@pnpm/releasing.commands 1100.2.8 → 1100.2.10

package/lib/publish/oidc/idToken.d.ts

@@ -57,7 +57,7 @@ export interface IdTokenParams {
  * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/oidc.js#L37-L110 for npm's implementation
  * @see https://github.com/yarnpkg/berry/blob/bafbef55/packages/plugin-npm/sources/npmHttpUtils.ts#L594-L624 for yarn's implementation
  */
-export declare function getIdToken({ context: { Date, ciInfo: { GITHUB_ACTIONS, GITLAB }, fetch, globalInfo, process: { env } }, options, registry }: IdTokenParams): Promise<string | undefined>;
+export declare function getIdToken({ context: { Date, ciInfo: { GITHUB_ACTIONS }, fetch, globalInfo, process: { env } }, options, registry }: IdTokenParams): Promise<string | undefined>;
 export declare abstract class IdTokenError extends PnpmError {
 }
 export declare class IdTokenGitHubWorkflowIncorrectPermissionsError extends IdTokenError {

package/lib/publish/oidc/idToken.js

@@ -10,11 +10,16 @@ import { SHARED_CONTEXT } from '../utils/shared-context.js';
  * @see https://github.com/npm/cli/blob/7d900c46/lib/utils/oidc.js#L37-L110 for npm's implementation
  * @see https://github.com/yarnpkg/berry/blob/bafbef55/packages/plugin-npm/sources/npmHttpUtils.ts#L594-L624 for yarn's implementation
  */
-export async function getIdToken({ context: { Date, ciInfo: { GITHUB_ACTIONS, GITLAB }, fetch, globalInfo, process: { env }, } = SHARED_CONTEXT, options, registry, }) {
-    if (!GITHUB_ACTIONS && !GITLAB)
-        return undefined;
+export async function getIdToken({ context: { Date, ciInfo: { GITHUB_ACTIONS }, fetch, globalInfo, process: { env }, } = SHARED_CONTEXT, options, registry, }) {
+    // `NPM_ID_TOKEN` is the canonical CI-agnostic injection point for an OIDC ID token.
+    // Any CI provider with its own OIDC mechanism (GitLab natively, CircleCI's
+    // `CIRCLE_OIDC_TOKEN_V2`, Buildkite, etc.) can forward its token here and trusted
+    // publishing will work — we don't need to recognize the provider ourselves.
     if (env?.NPM_ID_TOKEN)
         return env.NPM_ID_TOKEN;
+    // Without an explicit token, the only flow we can drive ourselves is GitHub Actions'
+    // request-token endpoint. Anywhere else (other CIs without `NPM_ID_TOKEN`, local dev)
+    // falls through silently and the publish caller falls back to a static `_authToken`.
     if (!GITHUB_ACTIONS)
         return undefined;
     if (!env?.ACTIONS_ID_TOKEN_REQUEST_TOKEN || !env?.ACTIONS_ID_TOKEN_REQUEST_URL) {

package/lib/publish/pack.d.ts

@@ -29,4 +29,6 @@ export interface PackResult {
     publishedManifest: ExportedManifest;
     contents: string[];
     tarballPath: string;
+    /** Total uncompressed size of all files in the tarball, in bytes. */
+    unpackedSize: number;
 }

package/lib/publish/pack.js

@@ -234,11 +234,27 @@ export async function api(opts) {
     else {
         packedTarballPath = path.relative(opts.dir, path.join(dir, tarballName));
     }
-    const packedContents = files.sort((a, b) => a.localeCompare(b, 'en'));
+    // Derive `contents` and `unpackedSize` from `filesMap` (the full set of tar entries) rather than
+    // from `files` (the packlist subset) so that:
+    //   - workspace LICENSE files appended to `filesMap` after the packlist call are included; and
+    //   - `package.yaml` / `package.json5` entries are reported under the name they actually have in
+    //     the tar (`package.json`), since `packPkg()` rewrites them.
+    const sizes = await Promise.all(Object.entries(filesMap).map(async ([name, source]) => {
+        if (/^package\/package\.(?:json|json5|yaml)$/.test(name)) {
+            return Buffer.byteLength(JSON.stringify(publishManifest, null, 2));
+        }
+        const stat = await fs.promises.stat(source);
+        return stat.size;
+    }));
+    const unpackedSize = sizes.reduce((acc, size) => acc + size, 0);
+    const packedContents = Array.from(new Set(Object.keys(filesMap).map((name) => /^package\/package\.(?:json|json5|yaml)$/.test(name)
+        ? 'package.json'
+        : name.replace(/^package\//, '')))).sort((a, b) => a.localeCompare(b, 'en'));
     return {
         publishedManifest: publishManifest,
         contents: packedContents,
         tarballPath: packedTarballPath,
+        unpackedSize,
     };
 }
 function preventBundledDependenciesWithoutHoistedNodeLinker(nodeLinker, manifest) {

package/lib/publish/publish.d.ts

@@ -2,7 +2,8 @@ import { type Config, type ConfigContext } from '@pnpm/config.reader';
 import { type RunLifecycleHookOptions } from '@pnpm/exec.lifecycle';
 import type { ExportedManifest } from '@pnpm/releasing.exportable-manifest';
 import type { ProjectManifest } from '@pnpm/types';
-import { type PublishRecursiveOpts } from './recursivePublish.js';
+import { type PublishSummary } from './publishPackedPkg.js';
+import { type PublishRecursiveOpts, type RecursivePublishedPackage } from './recursivePublish.js';
 export declare function rcOptionsTypes(): Record<string, unknown>;
 export declare function cliOptionsTypes(): Record<string, unknown>;
 export declare const commandNames: string[];
@@ -12,15 +13,21 @@ export declare function handler(opts: Omit<PublishRecursiveOpts, 'workspaceDir'>
         original: string[];
     };
     engineStrict?: boolean;
+    json?: boolean;
     recursive?: boolean;
     workspaceDir?: string;
 } & Pick<Config, 'bin' | 'gitChecks' | 'ignoreScripts' | 'pnpmHomeDir' | 'publishBranch' | 'embedReadme'> & Pick<ConfigContext, 'allProjects'>, params: string[]): Promise<{
     exitCode?: number;
+    output?: string;
 } | undefined>;
 export interface PublishResult {
     exitCode?: number;
     manifest?: ProjectManifest;
     publishedManifest?: ExportedManifest;
+    /** Per-package summary in the npm-CLI `--json` shape; only populated for single-package publish. */
+    publishSummary?: PublishSummary;
+    /** Per-package summaries collected by recursive publish. */
+    publishedPackages?: RecursivePublishedPackage[];
 }
 export declare function publish(opts: Omit<PublishRecursiveOpts, 'workspaceDir'> & {
     argv: {

package/lib/publish/publish.js

@@ -106,6 +106,16 @@ export function help() {
 const GIT_CHECKS_HINT = 'If you want to disable Git checks on publish, set the "git-checks" setting to "false", or run again with "--no-git-checks".';
 export async function handler(opts, params) {
     const result = await publish(opts, params);
+    // Emit per-package summaries on stdout when --json is set: single object for a single-package
+    // publish, array for recursive publish. Mirrors `pnpm pack --json`'s shape choice.
+    if (opts.json) {
+        if (result?.publishSummary) {
+            return { output: JSON.stringify(result.publishSummary, null, 2), exitCode: 0 };
+        }
+        if (result?.publishedPackages) {
+            return { output: JSON.stringify(result.publishedPackages, null, 2), exitCode: result.exitCode ?? 0 };
+        }
+    }
     if (result?.manifest)
         return;
     return result;
@@ -144,23 +154,27 @@ Do you want to continue?`,
         }
     }
     if (opts.recursive && (opts.selectedProjectsGraph != null)) {
-        const { exitCode } = await recursivePublish({
+        const { exitCode, publishedPackages } = await recursivePublish({
             ...opts,
             selectedProjectsGraph: opts.selectedProjectsGraph,
             workspaceDir: opts.workspaceDir ?? process.cwd(),
         });
-        return { exitCode };
+        return { exitCode, publishedPackages };
     }
     opts = optionsWithOtpEnv(opts, process.env);
     const dirInParams = (params.length > 0) ? params[0] : undefined;
     if (dirInParams != null && isTarballPath(dirInParams)) {
         const tarballPath = dirInParams;
         const publishedManifest = await extractManifestFromPacked(tarballPath);
-        await publishPackedPkg({
+        // Publishing a pre-built tarball bypasses `pack.api()`, so we don't have the file listing
+        // or unpacked size — those summary fields are reported as empty/zero.
+        const publishSummary = await publishPackedPkg({
             tarballPath,
             publishedManifest,
+            contents: [],
+            unpackedSize: 0,
         }, opts);
-        return { exitCode: 0 };
+        return { exitCode: 0, publishSummary };
     }
     const dir = dirInParams ?? opts.dir ?? process.cwd();
     const _runScriptsIfPresent = runScriptsIfPresent.bind(null, {
@@ -187,6 +201,7 @@ Do you want to continue?`,
     // that was generated and packed to the tarball.
     const packDestination = temporaryDirectory();
     let publishedManifest;
+    let publishSummary;
     try {
         const packResult = await pack.api({
             ...opts,
@@ -194,7 +209,7 @@ Do you want to continue?`,
             packDestination,
             dryRun: false,
         });
-        await publishPackedPkg(packResult, opts);
+        publishSummary = await publishPackedPkg(packResult, opts);
         publishedManifest = packResult.publishedManifest;
     }
     finally {
@@ -206,7 +221,7 @@ Do you want to continue?`,
             'postpublish',
         ], manifest);
     }
-    return { manifest, publishedManifest };
+    return { manifest, publishedManifest, publishSummary };
 }
 export async function runScriptsIfPresent(opts, scriptNames, manifest) {
     for (const scriptName of scriptNames) {

package/lib/publish/publishPackedPkg.d.ts

@@ -8,8 +8,56 @@ export type PublishPackedPkgOptions = Pick<Config, 'configByUri' | 'dryRun' | 'f
     provenance?: boolean;
     provenanceFile?: string;
 };
-export declare function publishPackedPkg(packResult: Pick<PackResult, 'publishedManifest' | 'tarballPath'>, opts: PublishPackedPkgOptions): Promise<void>;
+/**
+ * Per-package summary describing a successful publish, modeled after `npm publish --json`.
+ * Returned to callers and serialized to stdout when `pnpm publish --json` is used.
+ */
+export interface PublishSummary {
+    /** Human-readable identifier `${name}@${version}`. */
+    id: string;
+    name: string;
+    version: string;
+    /** Compressed tarball size in bytes. */
+    size: number;
+    /** Total uncompressed size of all files in the tarball, in bytes. */
+    unpackedSize: number;
+    /** Lowercase hex SHA-1 digest of the tarball. */
+    shasum: string;
+    /** SRI-formatted SHA-512 digest of the tarball (e.g. `sha512-...`). */
+    integrity: string;
+    /** Tarball file basename (e.g. `pkg-1.0.0.tgz`). */
+    filename: string;
+    /** Files inside the tarball, in the same shape `pnpm pack --json` emits. */
+    files: Array<{
+        path: string;
+    }>;
+    /** Number of files inside the tarball. */
+    entryCount: number;
+    /** Names of bundled dependencies included in the tarball (typically empty). */
+    bundled: string[];
+}
+export declare function publishPackedPkg(packResult: Pick<PackResult, 'publishedManifest' | 'tarballPath' | 'contents' | 'unpackedSize'>, opts: PublishPackedPkgOptions): Promise<PublishSummary>;
 export declare class PublishUnsupportedRegistryProtocolError extends PnpmError {
     readonly registryUrl: string;
     constructor(registryUrl: string);
 }
+interface OidcTokenProvenanceResult {
+    authToken: string;
+    provenance?: boolean;
+}
+/**
+ * Try fetching an authentication token and provenance by OpenID Connect.
+ *
+ * The result, when defined, is intended to take precedence over any statically configured
+ * authentication. This mirrors the npm CLI's OIDC flow, which always attempts the exchange
+ * in supported CI environments and overwrites a configured `_authToken` on success.
+ *
+ * @returns the OIDC-derived authToken (and provenance flag) on success, or `undefined` when
+ *   OIDC is not applicable / not configured on the registry — in which case callers should
+ *   fall back to whatever static authentication they already have.
+ *
+ * @internal Exported for unit testing of the precedence rules. Not part of the package's
+ *   public API.
+ */
+export declare function fetchTokenAndProvenanceByOidc(packageName: string, registry: string, options: PublishPackedPkgOptions): Promise<OidcTokenProvenanceResult | undefined>;
+export {};

package/lib/publish/publishPackedPkg.js

@@ -1,4 +1,6 @@
+import { createHash } from 'node:crypto';
 import fs from 'node:fs/promises';
+import path from 'node:path';
 import { PnpmError } from '@pnpm/error';
 import { globalInfo, globalWarn } from '@pnpm/logger';
 import { displayError } from './displayError.js';
@@ -10,23 +12,53 @@ import { determineProvenance, ProvenanceError } from './oidc/provenance.js';
 import { publishWithOtpHandling } from './otp.js';
 import { allRegistryConfigKeys, parseSupportedRegistryUrl } from './registryConfigKeys.js';
 export async function publishPackedPkg(packResult, opts) {
-    const { publishedManifest, tarballPath } = packResult;
+    const { publishedManifest, tarballPath, contents, unpackedSize } = packResult;
     const tarballData = await fs.readFile(tarballPath);
     const publishOptions = await createPublishOptions(publishedManifest, opts);
     const { name, version } = publishedManifest;
     const { registry } = publishOptions;
     globalInfo(`📦 ${name}@${version} → ${registry ?? 'the default registry'}`);
+    const summary = {
+        id: `${name}@${version}`,
+        name: name,
+        version: version,
+        size: tarballData.byteLength,
+        unpackedSize,
+        // SHA-1 is what `npm publish --json` reports as `shasum` for back-compat with the registry's
+        // legacy dist.shasum field; `integrity` below is the modern SRI hash.
+        shasum: createHash('sha1').update(tarballData).digest('hex'),
+        integrity: `sha512-${createHash('sha512').update(tarballData).digest('base64')}`,
+        filename: path.basename(tarballPath),
+        files: contents.map((file) => ({ path: file })),
+        entryCount: contents.length,
+        bundled: extractBundledDependencies(publishedManifest),
+    };
     if (opts.dryRun) {
         globalWarn(`Skip publishing ${name}@${version} (dry run)`);
-        return;
+        return summary;
     }
     const response = await publishWithOtpHandling({ manifest: publishedManifest, tarballData, publishOptions });
     if (response.ok) {
         globalInfo(`✅ Published package ${name}@${version}`);
-        return;
+        return summary;
     }
     throw await createFailedToPublishError(packResult, response);
 }
+/**
+ * npm accepts both `bundledDependencies` and `bundleDependencies` in package.json and normalizes
+ * to a list of dependency names. We mirror that normalization so consumers see a consistent array.
+ */
+function extractBundledDependencies(manifest) {
+    const raw = manifest.bundledDependencies ?? manifest.bundleDependencies;
+    if (!raw)
+        return [];
+    if (Array.isArray(raw))
+        return raw;
+    // `true` means "bundle every dependency" per npm's semantics; expand it to the dependency names.
+    if (raw === true)
+        return Object.keys(manifest.dependencies ?? {});
+    return [];
+}
 async function createPublishOptions(manifest, options) {
     const publishConfigRegistry = typeof manifest.publishConfig?.registry === 'string'
         ? manifest.publishConfig.registry
@@ -67,8 +99,14 @@ async function createPublishOptions(manifest, options) {
         password: creds?.basicAuth?.password,
     };
     if (registry) {
-        const oidcTokenProvenance = await fetchTokenAndProvenanceByOidcIfApplicable(publishOptions, manifest.name, registry, options);
-        publishOptions.token ??= oidcTokenProvenance?.authToken;
+        // OIDC takes precedence over a configured static `_authToken`, mirroring the npm CLI's
+        // behavior (see https://github.com/npm/cli/blob/7d900c46/lib/utils/oidc.js). Trusted
+        // publishing wins whenever the registry has it configured for the package; the static
+        // token is used only as a fallback when OIDC is not applicable.
+        const oidcTokenProvenance = await fetchTokenAndProvenanceByOidc(manifest.name, registry, options);
+        if (oidcTokenProvenance?.authToken) {
+            publishOptions.token = oidcTokenProvenance.authToken;
+        }
         publishOptions.provenance ??= oidcTokenProvenance?.provenance;
         appendAuthOptionsForRegistry(publishOptions, registry);
     }
@@ -131,13 +169,20 @@ export class PublishUnsupportedRegistryProtocolError extends PnpmError {
     }
 }
 /**
- * If authentication information doesn't already set in {@link targetPublishOptions},
- * try fetching an authentication token and provenance by OpenID Connect and return it.
+ * Try fetching an authentication token and provenance by OpenID Connect.
+ *
+ * The result, when defined, is intended to take precedence over any statically configured
+ * authentication. This mirrors the npm CLI's OIDC flow, which always attempts the exchange
+ * in supported CI environments and overwrites a configured `_authToken` on success.
+ *
+ * @returns the OIDC-derived authToken (and provenance flag) on success, or `undefined` when
+ *   OIDC is not applicable / not configured on the registry — in which case callers should
+ *   fall back to whatever static authentication they already have.
+ *
+ * @internal Exported for unit testing of the precedence rules. Not part of the package's
+ *   public API.
  */
-async function fetchTokenAndProvenanceByOidcIfApplicable(targetPublishOptions, packageName, registry, options) {
-    if (targetPublishOptions.token != null ||
-        (targetPublishOptions.username && targetPublishOptions.password))
-        return undefined;
+export async function fetchTokenAndProvenanceByOidc(packageName, registry, options) {
     let idToken;
     try {
         idToken = await getIdToken({
@@ -153,7 +198,11 @@ async function fetchTokenAndProvenanceByOidcIfApplicable(targetPublishOptions, p
         throw error;
     }
     if (!idToken) {
-        globalWarn('Skipped OIDC: idToken is not available');
+        // OIDC is simply not applicable here — either we're outside of CI, or we're in a CI
+        // that doesn't natively drive OIDC and the user hasn't forwarded a token via
+        // `NPM_ID_TOKEN`. This is the common case for local publishes, so it must stay
+        // silent — only configuration *errors* in a supported CI environment surface as
+        // warnings, and those come back as `IdTokenError` and are handled above.
         return undefined;
     }
     let authToken;
@@ -190,8 +239,11 @@ async function fetchTokenAndProvenanceByOidcIfApplicable(targetPublishOptions, p
     }
     catch (error) {
         if (error instanceof ProvenanceError) {
+            // Don't lose the OIDC-derived authToken just because we couldn't determine the
+            // provenance flag — the publish itself can still go through, and that's what
+            // the npm CLI does too.
             globalWarn(`Skipped setting provenance: ${displayError(error)}`);
-            return undefined;
+            return { authToken };
         }
         throw error;
     }

package/lib/publish/recursivePublish.d.ts

@@ -1,5 +1,5 @@
 import type { Config, ConfigContext } from '@pnpm/config.reader';
-import type { PublishPackedPkgOptions } from './publishPackedPkg.js';
+import type { PublishPackedPkgOptions, PublishSummary } from './publishPackedPkg.js';
 export type PublishRecursiveOpts = Required<Pick<Config, 'bin' | 'cacheDir' | 'dir' | 'pnpmHomeDir' | 'configByUri' | 'registries' | 'workspaceDir'>> & Required<Pick<ConfigContext, 'cliOptions'>> & Partial<Pick<Config, 'tag' | 'ca' | 'catalogs' | 'cert' | 'fetchTimeout' | 'force' | 'dryRun' | 'extraBinPaths' | 'extraEnv' | 'fetchRetries' | 'fetchRetryFactor' | 'fetchRetryMaxtimeout' | 'fetchRetryMintimeout' | 'key' | 'httpProxy' | 'httpsProxy' | 'localAddress' | 'lockfileDir' | 'noProxy' | 'npmPath' | 'offline' | 'strictSsl' | 'unsafePerm' | 'userAgent' | 'verifyStoreIntegrity'>> & Partial<Pick<ConfigContext, 'selectedProjectsGraph'>> & {
     access?: 'public' | 'restricted';
     argv: {
@@ -7,6 +7,11 @@ export type PublishRecursiveOpts = Required<Pick<Config, 'bin' | 'cacheDir' | 'd
     };
     reportSummary?: boolean;
 } & PublishPackedPkgOptions;
+export type RecursivePublishedPackage = PublishSummary | {
+    name?: string;
+    version?: string;
+};
 export declare function recursivePublish(opts: PublishRecursiveOpts & Required<Pick<ConfigContext, 'selectedProjectsGraph'>>): Promise<{
     exitCode: number;
+    publishedPackages: RecursivePublishedPackage[];
 }>;

package/lib/publish/recursivePublish.js

@@ -83,12 +83,19 @@ export async function recursivePublish(opts) {
                     gitChecks: false,
                     recursive: false,
                 }, [pkg.rootDir]);
-                const publishedManifest = publishResult?.publishedManifest ?? publishResult?.manifest;
-                if (publishedManifest != null) {
-                    publishedPackages.push(pick(['name', 'version'], publishedManifest));
+                if (publishResult?.publishSummary != null) {
+                    publishedPackages.push(publishResult.publishSummary);
                 }
-                else if (publishResult?.exitCode) {
-                    return { exitCode: publishResult.exitCode };
+                else {
+                    // Fallback for paths that don't produce a full PublishSummary (e.g. dry run via the
+                    // legacy npm-CLI bridge, or future call sites that bypass publishPackedPkg).
+                    const publishedManifest = publishResult?.publishedManifest ?? publishResult?.manifest;
+                    if (publishedManifest != null) {
+                        publishedPackages.push(pick(['name', 'version'], publishedManifest));
+                    }
+                    else if (publishResult?.exitCode) {
+                        return { exitCode: publishResult.exitCode, publishedPackages };
+                    }
                 }
             }
         }
@@ -96,7 +103,7 @@ export async function recursivePublish(opts) {
     if (opts.reportSummary) {
         await writeJsonFile(path.join(opts.lockfileDir ?? opts.dir, 'pnpm-publish-summary.json'), { publishedPackages });
     }
-    return { exitCode: 0 };
+    return { exitCode: 0, publishedPackages };
 }
 async function isAlreadyPublished(opts, pkgName, pkgVersion) {
     try {

package/lib/version/index.js

@@ -2,6 +2,7 @@ import path from 'node:path';
 import { readProjectManifest } from '@pnpm/cli.utils';
 import { types as allTypes } from '@pnpm/config.reader';
 import { PnpmError } from '@pnpm/error';
+import { runLifecycleHook } from '@pnpm/exec.lifecycle';
 import { isGitRepo, isWorkingTreeClean } from '@pnpm/network.git-utils';
 import { filterProjectsFromDir } from '@pnpm/workspace.projects-filter';
 import { safeExeca as execa } from 'execa';
@@ -146,6 +147,7 @@ export async function handler(opts, params) {
     if (!opts.recursive && opts.gitTagVersion !== false && await isGitRepo({ cwd: gitCwd })) {
         await commitAndTag(changes, { ...opts, cwd: gitCwd });
     }
+    await Promise.all(changes.map(change => runVersionLifecycleHook('postversion', change, opts)));
     if (opts.json) {
         return JSON.stringify(changes.map(({ manifestPath: _manifestPath, ...change }) => change), null, 2);
     }
@@ -164,6 +166,14 @@ async function bumpPackageVersion(pkgDir, rawBump, explicitVersion, opts) {
     if (!valid(currentVersion)) {
         throw new PnpmError('INVALID_VERSION', `Invalid version in ${pkgDir}: ${currentVersion}`);
     }
+    const preVersionChange = {
+        name: manifest.name,
+        currentVersion,
+        newVersion: currentVersion,
+        path: pkgDir,
+        manifestPath: path.join(pkgDir, fileName),
+    };
+    await runVersionLifecycleHook('preversion', preVersionChange, opts);
     const newVersion = explicitVersion ?? inc(currentVersion, rawBump, false, opts.preid);
     if (!newVersion) {
         throw new PnpmError('VERSION_BUMP_FAILED', `Failed to bump version from ${currentVersion} using ${rawBump}`);
@@ -173,13 +183,35 @@ async function bumpPackageVersion(pkgDir, rawBump, explicitVersion, opts) {
     }
     manifest.version = newVersion;
     await writeProjectManifest(manifest);
-    return {
+    const change = {
         name: manifest.name,
         currentVersion,
         newVersion,
         path: pkgDir,
         manifestPath: path.join(pkgDir, fileName),
     };
+    await runVersionLifecycleHook('version', change, opts);
+    return change;
+}
+async function runVersionLifecycleHook(stage, change, opts) {
+    if (opts.ignoreScripts === true)
+        return;
+    const { manifest } = await readProjectManifest(change.path);
+    const lifecycleOpts = {
+        depPath: change.name,
+        extraBinPaths: opts.extraBinPaths,
+        extraEnv: opts.extraEnv,
+        initCwd: opts.dir,
+        pkgRoot: change.path,
+        rootModulesDir: path.join(change.path, opts.modulesDir ?? 'node_modules'),
+        scriptShell: opts.scriptShell,
+        scriptsPrependNodePath: opts.scriptsPrependNodePath,
+        shellEmulator: opts.shellEmulator,
+        stdio: 'inherit',
+        unsafePerm: opts.unsafePerm ?? false,
+        userAgent: opts.userAgent,
+    };
+    await runLifecycleHook(stage, manifest, lifecycleOpts);
 }
 async function commitAndTag(changes, opts) {
     const resolvedCwd = path.resolve(opts.cwd);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@pnpm/releasing.commands",
-  "version": "1100.2.8",
+  "version": "1100.2.10",
   "description": "Commands for deploy, pack, and publish",
   "keywords": [
     "pnpm",
@@ -27,23 +27,23 @@
     "@pnpm/npm-package-arg": "^2.0.0",
     "@types/normalize-path": "^3.0.2",
     "@zkochan/rimraf": "^4.0.0",
-    "chalk": "^5.6.0",
-    "ci-info": "^4.3.0",
-    "detect-libc": "^2.0.3",
+    "chalk": "^5.6.2",
+    "ci-info": "^4.4.0",
+    "detect-libc": "^2.1.2",
     "enquirer": "^2.4.1",
     "execa": "npm:safe-execa@0.3.0",
     "libnpmpublish": "^11.1.3",
     "normalize-path": "^3.0.0",
     "normalize-registry-url": "2.0.1",
     "p-filter": "^4.1.0",
-    "p-limit": "^7.1.0",
+    "p-limit": "^7.3.0",
     "ramda": "npm:@pnpm/ramda@0.28.1",
     "realpath-missing": "^2.0.0",
     "render-help": "^2.0.0",
-    "semver": "^7.7.2",
-    "tar-stream": "^3.1.7",
+    "semver": "^7.7.4",
+    "tar-stream": "^3.2.0",
     "tempy": "3.0.0",
-    "tinyglobby": "^0.2.14",
+    "tinyglobby": "^0.2.16",
     "validate-npm-package-name": "7.0.2",
     "write-json-file": "^7.0.0",
     "write-yaml-file": "^6.0.0",
@@ -51,34 +51,34 @@
     "@pnpm/catalogs.types": "1100.0.0",
     "@pnpm/cli.common-cli-options-help": "1100.0.1",
     "@pnpm/cli.utils": "1101.0.2",
+    "@pnpm/config.reader": "1101.2.1",
     "@pnpm/config.pick-registry-for-package": "1100.0.2",
-    "@pnpm/config.reader": "1101.2.0",
     "@pnpm/constants": "1100.0.0",
     "@pnpm/deps.path": "1100.0.2",
-    "@pnpm/engine.runtime.commands": "1100.0.10",
-    "@pnpm/engine.runtime.node-resolver": "1101.0.4",
+    "@pnpm/engine.runtime.commands": "1100.0.11",
+    "@pnpm/engine.runtime.node-resolver": "1101.0.5",
     "@pnpm/error": "1100.0.0",
-    "@pnpm/exec.lifecycle": "1100.0.5",
+    "@pnpm/exec.lifecycle": "1100.0.6",
     "@pnpm/exec.pnpm-cli-runner": "1100.0.0",
-    "@pnpm/fetching.directory-fetcher": "1100.0.5",
-    "@pnpm/fs.indexed-pkg-importer": "1100.0.4",
+    "@pnpm/fetching.directory-fetcher": "1100.0.6",
+    "@pnpm/fs.indexed-pkg-importer": "1100.0.5",
     "@pnpm/fs.is-empty-dir-or-nothing": "1100.0.0",
     "@pnpm/fs.packlist": "1100.0.0",
-    "@pnpm/installing.client": "1100.0.9",
-    "@pnpm/installing.commands": "1100.1.9",
-    "@pnpm/lockfile.types": "1100.0.3",
+    "@pnpm/installing.client": "1100.0.11",
+    "@pnpm/installing.commands": "1100.1.11",
+    "@pnpm/lockfile.fs": "1100.0.6",
+    "@pnpm/lockfile.types": "1100.0.4",
     "@pnpm/network.fetch": "1100.0.2",
-    "@pnpm/lockfile.fs": "1100.0.4",
     "@pnpm/network.git-utils": "1100.0.1",
     "@pnpm/network.web-auth": "1101.0.0",
     "@pnpm/releasing.exportable-manifest": "1100.0.3",
+    "@pnpm/resolving.resolver-base": "1100.1.2",
     "@pnpm/types": "1101.0.0",
-    "@pnpm/resolving.resolver-base": "1100.1.1",
-    "@pnpm/workspace.projects-sorter": "1100.0.1",
-    "@pnpm/workspace.projects-filter": "1100.0.7"
+    "@pnpm/workspace.projects-filter": "1100.0.8",
+    "@pnpm/workspace.projects-sorter": "1100.0.1"
   },
   "peerDependencies": {
-    "@pnpm/logger": ">=1001.0.0 <1002.0.0"
+    "@pnpm/logger": "^1001.0.1"
   },
   "devDependencies": {
     "@jest/globals": "30.3.0",
@@ -92,21 +92,22 @@
     "@types/tar": "^7.0.87",
     "@types/tar-stream": "^3.1.4",
     "@types/validate-npm-package-name": "^4.0.2",
-    "ci-info": "^4.3.0",
+    "ci-info": "^4.4.0",
     "cross-spawn": "^7.0.6",
     "is-windows": "^1.0.2",
     "load-json-file": "^7.0.1",
-    "tar": "^7.5.10",
+    "tar": "^7.5.13",
+    "undici": "^7.25.0",
     "write-yaml-file": "^6.0.0",
+    "@pnpm/assert-project": "1100.0.5",
     "@pnpm/catalogs.config": "1100.0.0",
-    "@pnpm/assert-project": "1100.0.4",
+    "@pnpm/hooks.pnpmfile": "1100.0.6",
     "@pnpm/logger": "1100.0.0",
-    "@pnpm/prepare": "1100.0.4",
-    "@pnpm/releasing.commands": "1100.2.8",
-    "@pnpm/hooks.pnpmfile": "1100.0.5",
+    "@pnpm/prepare": "1100.0.5",
+    "@pnpm/releasing.commands": "1100.2.10",
     "@pnpm/test-fixtures": "1100.0.0",
-    "@pnpm/testing.command-defaults": "1100.0.1",
-    "@pnpm/test-ipc-server": "1100.0.0"
+    "@pnpm/test-ipc-server": "1100.0.0",
+    "@pnpm/testing.command-defaults": "1100.0.1"
   },
   "engines": {
     "node": ">=22.13"