Hello community,

here is the log from the commit of package pnpm for openSUSE:Factory checked in at 2026-05-08 16:46:06
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pnpm (Old)
 and      /work/SRC/openSUSE:Factory/.pnpm.new.1966 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pnpm" Fri May 8 16:46:06 2026 rev:56 rq:1351492 version:10.33.4 Changes: -------- --- /work/SRC/openSUSE:Factory/pnpm/pnpm.changes 2026-05-06 19:20:05.982529352 +0200 +++ /work/SRC/openSUSE:Factory/.pnpm.new.1966/pnpm.changes 2026-05-08 16:46:16.079418241 +0200 
@@ -1,0 +2,42 @@ +Wed May 6 19:02:12 UTC 2026 - Johannes Kastl <[email protected]> + +- update to 10.33.4: + * Patch Changes + - Pin the integrity of git-hosted tarballs + (codeload.github.com, gitlab.com, bitbucket.org) in the + lockfile so that subsequent installs detect a tampered or + substituted tarball and refuse to install it. Previously the + lockfile only stored the tarball URL for git dependencies, so + a compromised git host or a man-in-the-middle could serve + arbitrary code on later installs without lockfile changes. + - A new gitHosted: true field is recorded on git-hosted tarball + resolutions in the lockfile, letting every reader/writer + route them by a single typed check instead of + pattern-matching the tarball URL in each call site. Lockfiles + written by older pnpm versions are enriched on load (URL + fallback) so the field can be relied on uniformly across the + codebase. + - Fix a regression where pnpm --recursive --filter '!<pkg>' + run/exec/test/add would include the workspace root in the + matched projects. The workspace root is now correctly + excluded by default when only negative --filter arguments are + provided, matching the documented behavior. To include the + root, pass --include-workspace-root #11341. +- update to 10.33.3: + * Patch Changes + - When self-updating from v10's @pnpm/exe to v11+ on Intel + macOS (darwin-x64), pnpm self-update now transparently + switches to the JS-only pnpm package on npm instead of + installing @pnpm/exe@v11+ (which doesn't ship a working + binary for Intel Macs because of an upstream Node.js SEA bug + — see #11423 and nodejs/node#62893). Without this, the + self-update would silently leave the user with no working + pnpm binary. The new install requires Node.js to be available + on PATH; a warning is printed when the swap happens. All + other host/version combinations are unchanged. 
+ - pnpm self-update (with no version argument) no longer + downgrades pnpm when the registry's latest dist-tag points to + an older release than the currently active version. Run pnpm + self-update latest to force a downgrade #11418. + +------------------------------------------------------------------- Old: ---- pnpm-10.33.2.tgz New: ---- pnpm-10.33.4.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pnpm.spec ++++++ --- /var/tmp/diff_new_pack.PYllsN/_old 2026-05-08 16:46:16.639441570 +0200 +++ /var/tmp/diff_new_pack.PYllsN/_new 2026-05-08 16:46:16.647441904 +0200 @@ -23,7 +23,7 @@ %global __nodejs_provides %{nil} %global __nodejs_requires %{nil} Name: pnpm -Version: 10.33.2 +Version: 10.33.4 Release: 0 Summary: Fast, disk space efficient package manager License: MIT ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.PYllsN/_old 2026-05-08 16:46:16.687443570 +0200 +++ /var/tmp/diff_new_pack.PYllsN/_new 2026-05-08 16:46:16.691443737 +0200 @@ -1,6 +1,6 @@ -mtime: 1777570102 -commit: 5b8353d4bef6a21d7313c24142232d9e3bdb8c610872ed1b1626c301c03f3b77 +mtime: 1778094215 +commit: 3e0a9bff6fb3326c9f985926155849c1f27d3fa22abff5dd16ed8edbd140ef01 url: https://src.opensuse.org/nodejs/pnpm -revision: 5b8353d4bef6a21d7313c24142232d9e3bdb8c610872ed1b1626c301c03f3b77 +revision: 3e0a9bff6fb3326c9f985926155849c1f27d3fa22abff5dd16ed8edbd140ef01 projectscmsync: https://src.opensuse.org/nodejs/_ObsPrj.git ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-05-06 21:03:35.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ pnpm-10.33.2.tgz -> pnpm-10.33.4.tgz ++++++ ++++ 8869 lines of diff (skipped)
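Review bot: In the pnpm.changes hunk, the 10.33.4 entry describes a security fix (the lockfile previously stored only the tarball URL for git dependencies, so "a compromised git host or a man-in-the-middle could serve arbitrary code on later installs") but carries no tracking reference. If a bug or advisory exists for it, cite it under "- update to 10.33.4:" so the fix can be found from the changelog; if none exists, mark the entry as security-relevant to help downstream triage. The entry also does not say whether lockfiles written by older versions gain the integrity pin on load or only the gitHosted field, which matters to anyone deciding whether to regenerate a lockfile after updating. Separately, the bare references #11341, #11423 and #11418 give no repository, unlike nodejs/node#62893 in the same entry; qualifying them the same way avoids confusion with distribution bug numbers.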
