pnpm-10.22.0-bp160.1.1

- update to 10.22.0:
  * Minor Changes
  - Added support for trustPolicyExclude #10164.
    You can now list one or more specific packages or versions
    that pnpm should allow to install, even if those packages
    don't satisfy the trust policy requirement. For example:
    trustPolicy: no-downgrade
    trustPolicyExclude:
  - chokidar@4.0.3
  - webpack@4.47.0 || 5.102.1
  - Allow to override the engines field on publish by the
    publishConfig.engines field.
  * Patch Changes
  - Don't crash when two processes of pnpm are hardlinking the
    contents of a directory to the same destination
    simultaneously #10179.

- update to 10.21.0:
  * Minor Changes
  - Node.js Runtime Installation for Dependencies. Added support
    for automatic Node.js runtime installation for dependencies.
    pnpm will now install the Node.js version required by a
    dependency if that dependency declares a Node.js runtime in
    the "engines" field. For example:
    {
    "engines": {
    "runtime": {
    "name": "node",
    "version": "^24.11.0",
    "onFail": "download"
    }
    }
    }
    If the package with the Node.js runtime dependency is a CLI
    app, pnpm will bind the CLI app to the required Node.js
    version. This ensures that, regardless of the globally
    installed Node.js instance, the CLI will use the compatible
    version of Node.js.
    If the package has a postinstall script, that script will be
    executed using the specified Node.js version.
    Related PR: #10141
  - Added a new setting: trustPolicy.
    When set to no-downgrade, pnpm will fail installation if a
    package’s trust level has decreased compared to previous
    releases — for example, if it was previously published by a
    trusted publisher but now only has provenance or no trust
    evidence.
    This helps prevent installing potentially compromised
    versions of a package.
    Related issue: #8889.
  - Added support for pnpm config get globalconfig to retrieve
    the global config file path #9977.
  * Patch Changes
  - When a user runs pnpm update on a dependency that is not
    directly listed in package.json, none of the direct
    dependencies should be updated #10155.
  - Don't crash when two processes of pnpm are hardlinking the
    contents of a directory to the same destination
    simultaneously #10160.
  - Setting gitBranchLockfile and related settings via
    pnpm-workspace.yaml should work #9651.

- update to 10.20.0:
  * Minor Changes
  - Support --all option in pnpm --help to list all commands
    [#8628].
  * Patch Changes
  - When the latest version doesn't satisfy the maturity
    requirement configured by minimumReleaseAge, pick the highest
    version that is mature enough, even if it has a different
    major version #10100.
  - create command should not verify patch info.
  - Set managePackageManagerVersions to false, when switching to
    a different version of pnpm CLI, in order to avoid subsequent
    switches #10063.
- update to 10.19.0:
  * Minor Changes
  - You can now allow specific versions of dependencies to run
    postinstall scripts. onlyBuiltDependencies now accepts
    package names with lists of trusted versions. For example:
    Related PR: #10104.
    onlyBuiltDependencies:
  - nx@21.6.4 || 21.6.5
  - esbuild@0.25.1
  - Added support for exact versions in minimumReleaseAgeExclude
    [#9985].
    You can now list one or more specific versions that pnpm
    should allow to install, even if those versions don’t satisfy
    the maturity requirement set by minimumReleaseAge. For
    example:
    minimumReleaseAge: 1440
    minimumReleaseAgeExclude:
  - nx@21.6.5
  - webpack@4.47.0 || 5.102.1
- update to 10.18.3:
  * Patch Changes
  - Fix a bug where pnpm would infinitely recurse when using
    verifyDepsBeforeInstall: install and pre/post install scripts
    that called other pnpm scripts #10060.
  - Fixed scoped registry keys (e.g., @scope:registry) being
    parsed as property paths in pnpm config get when
  - -location=project is used #9362.
  - Remove pnpm-specific CLI options before passing to npm
    publish to prevent "Unknown cli config" warnings #9646.
  - Fixed EISDIR error when bin field points to a directory
    [#9441].
  - Preserve version and hasBin for variations packages #10022.
  - Fixed pnpm config set --location=project incorrectly handling
    keys with slashes (auth tokens, registry settings) #9884.
  - When both pnpm-workspace.yaml and .npmrc exist, pnpm config
    set --location=project now writes to pnpm-workspace.yaml
    (matching read priority) #10072.
  - Prevent a table width error in pnpm outdated --long #10040.
  - Sync bin links after injected dependencies are updated by
    build scripts. This ensures that binaries created during
    build processes are properly linked and accessible to
    consuming projects #10057.
- update to 10.18.2:
  * Patch Changes
  - pnpm outdated --long should work #10040.
  - Replace ndjson with split2. Reduce the bundle size of pnpm
    CLI #10054.
  - pnpm dlx should request the full metadata of packages, when
    minimumReleaseAge is set #9963.
  - pnpm version switching should work when the pnpm home
    directory is in a symlinked directory #9715.
  - Fix EPIPE errors when piping output to other commands #10027.
- update to 10.18.1:
  * Patch Changes
  - Don't print a warning, when --lockfile-only is used #8320.
  - pnpm setup creates a command shim to the pnpm executable.
    This is needed to be able to run pnpm self-update on Windows
    [#5700].
  - When using pnpm catalogs and running a normal pnpm install,
    pnpm produced false positive warnings for "skip adding to the
    default catalog because it already exists". This warning now
    only prints when using pnpm add --save-catalog as originally
    intended.
- update to 10.18.0:
  * Minor Changes
  - Added network performance monitoring to pnpm by implementing
    warnings for slow network requests, including both metadata
    fetches and tarball downloads.
    Added configuration options for warning thresholds:
    fetchWarnTimeoutMs and fetchMinSpeedKiBps.
    Warning messages are displayed when requests exceed time
    thresholds or fall below speed minimums
    Related PR: #10025.
  * Patch Changes
  - Retry filesystem operations on EAGAIN errors #9959.
  - Outdated command respects minimumReleaseAge configuration
    [#10030].
  - Correctly apply the cleanupUnusedCatalogs configuration when
    removing dependent packages.
  - Don't fail with a meaningless error when scriptShell is set
    to false #8748.
  - pnpm dlx should not fail when minimumReleaseAge is set
    [#10037].

- update to 10.17.1:
  * Patch Changes
  - When a version specifier cannot be resolved because the versions
    don't satisfy the minimumReleaseAge setting, print this
    information out in the error message #9974.
  - Fix state.json creation path when executing pnpm patch in a
    workspace project #9733.
  - When minimumReleaseAge is set and the latest tag is not mature
    enough, prefer a non-deprecated version as the new latest #9987.

- update to 10.17:
  * Minor Changes
  - The minimumReleaseAgeExclude setting now supports patterns.
    For instance:
    minimumReleaseAge: 1440
    minimumReleaseAgeExclude:
  - "@eslint/*"
  * Patch Changes
  - Don't ignore the minimumReleaseAge check, when the package is
    requested by exact version and the packument is loaded from
    cache #9978.
  - When minimumReleaseAge is set and the active version under a
    dist-tag is not mature enough, do not downgrade to a
    prerelease version in case the original version wasn't a
    prerelease one #9979.
- update to 10.16.1:
  * Patch Changes
  - The full metadata cache should be stored not at the same
    location as the abbreviated metadata. This fixes a bug where
    pnpm was loading the abbreviated metadata from cache and
    couldn't find the "time" field as a result #9963.
  - Forcibly disable ANSI color codes when generating patch diff
    [#9914].
- update to 10.16:
  * Minor Changes
  - There have been several incidents recently where popular
    packages were successfully attacked. To reduce the risk of
    installing a compromised version, we are introducing a new
    setting that delays the installation of newly released
    dependencies. In most cases, such attacks are discovered
    quickly and the malicious versions are removed from the
    registry within an hour.
  - The new setting is called minimumReleaseAge. It specifies the
    number of minutes that must pass after a version is published
    before pnpm will install it. For example, setting
    minimumReleaseAge: 1440 ensures that only packages released
    at least one day ago can be installed.
  - If you set minimumReleaseAge but need to disable this
    restriction for certain dependencies, you can list them under
    the minimumReleaseAgeExclude setting. For instance, with the
    following configuration pnpm will always install the latest
    version of webpack, regardless of its release time:
    minimumReleaseAgeExclude:
  - webpack
  - Added support for finders #9946.
    In the past, pnpm list and pnpm why could only search for
    dependencies by name (and optionally version). For example:
    pnpm why minimist
    prints the chain of dependencies to any installed instance of
    minimist:
    verdaccio 5.20.1
    ├─┬ handlebars 4.7.7
    │ └── minimist 1.2.8
    └─┬ mv 2.1.1
    └─┬ mkdirp 0.5.6
    └── minimist 1.2.8
    What if we want to search by other properties of a
    dependency, not just its name? For instance, find all
    packages that have react@17 in their peer dependencies?
    This is now possible with "finder functions". Finder
    functions can be declared in .pnpmfile.cjs and invoked with
    the --find-by=<function name> flag when running pnpm list or
    pnpm why.
    Let's say we want to find any dependencies that have React 17
    in peer dependencies. We can add this finder to our
    .pnpmfile.cjs:
    module.exports = {
    finders: {
    react17: (ctx) => {
    return ctx.readManifest().peerDependencies?.react === "^17.0.0";
    },
    },
    };
    Now we can use this finder function by running:
    pnpm why --find-by=react17
    pnpm will find all dependencies that have this React in peer
    dependencies and print their exact locations in the
    dependency graph.
    @apollo/client 4.0.4
    ├── @graphql-typed-document-node/core 3.2.0
    └── graphql-tag 2.12.6
    It is also possible to print out some additional information
    in the output by returning a string from the finder. For
    example, with the following finder:
    module.exports = {
    finders: {
    react17: (ctx) => {
    const manifest = ctx.readManifest();
    if (manifest.peerDependencies?.react === "^17.0.0") {
    return `license: ${manifest.license}`;
    }
    return false;
    },
    },
    };
    Every matched package will also print out the license from
    its package.json:
    @apollo/client 4.0.4
    ├── @graphql-typed-document-node/core 3.2.0
    │   license: MIT
    └── graphql-tag 2.12.6
    license: MIT
  * Patch Changes
  - Fix deprecation warning printed when executing pnpm with
    Node.js 24 #9529.
  - Throw an error if nodeVersion is not set to an exact semver
    version #9934.
  - pnpm publish should be able to publish a .tar.gz file #9927.
  - Canceling a running process with Ctrl-C should make pnpm run
    return a non-zero exit code #9626.
- update to 10.15.1:
  * Patch Changes
  - Fix .pnp.cjs crash when importing subpath #9904.
  - When resolving peer dependencies, pnpm looks whether the peer
    dependency is present in the root workspace project's
    dependencies. This change makes it so that the peer
    dependency is correctly resolved even from aliased npm-hosted
    dependencies or other types of dependencies #9913.

- update to 10.15.0:
  * Minor Changes
  - Added the cleanupUnusedCatalogs configuration. When set to
    true, pnpm will remove unused catalog entries during
    installation #9793.
  - Automatically load pnpmfiles from config dependencies that
    are named @*/pnpm-plugin-* #9780.
  - pnpm config get now prints an INI string for an object value
    [#9797].
  - pnpm config get now accepts property paths (e.g. pnpm config
    get catalog.react, pnpm config get .catalog.react, pnpm
    config get
    'packageExtensions["@babel/parser"].peerDependencies["@babel/types"]'),
    and pnpm config set now accepts dot-leading or subscripted
    keys (e.g. pnpm config set .ignoreScripts true).
  - pnpm config get --json now prints a JSON serialization of
    config value, and pnpm config set --json now parses the input
    value as JSON.
  * Patch Changes
  - Semi-breaking. When automatically installing missing peer
    dependencies, prefer versions that are already present in the
    direct dependencies of the root workspace package #9835.
  - When executing the pnpm create command, must verify whether
    the node version is supported even if a cache already exists
    [#9775].
  - When making requests for the non-abbreviated packument, add
  * /* to the Accept header to avoid getting a 406 error on AWS
    CodeArtifact #9862.
  - The standalone exe version of pnpm works with glibc 2.26
    again #9734.
  - Fix a regression in which pnpm dlx pkg --help doesn't pass
  - -help to pkg #9823.

- update to 10.14.0:
  * Minor Changes
  - Added support for JavaScript runtime installation
    (Related PR: #9755.)
    Declare Node.js, Deno, or Bun in devEngines.runtime (inside
    package.json) and let pnpm download and pin it automatically.
    Usage example:
    {
    "devEngines": {
    "runtime": {
    "name": "node",
    "version": "^24.4.0",
    "onFail": "download" // we only support the "download" value for now
    }
    }
    }
    How it works:
  - pnpm install resolves your specified range to the latest
    matching runtime version.
  - The exact version (and checksum) is saved in the lockfile.
  - Scripts use the local runtime, ensuring consistency across
    environments.
    Why this is better:
  - This new setting supports also Deno and Bun (vs. our
    Node-only settings useNodeVersion and
    executionEnv.nodeVersion)
  - Supports version ranges (not just a fixed version).
  - The resolved version is stored in the pnpm lockfile, along
    with an integrity checksum for future validation of the
    Node.js content's validity.
  - It can be used on any workspace project (like
    executionEnv.nodeVersion). So, different projects in a
    workspace can use different runtimes.
  - For now devEngines.runtime setting will install the runtime
    locally, which we will improve in future versions of pnpm
    by using a shared location on the computer.
  - Add --cpu, --libc, and --os to pnpm install, pnpm add, and
    pnpm dlx to customize supportedArchitectures via the CLI
    [#7510].
  * Patch Changes
  - Fix a bug in which pnpm add downloads packages whose libc
    differ from pnpm.supportedArchitectures.libc.
  - The integrities of the downloaded Node.js artifacts are
    verified #9750.
  - Allow dlx to parse CLI flags and options between the dlx
    command and the command to run or between the dlx command and
  - - #9719.
  - pnpm install --prod should removing hoisted dev dependencies
    [#9782].
  - Fix an edge case bug causing local tarballs to not re-link
    into the virtual store. This bug would happen when changing
    the contents of the tarball without renaming the file and
    running a filtered install.
  - Fix a bug causing pnpm install to incorrectly assume the
    lockfile is up to date after changing a local tarball that
    has peers dependencies.

- update to 10.13.1:
  * Patch Changes
  - Run user defined pnpmfiles after pnpmfiles of plugins.
- update to 10.13.0:
  * Minor Changes
  - Added the possibility to load multiple pnpmfiles. The pnpmfile
    setting can now accept a list of pnpmfile locations #9702.
  - pnpm will now automatically load the pnpmfile.cjs file from any
    config dependency named @pnpm/plugin-* or pnpm-plugin-* #9729.
  - The order in which config dependencies are initialized should
    not matter — they are initialized in alphabetical order. If a
    specific order is needed, the paths to the pnpmfile.cjs files in
    the config dependencies can be explicitly listed using the
    pnpmfile setting in pnpm-workspace.yaml.
  * Patch Changes
  - When patching dependencies installed via pkg.pr.new, treat them
    as Git tarball URLs #9694.
  - Prevent conflicts between local projects' config and the global
    config in dangerouslyAllowAllBuilds, onlyBuiltDependencies,
    onlyBuiltDependenciesFile, and neverBuiltDependencies #9628.
  - Sort keys in pnpm-workspace.yaml with deep #9701.
  - The pnpm rebuild command should not add pkgs included in
    ignoredBuiltDependencies to ignoredBuilds in
    node_modules/.modules.yaml #9338.
  - Replaced shell-quote with shlex for quoting command arguments
    [#9381].

- update to 10.12.4:
  * Patch Changes
  - Fix pnpm licenses command for local dependencies #9583.
  - Fix a bug in which pnpm ls --filter=not-exist --json prints
    nothing instead of an empty array #9672.
  - Fix a deadlock that sometimes happens during peer dependency
    resolution #9673.
  - Running pnpm install after pnpm fetch should hoist all
    dependencies that need to be hoisted.
  - Fixes a regression introduced in v10.12.2 by #9648; resolves
    [#9689].

- update to 10.12.3:
  * Patch Changes
  - Restore hoisting of optional peer dependencies when installing
    with an outdated lockfile.  Regression introduced in v10.12.2 by
    [#9648]; resolves #9685.