-
-
Notifications
You must be signed in to change notification settings - Fork 364
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[skip netlify] Update pnpm to v9.14.4 #11203
Conversation
245a05e
to
0bca13d
Compare
🚨 Potential security issues detected. Learn more about Socket for GitHub ↗︎ To accept the risk, merge this PR and you will not be notified again.
Next stepsWhat is a typosquat?Package name is similar to other popular packages and may not be the package you want. Use care when consuming similarly named packages and ensure that you did not intend to consume a different package. Malicious packages often publish using similar names as existing popular packages. Take a deeper look at the dependencyTake a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support [AT] socket [DOT] dev. Remove the packageIf you happen to install a dependency that Socket reports as Known Malware you should immediately remove it and select a different dependency. For other alert types, you may may wish to investigate alternative packages or consider if there are other ways to mitigate the specific risk posed by the dependency. Mark a package as acceptable riskTo ignore an alert, reply with a comment starting with
|
Quality Gate passedIssues Measures |
Renovate Ignore NotificationBecause you closed this PR without merging, Renovate will ignore this update ( If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR. |
This PR contains the following updates:
9
->9.14.4
Release Notes
pnpm/pnpm (pnpm)
v9.14.4
Compare Source
v9.14.3
Compare Source
v9.14.2
Compare Source
Patch Changes
pnpm publish --json
should work #8788.Platinum Sponsors
Gold Sponsors
v9.14.1
Compare Source
Minor Changes
pnpm pack --json
to print packed tarball and contents in JSON format #8765.Patch Changes
pnpm exec
should print a meaningful error message when no command is provided #8752.pnpm setup
should remove the CLI from the target location before moving the new binary #8173.ERR_PNPM_TARBALL_EXTRACT
error while installing a dependency from GitHub having a slash in branch name #7697.use-node-version
setting is used and the system has no Node.js installed #8769..npmrc
files to their correct types. For instance,child-concurrency
should be a number, not a string #5075.manage-package-manager-versions
is set totrue
.pnpm init
should respect the--dir
option #8768.Platinum Sponsors
Gold Sponsors
v9.14.0
Compare Source
v9.13.2
: pnpm 9.13.2Compare Source
Patch Changes
dlx
processes.Platinum Sponsors
Gold Sponsors
Silver Sponsors
v9.13.1
: pnpm 9.13.1Compare Source
Patch Changes
Platinum Sponsors
Gold Sponsors
Silver Sponsors
v9.13.0
: pnpm 9.13Compare Source
Minor Changes
The
self-update
now accepts a version specifier to install a specific version of pnpm. E.g.:or
Patch Changes
Cannot read properties of undefined (reading 'name')
that is printed while trying to render the missing peer dependencies warning message #8538.Platinum Sponsors
Gold Sponsors
Silver Sponsors
v9.12.3
Compare Source
Patch Changes
node_modules
, when typing "n" in the prompt that asks whether to removenode_modules
before installation #8655.manage-package-manager-versions=true
is set and the.tools
directory is corrupt.crypto.hash
, when available, for improved performance #8629.package.json
at the root of the workspace #8667.manage-package-manager-versions
is set totrue
, errors spawning a self-managed version ofpnpm
will now be shown (instead of being silent).v9.12.2
Compare Source
Patch Changes
v9.12.1
Compare Source
Patch Changes
pnpm update --latest
should not update the automatically installed peer dependencies #6657.pnpm publish
should be able to publish from a local tarball #7950.EBUSY
errors caused by creating symlinks in paralleldlx
processes #8604.v9.12.0
Compare Source
Minor Changes
Fix peer dependency resolution dead lock #8570. This change might change some of the keys in the
snapshots
field insidepnpm-lock.yaml
but it should happen very rarely.pnpm outdated
command supports now a--sort-by=name
option for sorting outdated dependencies by package name #8523.Added the ability for
overrides
to remove dependencies by specifying"-"
as the field value #8572. For example, to removelodash
from the dependencies, use this configuration inpackage.json
:Patch Changes
pnpm list --json pkg
showed"private": false
for a private package #8519.libc
that differ frompnpm.supportedArchitectures.libc
are not downloaded #7362.ENOENT
errors caused by runningstore prune
in parallel #8586.pnpm bugs
#8596.v9.11.0
Compare Source
Minor Changes
pnpm cache
commands for inspecting the metadata cache #8512.Patch Changes
pnpm deploy
withnode-linker=hoisted
produces an emptynode_modules
directory #6682.pnpm deploy
should work in workspace withshared-workspace-lockfile=false
#8475.v9.10.0
Compare Source
Minor Changes
Support for a new CLI flag,
--exclude-peers
, added to thelist
andwhy
commands. When--exclude-peers
is used, peer dependencies are not printed in the results, but dependencies of peer dependencies are still scanned #8506.Added a new setting to
package.json
atpnpm.auditConfig.ignoreGhsas
for ignoring vulnerabilities by their GHSA code #6838.For instance:
Patch Changes
v9.9.0
Compare Source
Minor Changes
Minor breaking change. This change might result in resolving your peer dependencies slightly differently but we don't expect it to introduce issues.
We had to optimize how we resolve peer dependencies in order to fix some infinite loops and out-of-memory errors during peer dependencies resolution.
When a peer dependency is a prod dependency somewhere in the dependency graph (with the same version), pnpm will resolve the peers of that peer dependency in the same way across the subgraph.
For example, we have
react-dom
in the peer deps of theform
andbutton
packages.card
hasreact-dom
andreact
as regular dependencies andcard
is a dependency ofform
.These are the direct dependencies of our example project:
These are the dependencies of card:
When resolving peers, pnpm will not re-resolve
react-dom
forcard
, even thoughcard
shadowsreact@16
from the root withreact@17
. So, all 3 packages (form
,card
, andbutton
) will usereact-dom@16
, which in turn usesreact@16
.form
will usereact@16
, whilecard
andbutton
will usereact@17
.Before this optimization
react-dom@16
was duplicated for thecard
, so thatcard
andbutton
would use areact-dom@16
instance that usesreact@17
.Before the change:
After the change
Patch Changes
pnpm deploy
should write thenode_modules/.modules.yaml
to thenode_modules
directory within the deploy directory #7731.node_modules
if it already points to the right location pnpm/symlink-dir#54.v9.8.0
Compare Source
Minor Changes
Added a new command for upgrading pnpm itself when it isn't managed by Corepack:
pnpm self-update
. This command will work, when pnpm was installed via the standalone script from the pnpm installation page #8424.When executed in a project that has a
packageManager
field in itspackage.json
file, pnpm will update its version in thepackageManager
field.Patch Changes
CLI tools installed in the root of the workspace should be added to the PATH, when running scripts and
use-node-version
is set.pnpm setup
should never switch to another version of pnpm.This fixes installation with the standalone script from a directory that has a
package.json
with thepackageManager
field. pnpm was installing the version of pnpm specified in thepackageManager
field due to this issue.Ignore non-string value in the os, cpu, libc fields, which checking optional dependencies #8431.
Remember the state of edit dir, allow running
pnpm patch-commit
the second time without having to re-runpnpm patch
.v9.7.1
Compare Source
Patch Changes
public-hoist-pattern
andhoist-pattern
via env variables #8339.pnpm setup
no longer creates Batch/Powershell scripts on Linux and macOS #8418.pnpm exec
now supports executionEnv #8356.pnpm
field, add warnings for non-rootpnpm
subfields that aren'texecutionEnv
#8143.patch-commit
in which relative path is rejected #8405.@pnpm/exe
to v20.v9.7.0
Compare Source
Minor Changes
Added pnpm version management to pnpm. If the
manage-package-manager-versions
setting is set totrue
, pnpm will switch to the version specified in thepackageManager
field ofpackage.json
#8363. This is the same field used by Corepack. Example:Added the ability to apply patch to all versions:
If the key of
pnpm.patchedDependencies
is a package name without a version (e.g.pkg
), pnpm will attempt to apply the patch to all versions ofthe package. Failures will be skipped.
If it is a package name and an exact version (e.g.
[email protected]
), pnpm will attempt to apply the patch to that exact version only. Failures willcause pnpm to fail.
If there's only one version of
pkg
installed,pnpm patch pkg
and subsequentpnpm patch-commit $edit_dir
will create an entry namedpkg
inpnpm.patchedDependencies
. And pnpm will attempt to apply this patch to other versions ofpkg
in the future.If there are multiple versions of
pkg
installed,pnpm patch pkg
will ask which version to edit and whether to attempt to apply the patch to all.If the user chooses to apply the patch to all,
pnpm patch-commit $edit_dir
would create apkg
entry inpnpm.patchedDependencies
.If the user chooses not to apply the patch to all,
pnpm patch-commit $edit_dir
would create a[email protected]
entry inpnpm.patchedDependencies
withx.y.z
being the version the user chose to edit.If the user runs
pnpm patch [email protected]
withx.y.z
being the exact version ofpkg
that has been installed,pnpm patch-commit $edit_dir
will alwayscreate a
[email protected]
entry inpnpm.patchedDependencies
.Change the default edit dir location when running
pnpm patch
from a temporary directory tonode_modules/.pnpm_patches/pkg[@​version]
to allow the code editor to open the edit dir in the same file tree as the main project.Substitute environment variables in config keys #6679.
Patch Changes
pnpm install
should runnode-gyp rebuild
if the project has abinding.gyp
file even if the project doesn't have an install script #8293.v9.6.0
Compare Source
Minor Changes
pnpm.executionEnv.nodeVersion
inpackage.json
) for running lifecycle scripts per each package in a workspace #6720.catalogs:
protocol #8303.Patch Changes
pnpm deploy
command now supports thecatalog:
protocol #8298.pnpm outdated
command now supports thecatalog:
protocol #8304.pnpm patch
withoutnode_modules/.modules.yaml
#8257.pnpm exec
command #7608.v9.5.0
Compare Source
Minor Changes
Added support for catalogs 8122.
Catalogs may be declared in the
pnpm-workspace.yaml
file. For example:v9.4.0
Compare Source
Minor Changes
strict-store-pkg-content-check
setting tofalse
#4724.Patch Changes
package-manager-strict-version
missing in config #8195.v9.3.0
Compare Source
Minor Changes
peers-suffix-max-length
setting #8177.Patch Changes
reporter-hide-prefix
totrue
by default forpnpm exec
. In order to show prefix, the user now has to explicitly setreporter-hide-prefix=false
#8174.v9.2.0
Compare Source
Minor Changes
package-manager-strict-version
is set totrue
, pnpm will fail if its version doesn't exactly match the version in the "packageManager" field ofpackage.json
.Patch Changes
@yarnpkg/pnp
to the latest version, fixing issue withnode:
imports #8161.package.json
#8087.exec
now also streams prefixed output when--recursive
or--parallel
is specified just asrun
does #8065.v9.1.4
Compare Source
Patch Changes
v9.1.3
Compare Source
Patch Changes
optional=false
#8066.v9.1.2
Compare Source
Patch Changes
pnpm licenses
output are not misplaced anymore #8071.v9.1.1
Compare Source
Patch Changes
link:
now preserve absolute path #8053.file:
overrides for workspace package #8053.resolution-mode
is set totime-based
and the registry fails to return the"time"
field in the package's metadata.v9.1.0
Compare Source
Minor Changes
virtual-store-dir-max-length
added to modify the maximum allowed length of the directories insidenode_modules/.pnpm
. The default length is set to 120 characters. This setting is particularly useful on WConfiguration
📅 Schedule: Branch creation - "before 3am on Monday" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.