency snapshots of config dependencies with
`optional: true` in the env lockfile, matching how optional dependencies
are recorded elsewhere in `pnpm-lock.yaml`. Previously, snapshots for
the platform-specific subdeps pulled in via a config dep's
`optionalDependencies` were written as empty objects, which was
inconsistent with the rest of the lockfile and made it look like those
non-host platform variants were required.
- Fix `pickRegistryForPackage` returning the wrong registry for an
unscoped `npm:` alias under a scoped local name. A manifest entry like
`"@​private/foo": "npm:lodash@^1"` was routing the `lodash` fetch
through `registries["@​private"]`, even though `lodash` is
unscoped and doesn't live on that registry. The npm-alias branch now
returns the alias target's own scope (or `null` for an unscoped target,
falling through to `registries.default`) instead of leaking into the
local key's scope.
- Don't print "Installing config dependencies..." when config
dependencies are already installed and nothing needs to be fetched,
re-linked, or removed.
###
[`v11.2.0`](https://redirect.github.com/pnpm/pnpm/blob/HEAD/pnpm/CHANGELOG.md#1120)
[Compare
Source](https://redirect.github.com/pnpm/pnpm/compare/v11.1.3...v11.2.0)
##### Minor Changes
- **Experimental:** Adding
[`@pnpm/pacquet`](https://npmx.dev/package/@​pnpm/pacquet) (the
Rust port of pnpm) to `configDependencies` in `pnpm-workspace.yaml` now
delegates the materialization phase of `pnpm install` to the pacquet
binary. pnpm still owns dependency resolution; pacquet only fetches and
imports from the freshly-written lockfile. This is an opt-in preview of
the Rust install engine
[#​11723](https://redirect.github.com/pnpm/pnpm/issues/11723).
To configure pacquet in a project, run:
```
pnpm add @​pnpm/pacquet --config
```
You'll see changes in `pnpm-workspace.yaml` and `pnpm-lock.yaml` that
should be committed. If you experience any issues with pacquet, please
let us know by mentioning this in the GitHub issue you create.
- `configDependencies` now resolve and install one level of
`optionalDependencies` declared by the config dependency, with
`os`/`cpu`/`libc` platform filtering applied at install time. This
unlocks the esbuild/swc-style pattern where a package ships
platform-specific binaries via `optionalDependencies` — a config
dependency can now do the same and have the matching binary symlinked
next to it in the global virtual store, so
`require('pkg-platform-arch')` from inside the config dependency
resolves correctly.
The env lockfile records all platform variants regardless of host
platform, so it remains portable across machines. Each entry in a config
dependency's `optionalDependencies` must declare an exact version —
ranges and tags are rejected to keep installs reproducible.
- Implement the documented `pnpm login --scope <scope>` flag. The scope
is normalized (a leading `@` is added if missing; blank values are
ignored) and an `@<scope>:registry=<registry>` mapping is written to the
pnpm auth file alongside the auth token. Subsequent installs of
`@<scope>/*` packages then route to the chosen registry. Previously
`pnpm login --scope foo` errored with `Unknown option: 'scope'` despite
the flag being listed in the online documentation
[#​11716](https://redirect.github.com/pnpm/pnpm/issues/11716).
- `pnpm outdated` and `pnpm update --interactive` now report Node.js,
Deno, and Bun runtimes installed as project dependencies (`runtime:`
specifiers). Previously these were silently skipped.
##### Patch Changes
- Fix `cafile=<relative-path>` in `.npmrc` being read from the wrong
directory when pnpm is invoked from a different cwd (e.g. `pnpm --dir
<project> install` from a CI wrapper or monorepo script). The path is
now resolved against the directory of the `.npmrc` that declared it, not
`process.cwd()`. Before this fix the CA file silently failed to load —
the install proceeded without the configured CA and the user only saw
TLS errors against a private registry, with no log line tying back to
the wrongly resolved path
[#​11624](https://redirect.github.com/pnpm/pnpm/issues/11624).
- Fix `config.registry` getting a trailing slash appended when
`registry` is set in `.npmrc` and no `registries.default` is provided by
`pnpm-workspace.yaml`. The sync from `registries.default` to
`config.registry` introduced in
[#​11744](https://redirect.github.com/pnpm/pnpm/issues/11744) now
only fires when the workspace manifest actually contributes a different
default.
- Fix global add/update to handle minimumReleaseAge policy violations
instead of surfacing an internal resolver guardrail error.
- Fix two crashes with `injectWorkspacePackages: true` when the lockfile
has been pruned (e.g. by `turbo prune --docker`):
- `Cannot use 'in' operator to search for 'directory' in undefined`: a
peer-dependency-variant injected snapshot inherits its `resolution` from
the base `packages:` entry; when a pruner drops that base entry the
readers crash. `convertToLockfileObject` now reconstructs the directory
resolution from the `file:` depPath at load time — a single
normalization point, so every reader sees a fully-formed snapshot.
- `ERR_PNPM_ENOENT` on `node_modules/.bin/<tool>`: after
`prepare`/`postinstall`, `runLifecycleHooksConcurrently` re-imported
each injected workspace package; the `scanDir`-into-`filesMap`
workaround fed target-internal paths to the importer, which the
`makeEmptyDir` fast path
([#​11088](https://redirect.github.com/pnpm/pnpm/issues/11088))
then wiped. Drop the workaround and pass `keepModulesDir: true` so the
importer preserves the target's existing `node_modules` (bin links +
transitive deps) and source files keep their hardlinks.
- Fixed `pnpm login` and `pnpm logout` ignoring `registries.default`
from `pnpm-workspace.yaml`
[#​10099](https://redirect.github.com/pnpm/pnpm/issues/10099).
- Fix the `minimumReleaseAge` (publishedBy) maturity shortcut to be
inclusive at the cutoff. Previously, abbreviated metadata whose
`modified` field equalled the cutoff fell off the fast path and
triggered a full-metadata re-fetch (or a `MISSING_TIME` error when full
metadata wasn't permitted). Since `modified` is an upper bound on every
version's publish time, `modified == publishedBy` already implies every
version passes the per-version `<=` filter in
`filterPkgMetadataByPublishDate`, so the shortcut now accepts the
boundary case directly. Strictly `>` (was `>=`) at the rejection branch.
- Honor `publishConfig.access` when publishing packages.
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- At any time (no schedule defined)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/node-modules/urllib).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xODUuMSIsInVwZGF0ZWRJblZlciI6IjQzLjE5NC4wIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbXX0=-->
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>1 parent 8132c07 commit 29dfa5b
1 file changed
Lines changed: 1 addition & 1 deletion
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
111 | 111 | | |
112 | 112 | | |
113 | 113 | | |
114 | | - | |
| 114 | + | |
115 | 115 | | |
116 | 116 | | |
117 | 117 | | |
| |||
0 commit comments