@pnpm/pnpr.client 1.3.1 → 1.3.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/CHANGELOG.md +188 -0
  2. package/package.json +5 -5
package/CHANGELOG.md ADDED
@@ -0,0 +1,188 @@
1
+ # @pnpm/agent.client
2
+
3
+ ## 1.3.3
4
+
5
+ ### Patch Changes
6
+
7
+ - Updated dependencies:
8
+ - @pnpm/lockfile.fs@1100.1.11
9
+ - @pnpm/lockfile.types@1100.0.14
10
+
11
+ ## 1.3.2
12
+
13
+ ### Patch Changes
14
+
15
+ - @pnpm/lockfile.fs@1100.1.10
16
+
17
+ ## 1.3.1
18
+
19
+ ### Patch Changes
20
+
21
+ - Updated dependencies [f8058eb]
22
+ - @pnpm/lockfile.fs@1100.1.9
23
+
24
+ ## 1.3.0
25
+
26
+ ### Minor Changes
27
+
28
+ - 1dd12bd: When resolving through a pnpr install-accelerator server, pnpm no longer forwards its own upstream registry credentials in the resolve request. Only the `Authorization` header identifying the caller to pnpr is sent. The pnpr server now selects upstream credentials from its own route policy (operator-configured upstream credential aliases), so private dependencies resolve through a pnpr-managed alias the caller is authorized to use, rather than by sending the client's registry tokens to the server.
29
+
30
+ ### Patch Changes
31
+
32
+ - @pnpm/lockfile.types@1100.0.13
33
+ - @pnpm/lockfile.fs@1100.1.8
34
+
35
+ ## 1.2.3
36
+
37
+ ### Patch Changes
38
+
39
+ - 4d3fe4b: The pnpr resolver endpoints moved under the reserved `/-/pnpr` namespace: `POST /v1/resolve` is now `POST /-/pnpr/v0/resolve` and `POST /v1/verify-lockfile` is now `POST /-/pnpr/v0/verify-lockfile`. The capability handshake at `GET /-/pnpr` advertises protocol version `0` to match. This keeps every pnpr-proprietary route in npm's reserved namespace, so it can never collide with a package path.
40
+ - @pnpm/lockfile.types@1100.0.12
41
+ - @pnpm/lockfile.fs@1100.1.7
42
+
43
+ ## 1.2.2
44
+
45
+ ### Patch Changes
46
+
47
+ - Updated dependencies [61969fb]
48
+ - @pnpm/lockfile.fs@1100.1.6
49
+
50
+ ## 1.2.1
51
+
52
+ ### Patch Changes
53
+
54
+ - 681b593: pnpm can now use different auth tokens for different package scopes, even when those scopes use the same registry URL.
55
+
56
+ Previously, auth was selected only by registry URL. If `@org-a` and `@org-b` both used `https://npm.pkg.github.com/`, they had to share the same token. This caused problems for registries that issue tokens per organization or per scope.
57
+
58
+ Configure a scope-specific token by adding the package scope after the registry URL in the auth key:
59
+
60
+ ```ini
61
+ @org-a:registry=https://npm.pkg.github.com/
62
+ @org-b:registry=https://npm.pkg.github.com/
63
+
64
+ //npm.pkg.github.com/:@org-a:_authToken=${ORG_A_TOKEN}
65
+ //npm.pkg.github.com/:@org-b:_authToken=${ORG_B_TOKEN}
66
+
67
+ //npm.pkg.github.com/:_authToken=${FALLBACK_TOKEN}
68
+ ```
69
+
70
+ `pnpm login --registry=https://npm.pkg.github.com --scope=@org-a` writes the token to the same scope-specific auth key.
71
+
72
+ When installing or publishing `@org-a/*`, pnpm uses `ORG_A_TOKEN`. For `@org-b/*`, pnpm uses `ORG_B_TOKEN`. Packages without a matching scope continue to use the registry-wide fallback token.
73
+
74
+ - Updated dependencies [d50d691]
75
+ - Updated dependencies [a31faa7]
76
+ - @pnpm/lockfile.fs@1100.1.5
77
+ - @pnpm/lockfile.types@1100.0.11
78
+
79
+ ## 1.2.0
80
+
81
+ ### Minor Changes
82
+
83
+ - 089484a: The pnpr install accelerator is now used only to create the lockfile. Previously `POST /v1/install` returned the resolved lockfile **and** all missing file contents inline over a single connection, which was bandwidth-bound on cold/WAN installs (one TCP stream can't compete with a registry's parallel CDN fetches). The accelerator is now a two-phase flow: the pnpr server resolves and verifies the lockfile server-side (collapsing resolution's round-trip depth), then the client fetches every tarball directly from the registries in parallel, exactly like a normal install. This makes the accelerated path never slower than a plain install, and turns pnpr into a stateless resolver that stores no tarballs and serves no file content [#12230](https://github.com/pnpm/pnpm/issues/12230).
84
+
85
+ ### Patch Changes
86
+
87
+ - de32f83: The pnpr client now reads the `POST /v1/resolve` response as an `application/x-ndjson` stream, matching the server's streaming protocol [#12234](https://github.com/pnpm/pnpm/issues/12234). It parses the terminal `done` / `error` / `violations` frame instead of expecting a single buffered JSON object.
88
+ - @pnpm/lockfile.fs@1100.1.4
89
+ - @pnpm/lockfile.types@1100.0.10
90
+
91
+ ## 1.1.0
92
+
93
+ ### Minor Changes
94
+
95
+ - 5192edf: The pnpr install accelerator now forwards the caller's per-registry credentials on `POST /v1/install`, so it can resolve, verify, and fetch private dependencies from external registries as the caller. The client sends an `Authorization` header identifying itself to the pnpr server plus an `authHeaders` map of the registry tokens (built with `@pnpm/network.auth-header`), and the server threads those credentials through resolution and fetch instead of reaching the registry anonymously. Externally-resolved private content carries no pnpr access policy, so the server gates it per user against the owning registry — serving a cache hit only to a user the registry has cleared — and re-checks access (clearing it on a `401`/`403`) rather than letting the store's possession of the bytes authorize anyone. Packages the registry serves anonymously are classified public once (globally) and then served to everyone without per-user access checks, so a registry that mixes public and private packages doesn't pay the per-user cost for its public ones.
96
+ - f429f93: `pnpm install --lockfile-only` (and the `lockfileOnly` setting) is now honored when a `pnprServer` is configured. The pnpr path resolves and writes `pnpm-lock.yaml` but fetches no files into the store and links no `node_modules`, matching the local lockfile-only behavior. The client ignores any file/index lines an older pnpr server still streams, so the store stays untouched even against a server that predates the resolve-only mode [#12146](https://github.com/pnpm/pnpm/issues/12146).
97
+ - a017bf3: Renamed the experimental `agent` setting to `pnprServer` so the pnpm CLI matches the same setting name pacquet uses for offloading resolution to a [pnpr](https://github.com/pnpm/pnpm/tree/main/pnpr) server. Point pnpm at a pnpr server with `pnprServer: <url>` in `pnpm-workspace.yaml` (or `--pnpr-server <url>`); the previous `agent` / `--agent` name no longer works. The client package was likewise renamed from `@pnpm/agent.client` to `@pnpm/pnpr.client`.
98
+
99
+ ### Patch Changes
100
+
101
+ - a017bf3: Fixed `optionalDependencies` being dropped when resolving through a `pnprServer`. The pnpr request now carries each project's optional dependencies (for both single-project and workspace installs), so the server resolves them like the local resolver does instead of producing a lockfile as if they did not exist.
102
+ - 3b76b8e: The pnpr install accelerator now serves resolved files only in the single gzipped `POST /v1/install` response and authorizes every package whose bytes it serves against the server's access policy. The separate unauthenticated `POST /v1/files` endpoint has been removed: the client materializes the inlined files straight into its content-addressable store, and a content-addressed digest is no longer a bearer capability for a package the caller cannot read.
103
+ - Updated dependencies [3b76b8e]
104
+ - @pnpm/worker@1100.1.9
105
+ - @pnpm/lockfile.fs@1100.1.3
106
+ - @pnpm/lockfile.types@1100.0.9
107
+ - @pnpm/store.cafs@1100.1.8
108
+
109
+ ## 1.0.8
110
+
111
+ ### Patch Changes
112
+
113
+ - Updated dependencies [aa6149d]
114
+ - @pnpm/worker@1100.1.8
115
+ - @pnpm/lockfile.types@1100.0.8
116
+ - @pnpm/store.cafs@1100.1.7
117
+
118
+ ## 1.0.7
119
+
120
+ ### Patch Changes
121
+
122
+ - @pnpm/lockfile.types@1100.0.7
123
+ - @pnpm/store.cafs@1100.1.6
124
+ - @pnpm/worker@1100.1.7
125
+
126
+ ## 1.0.6
127
+
128
+ ### Patch Changes
129
+
130
+ - @pnpm/lockfile.types@1100.0.6
131
+ - @pnpm/store.cafs@1100.1.5
132
+ - @pnpm/worker@1100.1.6
133
+
134
+ ## 1.0.5
135
+
136
+ ### Patch Changes
137
+
138
+ - @pnpm/store.cafs@1100.1.4
139
+ - @pnpm/worker@1100.1.5
140
+
141
+ ## 1.0.4
142
+
143
+ ### Patch Changes
144
+
145
+ - @pnpm/lockfile.types@1100.0.5
146
+ - @pnpm/store.cafs@1100.1.3
147
+ - @pnpm/worker@1100.1.4
148
+
149
+ ## 1.0.3
150
+
151
+ ### Patch Changes
152
+
153
+ - Updated dependencies [0c67cb5]
154
+ - @pnpm/store.index@1100.1.0
155
+ - @pnpm/worker@1100.1.3
156
+
157
+ ## 1.0.2
158
+
159
+ ### Patch Changes
160
+
161
+ - Updated dependencies [27425d7]
162
+ - @pnpm/lockfile.types@1100.0.4
163
+ - @pnpm/store.cafs@1100.1.2
164
+ - @pnpm/worker@1100.1.2
165
+
166
+ ## 1.0.1
167
+
168
+ ### Patch Changes
169
+
170
+ - @pnpm/worker@1100.1.1
171
+ - @pnpm/lockfile.types@1100.0.3
172
+ - @pnpm/store.cafs@1100.1.1
173
+
174
+ ## 1.0.0
175
+
176
+ ### Patch Changes
177
+
178
+ - Updated dependencies [421317c]
179
+ - @pnpm/store.cafs@1100.1.0
180
+ - @pnpm/worker@1100.1.0
181
+
182
+ ## 0.0.1
183
+
184
+ ### Patch Changes
185
+
186
+ - @pnpm/lockfile.types@1100.0.2
187
+ - @pnpm/store.cafs@1100.0.2
188
+ - @pnpm/worker@1100.0.2
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@pnpm/pnpr.client",
3
- "version": "1.3.1",
3
+ "version": "1.3.3",
4
4
  "description": "Client for the pnpr server — resolves a project server-side and receives the resolved lockfile",
5
5
  "keywords": [
6
6
  "pnpm",
@@ -27,12 +27,12 @@
27
27
  "!*.map"
28
28
  ],
29
29
  "dependencies": {
30
- "@pnpm/lockfile.types": "1100.0.13",
31
- "@pnpm/lockfile.fs": "1100.1.9"
30
+ "@pnpm/lockfile.fs": "1100.1.11",
31
+ "@pnpm/lockfile.types": "1100.0.14"
32
32
  },
33
33
  "devDependencies": {
34
- "@pnpm/pnpr.client": "1.3.1",
35
- "@pnpm/types": "1101.3.2"
34
+ "@pnpm/pnpr.client": "1.3.3",
35
+ "@pnpm/types": "1101.4.0"
36
36
  },
37
37
  "engines": {
38
38
  "node": ">=22.13"