* Tue Oct 08 2024 Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.12.1:
* pnpm update --latest should not update the automatically
installed peer dependencies #6657
* pnpm publish should be able to publish from a local tarball #7950
* Prevent EBUSY errors caused by creating symlinks in parallel
dlx processes #8604
* Fix maximum call stack size exceeded error related to
circular workspace dependencies #8599
* Fri Oct 04 2024 Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.12.0:
* Fix peer dependency resolution dead lock #8570. This change
might change some of the keys in the snapshots field inside
pnpm-lock.yaml but it should happen very rarely.
* pnpm outdated command now supports a --sort-by=name option
for sorting outdated dependencies by package name #8523
* Added the ability for overrides to remove dependencies by
specifying "-" as the field value #8572
* Fixed an issue where pnpm list --json pkg showed "private":
false for a private package #8519
* Packages with libc that differ from
pnpm.supportedArchitectures.libc are not downloaded #7362
* Prevent ENOENT errors caused by running store prune in parallel #8586
* Add issues alias to pnpm bugs #8596
* Sat Sep 21 2024 Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.11.0:
* Experimental: added pnpm cache commands for inspecting the
metadata cache #8512
* Fix a regression in which pnpm deploy with node-linker=hoisted
produces an empty node_modules directory #6682
* pnpm deploy should work in workspace with shared-workspace-lockfile=false #8475
* Don't print a warning when linking packages globally #4761
* Wed Sep 11 2024 Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.10.0:
* Support for a new CLI flag, --exclude-peers, added to the
list and why commands. When --exclude-peers is used, peer
dependencies are not printed in the results, but dependencies
of peer dependencies are still scanned #8506.
* Added a new setting to package.json at
pnpm.auditConfig.ignoreGhsas for ignoring vulnerabilities by
their GHSA code #6838.
* Throw an exception if pnpm switches to the same version of itself.
* Reduce memory usage during peer dependencies resolution.
* Mon Sep 02 2024 Virinas-code <Virinas-code@opensuse.org>
- update to version 9.9.0:
* https://github.com/pnpm/pnpm/compare/v9.8.0...v9.9.0
* Minor breaking change. We had to optimize how we resolve peer
dependencies in order to fix some infinite loops and
out-of-memory errors during peer dependencies resolution.
* pnpm deploy should write the node_modules/.modules.yaml to the
node_modules directory within the deploy directory #7731
* Don't override a symlink in node_modules if it already points
to the right location pnpm/symlink-dir#54
- changes from 9.8.0:
* https://github.com/pnpm/pnpm/compare/v9.7.1...v9.8.0
* Added a new command for upgrading pnpm itself when it isn't
managed by Corepack: pnpm self-update. This command will work,
when pnpm was installed via the standalone script from the pnpm
installation page #8424
* CLI tools installed in the root of the workspace should be
added to the PATH, when running scripts and use-node-version is
set
* pnpm setup should never switch to another version of pnpm
* Ignore non-string value in the os, cpu, libc fields, when
checking optional dependencies #8431
* Remember the state of edit dir, allow running pnpm patch-commit
the second time without having to re-run pnpm patch
- changes from 9.7.1:
* https://github.com/pnpm/pnpm/compare/v9.7.0...v9.7.1
* Fixed passing public-hoist-pattern and hoist-pattern via env
variables #8339
* pnpm setup no longer creates Batch/Powershell scripts on Linux
and macOS #8418
* When dlx uses cache, use the real directory path not the
symlink to the cache #8421
* pnpm exec now supports executionEnv #8356
* Remove warnings for non-root pnpm field, add warnings for
non-root pnpm subfields that aren't executionEnv #8143
* Replace semver in "peerDependency" with workspace protocol
[#8355]
* Fix a bug in patch-commit in which relative path is rejected
[#8405]
* Update Node.js in @pnpm/exe to v20
- changes from 9.7.0:
* https://github.com/pnpm/pnpm/compare/v9.6.0...v9.7.0
* Added pnpm version management. If the
manage-package-manager-versions setting is set to true, pnpm
will switch to the version specified in the packageManager
field of package.json #8363
* Added the ability to apply patch to all versions #8337
* Change the default edit dir location when running pnpm patch
from a temporary directory to
node_modules/.pnpm_patches/pkg[@version] to allow the code
editor to open the edit dir in the same file tree as the main
project #8379.
* Substitute environment variables in config keys #6679
* pnpm install should run node-gyp rebuild if the project has a
binding.gyp file even if the project doesn't have an install
script #8293
* Print warnings to stderr #8342
* Peer dependencies of optional peer dependencies should be
automatically installed #8323
* Thu Jul 25 2024 Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.6.0:
* Support specifying node version (via pnpm.executionEnv.nodeVersion
in package.json) for running lifecycle scripts per each package
in a workspace #6720
* Overrides now support the catalogs: protocol #8303
* The pnpm deploy command now supports the catalog: protocol #8298
* The pnpm outdated command now supports the catalog: protocol #8304
* Correct the error message when trying to run pnpm patch
without node_modules/.modules.yaml #8257
* Silent reporting fixed with the pnpm exec command #7608
* Add registries information to the calculation of dlx cache hash #8299
* Tue Jul 09 2024 Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.5.0:
* Added support for catalogs #8122
* Read authentication information from .npmrc in the current
directory when running dlx #7996
* Updated @pnpm/tabtab to v0.5.4, enabling zsh autocomplete
lazy loading #8236
* Installation with filtering will now work, when
dedupe-peer-dependents is set to true #6300
* Fixed dlx not actually using the Node.js version specified by
--use-node-version.
* Sat Jul 06 2024 Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.4.0:
* Some registries allow the exact same content to be published
under different package names and/or versions. This breaks
the validity checks of packages in the store. To avoid errors
when verifying the names and versions of such packages in the
store, you may now set the strict-store-pkg-content-check
setting to false #4724
* Fix package-manager-strict-version missing in config #8195
* If install is performed on a subset of workspace projects,
always create an up-to-date lockfile first. So, a partial
install can be performed only on a fully resolved (non-partial)
lockfile #8165
* Handle workspace protocol with any semver range specifier,
when used in peer dependencies #7578
* Fri Jun 14 2024 Avindra Goolcharan <avindra@opensuse.org>
- update to version 9.3.0:
* Semi-breaking. Dependency key names in the lockfile are
shortened if they are longer than 1000 characters. We don't
expect this change to affect many users. Affected users most
probably can't run install successfully at the moment. This
change is required to fix some edge cases in which installation
fails with an out-of-memory error or "Invalid string length
(RangeError: Invalid string length)" error. The max allowed
length of the dependency key can be controlled with the
peers-suffix-max-length setting #8177.
* Set reporter-hide-prefix to true by default for pnpm exec. In
order to show prefix, the user now has to explicitly set
reporter-hide-prefix=false #8174.
- changes from 9.2.0:
* If package-manager-strict-version is set to true, pnpm will
fail if its version doesn't exactly match the version in the
"packageManager" field of package.json.
* Update @yarnpkg/pnp to the latest version, fixing issue with
node: imports #8161.
* Deduplicate bin names to prevent race condition and corrupted
bin scripts #7833.
* pnpm doesn't fail if its version doesn't match the one
specified in the "packageManager" field of package.json #8087.
* exec now also streams prefixed output when --recursive or
--parallel is specified just as run does #8065.
- changes from 9.1.4:
* Improved the performance of the resolution stage by changing
how missing peer dependencies are detected #8144.
- changes from 9.1.3:
* Fix a bug in which a dependency that is both optional for one
package but non-optional for another is omitted when optional=false #8066.
* Clear resolution cache before starting peer dependencies resolution #8109.
* Reduce memory usage by peer dependencies resolution #8072.
* Tue May 21 2024 draskmont@protonmail.com
- update to version 9.1.2
- require nodejs >= 18
Version: 10.22.0-bp160.1.1
* Tue Nov 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.22.0:
* Minor Changes
- Added support for trustPolicyExclude #10164.
You can now list one or more specific packages or versions
that pnpm should allow to install, even if those packages
don't satisfy the trust policy requirement. For example:
trustPolicy: no-downgrade
trustPolicyExclude:
  - chokidar@4.0.3
  - webpack@4.47.0 || 5.102.1
- Allow to override the engines field on publish by the
publishConfig.engines field.
* Patch Changes
- Don't crash when two processes of pnpm are hardlinking the
contents of a directory to the same destination
simultaneously #10179.
* Tue Nov 18 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.21.0:
* Minor Changes
- Node.js Runtime Installation for Dependencies. Added support
for automatic Node.js runtime installation for dependencies.
pnpm will now install the Node.js version required by a
dependency if that dependency declares a Node.js runtime in
the "engines" field. For example:
{
  "engines": {
    "runtime": {
      "name": "node",
      "version": "^24.11.0",
      "onFail": "download"
    }
  }
}
If the package with the Node.js runtime dependency is a CLI
app, pnpm will bind the CLI app to the required Node.js
version. This ensures that, regardless of the globally
installed Node.js instance, the CLI will use the compatible
version of Node.js.
If the package has a postinstall script, that script will be
executed using the specified Node.js version.
Related PR: #10141
- Added a new setting: trustPolicy.
When set to no-downgrade, pnpm will fail installation if a
package’s trust level has decreased compared to previous
releases — for example, if it was previously published by a
trusted publisher but now only has provenance or no trust
evidence.
This helps prevent installing potentially compromised
versions of a package.
Related issue: #8889.
- Added support for pnpm config get globalconfig to retrieve
the global config file path #9977.
* Patch Changes
- When a user runs pnpm update on a dependency that is not
directly listed in package.json, none of the direct
dependencies should be updated #10155.
- Don't crash when two processes of pnpm are hardlinking the
contents of a directory to the same destination
simultaneously #10160.
- Setting gitBranchLockfile and related settings via
pnpm-workspace.yaml should work #9651.
* Sat Nov 01 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.20.0:
* Minor Changes
- Support --all option in pnpm --help to list all commands
[#8628].
* Patch Changes
- When the latest version doesn't satisfy the maturity
requirement configured by minimumReleaseAge, pick the highest
version that is mature enough, even if it has a different
major version #10100.
- create command should not verify patch info.
- Set managePackageManagerVersions to false, when switching to
a different version of pnpm CLI, in order to avoid subsequent
switches #10063.
- update to 10.19.0:
* Minor Changes
- You can now allow specific versions of dependencies to run
postinstall scripts. onlyBuiltDependencies now accepts
package names with lists of trusted versions. For example:
onlyBuiltDependencies:
  - nx@21.6.4 || 21.6.5
  - esbuild@0.25.1
Related PR: #10104.
- Added support for exact versions in minimumReleaseAgeExclude
[#9985].
You can now list one or more specific versions that pnpm
should allow to install, even if those versions don’t satisfy
the maturity requirement set by minimumReleaseAge. For
example:
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
  - nx@21.6.5
  - webpack@4.47.0 || 5.102.1
- update to 10.18.3:
* Patch Changes
- Fix a bug where pnpm would infinitely recurse when using
verifyDepsBeforeInstall: install and pre/post install scripts
that called other pnpm scripts #10060.
- Fixed scoped registry keys (e.g., @scope:registry) being
parsed as property paths in pnpm config get when
--location=project is used #9362.
- Remove pnpm-specific CLI options before passing to npm
publish to prevent "Unknown cli config" warnings #9646.
- Fixed EISDIR error when bin field points to a directory
[#9441].
- Preserve version and hasBin for variations packages #10022.
- Fixed pnpm config set --location=project incorrectly handling
keys with slashes (auth tokens, registry settings) #9884.
- When both pnpm-workspace.yaml and .npmrc exist, pnpm config
set --location=project now writes to pnpm-workspace.yaml
(matching read priority) #10072.
- Prevent a table width error in pnpm outdated --long #10040.
- Sync bin links after injected dependencies are updated by
build scripts. This ensures that binaries created during
build processes are properly linked and accessible to
consuming projects #10057.
- update to 10.18.2:
* Patch Changes
- pnpm outdated --long should work #10040.
- Replace ndjson with split2. Reduce the bundle size of pnpm
CLI #10054.
- pnpm dlx should request the full metadata of packages, when
minimumReleaseAge is set #9963.
- pnpm version switching should work when the pnpm home
directory is in a symlinked directory #9715.
- Fix EPIPE errors when piping output to other commands #10027.
- update to 10.18.1:
* Patch Changes
- Don't print a warning, when --lockfile-only is used #8320.
- pnpm setup creates a command shim to the pnpm executable.
This is needed to be able to run pnpm self-update on Windows
[#5700].
- When using pnpm catalogs and running a normal pnpm install,
pnpm produced false positive warnings for "skip adding to the
default catalog because it already exists". This warning now
only prints when using pnpm add --save-catalog as originally
intended.
- update to 10.18.0:
* Minor Changes
- Added network performance monitoring to pnpm by implementing
warnings for slow network requests, including both metadata
fetches and tarball downloads.
Added configuration options for warning thresholds:
fetchWarnTimeoutMs and fetchMinSpeedKiBps.
Warning messages are displayed when requests exceed time
thresholds or fall below speed minimums
Related PR: #10025.
* Patch Changes
- Retry filesystem operations on EAGAIN errors #9959.
- Outdated command respects minimumReleaseAge configuration
[#10030].
- Correctly apply the cleanupUnusedCatalogs configuration when
removing dependent packages.
- Don't fail with a meaningless error when scriptShell is set
to false #8748.
- pnpm dlx should not fail when minimumReleaseAge is set
[#10037].
* Tue Sep 23 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.17.1:
* Patch Changes
- When a version specifier cannot be resolved because the versions
don't satisfy the minimumReleaseAge setting, print this
information out in the error message #9974.
- Fix state.json creation path when executing pnpm patch in a
workspace project #9733.
- When minimumReleaseAge is set and the latest tag is not mature
enough, prefer a non-deprecated version as the new latest #9987.
* Fri Sep 19 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.17:
* Minor Changes
- The minimumReleaseAgeExclude setting now supports patterns.
For instance:
minimumReleaseAge: 1440
minimumReleaseAgeExclude:
  - "@eslint/*"
* Patch Changes
- Don't ignore the minimumReleaseAge check, when the package is
requested by exact version and the packument is loaded from
cache #9978.
- When minimumReleaseAge is set and the active version under a
dist-tag is not mature enough, do not downgrade to a
prerelease version in case the original version wasn't a
prerelease one #9979.
- update to 10.16.1:
* Patch Changes
- The full metadata cache should not be stored at the same
location as the abbreviated metadata. This fixes a bug where
pnpm was loading the abbreviated metadata from cache and
couldn't find the "time" field as a result #9963.
- Forcibly disable ANSI color codes when generating patch diff
[#9914].
- update to 10.16:
* Minor Changes
- There have been several incidents recently where popular
packages were successfully attacked. To reduce the risk of
installing a compromised version, we are introducing a new
setting that delays the installation of newly released
dependencies. In most cases, such attacks are discovered
quickly and the malicious versions are removed from the
registry within an hour.
- The new setting is called minimumReleaseAge. It specifies the
number of minutes that must pass after a version is published
before pnpm will install it. For example, setting
minimumReleaseAge: 1440 ensures that only packages released
at least one day ago can be installed.
- If you set minimumReleaseAge but need to disable this
restriction for certain dependencies, you can list them under
the minimumReleaseAgeExclude setting. For instance, with the
following configuration pnpm will always install the latest
version of webpack, regardless of its release time:
minimumReleaseAgeExclude:
  - webpack
- Added support for finders #9946.
In the past, pnpm list and pnpm why could only search for
dependencies by name (and optionally version). For example:
pnpm why minimist
prints the chain of dependencies to any installed instance of
minimist:
verdaccio 5.20.1
├─┬ handlebars 4.7.7
│ └── minimist 1.2.8
└─┬ mv 2.1.1
  └─┬ mkdirp 0.5.6
    └── minimist 1.2.8
What if we want to search by other properties of a
dependency, not just its name? For instance, find all
packages that have react@17 in their peer dependencies?
This is now possible with "finder functions". Finder
functions can be declared in .pnpmfile.cjs and invoked with
the --find-by=<function name> flag when running pnpm list or
pnpm why.
Let's say we want to find any dependencies that have React 17
in peer dependencies. We can add this finder to our
.pnpmfile.cjs:
module.exports = {
  finders: {
    react17: (ctx) => {
      return ctx.readManifest().peerDependencies?.react === "^17.0.0";
    },
  },
};
Now we can use this finder function by running:
pnpm why --find-by=react17
pnpm will find all dependencies that have this React in peer
dependencies and print their exact locations in the
dependency graph.
@apollo/client 4.0.4
├── @graphql-typed-document-node/core 3.2.0
└── graphql-tag 2.12.6
It is also possible to print out some additional information
in the output by returning a string from the finder. For
example, with the following finder:
module.exports = {
  finders: {
    react17: (ctx) => {
      const manifest = ctx.readManifest();
      if (manifest.peerDependencies?.react === "^17.0.0") {
        return `license: ${manifest.license}`;
      }
      return false;
    },
  },
};
Every matched package will also print out the license from
its package.json:
@apollo/client 4.0.4
├── @graphql-typed-document-node/core 3.2.0
│ license: MIT
└── graphql-tag 2.12.6
  license: MIT
* Patch Changes
- Fix deprecation warning printed when executing pnpm with
Node.js 24 #9529.
- Throw an error if nodeVersion is not set to an exact semver
version #9934.
- pnpm publish should be able to publish a .tar.gz file #9927.
- Canceling a running process with Ctrl-C should make pnpm run
return a non-zero exit code #9626.
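The minimumReleaseAge and minimumReleaseAgeExclude behaviour described in the 10.16 to 10.20 notes above, modelled in JavaScript as an added example (not pnpm's own code). The helper names, the simplified version ordering and the sample packument are assumptions made for illustration.

```javascript
// Added example: a simplified model of the minimumReleaseAge check.
const MINUTE_MS = 60 * 1000;

// Constructed sample of a registry packument; "time" maps versions to publish dates.
const SAMPLE_PACKUMENT = {
  name: "example-pkg",
  "dist-tags": { latest: "2.0.1" },
  time: {
    created: "2025-09-01T10:00:00.000Z",
    modified: "2025-09-15T11:30:00.000Z",
    "1.9.0": "2025-09-01T10:00:00.000Z",
    "2.0.0": "2025-09-10T10:00:00.000Z",
    "2.0.1-rc.1": "2025-09-12T10:00:00.000Z",
    "2.0.1": "2025-09-15T11:30:00.000Z", // 30 minutes before SAMPLE_NOW
  },
};
const SAMPLE_NOW = Date.parse("2025-09-15T12:00:00.000Z");

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unsupported version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Simplified ordering: numeric triple first, then release above prerelease.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // plain string order, an assumption
}

const escapeRe = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");

// Entries may be a name ("webpack"), a pattern ("@eslint/*"),
// or a name with exact versions ("webpack@4.47.0 || 5.102.1").
function isExcluded(name, version, excludeList) {
  return excludeList.some((entry) => {
    const at = entry.lastIndexOf("@"); // index 0 is a scope marker, not a separator
    const pattern = at > 0 ? entry.slice(0, at) : entry;
    const versions = at > 0
      ? entry.slice(at + 1).split("||").map((s) => s.trim())
      : null;
    const re = new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$");
    return re.test(name) && (versions === null || versions.includes(version));
  });
}

// Returns the version to install, or null when nothing is old enough.
function pickVersion(packument, { minimumReleaseAge, minimumReleaseAgeExclude = [], now }) {
  const allowed = (v) =>
    isExcluded(packument.name, v, minimumReleaseAgeExclude) ||
    now - Date.parse(packument.time[v]) >= minimumReleaseAge * MINUTE_MS;

  const latest = packument["dist-tags"].latest;
  if (allowed(latest)) return latest;

  // Fall back to the highest older version that is mature enough; do not
  // fall back to a prerelease unless the tagged version was one itself.
  const latestIsPre = parseVersion(latest).pre !== null;
  const candidates = Object.keys(packument.time)
    .filter((v) => v !== "created" && v !== "modified")
    .filter((v) => compareVersions(v, latest) < 0 && allowed(v))
    .filter((v) => latestIsPre || parseVersion(v).pre === null)
    .sort(compareVersions);
  return candidates.length ? candidates[candidates.length - 1] : null;
}

console.log(pickVersion(SAMPLE_PACKUMENT, { minimumReleaseAge: 1440, now: SAMPLE_NOW }));
```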
- update to 10.15.1:
* Patch Changes
- Fix .pnp.cjs crash when importing subpath #9904.
- When resolving peer dependencies, pnpm looks whether the peer
dependency is present in the root workspace project's
dependencies. This change makes it so that the peer
dependency is correctly resolved even from aliased npm-hosted
dependencies or other types of dependencies #9913.
* Wed Aug 20 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.15.0:
* Minor Changes
- Added the cleanupUnusedCatalogs configuration. When set to
true, pnpm will remove unused catalog entries during
installation #9793.
- Automatically load pnpmfiles from config dependencies that
are named @*/pnpm-plugin-* #9780.
- pnpm config get now prints an INI string for an object value
[#9797].
- pnpm config get now accepts property paths (e.g. pnpm config
get catalog.react, pnpm config get .catalog.react, pnpm
config get
'packageExtensions["@babel/parser"].peerDependencies["@babel/types"]'),
and pnpm config set now accepts dot-leading or subscripted
keys (e.g. pnpm config set .ignoreScripts true).
- pnpm config get --json now prints a JSON serialization of
config value, and pnpm config set --json now parses the input
value as JSON.
* Patch Changes
- Semi-breaking. When automatically installing missing peer
dependencies, prefer versions that are already present in the
direct dependencies of the root workspace package #9835.
- When executing the pnpm create command, must verify whether
the node version is supported even if a cache already exists
[#9775].
- When making requests for the non-abbreviated packument, add
*/* to the Accept header to avoid getting a 406 error on AWS
CodeArtifact #9862.
- The standalone exe version of pnpm works with glibc 2.26
again #9734.
- Fix a regression in which pnpm dlx pkg --help doesn't pass
--help to pkg #9823.
* Fri Aug 01 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.14.0:
* Minor Changes
- Added support for JavaScript runtime installation
(Related PR: #9755.)
Declare Node.js, Deno, or Bun in devEngines.runtime (inside
package.json) and let pnpm download and pin it automatically.
Usage example:
{
  "devEngines": {
    "runtime": {
      "name": "node",
      "version": "^24.4.0",
      "onFail": "download" // we only support the "download" value for now
    }
  }
}
How it works:
- pnpm install resolves your specified range to the latest
matching runtime version.
- The exact version (and checksum) is saved in the lockfile.
- Scripts use the local runtime, ensuring consistency across
environments.
Why this is better:
- This new setting also supports Deno and Bun (vs. our
Node-only settings useNodeVersion and
executionEnv.nodeVersion)
- Supports version ranges (not just a fixed version).
- The resolved version is stored in the pnpm lockfile, along
with an integrity checksum for future validation of the
Node.js content's validity.
- It can be used on any workspace project (like
executionEnv.nodeVersion). So, different projects in a
workspace can use different runtimes.
- For now devEngines.runtime setting will install the runtime
locally, which we will improve in future versions of pnpm
by using a shared location on the computer.
- Add --cpu, --libc, and --os to pnpm install, pnpm add, and
pnpm dlx to customize supportedArchitectures via the CLI
[#7510].
* Patch Changes
- Fix a bug in which pnpm add downloads packages whose libc
differ from pnpm.supportedArchitectures.libc.
- The integrities of the downloaded Node.js artifacts are
verified #9750.
- Allow dlx to parse CLI flags and options between the dlx
command and the command to run or between the dlx command and
-- #9719.
- pnpm install --prod should remove hoisted dev dependencies
[#9782].
- Fix an edge case bug causing local tarballs to not re-link
into the virtual store. This bug would happen when changing
the contents of the tarball without renaming the file and
running a filtered install.
- Fix a bug causing pnpm install to incorrectly assume the
lockfile is up to date after changing a local tarball that
has peer dependencies.
* Wed Jul 09 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.13.1:
* Patch Changes
- Run user defined pnpmfiles after pnpmfiles of plugins.
- update to 10.13.0:
* Minor Changes
- Added the possibility to load multiple pnpmfiles. The pnpmfile
setting can now accept a list of pnpmfile locations #9702.
- pnpm will now automatically load the pnpmfile.cjs file from any
config dependency named @pnpm/plugin-* or pnpm-plugin-* #9729.
- The order in which config dependencies are initialized should
not matter — they are initialized in alphabetical order. If a
specific order is needed, the paths to the pnpmfile.cjs files in
the config dependencies can be explicitly listed using the
pnpmfile setting in pnpm-workspace.yaml.
* Patch Changes
- When patching dependencies installed via pkg.pr.new, treat them
as Git tarball URLs #9694.
- Prevent conflicts between local projects' config and the global
config in dangerouslyAllowAllBuilds, onlyBuiltDependencies,
onlyBuiltDependenciesFile, and neverBuiltDependencies #9628.
- Sort keys in pnpm-workspace.yaml with deep #9701.
- The pnpm rebuild command should not add pkgs included in
ignoredBuiltDependencies to ignoredBuilds in
node_modules/.modules.yaml #9338.
- Replaced shell-quote with shlex for quoting command arguments
[#9381].
* Mon Jun 30 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.12.4:
* Patch Changes
- Fix pnpm licenses command for local dependencies #9583.
- Fix a bug in which pnpm ls --filter=not-exist --json prints
nothing instead of an empty array #9672.
- Fix a deadlock that sometimes happens during peer dependency
resolution #9673.
- Running pnpm install after pnpm fetch should hoist all
dependencies that need to be hoisted.
- Fixes a regression introduced in v10.12.2 by #9648; resolves
[#9689].
* Tue Jun 24 2025 Johannes Kastl <opensuse_buildservice@ojkastl.de>
- update to 10.12.3:
* Patch Changes
- Restore hoisting of optional peer dependencies when installing
with an outdated lockfile. Regression introduced in v10.12.2 by
[#9648]; resolves #9685.