Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pnpm for openSUSE:Factory checked in at 2026-06-12 19:27:20 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pnpm (Old) and /work/SRC/openSUSE:Factory/.pnpm.new.1981 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pnpm" Fri Jun 12 19:27:20 2026 rev:58 rq:1358804 version:11.6.0 Changes: -------- --- /work/SRC/openSUSE:Factory/pnpm/pnpm.changes 2026-06-08 14:23:46.973232547 +0200 +++ /work/SRC/openSUSE:Factory/.pnpm.new.1981/pnpm.changes 2026-06-12 19:28:13.483948871 +0200 
@@ -1,0 +2,105 @@ +Fri Jun 12 00:59:48 UTC 2026 - Avindra Goolcharan <[email protected]> + +- Update to 11.6.0: + * pnpm install completes without re-resolving when pnpm-lock. + yaml was deleted but node_modules is intact: the up-to-date + check now treats the current lockfile (node_modules/.pnpm/lock. + yaml) — the record of what the previous install materialized — + as the wanted lockfile, verifies the manifests still match it, + restores pnpm-lock.yaml from it, and reports "Already up to date". + Previously this scenario triggered a full resolution and a re- + verification of every locked package against the registry. + * 615c669: Added support for configuring URL-scoped registry + settings through npm_config_//… and pnpm_config_//… + environment variables, for example: + * Improved the warning printed when a project .npmrc uses an + environment variable in a registry/proxy URL or in registry + credentials. The message now explains why the setting was + ignored and how to migrate it to a trusted source — for example + by moving the line to the user-level ~/.npmrc or running pnpm + config set "<key>" <value> — with a link to https://pnpm.io/npmrc. + The pnpm config set example is only suggested when the key has + no ${...} placeholder, so the snippet is always safe to copy-paste. + * Print a "Lockfile passes supply-chain policies (verified 2h + ago)" message when lockfile verification is skipped because a + cached verdict for the same lockfile content and policy is reused. + Previously the cached short-circuit was completely silent, + which made it look like the policy gate never ran #12324. + * Platform-specific optional dependencies are now skipped even + when their os/cpu/libc fields are missing from the registry + metadata or the lockfile. Some registries strip these fields + from the package metadata, which made pnpm download and install + the binaries of every platform regardless of + supportedArchitectures. 
The missing platform fields of an + optional dependency are now inferred from its name (e.g. @nx/nx- + win32-arm64-msvc → os: win32, cpu: arm64), so foreign-platform + binaries are skipped without even downloading them #11702. + +------------------------------------------------------------------- +Thu Jun 11 19:52:40 UTC 2026 - Avindra Goolcharan <[email protected]> + +- Update to 11.5.3: + *⚠️ Security fix — environment variables in a project .npmrc + * Stopped expanding environment variables in repository- + controlled registry/proxy request destinations and registry + credential values from .npmrc, and in workspace registry URLs + from pnpm-workspace.yaml. Move dynamic registry URL and token + configuration to trusted user, global, CLI, or environment config. + * Resolve package-manager bootstrap dependencies with trusted + user or CLI registry and network config, and reject package- + manager env-lockfile records that do not use registry package + paths with integrity-only resolutions before auto-switch execution. + * Avoid writing packageManagerDependencies to pnpm-lock.yaml + when package manager policy is set to onFail: ignore or + pmOnFail: ignore #12228. + * Avoid running dependency-status auto-install when the + dependency status is unavailable without a project manifest. + * Using the $ version reference syntax in overrides (e.g. "react": "$react") + now prints a deprecation warning. The syntax still works, but + catalogs are the recommended way to keep an overridden + version in sync with the rest of the workspace. Reference a + catalog entry with the catalog: protocol instead. + * Fixed pnpm config get globalconfig to return the global config + .yaml path again pnpm/pnpm#11962. + * Fixed bare --color so it does not consume the following CLI + flag, allowing command shorthands like --parallel to expand + correctly and forms like pnpm --color with current <command> + to dispatch the inner command instead of failing with MISSING_WITH_CURRENT_CMD. 
+ * Fix pnpm install ignoring enableGlobalVirtualStore toggle by + including it in the workspace state settings check #12142. + * Security: pnpm now verifies the npm registry signature of a + package-manager binary before spawning it, so a cloned + repository cannot make pnpm download and execute an arbitrary native binary. + * Made peer-dependent deduplication deterministic. When a peer- + suffixed package variant was a subset of two or more mutually + incompatible larger variants, the variant it collapsed into + depended on the order importers were resolved in, which + varies between machines. This could resolve the same + workspace to different lockfiles on different platforms and + make pnpm dedupe --check alternate between passing and failing. + * Reject invalid package names and versions from staged tarball + manifests before deriving filenames for pnpm stage download. + * Clarified in CLI help that the pnpm store is trusted shared + state and store integrity checks are corruption detection, + not a tamper boundary for untrusted store writers. + * Reject reserved manifest bin names ("", ".", "..", and scoped + forms such as @scope/..) when resolving a package's bins. + These names previously passed the bin-name guard and, when + joined to the global bin directory during global remove/update + /add operations, could resolve to the global bin directory + itself or its parent and have it recursively deleted. + * Require trusted package identity before package-name + allowBuilds entries can approve lifecycle scripts for git, git + -hosted tarball, direct tarball, and local directory artifacts. + To approve one of those artifacts explicitly, use its peer- + suffix-free lockfile depPath as the allowBuilds key. 
Lockfile + verification now rejects lockfiles where a registry-style + dependency path (name@semver) is backed by a git, directory, + or git-hosted tarball resolution ( + ERR_PNPM_RESOLUTION_SHAPE_MISMATCH), so the dependency path + is a reliable artifact identity by the time scripts can run. + * Security: pnpm now verifies the OpenPGP signature of a + downloaded Node.js runtime's SHASUMS256.txt before trusting + its integrity hashes. + +------------------------------------------------------------------- Old: ---- pnpm-11.5.2.tgz New: ---- pnpm-11.6.0.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pnpm.spec ++++++ --- /var/tmp/diff_new_pack.yVTcZx/_old 2026-06-12 19:28:15.908050300 +0200 +++ /var/tmp/diff_new_pack.yVTcZx/_new 2026-06-12 19:28:15.920050802 +0200 @@ -23,7 +23,7 @@ %global __nodejs_provides %{nil} %global __nodejs_requires %{nil} Name: pnpm -Version: 11.5.2 +Version: 11.6.0 Release: 0 Summary: Package manager for node.js License: MIT ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.yVTcZx/_old 2026-06-12 19:28:16.244064360 +0200 +++ /var/tmp/diff_new_pack.yVTcZx/_new 2026-06-12 19:28:16.288066201 +0200 @@ -1,6 +1,6 @@ -mtime: 1780688011 -commit: 689963951c1f094406a113d08252730ed06b417d18cbb31dd5f832fb3867e10b +mtime: 1781226166 +commit: 7c0a18ed5e74768a44c097c4ab2ce3f7049f81343fcaca8793c993bd1f2b8af9 url: https://src.opensuse.org/nodejs/pnpm -revision: 689963951c1f094406a113d08252730ed06b417d18cbb31dd5f832fb3867e10b +revision: 7c0a18ed5e74768a44c097c4ab2ce3f7049f81343fcaca8793c993bd1f2b8af9 projectscmsync: https://src.opensuse.org/nodejs/_ObsPrj.git ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-12 03:02:46.000000000 +0200 
@@ -0,0 +1 @@ +.osc ++++++ pnpm-11.5.2.tgz -> pnpm-11.6.0.tgz ++++++ ++++ 80873 lines of diff (skipped)
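Review bot: the 11.6.0 entry "615c669: Added support for configuring URL-scoped registry settings through npm_config_//… and pnpm_config_//… environment variables, for example:" ends on "for example:" with nothing following it, so the example was lost when the upstream release notes were pasted; either carry the example over or end the sentence without the colon, and drop the bare commit prefix "615c669:" since the changes file otherwise references issues, not commits. The hard wrapping also splits identifiers that a reader will want to copy ("pnpm-lock. yaml", "node_modules/.pnpm/lock. yaml", "@nx/nx- win32-arm64-msvc", "git -hosted", "global remove/update /add"); rewrap so each path and package name stays on one line. Issue references are inconsistent ("#12324", "#11702" vs. "pnpm/pnpm#11962"); pick one form. The line "*⚠️ Security fix — environment variables in a project .npmrc" is missing the space after the asterisk that every other item has. Finally, the 11.5.3 entry lists several security fixes (no more environment-variable expansion in project .npmrc registry/proxy/credential values, signature verification of package-manager binaries and of the Node.js SHASUMS256.txt, the reserved bin-name guard that previously allowed the global bin directory or its parent to be deleted); if an advisory or CVE id has been assigned for any of them, add it to the entry so the security team can track the fix in Factory.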
