Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pnpm for openSUSE:Factory checked in at 2026-06-22 17:29:21
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pnpm (Old)
 and      /work/SRC/openSUSE:Factory/.pnpm.new.1956 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pnpm" Mon Jun 22 17:29:21 2026 rev:59 rq:1360769 version:11.8.0 Changes: -------- --- /work/SRC/openSUSE:Factory/pnpm/pnpm.changes 2026-06-12 19:28:13.483948871 +0200 +++ /work/SRC/openSUSE:Factory/.pnpm.new.1956/pnpm.changes 2026-06-22 17:30:13.327381756 +0200 
@@ -1,0 +2,433 @@ +Sat Jun 20 11:08:29 UTC 2026 - Johannes Kastl <[email protected]> + +- update to 11.8.0: + * Minor Changes + - c112b61: Added a --dry-run option to pnpm install. It runs a + full dependency resolution and reports what an install would + change, but writes nothing to disk (no lockfile, no + node_modules) and always exits with code 0. This mirrors the + preview semantics of npm install --dry-run #7340. + - 179ebc4: pnpm run --no-bail now exits with a non-zero exit + code when any of the executed scripts fail, while still + running every matched script to completion. This makes the + exit-code behavior of --no-bail consistent between recursive + and non-recursive runs (recursive runs already failed at the + end). Previously, a non-recursive pnpm run --no-bail always + exited with code 0, even when a script failed #8013. + - 0474a9c: Added support for generating Node.js package maps at + node_modules/.package-map.json during isolated and hoisted + installs. Added the node-experimental-package-map setting to + inject the generated map into pnpm-managed Node.js script + environments, and the node-package-map-type setting to choose + between standard and loose package maps. + - dcededc: pnpm sbom now marks components reachable only + through devDependencies with CycloneDX scope: "excluded" and + the cdx:npm:package:development property. The excluded scope + documents "component usage for test and other non-runtime + purposes", which matches the semantics of a devDependency; + the property is the CycloneDX npm-taxonomy marker emitted by + @cyclonedx/cyclonedx-npm, so both modern (scope) and existing + (property) consumers are covered. Components reachable at + runtime (including installed optionalDependencies) omit scope + and default to required. + - 1495cb0: Added per-package SBOM generation with --out and + --split flags. Use --out out/%s.cdx.json to write one SBOM + per workspace package to individual files, or --split for + NDJSON output to stdout. 
When --filter selects a single + package, the SBOM root component now uses that package's + metadata. Workspace inter-dependencies (workspace: protocol) + and their transitive dependencies are included. Author, + repository, and license fall back to the root manifest when + the package doesn't define them. + - 293921a: feat(view): support searching project manifest + upward when package name is omitted When running pnpm view + without a package name, the command now searches upward for + the nearest project manifest (package.json, package.yaml, or + package.json5) and uses its name field. If the manifest + exists but lacks a name field, an error is thrown. This + change also replaces the find-up dependency with empathic for + improved performance and consistency across workspace tools. + * Patch Changes + - 29ab905: Fixed pnpm update overriding the version range + policy of a named catalog whose name parses as a version + (e.g. catalog:express4-21). The catalog: reference carries no + pinning of its own, so the prefix from the catalog entry + (such as ~) is now preserved instead of being widened to ^ + #10321. + - bee4bf4: Security: validate config dependency names and + versions from the env lockfile (pnpm-lock.yaml) before using + them to build filesystem paths. A committed lockfile with a + traversal-shaped configDependencies name (such as + ../../PWNED) or version (such as ../../../PWNED) could + previously cause pnpm install to create symlinks or write + package files outside node_modules/.pnpm-config and the + store. Names must now be valid npm package names and versions + must be exact semver versions; the same validation is applied + to optional subdependencies of config dependencies, and to + the legacy workspace-manifest format before any lockfile is + written. See GHSA-qrv3-253h-g69c. 
+ - 96bdd57: Fix link: workspace protocol switching to file: + after pnpm rm is run from inside a workspace package whose + target workspace dependency has its own dependencies, when + injectWorkspacePackages: true is set. Follow-up to #10575, + which fixed the same symptom for workspace packages without + dependencies. + - 302a2f7: No longer warn about using both packageManager and + devEngines.packageManager when the two fields pin the same + package manager at the same version with the same integrity + hash (e.g. both [email protected]+sha512.…). Previously the hash + was stripped from the legacy packageManager field but not + from devEngines.packageManager, so even identical + specifications looked like a mismatch #12028. + The warning still fires on any genuine divergence, and + several cases now state the specific reason instead of a + single generic message: a different package manager, a + different version, or contradictory integrity hashes for the + same version. + - 3f0fb21: Fixed the progress line showing leftover characters + from external processes that write to the terminal between + progress updates (e.g. an SSH passphrase prompt would leave a + fragment like added 0sa':). The interactive reporter now + redraws each frame in place, erasing to the end of the + display before reprinting, so any such remnants are cleared + #12350. + - 564619f: Fixed pnpm approve-builds reporting "no packages + awaiting approval" when a build-script dependency whose + approval was revoked (e.g. after git stash drops the + allowBuilds from pnpm-workspace.yaml) is re-added. The + revoked packages are now correctly recorded in .modules.yaml + so approve-builds can find them. #12221 + - 3d1fd20: Skip the redundant "target bin directory already + contains an exe called node" warning on Windows when the + existing node.exe already matches the target (same hard link + or identical content) pnpm/pnpm#12203. 
+ - 1b02b47: Fix macOS Gatekeeper blocking native binaries + (.node, .dylib, .so) by removing the com.apple.quarantine + extended attribute after importing them from the store. + When pnpm imports files from its content-addressable store + into node_modules, macOS preserves extended attributes, + including com.apple.quarantine. If this xattr is present on a + store blob (e.g. it was first written under a + Gatekeeper-enabled app such as a Git client), it propagates + to node_modules, and Gatekeeper blocks the native binary from + loading even though pnpm already verified the file's + integrity against the lockfile. + After importing a package, pnpm now strips + com.apple.quarantine from its native binaries, matching + Homebrew's behaviour of dropping quarantine from verified + downloads. The cleanup is macOS-only, runs in a single + batched xattr call per package, is restricted to native + binaries (other files are untouched), and is non-fatal (it + logs a warning on unexpected errors). + Fixes #11056 + - 61969fb: Fix pnpm install with optimisticRepeatInstall + incorrectly reporting Already up to date when pnpm-lock.yaml + changed but project manifests did not. This affected + workflows such as checking out or restoring only the lockfile + #12100. + Also fixes checkDepsStatus to use the correct lockfile path + when useGitBranchLockfile is enabled, so the optimistic + fast-path and lockfile modification detection work with + pnpm-lock.<branch>.yaml files instead of always stat'ing + pnpm-lock.yaml. Merge-conflict detection now reads the + resolved lockfile name as well, and with + mergeGitBranchLockfiles enabled every pnpm-lock.*.yaml is + scanned for modifications and conflicts. The git branch is + now resolved by reading .git/HEAD directly (no process spawn) + and uses the workspace directory rather than process.cwd(). 
+ - 5c12968: Fix recursive updates of transitive dependencies + when the update command mixes transitive dependency patterns + with direct dependency selectors. For example, pnpm up -r + "@babel/core" uuid now updates matching transitive + @babel/core dependencies even when uuid is a direct + dependency selector #12103. + - 9d79ba1: Register the pnpm update --no-save flag in the CLI + help and option parser. + - 0474a9c: Fixed pnpm import for Yarn v2 lockfiles when js-yaml + v4 is installed. + - 9e0c375: Fixed pnpm install repeatedly prompting to remove + and reinstall node_modules in a workspace package when + enableGlobalVirtualStore is enabled. The post-install build + step recorded a per-project node_modules/.pnpm virtual store + directory in node_modules/.modules.yaml, overwriting the + global <storeDir>/links value the install step had written. + The next install then detected a virtual-store mismatch + (ERR_PNPM_UNEXPECTED_VIRTUAL_STORE). The build step now + derives the same global virtual store directory as the + install step #12307. + - 223d060: Document the --cpu, --os and --libc flags in the + output of pnpm install --help. These flags were already + supported but were only documented on the website #12359. + - e85aea2: Avoid reading README.md from disk when publishing if + the publish manifest already provides a readme field. The + README is now only read lazily, inside + createExportableManifest, when it is actually needed. + - 3188ae7: Fixed pnpm peers check to accept loose peer + dependency ranges such as >=3.16.0 || >=4.0.0- when the + installed peer version satisfies the range #12149. + - 531f2a3: Fixed pnpm update rewriting a workspace: dependency + that points at a local path (e.g. + workspace:../packages/foo/dist) into a normalized link: or + version-range specifier. Such specifiers are now preserved + verbatim when the workspace protocol is preserved #3902. 
+ - fe66535: Fixed a lockfile non-convergence bug where an + incremental install kept a duplicate transitive dependency + that a fresh install would not produce. When a package is + reused from the lockfile, its child edges are taken verbatim + and bypass the preferred-versions walk, so a transitive + dependency could stay pinned to an older version even after a + direct dependency resolved to a higher version that satisfies + the same range. The resolver now refreshes such a stale pin + to the higher direct-dependency version during resolution — + so the older version is never resolved or fetched, and the + incremental result converges to the fresh one. + - 6d35338: pnpm install detects changes inside local file + dependencies again. The optimistic repeat-install fast path + only tracks manifest and lockfile modification times, so + edits inside a local dependency's directory (or a repacked + local tarball) were reported as "Already up to date". + Projects with local file dependencies (file: and bare local + path or tarball specifiers, declared directly or through + pnpm.overrides) now always run a full install, which + refetches those dependencies, matching pnpm v10 behavior + #11795. + - 4ca9247: Preserve the existing Node.js runtime version prefix + when resolving node@runtime:<range> to a concrete version. + - 30c7590: Create shorter CAFS temporary package directories to + leave room for lifecycle scripts that create IPC socket paths + under TMPDIR. + - 13815ad: Reporter output (warnings, progress) for pnpm store + and pnpm config subcommands now goes to stderr instead of + stdout. This fixes scripts that capture their stdout (e.g. + PNPM_STORE=$(pnpm store path), pnpm config list --json | jq) + from getting warnings mixed into the result. + - 1c05876: Avoid relinking unchanged child dependencies and + remove stale child links during warm installs. 
+ - 817f99d: Fixed lockfile churn where a package's + transitivePeerDependencies could be dropped (and shift + between packages) when the package participates in a + dependency cycle. A cycle re-entry resolves against truncated + children, so it must not be cached as "pure"; otherwise + sibling occurrences of the same package short-circuit and + lose transitive peers depending on traversal order #5108. + - eba03e0: Fix pnpm install reporting "Already up to date" + after a catalog entry in pnpm-workspace.yaml was reverted to + a previous version. After an update modified a catalog, the + workspace state cache stored the pre-update catalog versions, + so reverting the entry back to its original version was not + detected as an outdated state #12418. + - 3b54d79: pnpm update now keeps lockfile overrides that + resolve through a catalog in sync with the catalog. + Previously, when an override referenced a catalog (e.g. + overrides: { foo: 'catalog:' }) and pnpm update bumped that + catalog entry, the lockfile's catalogs advanced while the + resolved overrides kept the old version. The resulting + lockfile was internally inconsistent, so a later pnpm install + --frozen-lockfile failed with + ERR_PNPM_LOCKFILE_CONFIG_MISMATCH. + - 9d0a300: Fixed pnpm version --recursive so it honors the + workspace selection. In recursive mode the version bump now + applies to the packages resolved from the workspace filter + (selectedProjectsGraph), matching the behavior of pnpm + publish --recursive, instead of always bumping every + workspace package #11348. +- update to 11.7: + * Minor Changes + - Added a new setting frozenStore (--frozen-store) that lets + pnpm install run against a package store on a read-only + filesystem (e.g. a Nix store, a read-only bind mount, an OCI + layer). 
When enabled, pnpm opens the store's SQLite index.db + through the immutable=1 URI — bypassing the WAL/-shm sidecar + creation that otherwise fails on a read-only directory — and + suppresses every store-write path (the index.db writer and + the project-registry write). Pair it with --offline + --frozen-lockfile against a fully-populated store. Under the + global virtual store, package directories live inside the + store, so if the store is missing the build output of a + package whose lifecycle scripts are approved (or that has a + patch), pnpm fails up front with + ERR_PNPM_FROZEN_STORE_NEEDS_BUILD rather than crashing + mid-build on a read-only write — seed the store with those + builds first. Incompatible with --force and with a configured + pnpr server, since both write into the store; the + side-effects cache is likewise not written under frozenStore. + If the store is missing its content directory, the install + fails fast with ERR_PNPM_FROZEN_STORE_INCOMPLETE rather than + attempting to initialize it. The read-only immutable=1 open + requires Node.js >=22.15.0, >=23.11.0, or >=24.0.0; on older + runtimes --frozen-store fails with a clear + ERR_PNPM_FROZEN_STORE_UNSUPPORTED_NODE error. Bin-linking + also tolerates a read-only store: under the global virtual + store a package's bin source lives inside the store, so the + chmod that makes it executable would be refused — with + EPERM/EACCES, or with EROFS on a genuinely read-only + filesystem. That chmod is redundant when the seed already + ships its bins executable with a normalized shebang, so it is + now skipped in that case, while a non-executable bin (or one + still carrying a Windows CRLF shebang) on a read-only store + still errors. + - When pacquet (the Rust port of pnpm) is declared in + configDependencies, pnpm now delegates dependency resolution + to it too — not just materialization — provided the installed + pacquet is new enough to support full resolving installs (>= + 0.11.7). 
+ Previously pacquet only ran in frozen-install mode: pnpm + always resolved the dependency graph itself (writing + pnpm-lock.yaml) and handed pacquet a finished lockfile to + fetch / import / link. With pacquet >= 0.11.7, a non-frozen + pnpm install (default isolated nodeLinker, plain install) is + delegated to pacquet end-to-end in a single pass — pacquet + resolves the manifests, writes the lockfile, and materializes + node_modules. pnpm detects the capability from the installed + pacquet's version; older pacquet releases keep the + resolve-then-materialize split, and add / update / remove + still resolve in pnpm (it has to mutate the manifests first). + This remains an opt-in preview of the Rust install engine + #11723. + - Added a new opt-in --batch flag to pnpm publish --recursive + that sends all selected packages to the registry in a single + PUT /-/pnpm/v1/publish request instead of one request per + package. The target registry has to implement the batch + publish endpoint (pnpr does); registries that don't are + reported with a clear ERR_PNPM_BATCH_PUBLISH_UNSUPPORTED + error. The batch is processed all-or-nothing by pnpr: if any + package in the batch fails validation, none of the packages + are published. + * Patch Changes + - Reject path-traversal and reserved dependency aliases (such ++++ 136 more lines (skipped) ++++ between /work/SRC/openSUSE:Factory/pnpm/pnpm.changes ++++ and /work/SRC/openSUSE:Factory/.pnpm.new.1956/pnpm.changes Old: ---- pnpm-11.6.0.tgz New: ---- pnpm-11.8.0.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pnpm.spec ++++++ --- /var/tmp/diff_new_pack.RDZK6g/_old 2026-06-22 17:30:14.175411297 +0200 +++ /var/tmp/diff_new_pack.RDZK6g/_new 2026-06-22 17:30:14.175411297 +0200 
@@ -23,7 +23,7 @@ %global __nodejs_provides %{nil} %global __nodejs_requires %{nil} Name: pnpm -Version: 11.6.0 +Version: 11.8.0 Release: 0 Summary: Package manager for node.js License: MIT ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.RDZK6g/_old 2026-06-22 17:30:14.207412412 +0200 +++ /var/tmp/diff_new_pack.RDZK6g/_new 2026-06-22 17:30:14.211412551 +0200 @@ -1,6 +1,6 @@ -mtime: 1781226166 -commit: 7c0a18ed5e74768a44c097c4ab2ce3f7049f81343fcaca8793c993bd1f2b8af9 +mtime: 1781954222 +commit: 4d6d5f7b215215ed7bfff96cbf4e216f6958b0bc293c8748a7fe766bfa3fb41f url: https://src.opensuse.org/nodejs/pnpm -revision: 7c0a18ed5e74768a44c097c4ab2ce3f7049f81343fcaca8793c993bd1f2b8af9 +revision: 4d6d5f7b215215ed7bfff96cbf4e216f6958b0bc293c8748a7fe766bfa3fb41f projectscmsync: https://src.opensuse.org/nodejs/_ObsPrj.git ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-20 13:17:02.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ pnpm-11.6.0.tgz -> pnpm-11.8.0.tgz ++++++ ++++ 110968 lines of diff (skipped)
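Review bot: The pnpm.changes hunk carries two security-relevant upstream entries without any distribution-side tracker reference: the 11.8.0 entry `bee4bf4` (configDependencies names and versions taken from pnpm-lock.yaml were used unvalidated to build filesystem paths, so a committed lockfile could make `pnpm install` write outside node_modules/.pnpm-config and the store; upstream cites GHSA-qrv3-253h-g69c) and the first 11.7 Patch Changes entry ("Reject path-traversal and reserved dependency aliases"), whose text is cut off by the 136 skipped lines and so could not be checked in full here. If a bsc#/CVE entry exists for the advisory, cite it beside the GHSA id so the fix is matchable by security tracking (placeholder form: `See GHSA-qrv3-253h-g69c (bsc#<id>)`). Style point in the same hunk: the second release heading reads `- update to 11.7:` while the first reads `- update to 11.8.0:` and the tarball is `pnpm-11.8.0.tgz`; spell out the full version for the 11.7 release so both headings and the spec `Version:` line follow the same form.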
