pnpm 10.34.2 → 10.34.3

package/dist/node_modules/.modules.yaml

@@ -19,45 +19,36 @@
     "nopt@8.1.0": [
       "node_modules/nopt"
     ],
-    "exponential-backoff@3.1.3": [
-      "node_modules/exponential-backoff"
-    ],
-    "which@5.0.0": [
-      "node_modules/which"
+    "tar@7.5.16": [
+      "node_modules/tar"
     ],
     "tinyglobby@0.2.17": [
       "node_modules/tinyglobby"
     ],
+    "which@5.0.0": [
+      "node_modules/which"
+    ],
     "env-paths@2.2.1": [
       "node_modules/env-paths"
     ],
     "proc-log@5.0.0": [
       "node_modules/proc-log"
     ],
-    "tar@7.5.16": [
-      "node_modules/tar"
+    "exponential-backoff@3.1.3": [
+      "node_modules/exponential-backoff"
     ],
-    "semver@7.8.3": [
+    "graceful-fs@4.2.11": [
+      "node_modules/graceful-fs"
+    ],
+    "semver@7.8.4": [
       "node_modules/semver"
     ],
     "make-fetch-happen@14.0.3": [
       "node_modules/make-fetch-happen"
     ],
-    "graceful-fs@4.2.11": [
-      "node_modules/graceful-fs"
-    ],
     "abbrev@3.0.1": [
       "node_modules/abbrev"
     ],
-    "isexe@3.1.1": [
-      "node_modules/isexe"
-    ],
-    "fdir@6.5.0(picomatch@4.0.4)": [
-      "node_modules/fdir"
-    ],
-    "picomatch@4.0.4": [
-      "node_modules/picomatch"
-    ],
     "chownr@3.0.0": [
       "node_modules/chownr"
     ],
@@ -73,11 +64,14 @@
     "minipass@7.1.3": [
       "node_modules/minipass"
     ],
-    "ssri@12.0.0": [
-      "node_modules/ssri"
+    "fdir@6.5.0(picomatch@4.0.4)": [
+      "node_modules/fdir"
     ],
-    "negotiator@1.0.0": [
-      "node_modules/negotiator"
+    "picomatch@4.0.4": [
+      "node_modules/picomatch"
+    ],
+    "isexe@3.1.1": [
+      "node_modules/isexe"
     ],
     "promise-retry@2.0.1": [
       "node_modules/promise-retry"
@@ -92,17 +86,23 @@
       "node_modules/minipass-pipeline/node_modules/yallist",
       "node_modules/minipass-sized/node_modules/yallist"
     ],
-    "cacache@19.0.1": [
-      "node_modules/cacache"
+    "negotiator@1.0.0": [
+      "node_modules/negotiator"
     ],
-    "http-cache-semantics@4.2.0": [
-      "node_modules/http-cache-semantics"
+    "minipass-fetch@4.0.1": [
+      "node_modules/minipass-fetch"
     ],
     "@npmcli/agent@3.0.0": [
       "node_modules/@npmcli/agent"
     ],
-    "minipass-fetch@4.0.1": [
-      "node_modules/minipass-fetch"
+    "http-cache-semantics@4.2.0": [
+      "node_modules/http-cache-semantics"
+    ],
+    "cacache@19.0.1": [
+      "node_modules/cacache"
+    ],
+    "ssri@12.0.0": [
+      "node_modules/ssri"
     ],
     "retry@0.12.0": [
       "node_modules/retry"
@@ -110,51 +110,60 @@
     "err-code@2.0.3": [
       "node_modules/err-code"
     ],
-    "minipass-collect@2.0.1": [
-      "node_modules/minipass-collect"
+    "encoding@0.1.13": [
+      "node_modules/encoding"
     ],
-    "p-map@7.0.4": [
-      "node_modules/p-map"
+    "http-proxy-agent@7.0.2": [
+      "node_modules/http-proxy-agent"
+    ],
+    "https-proxy-agent@7.0.6": [
+      "node_modules/https-proxy-agent"
+    ],
+    "socks-proxy-agent@8.0.5": [
+      "node_modules/socks-proxy-agent"
+    ],
+    "agent-base@7.1.4": [
+      "node_modules/agent-base"
+    ],
+    "lru-cache@10.4.3": [
+      "node_modules/lru-cache"
     ],
     "fs-minipass@3.0.3": [
       "node_modules/fs-minipass"
     ],
+    "minipass-collect@2.0.1": [
+      "node_modules/minipass-collect"
+    ],
     "unique-filename@4.0.0": [
       "node_modules/unique-filename"
     ],
-    "lru-cache@10.4.3": [
-      "node_modules/lru-cache"
-    ],
     "@npmcli/fs@4.0.0": [
       "node_modules/@npmcli/fs"
     ],
+    "p-map@7.0.4": [
+      "node_modules/p-map"
+    ],
     "glob@10.5.0": [
       "node_modules/glob"
     ],
-    "agent-base@7.1.4": [
-      "node_modules/agent-base"
-    ],
-    "http-proxy-agent@7.0.2": [
-      "node_modules/http-proxy-agent"
-    ],
-    "socks-proxy-agent@8.0.5": [
-      "node_modules/socks-proxy-agent"
+    "iconv-lite@0.6.3": [
+      "node_modules/iconv-lite"
     ],
-    "https-proxy-agent@7.0.6": [
-      "node_modules/https-proxy-agent"
+    "debug@4.4.3": [
+      "node_modules/debug"
     ],
-    "encoding@0.1.13": [
-      "node_modules/encoding"
+    "socks@2.8.9": [
+      "node_modules/socks"
     ],
     "unique-slug@5.0.0": [
       "node_modules/unique-slug"
     ],
-    "package-json-from-dist@1.0.1": [
-      "node_modules/package-json-from-dist"
-    ],
     "foreground-child@3.3.1": [
       "node_modules/foreground-child"
     ],
+    "package-json-from-dist@1.0.1": [
+      "node_modules/package-json-from-dist"
+    ],
     "jackspeak@3.4.3": [
       "node_modules/jackspeak"
     ],
@@ -164,14 +173,17 @@
     "minimatch@9.0.9": [
       "node_modules/minimatch"
     ],
-    "debug@4.4.3": [
-      "node_modules/debug"
+    "safer-buffer@2.1.2": [
+      "node_modules/safer-buffer"
     ],
-    "socks@2.8.9": [
-      "node_modules/socks"
+    "ms@2.1.3": [
+      "node_modules/ms"
     ],
-    "iconv-lite@0.6.3": [
-      "node_modules/iconv-lite"
+    "ip-address@10.2.0": [
+      "node_modules/ip-address"
+    ],
+    "smart-buffer@4.2.0": [
+      "node_modules/smart-buffer"
     ],
     "imurmurhash@0.1.4": [
       "node_modules/imurmurhash"
@@ -194,24 +206,12 @@
     "brace-expansion@2.1.1": [
       "node_modules/brace-expansion"
     ],
-    "ms@2.1.3": [
-      "node_modules/ms"
-    ],
-    "smart-buffer@4.2.0": [
-      "node_modules/smart-buffer"
-    ],
-    "ip-address@10.2.0": [
-      "node_modules/ip-address"
-    ],
-    "safer-buffer@2.1.2": [
-      "node_modules/safer-buffer"
+    "shebang-command@2.0.0": [
+      "node_modules/shebang-command"
     ],
     "path-key@3.1.1": [
       "node_modules/path-key"
     ],
-    "shebang-command@2.0.0": [
-      "node_modules/shebang-command"
-    ],
     "strip-ansi@7.2.0": [
       "node_modules/strip-ansi"
     ],
@@ -289,7 +289,7 @@
   "packageManager": "pnpm@10.33.1",
   "pendingBuilds": [],
   "publicHoistPattern": [],
-  "prunedAt": "Wed, 10 Jun 2026 13:59:47 GMT",
+  "prunedAt": "Thu, 11 Jun 2026 17:03:03 GMT",
   "registries": {
     "default": "https://registry.npmjs.org/",
     "@jsr": "https://npm.jsr.io/"

package/dist/node_modules/.pnpm/lock.yaml

@@ -321,8 +321,8 @@ packages:
   safer-buffer@2.1.2:
     resolution: {integrity: sha512-YZo3K82SD7Riyi0E1EQPojLz7kpepnSQI9IyPbHHg1XXXevb5dJI7tpyN2ADxGcQbHG7vcyRHk0cbwqcQriUtg==}
 
-  semver@7.8.3:
-    resolution: {integrity: sha512-wnilbGyMxzbY7dNOl7jpKbLSjcfeweJWU5j4+u5qW+6/wuGD9KzIGOyZnQVSBM9E7DtWaaH3CyHkppYrKYoxwg==}
+  semver@7.8.4:
+    resolution: {integrity: sha512-rUCObTnP32Q08R2uuIrt7r9PlEonuTmtuXYcW6s5kjdlj3xbnwe+21yXptAUYcMAABLkYYTtnmzb3w3EDZfueA==}
     engines: {node: '>=10'}
     hasBin: true
 
@@ -444,7 +444,7 @@ snapshots:
 
   '@npmcli/fs@4.0.0':
     dependencies:
-      semver: 7.8.3
+      semver: 7.8.4
     optional: true
 
   '@pkgjs/parseargs@0.11.0':
@@ -696,7 +696,7 @@ snapshots:
       make-fetch-happen: 14.0.3
       nopt: 8.1.0
       proc-log: 5.0.0
-      semver: 7.8.3
+      semver: 7.8.4
       tar: 7.5.16
       tinyglobby: 0.2.17
       which: 5.0.0
@@ -742,7 +742,7 @@ snapshots:
   safer-buffer@2.1.2:
     optional: true
 
-  semver@7.8.3:
+  semver@7.8.4:
     optional: true
 
   shebang-command@2.0.0:

package/dist/node_modules/.pnpm-workspace-state-v1.json

@@ -1,5 +1,5 @@
 {
-  "lastValidatedTimestamp": 1781099987600,
+  "lastValidatedTimestamp": 1781197383368,
   "projects": {},
   "pnpmfiles": [],
   "settings": {

package/dist/node_modules/semver/classes/range.js

@@ -277,6 +277,11 @@ const parseComparator = (comp, options) => {
 
 const isX = id => !id || id.toLowerCase() === 'x' || id === '*'
 
+const invalidXRangeOrder = (M, m, p) => (
+  (isX(M) && !isX(m)) ||
+  (isX(m) && p && !isX(p))
+)
+
 // ~, ~> --> * (any, kinda silly)
 // ~2, ~2.x, ~2.x.x, ~>2, ~>2.x ~>2.x.x --> >=2.0.0 <3.0.0-0
 // ~2.0, ~2.0.x, ~>2.0, ~>2.0.x --> >=2.0.0 <2.1.0-0
@@ -402,6 +407,10 @@ const replaceXRange = (comp, options) => {
   const r = options.loose ? re[t.XRANGELOOSE] : re[t.XRANGE]
   return comp.replace(r, (ret, gtlt, M, m, p, pr) => {
     debug('xRange', comp, ret, gtlt, M, m, p, pr)
+    if (invalidXRangeOrder(M, m, p)) {
+      return comp
+    }
+
     const xM = isX(M)
     const xm = xM || isX(m)
     const xp = xm || isX(p)

package/dist/node_modules/semver/package.json

@@ -1,6 +1,6 @@
 {
   "name": "semver",
-  "version": "7.8.3",
+  "version": "7.8.4",
   "description": "The semantic version parser used by npm.",
   "main": "index.js",
   "scripts": {

package/dist/pnpm.cjs

@@ -2973,7 +2973,7 @@ var require_lib4 = __commonJS({
     var load_json_file_1 = __importDefault2(require_load_json_file());
     var defaultManifest = {
       name: true ? "pnpm" : "pnpm",
-      version: true ? "10.34.2" : "0.0.0"
+      version: true ? "10.34.3" : "0.0.0"
     };
     var pkgJson;
     if (require.main == null) {
@@ -4876,9 +4876,9 @@ var require_config_chain = __commonJS({
   }
 });
 
-// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/envKeyToSetting.js
+// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/envKeyToSetting.js
 var require_envKeyToSetting = __commonJS({
-  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/envKeyToSetting.js"(exports2, module2) {
+  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/envKeyToSetting.js"(exports2, module2) {
     module2.exports = function(x) {
       const colonIndex = x.indexOf(":");
       if (colonIndex === -1) {
@@ -4948,9 +4948,9 @@ var require_dist2 = __commonJS({
   }
 });
 
-// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/util.js
+// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/util.js
 var require_util = __commonJS({
-  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/util.js"(exports2) {
+  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/util.js"(exports2) {
     "use strict";
     var fs = require("fs");
     var path2 = require("path");
@@ -5058,9 +5058,9 @@ var require_util = __commonJS({
   }
 });
 
-// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/types.js
+// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/types.js
 var require_types = __commonJS({
-  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/types.js"(exports2) {
+  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/types.js"(exports2) {
     "use strict";
     var path2 = require("path");
     var Stream = require("stream").Stream;
@@ -5197,9 +5197,9 @@ var require_types = __commonJS({
   }
 });
 
-// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/conf.js
+// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/conf.js
 var require_conf = __commonJS({
-  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/conf.js"(exports2, module2) {
+  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/conf.js"(exports2, module2) {
     "use strict";
     var { readCAFileSync } = require_dist();
     var fs = require("fs");
@@ -5357,9 +5357,9 @@ var require_conf = __commonJS({
   }
 });
 
-// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/defaults.js
+// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/defaults.js
 var require_defaults = __commonJS({
-  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/lib/defaults.js"(exports2) {
+  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/lib/defaults.js"(exports2) {
     "use strict";
     var os = require("os");
     var path2 = require("path");
@@ -5525,9 +5525,9 @@ var require_defaults = __commonJS({
   }
 });
 
-// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/index.js
+// ../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/index.js
 var require_npm_conf = __commonJS({
-  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.2/node_modules/@pnpm/npm-conf/index.js"(exports2, module2) {
+  "../node_modules/.pnpm/@pnpm+npm-conf@3.0.3/node_modules/@pnpm/npm-conf/index.js"(exports2, module2) {
     "use strict";
     var path2 = require("path");
     var Conf = require_conf();
@@ -5551,8 +5551,16 @@ var require_npm_conf = __commonJS({
       }
       conf.addEnv();
       conf.loadPrefix();
+      const trustedUserconfig = conf.get("userconfig");
+      const trustedPrefix = conf.get("prefix");
+      if (trustedPrefix) {
+        const etc = path2.resolve(trustedPrefix, "etc");
+        conf.root.globalconfig = path2.resolve(etc, "npmrc");
+        conf.root.globalignorefile = path2.resolve(etc, "npmignore");
+      }
+      const trustedGlobalconfig = conf.get("globalconfig");
       const projectConf = path2.resolve(conf.localPrefix, ".npmrc");
-      const userConf = conf.get("userconfig");
+      const userConf = trustedUserconfig;
       if (!conf.get("global") && projectConf !== userConf) {
         warnings.push(conf.addFile(projectConf, "project"));
       } else {
@@ -5562,13 +5570,8 @@ var require_npm_conf = __commonJS({
         const workspaceConf = path2.resolve(conf.get("workspace-prefix"), ".npmrc");
         warnings.push(conf.addFile(workspaceConf, "workspace"));
       }
-      warnings.push(conf.addFile(conf.get("userconfig"), "user"));
-      if (conf.get("prefix")) {
-        const etc = path2.resolve(conf.get("prefix"), "etc");
-        conf.root.globalconfig = path2.resolve(etc, "npmrc");
-        conf.root.globalignorefile = path2.resolve(etc, "npmignore");
-      }
-      warnings.push(conf.addFile(conf.get("globalconfig"), "global"));
+      warnings.push(conf.addFile(trustedUserconfig, "user"));
+      warnings.push(conf.addFile(trustedGlobalconfig, "global"));
       conf.loadUser();
       const caFile = conf.get("cafile");
       if (caFile) {
@@ -16931,11 +16934,15 @@ var require_dropUntrustedEnvExpansions = __commonJS({
     function hasEnvPlaceholder(value) {
       return /\$\{[^}]+\}/.test(value);
     }
+    var DOCS_URL = "https://pnpm.io/npmrc";
+    function configSetExample(key) {
+      return hasEnvPlaceholder(key) ? "" : ` (for example, run: pnpm config set "${key}" <value>)`;
+    }
     function warnIgnoredRequestDestinationEnv(filePath, key, warnings) {
-      warnings.push(`Ignored project-level request destination "${key}" in "${filePath}": environment variables are not expanded in repository-controlled registry or proxy URLs.`);
+      warnings.push(`Ignored project-level request destination "${key}" in "${filePath}": environment variables are not expanded in registry or proxy URLs that come from a project .npmrc, because that file is committed to the repository and a malicious value could redirect requests or leak secrets. Move this setting to a trusted source that pnpm still expands \u2014 put it in your user-level ~/.npmrc, or set it with pnpm config set${configSetExample(key)}. If the value is not secret, you can also write it literally in the project .npmrc. See ${DOCS_URL}`);
     }
     function warnIgnoredAuthValueEnv(filePath, key, warnings) {
-      warnings.push(`Ignored project-level auth setting "${key}" in "${filePath}": environment variables are not expanded in repository-controlled registry credentials.`);
+      warnings.push(`Ignored project-level auth setting "${key}" in "${filePath}": environment variables are not expanded in registry credentials that come from a project .npmrc, because that file is committed to the repository and could leak the secret to an attacker-controlled registry. Move this credential to a trusted source that pnpm still expands \u2014 put the line in your user-level ~/.npmrc, or set it with pnpm config set${configSetExample(key)}. See ${DOCS_URL}`);
     }
   }
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pnpm",
-  "version": "10.34.2",
+  "version": "10.34.3",
   "description": "Fast, disk space efficient package manager",
   "keywords": [
     "pnpm",