[pull] main from pnpm:main

.changeset/empty-paws-march.md

@@ -0,0 +1,6 @@
+---
+"@pnpm/plugin-commands-publishing": patch
+"pnpm": patch
+---
+
+`pnpm publish -r --force` should allow to run publish over already existing versions in the registry [#10272](https://github.com/pnpm/pnpm/issues/10272).

.changeset/fair-nights-grow.md

@@ -0,0 +1,8 @@
+---
+"@pnpm/resolve-dependencies": patch
+"@pnpm/npm-resolver": patch
+"@pnpm/default-reporter": patch
+"@pnpm/outdated": patch
+---
+
+Don't silently skip an optional dependency if it cannot be resolved from a version that satisfies the `minimumReleaseAge` setting [#10270](https://github.com/pnpm/pnpm/issues/10270).

.changeset/flat-clowns-type.md

@@ -0,0 +1,5 @@
+---
+"@pnpm/npm-resolver": major
+---
+
+Changed the error code for no matching version that satisfies the maturity configuration.

.changeset/open-zoos-sniff.md

@@ -0,0 +1,6 @@
+---
+"@pnpm/npm-resolver": patch
+"pnpm": patch
+---
+
+Don't fail with a `ERR_PNPM_MISSING_TIME` error if a package that is excluded from trust policy checks is missing the time field in the metadata.

.github/workflows/audit.yml

@@ -12,7 +12,7 @@ jobs:
 
     steps:
     - name: Checkout Commit
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
     - name: Install pnpm
       uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
       with:

.github/workflows/ci.yml

@@ -37,7 +37,7 @@ jobs:
         git config --global user.name "xyz"
         git config --global user.email "[email protected]"
     - name: Checkout Commit
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
     - name: Install pnpm
       uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
       with:

.github/workflows/codeql-analysis.yml

@@ -42,11 +42,11 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+      uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/init@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -57,7 +57,7 @@ jobs:
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/autobuild@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -71,4 +71,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@fdbfb4d2750291e159f0156def62b853c2798ca2 # v4.31.5
+      uses: github/codeql-action/analyze@cf1bb45a277cb3c205638b2cd5c984db1c46a412 # v4.31.7

.github/workflows/release.yml

@@ -14,7 +14,7 @@ jobs:
     environment: release
     steps:
       - name: Checkout
-        uses: actions/checkout@1af3b93b6815bc44a9784bd300feb67ff0d1eeb3 # v6.0.0
+        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
       - name: Install ldid
         run: |
           sudo apt-get update
@@ -53,7 +53,7 @@ jobs:
       - name: Generate release description
         run: pnpm run make-release-description
       - name: Release
-        uses: softprops/action-gh-release@5be0e66d93ac7ed76da52eca8bb058f665c3a5fe # v2.4.2
+        uses: softprops/action-gh-release@a06a81a03ee405af7f2048a818ed3f03bbf83c7b # v2.5.0
         with:
           draft: true
           files: dist/*

.github/workflows/update-latest.yml

@@ -19,7 +19,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Setup Node
-      uses: actions/setup-node@2028fbc5c25fe9cf00d9f06a71cc4710d4507903 # v6.0.0
+      uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
     - name: Update tag
       env:
         "npm_config_//registry.npmjs.org/:_authToken": ${{ secrets.NPM_TOKEN }}
@@ -63,7 +63,7 @@ jobs:
     steps:
       - name: Send toot to Mastodon
         id: mastodon
-        uses: cbrgm/mastodon-github-action@96ff691bc465fd7654dfb68697f94465125a7e21 # v2.1.21
+        uses: cbrgm/mastodon-github-action@771a3605941f6e3e8a900efed5807d3e74586e1c # v2.1.22
         with:
           message: |
             pnpm@${{ github.event.inputs.version }} is out!

README.md

@@ -144,13 +144,6 @@ To quote the [Rush](https://rushjs.io/) team:
           </picture>
         </a>
       </td>
-      <td align="center" valign="middle">
-        <a href="https://opensource.mercedes-benz.com/?utm_source=pnpm&utm_medium=readme" target="_blank">
-          <img src="https://pnpm.io/img/users/mercedes.svg" width="32" alt="Vite">
-        </a>
-      </td>
-    </tr>
-    <tr>
       <td align="center" valign="middle">
         <a href="https://oomol.com/?utm_source=pnpm&utm_medium=readme" target="_blank">
           <picture>

cli/default-reporter/src/reportError.ts

@@ -70,6 +70,7 @@ function getErrorInfo (logObj: Log, config?: Config): ErrorInfo | null {
     case 'ERR_PNPM_MISSING_TIME':
       return { title: err.message, body: 'If you cannot fix this registry issue, then set "resolution-mode" to "highest".' }
     case 'ERR_PNPM_NO_MATCHING_VERSION':
+    case 'ERR_PNPM_NO_MATURE_MATCHING_VERSION':
       return formatNoMatchingVersion(err, logObj as unknown as { packageMeta: PackageMeta, immatureVersion?: string })
     case 'ERR_PNPM_RECURSIVE_FAIL':
       return formatRecursiveCommandSummary(logObj as any) // eslint-disable-line @typescript-eslint/no-explicit-any

pkg-manager/resolve-dependencies/src/resolveDependencies.ts

@@ -1357,7 +1357,7 @@ async function resolveDependency (
       bareSpecifier: wantedDependency.bareSpecifier,
       version: wantedDependency.alias ? wantedDependency.bareSpecifier : undefined,
     }
-    if (wantedDependency.optional && err.code !== 'ERR_PNPM_TRUST_DOWNGRADE') {
+    if (wantedDependency.optional && err.code !== 'ERR_PNPM_TRUST_DOWNGRADE' && err.code !== 'ERR_PNPM_NO_MATURE_MATCHING_VERSION') {
       skippedOptionalDependencyLogger.debug({
         details: err.toString(),
         package: wantedDependencyDetails,

pnpm/README.md

@@ -144,13 +144,6 @@ To quote the [Rush](https://rushjs.io/) team:
           </picture>
         </a>
       </td>
-      <td align="center" valign="middle">
-        <a href="https://opensource.mercedes-benz.com/?utm_source=pnpm&utm_medium=readme" target="_blank">
-          <img src="https://pnpm.io/img/users/mercedes.svg" width="32" alt="Vite">
-        </a>
-      </td>
-    </tr>
-    <tr>
       <td align="center" valign="middle">
         <a href="https://oomol.com/?utm_source=pnpm&utm_medium=readme" target="_blank">
           <picture>

releasing/plugin-commands-publishing/src/recursivePublish.ts

@@ -99,6 +99,9 @@ export async function recursivePublish (
     if (opts.dryRun) {
       appendedArgs.push('--dry-run')
     }
+    if (opts.force) {
+      appendedArgs.push('--force')
+    }
     if (opts.cliOptions['otp']) {
       appendedArgs.push(`--otp=${opts.cliOptions['otp'] as string}`)
     }

resolving/npm-resolver/src/index.ts

@@ -48,7 +48,7 @@ import {
 import { fetchMetadataFromFromRegistry, type FetchMetadataFromFromRegistryOptions, RegistryResponseError } from './fetch.js'
 import { workspacePrefToNpm } from './workspacePrefToNpm.js'
 import { whichVersionIsPinned } from './whichVersionIsPinned.js'
-import { pickVersionByVersionRange, assertMetaHasTime } from './pickPackageFromMeta.js'
+import { pickVersionByVersionRange } from './pickPackageFromMeta.js'
 import { failIfTrustDowngraded } from './trustChecks.js'
 
 export interface NoMatchingVersionErrorOptions {
@@ -73,7 +73,7 @@ export class NoMatchingVersionError extends PnpmError {
     } else {
       errorMessage = `No matching version found for ${dep} while fetching it from ${opts.registry}`
     }
-    super('NO_MATCHING_VERSION', errorMessage)
+    super(opts.publishedBy ? 'NO_MATURE_MATCHING_VERSION' : 'NO_MATCHING_VERSION', errorMessage)
     this.packageMeta = opts.packageMeta
     this.immatureVersion = opts.immatureVersion
   }
@@ -308,7 +308,6 @@ async function resolveNpm (
     }
     throw new NoMatchingVersionError({ wantedDependency, packageMeta: meta, registry })
   } else if (opts.trustPolicy === 'no-downgrade') {
-    assertMetaHasTime(meta)
     failIfTrustDowngraded(meta, pickedPackage.version, opts.trustPolicyExclude)
   }
 

resolving/npm-resolver/src/trustChecks.ts

@@ -1,7 +1,8 @@
 import { PnpmError } from '@pnpm/error'
-import { type PackageInRegistry, type PackageMetaWithTime } from '@pnpm/registry.types'
+import { type PackageInRegistry, type PackageMeta, type PackageMetaWithTime } from '@pnpm/registry.types'
 import { type PackageVersionPolicy } from '@pnpm/types'
 import semver from 'semver'
+import { assertMetaHasTime } from './pickPackageFromMeta.js'
 
 type TrustEvidence = 'provenance' | 'trustedPublisher'
 
@@ -11,7 +12,7 @@ const TRUST_RANK = {
 } as const satisfies Record<TrustEvidence, number>
 
 export function failIfTrustDowngraded (
-  meta: PackageMetaWithTime,
+  meta: PackageMeta,
   version: string,
   trustPolicyExclude?: PackageVersionPolicy
 ): void {
@@ -25,6 +26,8 @@ export function failIfTrustDowngraded (
     }
   }
 
+  assertMetaHasTime(meta)
+
   const versionPublishedAt = meta.time[version]
   if (!versionPublishedAt) {
     throw new PnpmError(

resolving/npm-resolver/test/trustChecks.test.ts

@@ -536,4 +536,56 @@ describe('failIfTrustDowngraded with trustPolicyExclude', () => {
       failIfTrustDowngraded(meta, '3.0.0', createPackageVersionPolicy(['bar']))
     }).not.toThrow()
   })
+
+  test('does not fail with ERR_PNPM_MISSING_TIME when package@version is excluded and time field is missing', () => {
+    const meta = {
+      name: 'baz',
+      'dist-tags': { latest: '1.0.0' },
+      versions: {
+        '1.0.0': {
+          name: 'baz',
+          version: '1.0.0',
+          dist: {
+            shasum: 'abc123',
+            tarball: 'https://registry.example.com/baz/-/baz-1.0.0.tgz',
+          },
+        },
+      },
+      // Note: no 'time' field
+    }
+
+    expect(() => {
+      failIfTrustDowngraded(meta, '1.0.0', createPackageVersionPolicy(['[email protected]']))
+    }).not.toThrow()
+  })
+
+  test('does not fail with ERR_PNPM_MISSING_TIME when package name is excluded and time field is missing', () => {
+    const meta = {
+      name: 'qux',
+      'dist-tags': { latest: '2.0.0' },
+      versions: {
+        '1.0.0': {
+          name: 'qux',
+          version: '1.0.0',
+          dist: {
+            shasum: 'abc123',
+            tarball: 'https://registry.example.com/qux/-/qux-1.0.0.tgz',
+          },
+        },
+        '2.0.0': {
+          name: 'qux',
+          version: '2.0.0',
+          dist: {
+            shasum: 'def456',
+            tarball: 'https://registry.example.com/qux/-/qux-2.0.0.tgz',
+          },
+        },
+      },
+      // Note: no 'time' field
+    }
+
+    expect(() => {
+      failIfTrustDowngraded(meta, '2.0.0', createPackageVersionPolicy(['qux']))
+    }).not.toThrow()
+  })
 })

reviewing/outdated/src/createManifestGetter.ts

@@ -63,7 +63,7 @@ export async function getManifest (
     })
     return resolution?.manifest ?? null
   } catch (err) {
-    if ((err as { code?: string }).code === 'ERR_PNPM_NO_MATCHING_VERSION' && opts.publishedBy) {
+    if ((err as { code?: string }).code === 'ERR_PNPM_NO_MATURE_MATCHING_VERSION' && opts.publishedBy) {
       // No versions found that meet the minimumReleaseAge requirement
       return null
     }

reviewing/outdated/test/getManifest.spec.ts

@@ -63,7 +63,7 @@ test('getManifest() with minimumReleaseAge filters latest when too new', async (
 
     // Simulate latest version being too new
     const error = new Error('No matching version found') as Error & { code?: string }
-    error.code = 'ERR_PNPM_NO_MATCHING_VERSION'
+    error.code = 'ERR_PNPM_NO_MATURE_MATCHING_VERSION'
     throw error
   })
 
@@ -110,7 +110,7 @@ test('getManifest() handles NO_MATCHING_VERSION error gracefully', async () => {
 
   const resolve: ResolveFunction = jest.fn(async function () {
     const error = new Error('No matching version found') as Error & { code?: string }
-    error.code = 'ERR_PNPM_NO_MATCHING_VERSION'
+    error.code = 'ERR_PNPM_NO_MATURE_MATCHING_VERSION'
     throw error
   })