@pnpm/releasing.commands 1100.2.18 → 1100.3.1

package/lib/stage/parsing.js

@@ -0,0 +1,27 @@
+import { PnpmError } from '@pnpm/error';
+import npa from '@pnpm/npm-package-arg';
+const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;
+export function parseStagePackageSpec(rawSpec) {
+    let spec;
+    try {
+        spec = npa(rawSpec);
+    }
+    catch {
+        throw new PnpmError('INVALID_PACKAGE_SPEC', `Invalid package spec: ${rawSpec}`);
+    }
+    if (!spec.name) {
+        throw new PnpmError('INVALID_PACKAGE_SPEC', `Invalid package spec: ${rawSpec}`);
+    }
+    return { name: spec.name, rawSpec: spec.rawSpec };
+}
+export function requireStageId(params, subcommand) {
+    if (!params[0]) {
+        throw new PnpmError('STAGE_ID_REQUIRED', `Missing required <stage-id> for "pnpm stage ${subcommand}"`);
+    }
+    const stageId = params[0];
+    if (!UUID_REGEX.test(stageId)) {
+        throw new PnpmError('INVALID_STAGE_ID', 'stage-id must be a valid UUID');
+    }
+    return stageId;
+}
+//# sourceMappingURL=parsing.js.map

package/lib/stage/publish.d.ts

@@ -0,0 +1,7 @@
+import type { StageOptions } from './types.js';
+type StagePublishResult = {
+    exitCode?: number;
+    output?: string;
+} | undefined;
+export declare function stagePublish(opts: StageOptions, params: string[]): Promise<StagePublishResult>;
+export {};

package/lib/stage/publish.js

@@ -0,0 +1,38 @@
+import * as publishCommand from '../publish/publish.js';
+import { renderStagePublishSummary } from './rendering.js';
+export async function stagePublish(opts, params) {
+    const result = await publishCommand.publish({
+        ...opts,
+        stage: true,
+    }, params);
+    if (opts.json) {
+        if (result.publishSummary) {
+            return { output: JSON.stringify(keyByPackageName([result.publishSummary]), null, 2), exitCode: 0 };
+        }
+        if (result.publishedPackages) {
+            return { output: JSON.stringify(keyByPackageName(result.publishedPackages), null, 2), exitCode: result.exitCode ?? 0 };
+        }
+    }
+    const publishedPackages = result.publishSummary
+        ? [result.publishSummary]
+        : result.publishedPackages ?? [];
+    if (publishedPackages.length > 0) {
+        return {
+            output: publishedPackages.map((summary) => renderStagePublishSummary(summary, { dryRun: opts.dryRun === true })).join('\n'),
+            exitCode: result.exitCode ?? 0,
+        };
+    }
+    if (result.exitCode)
+        return { exitCode: result.exitCode };
+    return undefined;
+}
+function keyByPackageName(packages) {
+    const keyed = {};
+    for (const pkg of packages) {
+        const key = pkg.name ?? ('id' in pkg ? pkg.id : undefined);
+        if (key)
+            keyed[key] = pkg;
+    }
+    return keyed;
+}
+//# sourceMappingURL=publish.js.map

package/lib/stage/reject.d.ts

@@ -0,0 +1,2 @@
+import type { StageOptions } from './types.js';
+export declare function stageReject(opts: StageOptions, params: string[]): Promise<string>;

package/lib/stage/reject.js

@@ -0,0 +1,16 @@
+import { globalWarn } from '@pnpm/logger';
+import { createStageContext } from './context.js';
+import { requireStageId } from './parsing.js';
+import { stageRequestWithOtp } from './request.js';
+export async function stageReject(opts, params) {
+    const stageId = requireStageId(params, 'reject');
+    const context = createStageContext(opts);
+    globalWarn('Rejecting will permanently delete this staged publish record and tarball from the registry.');
+    await stageRequestWithOtp(context, {
+        url: new URL(`-/stage/${stageId}`, context.registry).href,
+        init: { method: 'DELETE' },
+        action: `reject staged package ${stageId}`,
+    });
+    return `Staged package ${stageId} has been rejected.`;
+}
+//# sourceMappingURL=reject.js.map

package/lib/stage/rendering.d.ts

@@ -0,0 +1,11 @@
+import type { PublishSummary } from '../tarball/publishSummary.js';
+import type { StageItem } from './types.js';
+export declare function renderStageItem(item: StageItem): string;
+export declare function renderTarballSummary(summary: PublishSummary): string;
+export declare function renderStagePublishSummary(summary: PublishSummary | {
+    name?: string;
+    version?: string;
+}, opts: {
+    dryRun: boolean;
+}): string;
+export declare function normalizePackageName(name: string): string;

package/lib/stage/rendering.js

@@ -0,0 +1,52 @@
+export function renderStageItem(item) {
+    const { id, packageName, version, tag, createdAt, actor, actorType, shasum, ...rest } = item;
+    return renderKeyValues({
+        id,
+        'package name': packageName,
+        version,
+        tag,
+        'date staged': createdAt,
+        'staged by': actorType ? `${actor ?? ''} (${actorType})` : actor,
+        shasum,
+        ...rest,
+    });
+}
+export function renderTarballSummary(summary) {
+    return `package: ${summary.name}@${summary.version}
+Tarball Contents
+${summary.files.map(({ path }) => path).join('\n')}
+Tarball Details
+name: ${summary.name}
+version: ${summary.version}
+filename: ${summary.filename}
+package size: ${summary.size}
+unpacked size: ${summary.unpackedSize}
+shasum: ${summary.shasum}
+integrity: ${summary.integrity}
+total files: ${summary.entryCount}`;
+}
+export function renderStagePublishSummary(summary, opts) {
+    const id = 'id' in summary && summary.id
+        ? summary.id
+        : summary.name && summary.version
+            ? `${summary.name}@${summary.version}`
+            : summary.name ?? '<unknown package>';
+    if (opts.dryRun)
+        return `+ ${id} (would stage)`;
+    if ('stageId' in summary && summary.stageId) {
+        return `+ ${id} (staged with id ${summary.stageId})`;
+    }
+    return `+ ${id} (staged)`;
+}
+export function normalizePackageName(name) {
+    return name.replace('@', '').replace('/', '-');
+}
+function renderKeyValues(values) {
+    return Object.entries(values)
+        .flatMap(([key, value]) => value == null ? [] : [`${key}: ${renderValue(value)}`])
+        .join('\n');
+}
+function renderValue(value) {
+    return typeof value === 'object' ? JSON.stringify(value) : String(value);
+}
+//# sourceMappingURL=rendering.js.map

package/lib/stage/request.d.ts

@@ -0,0 +1,29 @@
+import type { StageContext } from './context.js';
+export interface StageRequestInit {
+    body?: string;
+    headers?: Record<string, string>;
+    method: 'DELETE' | 'GET' | 'POST';
+}
+interface StageRequestParams {
+    url: string;
+    action: string;
+    init?: StageRequestInit;
+    otp?: string;
+}
+export declare function stageJsonRequest<T>(context: StageContext, params: {
+    url: string;
+    action: string;
+}): Promise<T>;
+/**
+ * Wraps {@link stageRequest} with OTP / web-auth handling. The first attempt
+ * carries any user-configured `--otp`; if the registry responds with an OTP
+ * challenge, `withOtpHandling` drives the browser-based authentication flow
+ * and retries the operation with the resulting token.
+ */
+export declare function stageRequestWithOtp(context: StageContext, params: {
+    url: string;
+    init: StageRequestInit;
+    action: string;
+}): Promise<Response>;
+export declare function stageRequest(context: StageContext, params: StageRequestParams): Promise<Response>;
+export {};

package/lib/stage/request.js

@@ -0,0 +1,110 @@
+import { globalWarn } from '@pnpm/logger';
+import { SyntheticOtpError, withOtpHandling } from '@pnpm/network.web-auth';
+import { createPublishContext } from '../publish/publishPackedPkg.js';
+import { StageRegistryError } from './errors.js';
+export async function stageJsonRequest(context, params) {
+    const response = await stageRequest(context, {
+        url: params.url,
+        action: params.action,
+        init: { method: 'GET' },
+    });
+    return await response.json();
+}
+/**
+ * Wraps {@link stageRequest} with OTP / web-auth handling. The first attempt
+ * carries any user-configured `--otp`; if the registry responds with an OTP
+ * challenge, `withOtpHandling` drives the browser-based authentication flow
+ * and retries the operation with the resulting token.
+ */
+export async function stageRequestWithOtp(context, params) {
+    return withOtpHandling({
+        context: createPublishContext(context.opts),
+        fetchOptions: createWebAuthFetchOptions(context.opts),
+        operation: async (otp) => stageRequest(context, {
+            url: params.url,
+            action: params.action,
+            init: params.init,
+            otp: otp ?? getConfiguredOtp(context.opts),
+        }),
+    });
+}
+export async function stageRequest(context, params) {
+    const init = params.init ?? { method: 'GET' };
+    const response = await context.fetchFromRegistry(params.url, {
+        authHeaderValue: context.authHeaderValue,
+        body: init.body,
+        fullMetadata: true,
+        headers: {
+            'npm-auth-type': 'web',
+            'npm-command': 'stage',
+            ...init.headers,
+            ...(params.otp != null ? { 'npm-otp': params.otp } : {}),
+        },
+        method: init.method,
+        timeout: context.opts.fetchTimeout,
+    });
+    if (!response.ok) {
+        await throwOnErrorResponse(response, params.action);
+    }
+    return response;
+}
+async function throwOnErrorResponse(response, action) {
+    let text = '';
+    try {
+        text = await response.text();
+    }
+    catch { }
+    let parsed;
+    try {
+        parsed = text ? JSON.parse(text) : undefined;
+    }
+    catch { }
+    if (response.status === 401 && isOtpChallenge(response, parsed)) {
+        throw SyntheticOtpError.fromUnknownBody(globalWarn, parsed);
+    }
+    throw new StageRegistryError({
+        action,
+        status: response.status,
+        statusText: response.statusText,
+        text,
+    });
+}
+/**
+ * Identify a 401 response as an OTP / web-auth challenge.
+ *
+ * Two signals are accepted because the npm registry uses one or both in
+ * practice: the legacy `www-authenticate: otp` header for classic TOTP,
+ * and a JSON body containing `authUrl` + `doneUrl` for the browser-based
+ * web-auth flow.
+ */
+function isOtpChallenge(response, body) {
+    if (hasWebAuthUrls(body))
+        return true;
+    const wwwAuthenticate = response.headers.get('www-authenticate')?.toLowerCase();
+    return wwwAuthenticate?.includes('otp') === true;
+}
+function hasWebAuthUrls(body) {
+    if (body == null || typeof body !== 'object')
+        return false;
+    const record = body;
+    return typeof record.authUrl === 'string' && typeof record.doneUrl === 'string';
+}
+function getConfiguredOtp(opts) {
+    if (typeof opts.otp === 'string')
+        return opts.otp;
+    const cliOtp = opts.cliOptions?.otp;
+    return typeof cliOtp === 'string' ? cliOtp : undefined;
+}
+function createWebAuthFetchOptions(opts) {
+    return {
+        method: 'GET',
+        retry: {
+            factor: opts.fetchRetryFactor,
+            maxTimeout: opts.fetchRetryMaxtimeout,
+            minTimeout: opts.fetchRetryMintimeout,
+            retries: opts.fetchRetries,
+        },
+        timeout: opts.fetchTimeout,
+    };
+}
+//# sourceMappingURL=request.js.map

package/lib/stage/types.d.ts

@@ -0,0 +1,38 @@
+import * as publishCommand from '../publish/publish.js';
+export declare const STAGE_SUBCOMMANDS: readonly ['publish', 'list', 'view', 'approve', 'reject', 'download'];
+export type StageSubcommand = (typeof STAGE_SUBCOMMANDS)[number];
+/**
+ * Options accepted by every `pnpm stage` subcommand.
+ *
+ * `pnpm stage publish` forwards to {@link publishCommand.publish}, so we
+ * intentionally inherit that command's option contract. The remaining
+ * subcommands need only a subset (registry/auth/fetch/retry settings),
+ * but accepting the full set keeps a single type across the dispatcher.
+ */
+export type StageOptions = Parameters<typeof publishCommand.publish>[0] & {
+    cliOptions?: Record<string, unknown>;
+    json?: boolean;
+    otp?: string;
+    registry?: string;
+};
+/**
+ * Single staged package version as returned by the registry's `-/stage` and
+ * `-/stage/<id>` endpoints. Every field is optional because the registry's
+ * exact schema is not pinned, and the index signature keeps future fields
+ * available to display without a code change.
+ */
+export interface StageItem {
+    id?: string;
+    packageName?: string;
+    version?: string;
+    tag?: string;
+    createdAt?: string;
+    actor?: string;
+    actorType?: string;
+    shasum?: string;
+    [key: string]: unknown;
+}
+export interface StageListResponse {
+    items: StageItem[];
+    total: number;
+}

package/lib/stage/types.js

@@ -0,0 +1,3 @@
+import * as publishCommand from '../publish/publish.js';
+export const STAGE_SUBCOMMANDS = ['publish', 'list', 'view', 'approve', 'reject', 'download'];
+//# sourceMappingURL=types.js.map

package/lib/stage/view.d.ts

@@ -0,0 +1,2 @@
+import type { StageOptions } from './types.js';
+export declare function stageView(opts: StageOptions, params: string[]): Promise<string>;

package/lib/stage/view.js

@@ -0,0 +1,14 @@
+import { createStageContext } from './context.js';
+import { requireStageId } from './parsing.js';
+import { renderStageItem } from './rendering.js';
+import { stageJsonRequest } from './request.js';
+export async function stageView(opts, params) {
+    const stageId = requireStageId(params, 'view');
+    const context = createStageContext(opts);
+    const item = await stageJsonRequest(context, {
+        url: new URL(`-/stage/${stageId}`, context.registry).href,
+        action: `view staged package ${stageId}`,
+    });
+    return opts.json ? JSON.stringify(item, null, 2) : renderStageItem(item);
+}
+//# sourceMappingURL=view.js.map

package/lib/tarball/index.d.ts

@@ -0,0 +1,2 @@
+export { extractBundledDependencies, type PublishSummary } from './publishSummary.js';
+export { summarizeTarball } from './summarizeTarball.js';

package/lib/tarball/index.js

@@ -0,0 +1,3 @@
+export { extractBundledDependencies } from './publishSummary.js';
+export { summarizeTarball } from './summarizeTarball.js';
+//# sourceMappingURL=index.js.map

package/lib/tarball/publishSummary.d.ts

@@ -0,0 +1,39 @@
+/**
+ * Per-package summary describing a successful publish, modeled after `npm publish --json`.
+ * Returned to callers and serialized to stdout when `pnpm publish --json` is used.
+ */
+export interface PublishSummary {
+    /** Human-readable identifier `${name}@${version}`. */
+    id: string;
+    name: string;
+    version: string;
+    /** Compressed tarball size in bytes. */
+    size: number;
+    /** Total uncompressed size of all files in the tarball, in bytes. */
+    unpackedSize: number;
+    /** Lowercase hex SHA-1 digest of the tarball. */
+    shasum: string;
+    /** SRI-formatted SHA-512 digest of the tarball (e.g. `sha512-...`). */
+    integrity: string;
+    /** Tarball file basename (e.g. `pkg-1.0.0.tgz`). */
+    filename: string;
+    /** Files inside the tarball, in the same shape `pnpm pack --json` emits. */
+    files: Array<{
+        path: string;
+    }>;
+    /** Number of files inside the tarball. */
+    entryCount: number;
+    /** Names of bundled dependencies included in the tarball (typically empty). */
+    bundled: string[];
+    /** Staged publish identifier returned by the registry. Only present for staged publishes. */
+    stageId?: string;
+}
+/**
+ * Normalize the two equivalent manifest keys (`bundledDependencies` and `bundleDependencies`)
+ * into a flat list of dependency names, matching npm's interpretation.
+ */
+export declare function extractBundledDependencies(manifest: {
+    bundledDependencies?: unknown;
+    bundleDependencies?: unknown;
+    dependencies?: Record<string, unknown>;
+}): string[];

package/lib/tarball/publishSummary.js

@@ -0,0 +1,16 @@
+/**
+ * Normalize the two equivalent manifest keys (`bundledDependencies` and `bundleDependencies`)
+ * into a flat list of dependency names, matching npm's interpretation.
+ */
+export function extractBundledDependencies(manifest) {
+    const raw = manifest.bundledDependencies ?? manifest.bundleDependencies;
+    if (!raw)
+        return [];
+    if (Array.isArray(raw))
+        return raw.filter((name) => typeof name === 'string');
+    // `true` means "bundle every dependency" per npm's semantics; expand it to the dependency names.
+    if (raw === true)
+        return Object.keys(manifest.dependencies ?? {});
+    return [];
+}
+//# sourceMappingURL=publishSummary.js.map

package/lib/tarball/summarizeTarball.d.ts

@@ -0,0 +1,12 @@
+import { type PublishSummary } from './publishSummary.js';
+/**
+ * Parse a packed (gzipped or plain) tarball buffer and return the same
+ * {@link PublishSummary} shape that `pnpm publish --json` emits.
+ *
+ * Used when we hold the tarball bytes already and need a summary without
+ * re-packing — e.g. inspecting a staged publish via `pnpm stage download`.
+ *
+ * @throws {@link PnpmError} with code `STAGE_TARBALL_MANIFEST_NOT_FOUND` when the tarball
+ *   does not contain `package/package.json`, or when that file is unparseable JSON.
+ */
+export declare function summarizeTarball(tarballData: Buffer): Promise<PublishSummary>;

package/lib/tarball/summarizeTarball.js

@@ -0,0 +1,86 @@
+import { createHash } from 'node:crypto';
+import { gunzipSync } from 'node:zlib';
+import { PnpmError } from '@pnpm/error';
+import tar from 'tar-stream';
+import { extractBundledDependencies } from './publishSummary.js';
+/**
+ * Parse a packed (gzipped or plain) tarball buffer and return the same
+ * {@link PublishSummary} shape that `pnpm publish --json` emits.
+ *
+ * Used when we hold the tarball bytes already and need a summary without
+ * re-packing — e.g. inspecting a staged publish via `pnpm stage download`.
+ *
+ * @throws {@link PnpmError} with code `STAGE_TARBALL_MANIFEST_NOT_FOUND` when the tarball
+ *   does not contain `package/package.json`, or when that file is unparseable JSON.
+ */
+export async function summarizeTarball(tarballData) {
+    const extract = tar.extract();
+    const files = [];
+    const bundled = new Set();
+    let manifest;
+    let entryCount = 0;
+    let unpackedSize = 0;
+    await new Promise((resolve, reject) => {
+        extract.on('entry', (header, stream, next) => {
+            const chunks = [];
+            if (header.type === 'file') {
+                entryCount++;
+                unpackedSize += header.size ?? 0;
+                files.push({ path: header.name.replace(/^package\//, '') });
+                const bundledMatch = /^package\/node_modules\/((?:@[^/]+\/)?[^/]+)/.exec(header.name);
+                if (bundledMatch?.[1]) {
+                    bundled.add(bundledMatch[1]);
+                }
+            }
+            if (header.name === 'package/package.json') {
+                stream.on('data', (chunk) => chunks.push(Buffer.from(chunk)));
+            }
+            stream.on('error', reject);
+            stream.on('end', () => {
+                if (header.name === 'package/package.json') {
+                    try {
+                        manifest = JSON.parse(Buffer.concat(chunks).toString());
+                    }
+                    catch (error) {
+                        reject(error);
+                        return;
+                    }
+                }
+                next();
+            });
+            stream.resume();
+        });
+        extract.on('error', reject);
+        extract.on('finish', resolve);
+        extract.end(maybeGunzip(tarballData));
+    });
+    if (!manifest?.name || !manifest.version) {
+        throw new PnpmError('STAGE_TARBALL_MANIFEST_NOT_FOUND', 'Could not read package.json from tarball');
+    }
+    files.sort((a, b) => a.path.localeCompare(b.path, 'en'));
+    return {
+        id: manifest._id ?? `${manifest.name}@${manifest.version}`,
+        name: manifest.name,
+        version: manifest.version,
+        size: tarballData.byteLength,
+        unpackedSize,
+        shasum: createHash('sha1').update(tarballData).digest('hex'),
+        integrity: `sha512-${createHash('sha512').update(tarballData).digest('base64')}`,
+        filename: `${normalizePackageName(manifest.name)}-${manifest.version}.tgz`,
+        files,
+        entryCount,
+        bundled: bundled.size > 0 ? Array.from(bundled).sort() : extractBundledDependencies(manifest),
+    };
+}
+function maybeGunzip(tarballData) {
+    try {
+        return gunzipSync(tarballData);
+    }
+    catch {
+        return tarballData;
+    }
+}
+function normalizePackageName(name) {
+    return name.replace('@', '').replace('/', '-');
+}
+//# sourceMappingURL=summarizeTarball.js.map

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/releasing.commands",
-  "version": "1100.2.18",
+  "version": "1100.3.1",
   "description": "Commands for deploy, pack, and publish",
   "keywords": [
     "pnpm",
@@ -27,58 +27,59 @@
     "@pnpm/npm-package-arg": "^2.0.0",
     "@types/normalize-path": "^3.0.2",
     "@zkochan/rimraf": "^4.0.0",
-    "chalk": "^5.6.0",
-    "ci-info": "^4.3.0",
-    "detect-libc": "^2.0.3",
+    "chalk": "^5.6.2",
+    "ci-info": "^4.4.0",
+    "detect-libc": "^2.1.2",
     "enquirer": "^2.4.1",
     "execa": "npm:safe-execa@0.3.0",
-    "libnpmpublish": "^11.1.3",
+    "libnpmpublish": "^11.2.0",
     "normalize-path": "^3.0.0",
     "normalize-registry-url": "2.0.1",
     "p-filter": "^4.1.0",
-    "p-limit": "^7.1.0",
+    "p-limit": "^7.3.0",
     "ramda": "npm:@pnpm/ramda@0.28.1",
     "realpath-missing": "^2.0.0",
     "render-help": "^2.0.0",
-    "semver": "^7.7.2",
-    "tar-stream": "^3.1.7",
+    "semver": "^7.8.1",
+    "tar-stream": "^3.2.0",
     "tempy": "3.0.0",
-    "tinyglobby": "^0.2.14",
+    "tinyglobby": "^0.2.16",
     "validate-npm-package-name": "7.0.2",
     "write-json-file": "^7.0.0",
     "write-yaml-file": "^6.0.0",
     "@pnpm/catalogs.types": "1100.0.0",
-    "@pnpm/bins.resolver": "1100.0.4",
-    "@pnpm/config.pick-registry-for-package": "1100.0.5",
-    "@pnpm/cli.utils": "1101.0.6",
+    "@pnpm/cli.utils": "1101.0.8",
     "@pnpm/cli.common-cli-options-help": "1100.0.1",
-    "@pnpm/config.reader": "1101.3.3",
-    "@pnpm/deps.path": "1100.0.4",
+    "@pnpm/config.reader": "1101.4.1",
+    "@pnpm/config.pick-registry-for-package": "1100.0.6",
+    "@pnpm/deps.path": "1100.0.5",
     "@pnpm/constants": "1100.0.0",
-    "@pnpm/engine.runtime.commands": "1100.0.16",
     "@pnpm/error": "1100.0.0",
-    "@pnpm/exec.lifecycle": "1100.0.12",
-    "@pnpm/engine.runtime.node-resolver": "1101.1.0",
+    "@pnpm/exec.lifecycle": "1100.0.14",
     "@pnpm/exec.pnpm-cli-runner": "1100.0.1",
-    "@pnpm/fs.indexed-pkg-importer": "1100.0.9",
-    "@pnpm/fs.is-empty-dir-or-nothing": "1100.0.0",
-    "@pnpm/fetching.directory-fetcher": "1100.0.11",
-    "@pnpm/installing.commands": "1100.4.2",
+    "@pnpm/engine.runtime.commands": "1100.1.0",
+    "@pnpm/bins.resolver": "1100.0.5",
+    "@pnpm/fs.indexed-pkg-importer": "1100.0.10",
+    "@pnpm/fetching.directory-fetcher": "1100.0.13",
+    "@pnpm/installing.client": "1100.2.3",
+    "@pnpm/engine.runtime.node-resolver": "1101.1.2",
     "@pnpm/fs.packlist": "1100.0.1",
-    "@pnpm/installing.client": "1100.2.1",
+    "@pnpm/fs.is-empty-dir-or-nothing": "1100.0.0",
+    "@pnpm/installing.commands": "1100.6.0",
+    "@pnpm/lockfile.types": "1100.0.8",
+    "@pnpm/lockfile.fs": "1100.1.2",
+    "@pnpm/network.fetch": "1100.0.7",
     "@pnpm/network.git-utils": "1100.0.1",
-    "@pnpm/lockfile.types": "1100.0.7",
-    "@pnpm/network.fetch": "1100.0.6",
-    "@pnpm/types": "1101.1.1",
-    "@pnpm/workspace.projects-filter": "1100.0.14",
-    "@pnpm/releasing.exportable-manifest": "1100.0.7",
-    "@pnpm/resolving.resolver-base": "1100.3.0",
-    "@pnpm/workspace.projects-sorter": "1100.0.3",
     "@pnpm/network.web-auth": "1101.0.0",
-    "@pnpm/lockfile.fs": "1100.1.1"
+    "@pnpm/releasing.exportable-manifest": "1100.1.1",
+    "@pnpm/network.auth-header": "1101.0.0",
+    "@pnpm/resolving.resolver-base": "1100.3.1",
+    "@pnpm/types": "1101.2.0",
+    "@pnpm/workspace.projects-filter": "1100.0.16",
+    "@pnpm/workspace.projects-sorter": "1100.0.4"
   },
   "peerDependencies": {
-    "@pnpm/logger": ">=1001.0.0 <1002.0.0"
+    "@pnpm/logger": "^1001.0.1"
   },
   "devDependencies": {
     "@jest/globals": "30.3.0",
@@ -92,21 +93,21 @@
     "@types/tar": "^7.0.87",
     "@types/tar-stream": "^3.1.4",
     "@types/validate-npm-package-name": "^4.0.2",
-    "ci-info": "^4.3.0",
+    "ci-info": "^4.4.0",
     "cross-spawn": "^7.0.6",
     "is-windows": "^1.0.2",
     "load-json-file": "^7.0.1",
-    "tar": "^7.5.10",
-    "undici": "^7.2.0",
+    "tar": "^7.5.15",
+    "undici": "^7.26.0",
     "write-yaml-file": "^6.0.0",
-    "@pnpm/hooks.pnpmfile": "1100.0.10",
-    "@pnpm/assert-project": "1100.0.10",
-    "@pnpm/prepare": "1100.0.10",
+    "@pnpm/assert-project": "1100.0.11",
+    "@pnpm/hooks.pnpmfile": "1100.0.11",
     "@pnpm/logger": "1100.0.0",
+    "@pnpm/releasing.commands": "1100.3.1",
     "@pnpm/test-fixtures": "1100.0.0",
-    "@pnpm/releasing.commands": "1100.2.18",
-    "@pnpm/test-ipc-server": "1100.0.0",
     "@pnpm/catalogs.config": "1100.0.0",
+    "@pnpm/prepare": "1100.0.11",
+    "@pnpm/test-ipc-server": "1100.0.0",
     "@pnpm/testing.command-defaults": "1100.0.1"
   },
   "engines": {