@pnpm/deps.graph-builder 1100.0.19 → 1100.0.21

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md ADDED
@@ -0,0 +1,1239 @@
1
+ # @pnpm/deps.graph-builder
2
+
3
+ ## 1100.0.21
4
+
5
+ ### Patch Changes
6
+
7
+ - Updated dependencies [a897ef7]
8
+ - @pnpm/hooks.types@1100.2.0
9
+ - @pnpm/lockfile.utils@1100.1.2
10
+ - @pnpm/deps.graph-hasher@1100.2.9
11
+ - @pnpm/lockfile.fs@1100.1.10
12
+
13
+ ## 1100.0.20
14
+
15
+ ### Patch Changes
16
+
17
+ - 51300fd: Prevent a crafted `pnpm-lock.yaml` from writing package content outside the virtual store. A dependency path key whose name reconstructs to a path-traversal sequence (e.g. `../../../tmp/x@1.0.0`) is now rejected by the isolated (virtual-store) linker and the Plug'n'Play resolver map, matching the containment already applied to the hoisted linker. Under the global virtual store, a traversal in the version-derived path segment (e.g. a snapshot `version: "../../x"`) is now rejected at `formatGlobalVirtualStorePath`, the single point every global-virtual-store slot path funnels through — closing the same escape in the isolated linker, the resolver's dependency-graph builder, and the config-dependency installer.
18
+ - 51300fd: Fixed a path traversal vulnerability where a dependency whose manifest `name` was a scoped path traversal (e.g. `@x/../../../<path>`) could be written outside `node_modules` to an attacker-controlled location during `pnpm install`, even with `--ignore-scripts`. The isolated linker now validates the package name before using it as a directory name, matching the existing protection in the hoisted linker.
19
+ - Updated dependencies [51300fd]
20
+ - Updated dependencies [f8058eb]
21
+ - @pnpm/deps.graph-hasher@1100.2.8
22
+ - @pnpm/lockfile.fs@1100.1.9
23
+
24
+ ## 1100.0.19
25
+
26
+ ### Patch Changes
27
+
28
+ - Updated dependencies [dcabb78]
29
+ - @pnpm/store.controller-types@1100.1.7
30
+ - @pnpm/deps.graph-hasher@1100.2.7
31
+ - @pnpm/hooks.types@1100.1.1
32
+ - @pnpm/lockfile.utils@1100.1.1
33
+ - @pnpm/lockfile.fs@1100.1.8
34
+
35
+ ## 1100.0.18
36
+
37
+ ### Patch Changes
38
+
39
+ - bae694f: Some registries generate tarballs on-demand and cannot provide an integrity checksum in their package metadata. In that case pnpm now computes the integrity from the downloaded tarball and stores it in the lockfile, so the entry is verifiable on subsequent installs instead of being written without an integrity (which would fail the next install). This also applies to `--lockfile-only`: the tarball is downloaded so its integrity can be computed. A lockfile entry that is still missing its integrity is rejected as a `ERR_PNPM_MISSING_TARBALL_INTEGRITY` lockfile verification violation (the install fails closed) rather than being silently re-fetched.
40
+ - Updated dependencies [bae694f]
41
+ - Updated dependencies [a84d2a1]
42
+ - @pnpm/hooks.types@1100.1.0
43
+ - @pnpm/store.controller-types@1100.1.6
44
+ - @pnpm/lockfile.utils@1100.1.0
45
+ - @pnpm/deps.graph-hasher@1100.2.6
46
+ - @pnpm/lockfile.fs@1100.1.7
47
+ - @pnpm/config.package-is-installable@1100.0.12
48
+ - @pnpm/patching.config@1100.0.9
49
+
50
+ ## 1100.0.17
51
+
52
+ ### Patch Changes
53
+
54
+ - Updated dependencies [61969fb]
55
+ - @pnpm/lockfile.fs@1100.1.6
56
+
57
+ ## 1100.0.16
58
+
59
+ ### Patch Changes
60
+
61
+ - a31faa7: Updated dependency ranges. Notably:
62
+
63
+ - `@pnpm/logger` peer dependency range moved to `^1100.0.0`.
64
+ - `msgpackr` 1.11.8 → 2.0.4 (store index files remain byte-compatible in both directions).
65
+ - `open` ^7.4.2 → ^11.0.0, `memoize` ^10 → ^11, `cli-truncate` ^5 → ^6, `pidtree` ^0.6 → ^1.
66
+ - `@yarnpkg/core` 4.5.0 → 4.8.0, `@rushstack/worker-pool` 0.7.7 → 0.7.18, `@cyclonedx/cyclonedx-library` 10.0.0 → 10.1.0, `@pnpm/config.nerf-dart` ^1 → ^2, `@pnpm/log.group` 3.0.2 → 4.0.1, `@pnpm/util.lex-comparator` ^3 → ^4.
67
+
68
+ - Updated dependencies [f20ad8f]
69
+ - Updated dependencies [681b593]
70
+ - Updated dependencies [d50d691]
71
+ - Updated dependencies [a31faa7]
72
+ - @pnpm/lockfile.utils@1100.0.13
73
+ - @pnpm/types@1101.3.2
74
+ - @pnpm/lockfile.fs@1100.1.5
75
+ - @pnpm/config.package-is-installable@1100.0.11
76
+ - @pnpm/core-loggers@1100.2.1
77
+ - @pnpm/deps.path@1100.0.8
78
+ - @pnpm/patching.config@1100.0.8
79
+ - @pnpm/deps.graph-hasher@1100.2.5
80
+ - @pnpm/hooks.types@1100.0.12
81
+ - @pnpm/installing.modules-yaml@1100.0.9
82
+ - @pnpm/store.controller-types@1100.1.5
83
+
84
+ ## 1100.0.15
85
+
86
+ ### Patch Changes
87
+
88
+ - Updated dependencies [f11b4fc]
89
+ - Updated dependencies [52be454]
90
+ - @pnpm/core-loggers@1100.2.0
91
+ - @pnpm/config.package-is-installable@1100.0.10
92
+
93
+ ## 1100.0.14
94
+
95
+ ### Patch Changes
96
+
97
+ - bf1b731: Require trusted package identity before package-name `allowBuilds` entries can approve lifecycle scripts for git, git-hosted tarball, direct tarball, and local directory artifacts. To approve one of those artifacts explicitly, use its peer-suffix-free lockfile depPath as the `allowBuilds` key. Lockfile verification now rejects lockfiles where a registry-style dependency path (`name@semver`) is backed by a git, directory, or git-hosted tarball resolution (`ERR_PNPM_RESOLUTION_SHAPE_MISMATCH`), so the dependency path is a reliable artifact identity by the time scripts can run.
98
+ - Updated dependencies [bf1b731]
99
+ - @pnpm/deps.graph-hasher@1100.2.4
100
+ - @pnpm/types@1101.3.1
101
+ - @pnpm/config.package-is-installable@1100.0.9
102
+ - @pnpm/core-loggers@1100.1.4
103
+ - @pnpm/deps.path@1100.0.7
104
+ - @pnpm/hooks.types@1100.0.11
105
+ - @pnpm/installing.modules-yaml@1100.0.8
106
+ - @pnpm/lockfile.fs@1100.1.4
107
+ - @pnpm/lockfile.utils@1100.0.12
108
+ - @pnpm/store.controller-types@1100.1.4
109
+ - @pnpm/patching.config@1100.0.7
110
+
111
+ ## 1100.0.13
112
+
113
+ ### Patch Changes
114
+
115
+ - Updated dependencies [a017bf3]
116
+ - @pnpm/types@1101.3.0
117
+ - @pnpm/config.package-is-installable@1100.0.8
118
+ - @pnpm/core-loggers@1100.1.3
119
+ - @pnpm/deps.graph-hasher@1100.2.3
120
+ - @pnpm/deps.path@1100.0.6
121
+ - @pnpm/hooks.types@1100.0.10
122
+ - @pnpm/installing.modules-yaml@1100.0.7
123
+ - @pnpm/lockfile.fs@1100.1.3
124
+ - @pnpm/lockfile.utils@1100.0.11
125
+ - @pnpm/store.controller-types@1100.1.3
126
+ - @pnpm/patching.config@1100.0.6
127
+
128
+ ## 1100.0.12
129
+
130
+ ### Patch Changes
131
+
132
+ - Updated dependencies [e55f4b5]
133
+ - Updated dependencies [35d2355]
134
+ - @pnpm/lockfile.utils@1100.0.10
135
+ - @pnpm/types@1101.2.0
136
+ - @pnpm/deps.graph-hasher@1100.2.2
137
+ - @pnpm/lockfile.fs@1100.1.2
138
+ - @pnpm/config.package-is-installable@1100.0.7
139
+ - @pnpm/core-loggers@1100.1.2
140
+ - @pnpm/deps.path@1100.0.5
141
+ - @pnpm/hooks.types@1100.0.9
142
+ - @pnpm/installing.modules-yaml@1100.0.6
143
+ - @pnpm/store.controller-types@1100.1.2
144
+ - @pnpm/patching.config@1100.0.5
145
+
146
+ ## 1100.0.11
147
+
148
+ ### Patch Changes
149
+
150
+ - Updated dependencies [9cb48bb]
151
+ - Updated dependencies [64afc92]
152
+ - @pnpm/lockfile.fs@1100.1.1
153
+ - @pnpm/types@1101.1.1
154
+ - @pnpm/deps.graph-hasher@1100.2.1
155
+ - @pnpm/hooks.types@1100.0.8
156
+ - @pnpm/lockfile.utils@1100.0.9
157
+ - @pnpm/store.controller-types@1100.1.1
158
+ - @pnpm/config.package-is-installable@1100.0.6
159
+ - @pnpm/core-loggers@1100.1.1
160
+ - @pnpm/deps.path@1100.0.4
161
+ - @pnpm/installing.modules-yaml@1100.0.5
162
+ - @pnpm/patching.config@1100.0.4
163
+
164
+ ## 1100.0.10
165
+
166
+ ### Patch Changes
167
+
168
+ - 3ddde2b: **fix**: anchor the side-effects-cache key and global-virtual-store hash to the project's script-runner Node — `engines.runtime` pin when present, shell `node` otherwise — instead of pnpm's own runtime.
169
+
170
+ `ENGINE_NAME` (the `<platform>;<arch>;node<major>` prefix used as the side-effects-cache key and the engine portion of the GVS hash) was computed from `process.version` — the Node that runs pnpm itself. That was wrong in two situations:
171
+
172
+ 1. **`@pnpm/exe` SEA bundle.** The bundle has its own embedded Node, not the `node` on the user's `PATH` that actually spawns lifecycle scripts. Two pnpm installations on the same machine (one SEA, one npm-package) therefore disagreed on the cache key, partitioning the side-effects cache and the global virtual store across two Node majors even though both installs would run scripts on the same shell `node`.
173
+ 2. **`engines.runtime` / `devEngines.runtime` pin.** When a project pins a Node version via `devEngines.runtime` (pnpm v11+), pnpm downloads that Node into `node_modules/node/` and uses it to run lifecycle scripts. But the hash still anchored to whichever Node ran pnpm itself, not to the pinned Node — so two installs of the same project with two different runner Nodes would still disagree on the GVS slot path even though scripts run on the same pinned Node.
174
+
175
+ Three changes:
176
+
177
+ - `@pnpm/engine.runtime.system-node-version` now exports `engineName(nodeVersion?)`. Resolves the version in this order: explicit override → `getSystemNodeVersion()` (which already prefers `node --version` over `process.version` in SEA contexts) → `process.version`.
178
+ - `@pnpm/deps.graph-hasher` now exports `findRuntimeNodeVersion(snapshotKeys)` — scans an iterable of lockfile snapshot keys for a `node@runtime:<version>` entry and returns its bare version string. `calcDepState` and `calcGraphNodeHash`/`iterateHashedGraphNodes` accept a `nodeVersion?` (in the options bag for the first, as a trailing parameter / ctx field for the others), forwarded to `engineName()`. The default (no override) preserves the pre-change behaviour. The legacy `ENGINE_NAME` constant in `@pnpm/constants` is unchanged so external consumers and existing tests keep working; in non-SEA, non-pinned contexts every value lines up.
179
+ - Every install-side caller of the graph-hasher (`@pnpm/installing.deps-resolver`, `@pnpm/installing.deps-restorer`, `@pnpm/installing.deps-installer`, `@pnpm/building.during-install`, `@pnpm/building.after-install`, `@pnpm/deps.graph-builder`) now derives the project's pinned runtime via `findRuntimeNodeVersion(Object.keys(graph))` once per invocation and threads it through.
180
+
181
+ On upgrade, two one-time GVS slot churns are possible:
182
+
183
+ - **SEA-pnpm users** without a runtime pin: slots that previously hashed under the embedded-Node major (e.g. `node26`) now hash under the shell-Node major (e.g. `node24`), matching what pacquet, the npm-published `pnpm` package, and any other pnpm-compatible tool already produce.
184
+ - **Projects with a `devEngines.runtime` pin**: slots that previously hashed under the runner's Node major now hash under the pinned Node major, matching what the lifecycle scripts will actually run on.
185
+
186
+ In both cases the old slots become prune-eligible.
187
+
188
+ - Updated dependencies [4195766]
189
+ - Updated dependencies [6e93f35]
190
+ - Updated dependencies [3ddde2b]
191
+ - Updated dependencies [5dc8be8]
192
+ - Updated dependencies [4a79336]
193
+ - Updated dependencies [2a9bd89]
194
+ - @pnpm/store.controller-types@1100.1.0
195
+ - @pnpm/lockfile.fs@1100.1.0
196
+ - @pnpm/deps.graph-hasher@1100.2.0
197
+ - @pnpm/core-loggers@1100.1.0
198
+ - @pnpm/hooks.types@1100.0.7
199
+ - @pnpm/lockfile.utils@1100.0.8
200
+ - @pnpm/config.package-is-installable@1100.0.5
201
+
202
+ ## 1100.0.9
203
+
204
+ ### Patch Changes
205
+
206
+ - Updated dependencies [180aee9]
207
+ - Updated dependencies [c2c2890]
208
+ - @pnpm/lockfile.fs@1100.0.8
209
+ - @pnpm/store.controller-types@1100.0.7
210
+
211
+ ## 1100.0.8
212
+
213
+ ### Patch Changes
214
+
215
+ - Updated dependencies [b61e268]
216
+ - @pnpm/types@1101.1.0
217
+ - @pnpm/config.package-is-installable@1100.0.4
218
+ - @pnpm/core-loggers@1100.0.2
219
+ - @pnpm/deps.graph-hasher@1100.1.5
220
+ - @pnpm/deps.path@1100.0.3
221
+ - @pnpm/hooks.types@1100.0.6
222
+ - @pnpm/installing.modules-yaml@1100.0.4
223
+ - @pnpm/lockfile.fs@1100.0.7
224
+ - @pnpm/lockfile.utils@1100.0.7
225
+ - @pnpm/store.controller-types@1100.0.6
226
+ - @pnpm/patching.config@1100.0.3
227
+
228
+ ## 1100.0.7
229
+
230
+ ### Patch Changes
231
+
232
+ - Updated dependencies [cfa271b]
233
+ - @pnpm/lockfile.utils@1100.0.6
234
+ - @pnpm/deps.graph-hasher@1100.1.4
235
+ - @pnpm/lockfile.fs@1100.0.6
236
+
237
+ ## 1100.0.6
238
+
239
+ ### Patch Changes
240
+
241
+ - Updated dependencies [12313f1]
242
+ - Updated dependencies [27425d7]
243
+ - @pnpm/installing.modules-yaml@1100.0.3
244
+ - @pnpm/lockfile.fs@1100.0.5
245
+ - @pnpm/lockfile.utils@1100.0.5
246
+ - @pnpm/deps.graph-hasher@1100.1.3
247
+ - @pnpm/hooks.types@1100.0.5
248
+ - @pnpm/store.controller-types@1100.0.5
249
+
250
+ ## 1100.0.5
251
+
252
+ ### Patch Changes
253
+
254
+ - 184ce26: Fix the package name in README.md.
255
+ - Updated dependencies [184ce26]
256
+ - Updated dependencies [6b891a5]
257
+ - @pnpm/config.package-is-installable@1100.0.3
258
+ - @pnpm/installing.modules-yaml@1100.0.2
259
+ - @pnpm/store.controller-types@1100.0.4
260
+ - @pnpm/deps.graph-hasher@1100.1.2
261
+ - @pnpm/deps.path@1100.0.2
262
+ - @pnpm/lockfile.utils@1100.0.4
263
+ - @pnpm/hooks.types@1100.0.4
264
+ - @pnpm/lockfile.fs@1100.0.4
265
+ - @pnpm/patching.config@1100.0.2
266
+
267
+ ## 1100.0.4
268
+
269
+ ### Patch Changes
270
+
271
+ - Updated dependencies [d96a1bf]
272
+ - @pnpm/config.package-is-installable@1100.0.2
273
+
274
+ ## 1100.0.3
275
+
276
+ ### Patch Changes
277
+
278
+ - @pnpm/hooks.types@1100.0.3
279
+ - @pnpm/store.controller-types@1100.0.3
280
+ - @pnpm/lockfile.utils@1100.0.3
281
+ - @pnpm/deps.graph-hasher@1100.1.1
282
+ - @pnpm/lockfile.fs@1100.0.3
283
+
284
+ ## 1100.0.2
285
+
286
+ ### Patch Changes
287
+
288
+ - 72c1e05: Fix: different platform variants of the same runtime (e.g. `node@runtime:25.9.0` glibc vs. musl) no longer share a single global-virtual-store entry. The virtual store path now incorporates the selected variant's integrity, so installs with different `--os`/`--cpu`/`--libc` end up in separate directories and `pnpm add --libc=musl node@runtime:<v>` reliably fetches the musl binary even when the glibc variant is already cached.
289
+ - Updated dependencies [72c1e05]
290
+ - @pnpm/deps.graph-hasher@1100.1.0
291
+ - @pnpm/hooks.types@1100.0.2
292
+ - @pnpm/lockfile.utils@1100.0.2
293
+ - @pnpm/store.controller-types@1100.0.2
294
+ - @pnpm/lockfile.fs@1100.0.2
295
+
296
+ ## 1100.0.1
297
+
298
+ ### Patch Changes
299
+
300
+ - Updated dependencies [ff28085]
301
+ - @pnpm/types@1101.0.0
302
+ - @pnpm/config.package-is-installable@1100.0.1
303
+ - @pnpm/core-loggers@1100.0.1
304
+ - @pnpm/deps.graph-hasher@1100.0.1
305
+ - @pnpm/deps.path@1100.0.1
306
+ - @pnpm/hooks.types@1100.0.1
307
+ - @pnpm/installing.modules-yaml@1100.0.1
308
+ - @pnpm/lockfile.fs@1100.0.1
309
+ - @pnpm/lockfile.utils@1100.0.1
310
+ - @pnpm/store.controller-types@1100.0.1
311
+ - @pnpm/patching.config@1100.0.1
312
+
313
+ ## 1003.0.0
314
+
315
+ ### Major Changes
316
+
317
+ - 5f73b0f: Runtime dependencies are always linked from the global virtual store [#10233](https://github.com/pnpm/pnpm/pull/10233).
318
+ - 491a84f: This package is now pure ESM.
319
+ - 7d2fd48: Node.js v18, 19, 20, and 21 support discontinued.
320
+
321
+ ### Minor Changes
322
+
323
+ - cd743ef: Use `allowBuilds` config to compute engine-agnostic GVS hashes for pure-JS packages [#10837](https://github.com/pnpm/pnpm/issues/10837).
324
+
325
+ When the global virtual store is enabled, packages that are not allowed to build (and don't transitively depend on packages that are) now get hashes that don't include the engine name (platform, architecture, Node.js major version). This means ~95% of packages in the GVS survive Node.js upgrades and architecture changes without re-import.
326
+
327
+ ### Patch Changes
328
+
329
+ - 394d88c: Fixed injected local packages to work correctly with the global virtual store [#10366](https://github.com/pnpm/pnpm/pull/10366).
330
+
331
+ When using `nodeLinker: 'isolated'` with `enableGlobalVirtualStore: true`, injected workspace packages now use the correct hash-based paths from the global virtual store instead of project-relative paths.
332
+
333
+ - 312226c: Skip local `file:` protocol dependencies during `pnpm fetch`. This fixes an issue where `pnpm fetch` would fail in Docker builds when local directory dependencies were not available [#10460](https://github.com/pnpm/pnpm/issues/10460).
334
+ - 97f049f: Skip re-importing packages from the global virtual store when `node_modules` is deleted but the store directories are still warm. The global store directory hash already encodes engine, integrity, and full dependency subgraph, so existence is proof of validity.
335
+ - 38b8e35: Support for custom resolvers and fetchers.
336
+ - Updated dependencies [5f73b0f]
337
+ - Updated dependencies [facdd71]
338
+ - Updated dependencies [c55c614]
339
+ - Updated dependencies [76718b3]
340
+ - Updated dependencies [a8f016c]
341
+ - Updated dependencies [cc1b8e3]
342
+ - Updated dependencies [3cfffaa]
343
+ - Updated dependencies [05fb1ae]
344
+ - Updated dependencies [cd743ef]
345
+ - Updated dependencies [491a84f]
346
+ - Updated dependencies [075aa99]
347
+ - Updated dependencies [c4045fc]
348
+ - Updated dependencies [ba065f6]
349
+ - Updated dependencies [d458ab3]
350
+ - Updated dependencies [7d2fd48]
351
+ - Updated dependencies [efb48dc]
352
+ - Updated dependencies [56a59df]
353
+ - Updated dependencies [50fbeca]
354
+ - Updated dependencies [cb367b9]
355
+ - Updated dependencies [7b1c189]
356
+ - Updated dependencies [8ffb1a7]
357
+ - Updated dependencies [05fb1ae]
358
+ - Updated dependencies [71de2b3]
359
+ - Updated dependencies [10bc391]
360
+ - Updated dependencies [38b8e35]
361
+ - Updated dependencies [394d88c]
362
+ - Updated dependencies [1e6de25]
363
+ - Updated dependencies [2df8b71]
364
+ - Updated dependencies [15549a9]
365
+ - Updated dependencies [cc7c0d2]
366
+ - Updated dependencies [3cfffaa]
367
+ - Updated dependencies [9d3f00b]
368
+ - Updated dependencies [98a0410]
369
+ - Updated dependencies [efb48dc]
370
+ - @pnpm/deps.path@1002.0.0
371
+ - @pnpm/deps.graph-hasher@1003.0.0
372
+ - @pnpm/store.controller-types@1005.0.0
373
+ - @pnpm/constants@1002.0.0
374
+ - @pnpm/types@1001.0.0
375
+ - @pnpm/lockfile.fs@1002.0.0
376
+ - @pnpm/lockfile.utils@1004.0.0
377
+ - @pnpm/installing.modules-yaml@1001.0.0
378
+ - @pnpm/config.package-is-installable@1001.0.0
379
+ - @pnpm/core-loggers@1002.0.0
380
+ - @pnpm/patching.config@1002.0.0
381
+ - @pnpm/patching.types@1001.0.0
382
+ - @pnpm/hooks.types@1002.0.0
383
+
384
+ ## 1002.3.0
385
+
386
+ ### Minor Changes
387
+
388
+ - dee39ec: You can now allow specific versions of dependencies to run postinstall scripts. `onlyBuiltDependencies` now accepts package names with lists of trusted versions. For example:
389
+
390
+ ```yaml
391
+ onlyBuiltDependencies:
392
+ - nx@21.6.4 || 21.6.5
393
+ - esbuild@0.25.1
394
+ ```
395
+
396
+ Related PR: [#10104](https://github.com/pnpm/pnpm/pull/10104).
397
+
398
+ ### Patch Changes
399
+
400
+ - Updated dependencies [7c1382f]
401
+ - Updated dependencies [7c1382f]
402
+ - Updated dependencies [dee39ec]
403
+ - @pnpm/types@1000.9.0
404
+ - @pnpm/store-controller-types@1004.1.0
405
+ - @pnpm/package-is-installable@1000.0.15
406
+ - @pnpm/lockfile.fs@1001.1.21
407
+ - @pnpm/lockfile.utils@1003.0.3
408
+ - @pnpm/calc-dep-state@1002.0.8
409
+ - @pnpm/core-loggers@1001.0.4
410
+ - @pnpm/dependency-path@1001.1.3
411
+ - @pnpm/modules-yaml@1000.3.6
412
+ - @pnpm/patching.config@1001.0.11
413
+
414
+ ## 1002.2.6
415
+
416
+ ### Patch Changes
417
+
418
+ - @pnpm/dependency-path@1001.1.2
419
+ - @pnpm/lockfile.fs@1001.1.20
420
+ - @pnpm/lockfile.utils@1003.0.2
421
+ - @pnpm/calc-dep-state@1002.0.7
422
+ - @pnpm/patching.config@1001.0.10
423
+
424
+ ## 1002.2.5
425
+
426
+ ### Patch Changes
427
+
428
+ - Updated dependencies [6365bc4]
429
+ - @pnpm/constants@1001.3.1
430
+ - @pnpm/lockfile.fs@1001.1.19
431
+ - @pnpm/calc-dep-state@1002.0.6
432
+ - @pnpm/package-is-installable@1000.0.14
433
+ - @pnpm/patching.config@1001.0.9
434
+
435
+ ## 1002.2.4
436
+
437
+ ### Patch Changes
438
+
439
+ - Updated dependencies [df8d57f]
440
+ - Updated dependencies [e792927]
441
+ - @pnpm/package-is-installable@1000.0.13
442
+ - @pnpm/types@1000.8.0
443
+ - @pnpm/lockfile.fs@1001.1.18
444
+ - @pnpm/lockfile.utils@1003.0.1
445
+ - @pnpm/calc-dep-state@1002.0.5
446
+ - @pnpm/core-loggers@1001.0.3
447
+ - @pnpm/dependency-path@1001.1.1
448
+ - @pnpm/modules-yaml@1000.3.5
449
+ - @pnpm/store-controller-types@1004.0.2
450
+ - @pnpm/patching.config@1001.0.8
451
+
452
+ ## 1002.2.3
453
+
454
+ ### Patch Changes
455
+
456
+ - 9908269: Fix an edge case bug causing local tarballs to not re-link into the virtual store. This bug would happen when changing the contents of the tarball without renaming the file and running a filtered install.
457
+ - e9b589c: Add a JSDoc for the `lockfileToDepGraph` function.
458
+ - Updated dependencies [d1edf73]
459
+ - Updated dependencies [d1edf73]
460
+ - Updated dependencies [86b33e9]
461
+ - @pnpm/dependency-path@1001.1.0
462
+ - @pnpm/constants@1001.3.0
463
+ - @pnpm/lockfile.utils@1003.0.0
464
+ - @pnpm/lockfile.fs@1001.1.17
465
+ - @pnpm/calc-dep-state@1002.0.4
466
+ - @pnpm/patching.config@1001.0.7
467
+ - @pnpm/store-controller-types@1004.0.1
468
+ - @pnpm/package-is-installable@1000.0.12
469
+
470
+ ## 1002.2.2
471
+
472
+ ### Patch Changes
473
+
474
+ - Updated dependencies [1a07b8f]
475
+ - Updated dependencies [2e85f29]
476
+ - Updated dependencies [1a07b8f]
477
+ - Updated dependencies [1a07b8f]
478
+ - Updated dependencies [1a07b8f]
479
+ - @pnpm/types@1000.7.0
480
+ - @pnpm/lockfile.utils@1002.1.0
481
+ - @pnpm/store-controller-types@1004.0.0
482
+ - @pnpm/constants@1001.2.0
483
+ - @pnpm/package-is-installable@1000.0.11
484
+ - @pnpm/lockfile.fs@1001.1.16
485
+ - @pnpm/calc-dep-state@1002.0.3
486
+ - @pnpm/core-loggers@1001.0.2
487
+ - @pnpm/dependency-path@1001.0.2
488
+ - @pnpm/modules-yaml@1000.3.4
489
+ - @pnpm/patching.config@1001.0.6
490
+
491
+ ## 1002.2.1
492
+
493
+ ### Patch Changes
494
+
495
+ - @pnpm/dependency-path@1001.0.1
496
+ - @pnpm/lockfile.fs@1001.1.15
497
+ - @pnpm/lockfile.utils@1002.0.1
498
+ - @pnpm/calc-dep-state@1002.0.2
499
+ - @pnpm/patching.config@1001.0.5
500
+
501
+ ## 1002.2.0
502
+
503
+ ### Minor Changes
504
+
505
+ - b982a0d: New option added: includeUnchangedDeps.
506
+
507
+ ### Patch Changes
508
+
509
+ - Updated dependencies [540986f]
510
+ - @pnpm/dependency-path@1001.0.0
511
+ - @pnpm/lockfile.utils@1002.0.0
512
+ - @pnpm/lockfile.fs@1001.1.14
513
+ - @pnpm/calc-dep-state@1002.0.1
514
+ - @pnpm/patching.config@1001.0.4
515
+
516
+ ## 1002.1.0
517
+
518
+ ### Minor Changes
519
+
520
+ - b0ead51: **Experimental**. Added support for global virtual stores. When the global virtual store is enabled, `node_modules` doesn’t contain regular files, only symlinks to a central virtual store (by default the central store is located at `<store-path>/links`; run `pnpm store path` to find `<store-path>`).
521
+
522
+ To enable the global virtual store, add `enableGlobalVirtualStore: true` to your root `pnpm-workspace.yaml`.
523
+
524
+ A global virtual store can make installations significantly faster when a warm cache is present. In CI, however, it will probably slow installations because there is usually no cache.
525
+
526
+ Related PR: [#8190](https://github.com/pnpm/pnpm/pull/8190).
527
+
528
+ ### Patch Changes
529
+
530
+ - Updated dependencies [b0ead51]
531
+ - Updated dependencies [b3898db]
532
+ - Updated dependencies [b0ead51]
533
+ - @pnpm/calc-dep-state@1002.0.0
534
+ - @pnpm/lockfile.utils@1001.0.12
535
+ - @pnpm/store-controller-types@1003.0.3
536
+ - @pnpm/lockfile.fs@1001.1.13
537
+
538
+ ## 1002.0.5
539
+
540
+ ### Patch Changes
541
+
542
+ - Updated dependencies [509948d]
543
+ - @pnpm/store-controller-types@1003.0.2
544
+
545
+ ## 1002.0.4
546
+
547
+ ### Patch Changes
548
+
549
+ - 09cf46f: Update `@pnpm/logger` in peer dependencies.
550
+ - Updated dependencies [09cf46f]
551
+ - Updated dependencies [5ec7255]
552
+ - Updated dependencies [c24c66e]
553
+ - @pnpm/package-is-installable@1000.0.10
554
+ - @pnpm/core-loggers@1001.0.1
555
+ - @pnpm/patching.config@1001.0.3
556
+ - @pnpm/lockfile.fs@1001.1.12
557
+ - @pnpm/types@1000.6.0
558
+ - @pnpm/store-controller-types@1003.0.1
559
+ - @pnpm/lockfile.utils@1001.0.11
560
+ - @pnpm/dependency-path@1000.0.9
561
+ - @pnpm/modules-yaml@1000.3.3
562
+
563
+ ## 1002.0.3
564
+
565
+ ### Patch Changes
566
+
567
+ - Updated dependencies [8a9f3a4]
568
+ - Updated dependencies [5b73df1]
569
+ - Updated dependencies [9c3dd03]
570
+ - Updated dependencies [5b73df1]
571
+ - @pnpm/store-controller-types@1003.0.0
572
+ - @pnpm/core-loggers@1001.0.0
573
+ - @pnpm/logger@1001.0.0
574
+ - @pnpm/types@1000.5.0
575
+ - @pnpm/lockfile.utils@1001.0.10
576
+ - @pnpm/package-is-installable@1000.0.9
577
+ - @pnpm/lockfile.fs@1001.1.11
578
+ - @pnpm/dependency-path@1000.0.8
579
+ - @pnpm/modules-yaml@1000.3.2
580
+ - @pnpm/patching.config@1001.0.2
581
+
582
+ ## 1002.0.2
583
+
584
+ ### Patch Changes
585
+
586
+ - @pnpm/lockfile.utils@1001.0.9
587
+ - @pnpm/store-controller-types@1002.0.1
588
+ - @pnpm/lockfile.fs@1001.1.10
589
+
590
+ ## 1002.0.1
591
+
592
+ ### Patch Changes
593
+
594
+ - Updated dependencies [750ae7d]
595
+ - Updated dependencies [72cff38]
596
+ - Updated dependencies [750ae7d]
597
+ - @pnpm/types@1000.4.0
598
+ - @pnpm/store-controller-types@1002.0.0
599
+ - @pnpm/core-loggers@1000.2.0
600
+ - @pnpm/package-is-installable@1000.0.8
601
+ - @pnpm/lockfile.fs@1001.1.9
602
+ - @pnpm/lockfile.utils@1001.0.8
603
+ - @pnpm/dependency-path@1000.0.7
604
+ - @pnpm/modules-yaml@1000.3.1
605
+ - @pnpm/patching.config@1001.0.1
606
+
607
+ ## 1002.0.0
608
+
609
+ ### Major Changes
610
+
611
+ - 5f7be64: Add an ability to patch dependencies by version ranges. Exact versions override version ranges, which in turn override name-only patches. Version range `*` is the same as name-only, except that patch application failure will not be ignored.
612
+
613
+ For example:
614
+
615
+ ```yaml
616
+ patchedDependencies:
617
+ foo: patches/foo-1.patch
618
+ foo@^2.0.0: patches/foo-2.patch
619
+ foo@2.1.0: patches/foo-3.patch
620
+ ```
621
+
622
+ The above configuration would apply `patches/foo-3.patch` to `foo@2.1.0`, `patches/foo-2.patch` to all `foo` versions which satisfy `^2.0.0` except `2.1.0`, and `patches/foo-1.patch` to the remaining `foo` versions.
623
+
624
+ > [!WARNING]
625
+ > The version ranges should not overlap. If you want to specialize a sub range, make sure to exclude it from the other keys. For example:
626
+ >
627
+ > ```yaml
628
+ > # pnpm-workspace.yaml
629
+ > patchedDependencies:
630
+ > # the specialized sub range
631
+ > 'foo@2.2.0-2.8.0': patches/foo.2.2.0-2.8.0.patch
632
+ > # the more general patch, excluding the sub range above
633
+ > 'foo@>=2.0.0 <2.2.0 || >2.8.0': 'patches/foo.gte2.patch
634
+ > ```
635
+ >
636
+ > In most cases, however, it's sufficient to just define an exact version to override the range.
637
+
638
+ ### Patch Changes
639
+
640
+ - Updated dependencies [5f7be64]
641
+ - Updated dependencies [5f7be64]
642
+ - Updated dependencies [64f6b4f]
643
+ - Updated dependencies [5f7be64]
644
+ - @pnpm/patching.config@1001.0.0
645
+ - @pnpm/patching.types@1000.1.0
646
+ - @pnpm/types@1000.3.0
647
+ - @pnpm/modules-yaml@1000.3.0
648
+ - @pnpm/package-is-installable@1000.0.7
649
+ - @pnpm/lockfile.fs@1001.1.8
650
+ - @pnpm/lockfile.utils@1001.0.7
651
+ - @pnpm/core-loggers@1000.1.5
652
+ - @pnpm/dependency-path@1000.0.6
653
+ - @pnpm/store-controller-types@1001.0.5
654
+
655
+ ## 1001.0.10
656
+
657
+ ### Patch Changes
658
+
659
+ - Updated dependencies [d612dcf]
660
+ - Updated dependencies [d612dcf]
661
+ - @pnpm/modules-yaml@1000.2.0
662
+ - @pnpm/lockfile.utils@1001.0.6
663
+ - @pnpm/store-controller-types@1001.0.4
664
+ - @pnpm/lockfile.fs@1001.1.7
665
+
666
+ ## 1001.0.9
667
+
668
+ ### Patch Changes
669
+
670
+ - @pnpm/dependency-path@1000.0.5
671
+ - @pnpm/lockfile.fs@1001.1.6
672
+ - @pnpm/lockfile.utils@1001.0.5
673
+
674
+ ## 1001.0.8
675
+
676
+ ### Patch Changes
677
+
678
+ - Updated dependencies [a5e4965]
679
+ - @pnpm/types@1000.2.1
680
+ - @pnpm/dependency-path@1000.0.4
681
+ - @pnpm/package-is-installable@1000.0.6
682
+ - @pnpm/lockfile.fs@1001.1.5
683
+ - @pnpm/lockfile.utils@1001.0.4
684
+ - @pnpm/core-loggers@1000.1.4
685
+ - @pnpm/modules-yaml@1000.1.4
686
+ - @pnpm/store-controller-types@1001.0.3
687
+
688
+ ## 1001.0.7
689
+
690
+ ### Patch Changes
691
+
692
+ - Updated dependencies [8fcc221]
693
+ - @pnpm/types@1000.2.0
694
+ - @pnpm/package-is-installable@1000.0.5
695
+ - @pnpm/lockfile.fs@1001.1.4
696
+ - @pnpm/lockfile.utils@1001.0.3
697
+ - @pnpm/core-loggers@1000.1.3
698
+ - @pnpm/dependency-path@1000.0.3
699
+ - @pnpm/modules-yaml@1000.1.3
700
+ - @pnpm/store-controller-types@1001.0.2
701
+
702
+ ## 1001.0.6
703
+
704
+ ### Patch Changes
705
+
706
+ - @pnpm/lockfile.fs@1001.1.3
707
+
708
+ ## 1001.0.5
709
+
710
+ ### Patch Changes
711
+
712
+ - Updated dependencies [9a44e6c]
713
+ - Updated dependencies [b562deb]
714
+ - @pnpm/constants@1001.1.0
715
+ - @pnpm/types@1000.1.1
716
+ - @pnpm/lockfile.fs@1001.1.2
717
+ - @pnpm/package-is-installable@1000.0.4
718
+ - @pnpm/lockfile.utils@1001.0.2
719
+ - @pnpm/core-loggers@1000.1.2
720
+ - @pnpm/dependency-path@1000.0.2
721
+ - @pnpm/modules-yaml@1000.1.2
722
+ - @pnpm/store-controller-types@1001.0.1
723
+
724
+ ## 1001.0.4
725
+
726
+ ### Patch Changes
727
+
728
+ - Updated dependencies [dde650b]
729
+ - @pnpm/store-controller-types@1001.0.0
730
+
731
+ ## 1001.0.3
732
+
733
+ ### Patch Changes
734
+
735
+ - Updated dependencies [9591a18]
736
+ - @pnpm/types@1000.1.0
737
+ - @pnpm/package-is-installable@1000.0.3
738
+ - @pnpm/lockfile.fs@1001.1.1
739
+ - @pnpm/lockfile.utils@1001.0.1
740
+ - @pnpm/core-loggers@1000.1.1
741
+ - @pnpm/dependency-path@1000.0.1
742
+ - @pnpm/modules-yaml@1000.1.1
743
+ - @pnpm/store-controller-types@1000.1.1
744
+
745
+ ## 1001.0.2
746
+
747
+ ### Patch Changes
748
+
749
+ - Updated dependencies [516c4b3]
750
+ - Updated dependencies [4771813]
751
+ - @pnpm/core-loggers@1000.1.0
752
+ - @pnpm/modules-yaml@1000.1.0
753
+ - @pnpm/package-is-installable@1000.0.2
754
+
755
+ ## 1001.0.1
756
+
757
+ ### Patch Changes
758
+
759
+ - Updated dependencies [3f0e4f0]
760
+ - @pnpm/lockfile.fs@1001.1.0
761
+
762
+ ## 1001.0.0
763
+
764
+ ### Major Changes
765
+
766
+ - a76da0c: Removed lockfile conversion from v6 to v9. If you need to convert lockfile v6 to v9, use pnpm CLI v9.
767
+
768
+ ### Patch Changes
769
+
770
+ - Updated dependencies [d2e83b0]
771
+ - Updated dependencies [6483b64]
772
+ - Updated dependencies [a76da0c]
773
+ - @pnpm/constants@1001.0.0
774
+ - @pnpm/store-controller-types@1000.1.0
775
+ - @pnpm/lockfile.utils@1001.0.0
776
+ - @pnpm/lockfile.fs@1001.0.0
777
+ - @pnpm/package-is-installable@1000.0.1
778
+
779
+ ## 2.0.6
780
+
781
+ ### Patch Changes
782
+
783
+ - Updated dependencies [19d5b51]
784
+ - Updated dependencies [8108680]
785
+ - Updated dependencies [dcd2917]
786
+ - Updated dependencies [e476b07]
787
+ - Updated dependencies [d55b259]
788
+ - Updated dependencies [c4f5231]
789
+ - @pnpm/constants@10.0.0
790
+ - @pnpm/dependency-path@6.0.0
791
+ - @pnpm/package-is-installable@9.0.12
792
+ - @pnpm/lockfile.fs@1.0.6
793
+ - @pnpm/lockfile.utils@1.0.5
794
+ - @pnpm/store-controller-types@18.1.6
795
+
796
+ ## 2.0.5
797
+
798
+ ### Patch Changes
799
+
800
+ - @pnpm/package-is-installable@9.0.11
801
+ - @pnpm/dependency-path@5.1.7
802
+ - @pnpm/lockfile.fs@1.0.5
803
+ - @pnpm/lockfile.utils@1.0.4
804
+
805
+ ## 2.0.4
806
+
807
+ ### Patch Changes
808
+
809
+ - Updated dependencies [83681da]
810
+ - @pnpm/constants@9.0.0
811
+ - @pnpm/lockfile.fs@1.0.4
812
+ - @pnpm/package-is-installable@9.0.10
813
+
814
+ ## 2.0.3
815
+
816
+ ### Patch Changes
817
+
818
+ - Updated dependencies [d500d9f]
819
+ - @pnpm/types@12.2.0
820
+ - @pnpm/package-is-installable@9.0.9
821
+ - @pnpm/lockfile.fs@1.0.3
822
+ - @pnpm/lockfile.utils@1.0.3
823
+ - @pnpm/core-loggers@10.0.7
824
+ - @pnpm/dependency-path@5.1.6
825
+ - @pnpm/modules-yaml@13.1.7
826
+ - @pnpm/store-controller-types@18.1.6
827
+
828
+ ## 2.0.2
829
+
830
+ ### Patch Changes
831
+
832
+ - Updated dependencies [7ee59a1]
833
+ - @pnpm/types@12.1.0
834
+ - @pnpm/package-is-installable@9.0.8
835
+ - @pnpm/lockfile.fs@1.0.2
836
+ - @pnpm/lockfile.utils@1.0.2
837
+ - @pnpm/core-loggers@10.0.6
838
+ - @pnpm/dependency-path@5.1.5
839
+ - @pnpm/modules-yaml@13.1.6
840
+ - @pnpm/store-controller-types@18.1.5
841
+
842
+ ## 2.0.1
843
+
844
+ ### Patch Changes
845
+
846
+ - Updated dependencies [33ba536]
847
+ - @pnpm/package-is-installable@9.0.7
848
+
849
+ ## 2.0.0
850
+
851
+ ### Major Changes
852
+
853
+ - cb006df: Add ability to apply patch to all versions:
854
+ If the key of `pnpm.patchedDependencies` is a package name without a version (e.g. `pkg`), pnpm will attempt to apply the patch to all versions of
855
+ the package, failure will be skipped.
856
+ If it is a package name and an exact version (e.g. `pkg@x.y.z`), pnpm will attempt to apply the patch to that exact version only, failure will
857
+ cause pnpm to fail.
858
+
859
+ If there's only one version of `pkg` installed, `pnpm patch pkg` and subsequent `pnpm patch-commit $edit_dir` will create an entry named `pkg` in
860
+ `pnpm.patchedDependencies`. And pnpm will attempt to apply this patch to other versions of `pkg` in the future.
861
+
862
+ If there's multiple versions of `pkg` installed, `pnpm patch pkg` will ask which version to edit and whether to attempt to apply the patch to all.
863
+ If the user chooses to apply the patch to all, `pnpm patch-commit $edit_dir` would create a `pkg` entry in `pnpm.patchedDependencies`.
864
+ If the user chooses not to apply the patch to all, `pnpm patch-commit $edit_dir` would create a `pkg@x.y.z` entry in `pnpm.patchedDependencies` with
865
+ `x.y.z` being the version the user chose to edit.
866
+
867
+ If the user runs `pnpm patch pkg@x.y.z` with `x.y.z` being the exact version of `pkg` that has been installed, `pnpm patch-commit $edit_dir` will always
868
+ create a `pkg@x.y.z` entry in `pnpm.patchedDependencies`.
869
+
870
+ ### Patch Changes
871
+
872
+ - Updated dependencies [cb006df]
873
+ - @pnpm/patching.config@1.0.0
874
+ - @pnpm/patching.types@1.0.0
875
+ - @pnpm/types@12.0.0
876
+ - @pnpm/lockfile.fs@1.0.1
877
+ - @pnpm/lockfile.utils@1.0.1
878
+ - @pnpm/package-is-installable@9.0.6
879
+ - @pnpm/core-loggers@10.0.5
880
+ - @pnpm/dependency-path@5.1.4
881
+ - @pnpm/modules-yaml@13.1.5
882
+ - @pnpm/store-controller-types@18.1.4
883
+
884
+ ## 1.1.9
885
+
886
+ ### Patch Changes
887
+
888
+ - Updated dependencies [c5ef9b0]
889
+ - Updated dependencies [8055a30]
890
+ - @pnpm/lockfile.utils@1.0.0
891
+ - @pnpm/lockfile.fs@1.0.0
892
+
893
+ ## 1.1.8
894
+
895
+ ### Patch Changes
896
+
897
+ - Updated dependencies [0ef168b]
898
+ - @pnpm/types@11.1.0
899
+ - @pnpm/package-is-installable@9.0.5
900
+ - @pnpm/lockfile-file@9.1.3
901
+ - @pnpm/lockfile-utils@11.0.4
902
+ - @pnpm/core-loggers@10.0.4
903
+ - @pnpm/dependency-path@5.1.3
904
+ - @pnpm/modules-yaml@13.1.4
905
+ - @pnpm/store-controller-types@18.1.3
906
+
907
+ ## 1.1.7
908
+
909
+ ### Patch Changes
910
+
911
+ - Updated dependencies [dd00eeb]
912
+ - Updated dependencies
913
+ - @pnpm/types@11.0.0
914
+ - @pnpm/lockfile-utils@11.0.3
915
+ - @pnpm/store-controller-types@18.1.2
916
+ - @pnpm/package-is-installable@9.0.4
917
+ - @pnpm/lockfile-file@9.1.2
918
+ - @pnpm/core-loggers@10.0.3
919
+ - @pnpm/dependency-path@5.1.2
920
+ - @pnpm/modules-yaml@13.1.3
921
+
922
+ ## 1.1.6
923
+
924
+ ### Patch Changes
925
+
926
+ - Updated dependencies [13e55b2]
927
+ - @pnpm/types@10.1.1
928
+ - @pnpm/package-is-installable@9.0.3
929
+ - @pnpm/lockfile-file@9.1.1
930
+ - @pnpm/lockfile-utils@11.0.2
931
+ - @pnpm/core-loggers@10.0.2
932
+ - @pnpm/dependency-path@5.1.1
933
+ - @pnpm/modules-yaml@13.1.2
934
+ - @pnpm/store-controller-types@18.1.1
935
+
936
+ ## 1.1.5
937
+
938
+ ### Patch Changes
939
+
940
+ - Updated dependencies [47341e5]
941
+ - @pnpm/dependency-path@5.1.0
942
+ - @pnpm/lockfile-file@9.1.0
943
+ - @pnpm/lockfile-utils@11.0.1
944
+
945
+ ## 1.1.4
946
+
947
+ ### Patch Changes
948
+
949
+ - Updated dependencies [0c08e1c]
950
+ - @pnpm/store-controller-types@18.1.0
951
+
952
+ ## 1.1.3
953
+
954
+ ### Patch Changes
955
+
956
+ - Updated dependencies [45f4262]
957
+ - Updated dependencies
958
+ - @pnpm/types@10.1.0
959
+ - @pnpm/lockfile-utils@11.0.0
960
+ - @pnpm/dependency-path@5.0.0
961
+ - @pnpm/package-is-installable@9.0.2
962
+ - @pnpm/lockfile-file@9.0.6
963
+ - @pnpm/core-loggers@10.0.1
964
+ - @pnpm/modules-yaml@13.1.1
965
+ - @pnpm/store-controller-types@18.0.1
966
+
967
+ ## 1.1.2
968
+
969
+ ### Patch Changes
970
+
971
+ - @pnpm/package-is-installable@9.0.1
972
+ - @pnpm/lockfile-file@9.0.5
973
+
974
+ ## 1.1.1
975
+
976
+ ### Patch Changes
977
+
978
+ - Updated dependencies [7a0536e]
979
+ - @pnpm/lockfile-utils@10.1.1
980
+ - @pnpm/lockfile-file@9.0.4
981
+
982
+ ## 1.1.0
983
+
984
+ ### Minor Changes
985
+
986
+ - 9719a42: New setting called `virtual-store-dir-max-length` added to modify the maximum allowed length of the directories inside `node_modules/.pnpm`. The default length is set to 120 characters. This setting is particularly useful on Windows, where there is a limit to the maximum length of a file path [#7355](https://github.com/pnpm/pnpm/issues/7355).
987
+
988
+ ### Patch Changes
989
+
990
+ - Updated dependencies [9719a42]
991
+ - @pnpm/dependency-path@4.0.0
992
+ - @pnpm/modules-yaml@13.1.0
993
+ - @pnpm/lockfile-utils@10.1.0
994
+ - @pnpm/lockfile-file@9.0.3
995
+
996
+ ## 1.0.3
997
+
998
+ ### Patch Changes
999
+
1000
+ - Updated dependencies [c969f37]
1001
+ - @pnpm/lockfile-file@9.0.2
1002
+
1003
+ ## 1.0.2
1004
+
1005
+ ### Patch Changes
1006
+
1007
+ - Updated dependencies [2cbf7b7]
1008
+ - Updated dependencies [6b6ca69]
1009
+ - @pnpm/lockfile-file@9.0.1
1010
+
1011
+ ## 1.0.1
1012
+
1013
+ ### Patch Changes
1014
+
1015
+ - b7d2ed4: The `engines.pnpm` field in the `package.json` files of dependencies should be ignored [#7965](https://github.com/pnpm/pnpm/issues/7965).
1016
+
1017
+ ## 1.0.0
1018
+
1019
+ ### Major Changes
1020
+
1021
+ - 43cdd87: Node.js v16 support dropped. Use at least Node.js v18.12.
1022
+
1023
+ ### Minor Changes
1024
+
1025
+ - cdd8365: Package ID does not contain the registry domain.
1026
+ - 730929e: Add a field named `ignoredOptionalDependencies`. This is an array of strings. If an optional dependency has its name included in this array, it will be skipped.
1027
+
1028
+ ### Patch Changes
1029
+
1030
+ - Updated dependencies [7733f3a]
1031
+ - Updated dependencies [cdd8365]
1032
+ - Updated dependencies [c692f80]
1033
+ - Updated dependencies [89b396b]
1034
+ - Updated dependencies [43cdd87]
1035
+ - Updated dependencies [086b69c]
1036
+ - Updated dependencies [d381a60]
1037
+ - Updated dependencies [f67ad31]
1038
+ - Updated dependencies [730929e]
1039
+ - Updated dependencies [98a1266]
1040
+ - @pnpm/types@10.0.0
1041
+ - @pnpm/dependency-path@3.0.0
1042
+ - @pnpm/lockfile-utils@10.0.0
1043
+ - @pnpm/constants@8.0.0
1044
+ - @pnpm/package-is-installable@9.0.0
1045
+ - @pnpm/store-controller-types@18.0.0
1046
+ - @pnpm/modules-yaml@13.0.0
1047
+ - @pnpm/lockfile-file@9.0.0
1048
+ - @pnpm/core-loggers@10.0.0
1049
+
1050
+ ## 0.2.8
1051
+
1052
+ ### Patch Changes
1053
+
1054
+ - Updated dependencies [31054a63e]
1055
+ - @pnpm/store-controller-types@17.2.0
1056
+ - @pnpm/lockfile-utils@9.0.5
1057
+
1058
+ ## 0.2.7
1059
+
1060
+ ### Patch Changes
1061
+
1062
+ - Updated dependencies [d349bc3a2]
1063
+ - @pnpm/modules-yaml@12.1.7
1064
+
1065
+ ## 0.2.6
1066
+
1067
+ ### Patch Changes
1068
+
1069
+ - Updated dependencies [4d34684f1]
1070
+ - @pnpm/types@9.4.2
1071
+ - @pnpm/lockfile-file@8.1.6
1072
+ - @pnpm/lockfile-utils@9.0.4
1073
+ - @pnpm/package-is-installable@8.1.2
1074
+ - @pnpm/core-loggers@9.0.6
1075
+ - @pnpm/dependency-path@2.1.7
1076
+ - @pnpm/modules-yaml@12.1.6
1077
+ - @pnpm/store-controller-types@17.1.4
1078
+
1079
+ ## 0.2.5
1080
+
1081
+ ### Patch Changes
1082
+
1083
+ - Updated dependencies
1084
+ - @pnpm/types@9.4.1
1085
+ - @pnpm/lockfile-file@8.1.5
1086
+ - @pnpm/lockfile-utils@9.0.3
1087
+ - @pnpm/package-is-installable@8.1.1
1088
+ - @pnpm/core-loggers@9.0.5
1089
+ - @pnpm/dependency-path@2.1.6
1090
+ - @pnpm/modules-yaml@12.1.5
1091
+ - @pnpm/store-controller-types@17.1.3
1092
+
1093
+ ## 0.2.4
1094
+
1095
+ ### Patch Changes
1096
+
1097
+ - Updated dependencies [d5a176af7]
1098
+ - @pnpm/lockfile-utils@9.0.2
1099
+
1100
+ ## 0.2.3
1101
+
1102
+ ### Patch Changes
1103
+
1104
+ - Updated dependencies [b4194fe52]
1105
+ - @pnpm/lockfile-utils@9.0.1
1106
+
1107
+ ## 0.2.2
1108
+
1109
+ ### Patch Changes
1110
+
1111
+ - fe1f0f734: Fixed a performance regression on running installation on a project with an up to date lockfile [#7297](https://github.com/pnpm/pnpm/issues/7297).
1112
+ - Updated dependencies [291607c5a]
1113
+ - @pnpm/store-controller-types@17.1.2
1114
+
1115
+ ## 0.2.1
1116
+
1117
+ ### Patch Changes
1118
+
1119
+ - Updated dependencies [4c2450208]
1120
+ - Updated dependencies [7ea45afbe]
1121
+ - @pnpm/lockfile-utils@9.0.0
1122
+ - @pnpm/store-controller-types@17.1.1
1123
+
1124
+ ## 0.2.0
1125
+
1126
+ ### Minor Changes
1127
+
1128
+ - 43ce9e4a6: Support for multiple architectures when installing dependencies [#5965](https://github.com/pnpm/pnpm/issues/5965).
1129
+
1130
+ You can now specify architectures for which you'd like to install optional dependencies, even if they don't match the architecture of the system running the install. Use the `supportedArchitectures` field in `package.json` to define your preferences.
1131
+
1132
+ For example, the following configuration tells pnpm to install optional dependencies for Windows x64:
1133
+
1134
+ ```json
1135
+ {
1136
+ "pnpm": {
1137
+ "supportedArchitectures": {
1138
+ "os": ["win32"],
1139
+ "cpu": ["x64"]
1140
+ }
1141
+ }
1142
+ }
1143
+ ```
1144
+
1145
+ Whereas this configuration will have pnpm install optional dependencies for Windows, macOS, and the architecture of the system currently running the install. It includes artifacts for both x64 and arm64 CPUs:
1146
+
1147
+ ```json
1148
+ {
1149
+ "pnpm": {
1150
+ "supportedArchitectures": {
1151
+ "os": ["win32", "darwin", "current"],
1152
+ "cpu": ["x64", "arm64"]
1153
+ }
1154
+ }
1155
+ }
1156
+ ```
1157
+
1158
+ Additionally, `supportedArchitectures` also supports specifying the `libc` of the system.
1159
+
1160
+ ### Patch Changes
1161
+
1162
+ - Updated dependencies [43ce9e4a6]
1163
+ - @pnpm/package-is-installable@8.1.0
1164
+ - @pnpm/store-controller-types@17.1.0
1165
+ - @pnpm/types@9.4.0
1166
+ - @pnpm/lockfile-file@8.1.4
1167
+ - @pnpm/lockfile-utils@8.0.7
1168
+ - @pnpm/core-loggers@9.0.4
1169
+ - @pnpm/dependency-path@2.1.5
1170
+ - @pnpm/modules-yaml@12.1.4
1171
+
1172
+ ## 0.1.5
1173
+
1174
+ ### Patch Changes
1175
+
1176
+ - Updated dependencies [d774a3196]
1177
+ - @pnpm/types@9.3.0
1178
+ - @pnpm/package-is-installable@8.0.5
1179
+ - @pnpm/lockfile-file@8.1.3
1180
+ - @pnpm/lockfile-utils@8.0.6
1181
+ - @pnpm/core-loggers@9.0.3
1182
+ - @pnpm/dependency-path@2.1.4
1183
+ - @pnpm/modules-yaml@12.1.3
1184
+ - @pnpm/store-controller-types@17.0.1
1185
+
1186
+ ## 0.1.4
1187
+
1188
+ ### Patch Changes
1189
+
1190
+ - Updated dependencies [f394cfccd]
1191
+ - @pnpm/lockfile-utils@8.0.5
1192
+
1193
+ ## 0.1.3
1194
+
1195
+ ### Patch Changes
1196
+
1197
+ - Updated dependencies [9caa33d53]
1198
+ - Updated dependencies [9caa33d53]
1199
+ - @pnpm/store-controller-types@17.0.0
1200
+
1201
+ ## 0.1.2
1202
+
1203
+ ### Patch Changes
1204
+
1205
+ - Updated dependencies [03cdccc6e]
1206
+ - @pnpm/store-controller-types@16.1.0
1207
+
1208
+ ## 0.1.1
1209
+
1210
+ ### Patch Changes
1211
+
1212
+ - @pnpm/store-controller-types@16.0.1
1213
+
1214
+ ## 0.1.0
1215
+
1216
+ ### Minor Changes
1217
+
1218
+ - 494f87544: Breaking changes to the API.
1219
+
1220
+ ### Patch Changes
1221
+
1222
+ - Updated dependencies [494f87544]
1223
+ - Updated dependencies [e9aa6f682]
1224
+ - @pnpm/store-controller-types@16.0.0
1225
+ - @pnpm/lockfile-utils@8.0.4
1226
+
1227
+ ## 0.0.1
1228
+
1229
+ ### Patch Changes
1230
+
1231
+ - Updated dependencies [aa2ae8fe2]
1232
+ - @pnpm/types@9.2.0
1233
+ - @pnpm/package-is-installable@8.0.4
1234
+ - @pnpm/lockfile-file@8.1.2
1235
+ - @pnpm/lockfile-utils@8.0.3
1236
+ - @pnpm/core-loggers@9.0.2
1237
+ - @pnpm/dependency-path@2.1.3
1238
+ - @pnpm/modules-yaml@12.1.2
1239
+ - @pnpm/store-controller-types@15.0.2
@@ -4,6 +4,7 @@ import { packageIsInstallable } from '@pnpm/config.package-is-installable';
4
4
  import { WANTED_LOCKFILE } from '@pnpm/constants';
5
5
  import { progressLogger, } from '@pnpm/core-loggers';
6
6
  import * as dp from '@pnpm/deps.path';
7
+ import { safeJoinModulesDir } from '@pnpm/fs.symlink-dependency';
7
8
  import { packageIdFromSnapshot, pkgSnapshotToResolution, } from '@pnpm/lockfile.utils';
8
9
  import { logger } from '@pnpm/logger';
9
10
  import { getPatchInfo } from '@pnpm/patching.config';
@@ -102,7 +103,11 @@ async function buildGraphFromPackages(lockfile, currentLockfile, opts) {
102
103
  equals(currentPackages[depPath].dependencies, pkgSnapshot.dependencies);
103
104
  const depIntegrityIsUnchanged = isIntegrityEqual(pkgSnapshot.resolution, currentPackages[depPath]?.resolution);
104
105
  const modules = path.join(dirInVirtualStore, 'node_modules');
105
- const dir = path.join(modules, pkgName);
106
+ // `pkgName` is reconstructed from the (attacker-controllable) lockfile
107
+ // depPath key via `dp.parse`, which does no validation. Contain it here so
108
+ // a traversal name (e.g. `../../../tmp/x`) can't make the package import
109
+ // escape the virtual store. Mirrors the guard on the hoisted linker.
110
+ const dir = safeJoinModulesDir(modules, pkgName);
106
111
  locationByDepPath[depPath] = dir;
107
112
  // Track directory deps for injected workspace packages
108
113
  if (isDirectoryDep) {
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pnpm/deps.graph-builder",
3
- "version": "1100.0.19",
3
+ "version": "1100.0.21",
4
4
  "description": "A package for building a dependency graph from a lockfile",
5
5
  "keywords": [
6
6
  "pnpm",
@@ -27,29 +27,31 @@
27
27
  "!*.map"
28
28
  ],
29
29
  "dependencies": {
30
- "path-exists": "^5.0.0",
31
- "ramda": "npm:@pnpm/ramda@0.28.1",
32
30
  "@pnpm/config.package-is-installable": "1100.0.12",
33
31
  "@pnpm/constants": "1100.0.0",
34
- "@pnpm/deps.graph-hasher": "1100.2.7",
32
+ "@pnpm/core-loggers": "1100.2.1",
33
+ "@pnpm/deps.graph-hasher": "1100.2.9",
35
34
  "@pnpm/deps.path": "1100.0.8",
36
- "@pnpm/lockfile.fs": "1100.1.8",
37
- "@pnpm/lockfile.utils": "1100.1.1",
35
+ "@pnpm/fs.symlink-dependency": "1100.0.10",
36
+ "@pnpm/hooks.types": "1100.2.0",
38
37
  "@pnpm/installing.modules-yaml": "1100.0.9",
38
+ "@pnpm/lockfile.fs": "1100.1.10",
39
+ "@pnpm/lockfile.utils": "1100.1.2",
40
+ "@pnpm/patching.config": "1100.0.9",
39
41
  "@pnpm/patching.types": "1100.0.0",
40
42
  "@pnpm/store.controller-types": "1100.1.7",
41
43
  "@pnpm/types": "1101.3.2",
42
- "@pnpm/core-loggers": "1100.2.1",
43
- "@pnpm/hooks.types": "1100.1.1",
44
- "@pnpm/patching.config": "1100.0.9"
44
+ "path-exists": "^5.0.0",
45
+ "ramda": "npm:@pnpm/ramda@0.28.1"
45
46
  },
46
47
  "peerDependencies": {
47
48
  "@pnpm/logger": "^1100.0.0"
48
49
  },
49
50
  "devDependencies": {
50
- "@types/ramda": "0.31.1",
51
- "@pnpm/deps.graph-builder": "1100.0.19",
52
- "@pnpm/logger": "1100.0.0"
51
+ "@jest/globals": "30.4.1",
52
+ "@pnpm/deps.graph-builder": "1100.0.21",
53
+ "@pnpm/logger": "1100.0.0",
54
+ "@types/ramda": "0.31.1"
53
55
  },
54
56
  "engines": {
55
57
  "node": ">=22.13"
@@ -58,8 +60,9 @@
58
60
  "preset": "@pnpm/jest-config"
59
61
  },
60
62
  "scripts": {
61
- "lint": "eslint \"src/**/*.ts\"",
62
- "test": "pn compile",
63
- "compile": "tsgo --build && pn lint --fix"
63
+ "lint": "eslint \"src/**/*.ts\" \"test/**/*.ts\"",
64
+ "test": "pn compile && pn .test",
65
+ "compile": "tsgo --build && pn lint --fix",
66
+ ".test": "cross-env NODE_OPTIONS=\"$NODE_OPTIONS --experimental-vm-modules --disable-warning=ExperimentalWarning --disable-warning=DEP0169\" jest"
64
67
  }
65
68
  }