Hello community,

here is the log from the commit of package pnpm for openSUSE:Factory checked in 
at 2026-06-22 17:29:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pnpm (Old)
 and      /work/SRC/openSUSE:Factory/.pnpm.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pnpm"

Mon Jun 22 17:29:21 2026 rev:59 rq:1360769 version:11.8.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/pnpm/pnpm.changes        2026-06-12 
19:28:13.483948871 +0200
+++ /work/SRC/openSUSE:Factory/.pnpm.new.1956/pnpm.changes      2026-06-22 
17:30:13.327381756 +0200
@@ -1,0 +2,433 @@
+Sat Jun 20 11:08:29 UTC 2026 - Johannes Kastl 
<[email protected]>
+
+- update to 11.8.0:
+  * Minor Changes
+    - c112b61: Added a --dry-run option to pnpm install. It runs a
+      full dependency resolution and reports what an install would
+      change, but writes nothing to disk (no lockfile, no
+      node_modules) and always exits with code 0. This mirrors the
+      preview semantics of npm install --dry-run #7340.
+    - 179ebc4: pnpm run --no-bail now exits with a non-zero exit
+      code when any of the executed scripts fail, while still
+      running every matched script to completion. This makes the
+      exit-code behavior of --no-bail consistent between recursive
+      and non-recursive runs (recursive runs already failed at the
+      end). Previously, a non-recursive pnpm run --no-bail always
+      exited with code 0, even when a script failed #8013.
+    - 0474a9c: Added support for generating Node.js package maps at
+      node_modules/.package-map.json during isolated and hoisted
+      installs. Added the node-experimental-package-map setting to
+      inject the generated map into pnpm-managed Node.js script
+      environments, and the node-package-map-type setting to choose
+      between standard and loose package maps.
+    - dcededc: pnpm sbom now marks components reachable only
+      through devDependencies with CycloneDX scope: "excluded" and
+      the cdx:npm:package:development property. The excluded scope
+      documents "component usage for test and other non-runtime
+      purposes", which matches the semantics of a devDependency;
+      the property is the CycloneDX npm-taxonomy marker emitted by
+      @cyclonedx/cyclonedx-npm, so both modern (scope) and existing
+      (property) consumers are covered. Components reachable at
+      runtime (including installed optionalDependencies) omit scope
+      and default to required.
+    - 1495cb0: Added per-package SBOM generation with --out and
+      --split flags. Use --out out/%s.cdx.json to write one SBOM
+      per workspace package to individual files, or --split for
+      NDJSON output to stdout. When --filter selects a single
+      package, the SBOM root component now uses that package's
+      metadata. Workspace inter-dependencies (workspace: protocol)
+      and their transitive dependencies are included. Author,
+      repository, and license fall back to the root manifest when
+      the package doesn't define them.
+    - 293921a: feat(view): support searching project manifest
+      upward when package name is omitted When running pnpm view
+      without a package name, the command now searches upward for
+      the nearest project manifest (package.json, package.yaml, or
+      package.json5) and uses its name field.  If the manifest
+      exists but lacks a name field, an error is thrown.  This
+      change also replaces the find-up dependency with empathic for
+      improved performance and consistency across workspace tools.
+  * Patch Changes
+    - 29ab905: Fixed pnpm update overriding the version range
+      policy of a named catalog whose name parses as a version
+      (e.g. catalog:express4-21). The catalog: reference carries no
+      pinning of its own, so the prefix from the catalog entry
+      (such as ~) is now preserved instead of being widened to ^
+      #10321.
+    - bee4bf4: Security: validate config dependency names and
+      versions from the env lockfile (pnpm-lock.yaml) before using
+      them to build filesystem paths. A committed lockfile with a
+      traversal-shaped configDependencies name (such as
+      ../../PWNED) or version (such as ../../../PWNED) could
+      previously cause pnpm install to create symlinks or write
+      package files outside node_modules/.pnpm-config and the
+      store. Names must now be valid npm package names and versions
+      must be exact semver versions; the same validation is applied
+      to optional subdependencies of config dependencies, and to
+      the legacy workspace-manifest format before any lockfile is
+      written. See GHSA-qrv3-253h-g69c.
+    - 96bdd57: Fix link: workspace protocol switching to file:
+      after pnpm rm is run from inside a workspace package whose
+      target workspace dependency has its own dependencies, when
+      injectWorkspacePackages: true is set. Follow-up to #10575,
+      which fixed the same symptom for workspace packages without
+      dependencies.
+    - 302a2f7: No longer warn about using both packageManager and
+      devEngines.packageManager when the two fields pin the same
+      package manager at the same version with the same integrity
+      hash (e.g. both [email protected]+sha512.…). Previously the hash
+      was stripped from the legacy packageManager field but not
+      from devEngines.packageManager, so even identical
+      specifications looked like a mismatch #12028.
+      The warning still fires on any genuine divergence, and
+      several cases now state the specific reason instead of a
+      single generic message: a different package manager, a
+      different version, or contradictory integrity hashes for the
+      same version.
+    - 3f0fb21: Fixed the progress line showing leftover characters
+      from external processes that write to the terminal between
+      progress updates (e.g. an SSH passphrase prompt would leave a
+      fragment like added 0sa':). The interactive reporter now
+      redraws each frame in place, erasing to the end of the
+      display before reprinting, so any such remnants are cleared
+      #12350.
+    - 564619f: Fixed pnpm approve-builds reporting "no packages
+      awaiting approval" when a build-script dependency whose
+      approval was revoked (e.g. after git stash drops the
+      allowBuilds from pnpm-workspace.yaml) is re-added. The
+      revoked packages are now correctly recorded in .modules.yaml
+      so approve-builds can find them. #12221
+    - 3d1fd20: Skip the redundant "target bin directory already
+      contains an exe called node" warning on Windows when the
+      existing node.exe already matches the target (same hard link
+      or identical content) pnpm/pnpm#12203.
+    - 1b02b47: Fix macOS Gatekeeper blocking native binaries
+      (.node, .dylib, .so) by removing the com.apple.quarantine
+      extended attribute after importing them from the store.
+      When pnpm imports files from its content-addressable store
+      into node_modules, macOS preserves extended attributes,
+      including com.apple.quarantine. If this xattr is present on a
+      store blob (e.g. it was first written under a
+      Gatekeeper-enabled app such as a Git client), it propagates
+      to node_modules, and Gatekeeper blocks the native binary from
+      loading even though pnpm already verified the file's
+      integrity against the lockfile.
+      After importing a package, pnpm now strips
+      com.apple.quarantine from its native binaries, matching
+      Homebrew's behaviour of dropping quarantine from verified
+      downloads. The cleanup is macOS-only, runs in a single
+      batched xattr call per package, is restricted to native
+      binaries (other files are untouched), and is non-fatal (it
+      logs a warning on unexpected errors).
+      Fixes #11056
+    - 61969fb: Fix pnpm install with optimisticRepeatInstall
+      incorrectly reporting Already up to date when pnpm-lock.yaml
+      changed but project manifests did not. This affected
+      workflows such as checking out or restoring only the lockfile
+      #12100.
+      Also fixes checkDepsStatus to use the correct lockfile path
+      when useGitBranchLockfile is enabled, so the optimistic
+      fast-path and lockfile modification detection work with
+      pnpm-lock.<branch>.yaml files instead of always stat'ing
+      pnpm-lock.yaml. Merge-conflict detection now reads the
+      resolved lockfile name as well, and with
+      mergeGitBranchLockfiles enabled every pnpm-lock.*.yaml is
+      scanned for modifications and conflicts. The git branch is
+      now resolved by reading .git/HEAD directly (no process spawn)
+      and uses the workspace directory rather than process.cwd().
+    - 5c12968: Fix recursive updates of transitive dependencies
+      when the update command mixes transitive dependency patterns
+      with direct dependency selectors. For example, pnpm up -r
+      "@babel/core" uuid now updates matching transitive
+      @babel/core dependencies even when uuid is a direct
+      dependency selector #12103.
+    - 9d79ba1: Register the pnpm update --no-save flag in the CLI
+      help and option parser.
+    - 0474a9c: Fixed pnpm import for Yarn v2 lockfiles when js-yaml
+      v4 is installed.
+    - 9e0c375: Fixed pnpm install repeatedly prompting to remove
+      and reinstall node_modules in a workspace package when
+      enableGlobalVirtualStore is enabled. The post-install build
+      step recorded a per-project node_modules/.pnpm virtual store
+      directory in node_modules/.modules.yaml, overwriting the
+      global <storeDir>/links value the install step had written.
+      The next install then detected a virtual-store mismatch
+      (ERR_PNPM_UNEXPECTED_VIRTUAL_STORE). The build step now
+      derives the same global virtual store directory as the
+      install step #12307.
+    - 223d060: Document the --cpu, --os and --libc flags in the
+      output of pnpm install --help. These flags were already
+      supported but were only documented on the website #12359.
+    - e85aea2: Avoid reading README.md from disk when publishing if
+      the publish manifest already provides a readme field. The
+      README is now only read lazily, inside
+      createExportableManifest, when it is actually needed.
+    - 3188ae7: Fixed pnpm peers check to accept loose peer
+      dependency ranges such as >=3.16.0 || >=4.0.0- when the
+      installed peer version satisfies the range #12149.
+    - 531f2a3: Fixed pnpm update rewriting a workspace: dependency
+      that points at a local path (e.g.
+      workspace:../packages/foo/dist) into a normalized link: or
+      version-range specifier. Such specifiers are now preserved
+      verbatim when the workspace protocol is preserved #3902.
+    - fe66535: Fixed a lockfile non-convergence bug where an
+      incremental install kept a duplicate transitive dependency
+      that a fresh install would not produce. When a package is
+      reused from the lockfile, its child edges are taken verbatim
+      and bypass the preferred-versions walk, so a transitive
+      dependency could stay pinned to an older version even after a
+      direct dependency resolved to a higher version that satisfies
+      the same range. The resolver now refreshes such a stale pin
+      to the higher direct-dependency version during resolution —
+      so the older version is never resolved or fetched, and the
+      incremental result converges to the fresh one.
+    - 6d35338: pnpm install detects changes inside local file
+      dependencies again. The optimistic repeat-install fast path
+      only tracks manifest and lockfile modification times, so
+      edits inside a local dependency's directory (or a repacked
+      local tarball) were reported as "Already up to date".
+      Projects with local file dependencies (file: and bare local
+      path or tarball specifiers, declared directly or through
+      pnpm.overrides) now always run a full install, which
+      refetches those dependencies, matching pnpm v10 behavior
+      #11795.
+    - 4ca9247: Preserve the existing Node.js runtime version prefix
+      when resolving node@runtime:<range> to a concrete version.
+    - 30c7590: Create shorter CAFS temporary package directories to
+      leave room for lifecycle scripts that create IPC socket paths
+      under TMPDIR.
+    - 13815ad: Reporter output (warnings, progress) for pnpm store
+      and pnpm config subcommands now goes to stderr instead of
+      stdout. This fixes scripts that capture their stdout (e.g.
+      PNPM_STORE=$(pnpm store path), pnpm config list --json | jq)
+      from getting warnings mixed into the result.
+    - 1c05876: Avoid relinking unchanged child dependencies and
+      remove stale child links during warm installs.
+    - 817f99d: Fixed lockfile churn where a package's
+      transitivePeerDependencies could be dropped (and shift
+      between packages) when the package participates in a
+      dependency cycle. A cycle re-entry resolves against truncated
+      children, so it must not be cached as "pure"; otherwise
+      sibling occurrences of the same package short-circuit and
+      lose transitive peers depending on traversal order #5108.
+    - eba03e0: Fix pnpm install reporting "Already up to date"
+      after a catalog entry in pnpm-workspace.yaml was reverted to
+      a previous version. After an update modified a catalog, the
+      workspace state cache stored the pre-update catalog versions,
+      so reverting the entry back to its original version was not
+      detected as an outdated state #12418.
+    - 3b54d79: pnpm update now keeps lockfile overrides that
+      resolve through a catalog in sync with the catalog.
+      Previously, when an override referenced a catalog (e.g.
+      overrides: { foo: 'catalog:' }) and pnpm update bumped that
+      catalog entry, the lockfile's catalogs advanced while the
+      resolved overrides kept the old version. The resulting
+      lockfile was internally inconsistent, so a later pnpm install
+      --frozen-lockfile failed with
+      ERR_PNPM_LOCKFILE_CONFIG_MISMATCH.
+    - 9d0a300: Fixed pnpm version --recursive so it honors the
+      workspace selection. In recursive mode the version bump now
+      applies to the packages resolved from the workspace filter
+      (selectedProjectsGraph), matching the behavior of pnpm
+      publish --recursive, instead of always bumping every
+      workspace package #11348.
+- update to 11.7:
+  * Minor Changes
+    - Added a new setting frozenStore (--frozen-store) that lets
+      pnpm install run against a package store on a read-only
+      filesystem (e.g. a Nix store, a read-only bind mount, an OCI
+      layer). When enabled, pnpm opens the store's SQLite index.db
+      through the immutable=1 URI — bypassing the WAL/-shm sidecar
+      creation that otherwise fails on a read-only directory — and
+      suppresses every store-write path (the index.db writer and
+      the project-registry write). Pair it with --offline
+      --frozen-lockfile against a fully-populated store. Under the
+      global virtual store, package directories live inside the
+      store, so if the store is missing the build output of a
+      package whose lifecycle scripts are approved (or that has a
+      patch), pnpm fails up front with
+      ERR_PNPM_FROZEN_STORE_NEEDS_BUILD rather than crashing
+      mid-build on a read-only write — seed the store with those
+      builds first. Incompatible with --force and with a configured
+      pnpr server, since both write into the store; the
+      side-effects cache is likewise not written under frozenStore.
+      If the store is missing its content directory, the install
+      fails fast with ERR_PNPM_FROZEN_STORE_INCOMPLETE rather than
+      attempting to initialize it. The read-only immutable=1 open
+      requires Node.js >=22.15.0, >=23.11.0, or >=24.0.0; on older
+      runtimes --frozen-store fails with a clear
+      ERR_PNPM_FROZEN_STORE_UNSUPPORTED_NODE error. Bin-linking
+      also tolerates a read-only store: under the global virtual
+      store a package's bin source lives inside the store, so the
+      chmod that makes it executable would be refused — with
+      EPERM/EACCES, or with EROFS on a genuinely read-only
+      filesystem. That chmod is redundant when the seed already
+      ships its bins executable with a normalized shebang, so it is
+      now skipped in that case, while a non-executable bin (or one
+      still carrying a Windows CRLF shebang) on a read-only store
+      still errors.
+    - When pacquet (the Rust port of pnpm) is declared in
+      configDependencies, pnpm now delegates dependency resolution
+      to it too — not just materialization — provided the installed
+      pacquet is new enough to support full resolving installs (>=
+      0.11.7).
+      Previously pacquet only ran in frozen-install mode: pnpm
+      always resolved the dependency graph itself (writing
+      pnpm-lock.yaml) and handed pacquet a finished lockfile to
+      fetch / import / link. With pacquet >= 0.11.7, a non-frozen
+      pnpm install (default isolated nodeLinker, plain install) is
+      delegated to pacquet end-to-end in a single pass — pacquet
+      resolves the manifests, writes the lockfile, and materializes
+      node_modules. pnpm detects the capability from the installed
+      pacquet's version; older pacquet releases keep the
+      resolve-then-materialize split, and add / update / remove
+      still resolve in pnpm (it has to mutate the manifests first).
+      This remains an opt-in preview of the Rust install engine
+      #11723.
+    - Added a new opt-in --batch flag to pnpm publish --recursive
+      that sends all selected packages to the registry in a single
+      PUT /-/pnpm/v1/publish request instead of one request per
+      package. The target registry has to implement the batch
+      publish endpoint (pnpr does); registries that don't are
+      reported with a clear ERR_PNPM_BATCH_PUBLISH_UNSUPPORTED
+      error. The batch is processed all-or-nothing by pnpr: if any
+      package in the batch fails validation, none of the packages
+      are published.
+  * Patch Changes
+    - Reject path-traversal and reserved dependency aliases (such
++++ 136 more lines (skipped)
++++ between /work/SRC/openSUSE:Factory/pnpm/pnpm.changes
++++ and /work/SRC/openSUSE:Factory/.pnpm.new.1956/pnpm.changes
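
Review bot: The bee4bf4 bullet under the 11.8.0 "Patch Changes" is a security fix, citing GHSA-qrv3-253h-g69c for a committed pnpm-lock.yaml whose configDependencies name or version could make pnpm install write outside node_modules/.pnpm-config and the store. In the visible part of this entry it sits mid-list among routine fixes, with no CVE or Bugzilla reference next to it. Suggest adding a short line directly under "- update to 11.8.0:" that names the advisory and any distribution tracking reference that exists, so the fix can be found without reading the whole 433-line entry. The 11.7 bullet that begins "Reject path-traversal and reserved dependency aliases" looks like the same class of fix and deserves the same treatment; it is cut off by the skipped lines here, so this could not be checked further.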

Old:
----
  pnpm-11.6.0.tgz

New:
----
  pnpm-11.8.0.tgz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pnpm.spec ++++++
--- /var/tmp/diff_new_pack.RDZK6g/_old  2026-06-22 17:30:14.175411297 +0200
+++ /var/tmp/diff_new_pack.RDZK6g/_new  2026-06-22 17:30:14.175411297 +0200
@@ -23,7 +23,7 @@
 %global __nodejs_provides %{nil}
 %global __nodejs_requires %{nil}
 Name:           pnpm
-Version:        11.6.0
+Version:        11.8.0
 Release:        0
 Summary:        Package manager for node.js
 License:        MIT

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.RDZK6g/_old  2026-06-22 17:30:14.207412412 +0200
+++ /var/tmp/diff_new_pack.RDZK6g/_new  2026-06-22 17:30:14.211412551 +0200
@@ -1,6 +1,6 @@
-mtime: 1781226166
-commit: 7c0a18ed5e74768a44c097c4ab2ce3f7049f81343fcaca8793c993bd1f2b8af9
+mtime: 1781954222
+commit: 4d6d5f7b215215ed7bfff96cbf4e216f6958b0bc293c8748a7fe766bfa3fb41f
 url: https://src.opensuse.org/nodejs/pnpm
-revision: 7c0a18ed5e74768a44c097c4ab2ce3f7049f81343fcaca8793c993bd1f2b8af9
+revision: 4d6d5f7b215215ed7bfff96cbf4e216f6958b0bc293c8748a7fe766bfa3fb41f
 projectscmsync: https://src.opensuse.org/nodejs/_ObsPrj.git
 

++++++ build.specials.obscpio ++++++

diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2026-06-20 13:17:02.000000000 +0200
@@ -0,0 +1 @@
+.osc

++++++ pnpm-11.6.0.tgz -> pnpm-11.8.0.tgz ++++++
++++ 110968 lines of diff (skipped)
