Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package pnpm for openSUSE:Factory checked in at 2026-07-03 16:04:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/pnpm (Old) and /work/SRC/openSUSE:Factory/.pnpm.new.1982 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "pnpm" Fri Jul 3 16:04:48 2026 rev:60 rq:1363544 version:11.9.0 Changes: -------- --- /work/SRC/openSUSE:Factory/pnpm/pnpm.changes 2026-06-22 17:30:13.327381756 +0200 +++ /work/SRC/openSUSE:Factory/.pnpm.new.1982/pnpm.changes 2026-07-03 16:08:07.175945582 +0200 @@ -1,0 +2,159 @@ +Sun Jun 28 14:58:33 UTC 2026 - Johannes Kastl <[email protected]> + +- update to 11.9.0: + * Minor Changes + - bae694f: Some registries generate tarballs on-demand and + cannot provide an integrity checksum in their package + metadata. In that case pnpm now computes the integrity from + the downloaded tarball and stores it in the lockfile, so the + entry is verifiable on subsequent installs instead of being + written without an integrity (which would fail the next + install). This also applies to --lockfile-only: the tarball + is downloaded so its integrity can be computed. A lockfile + entry that is still missing its integrity is rejected as a + ERR_PNPM_MISSING_TARBALL_INTEGRITY lockfile verification + violation (the install fails closed) rather than being + silently re-fetched. + - 6c35a43: Added --exclude-peers to pnpm sbom. With + auto-install-peers (the default), peer dependencies resolve + into the lockfile and are otherwise indistinguishable from + the package's own dependencies. The flag drops peer + dependencies (and any transitive subtree reachable only + through them) from the SBOM. CycloneDX 1.7 has no scope or + relationship that expresses "consumer-provided peer", so + omission is the only spec-clean handling. The flag name + matches pnpm list --exclude-peers; note the SBOM flag prunes + a peer's exclusive subtree, which is stricter than pnpm list + (which only hides leaf peers). + * Patch Changes + - 25a829e: pnpm audit --fix now writes a single combined + minimumReleaseAgeExclude entry per package (e.g. [email protected] + || 0.21.1) instead of one entry per version, matching the + format documented for the setting. Existing per-version + entries in pnpm-workspace.yaml are merged into the combined + form rather than left as duplicates. Installs that + auto-collect immature versions into minimumReleaseAgeExclude + now report the same combined entries, so the "Added N + entries" message matches what is written to the manifest + #12534. + - 1cbb5f2: Fixed non-deterministic peer resolution that could + add or remove an optional transitive peer — for example + @babel/core, reached through styled-jsx — from a package's + peer-dependency suffix across otherwise identical installs, + churning the lockfile and causing intermittent pnpm dedupe + --check failures in CI. When a package's children are + resolved by one occurrence (the "owner") and reused by a + deeper consumer, whether that consumer inherited the owner's + missing peers depended on whether the owner's resolution had + finished yet — a race under concurrent resolution. The + decision is now a function of the dependency graph's + structure rather than resolution-completion order. + - d577eea: Fixed a Windows flakiness in pnpm dlx where a failed + install could surface a spurious EBUSY: resource busy or + locked error. The cleanup of a partially-populated dlx cache + is now best-effort with retries and no longer masks the + original error. + - ec7cf70: Shortened the pnpm dlx cache path so deep dependency + trees no longer overflow Windows' MAX_PATH, which could make + a dependency's lifecycle script fail with spawn cmd.exe + ENOENT. + - 05b95ab: Fixed pnpm hanging (and crashing with an unhandled + promise rejection) when a non-retryable network error such as + SELF_SIGNED_CERT_IN_CHAIN occurs while fetching from a + registry. The error is now rejected through the returned + promise instead of being thrown inside the detached retry + callback. + - d3f68e2: Fix a pnpm audit performance regression on lockfiles + that contain dependency cycles. The reachable-vulnerability + pruning added in pnpm 11.5.1 only memoized acyclic subtrees, + so any node whose subtree touched a cycle — together with all + of its ancestors — was recomputed on every query, making the + path walk quadratic. Reachability is now computed once per + node using Tarjan's strongly-connected-components algorithm, + so cyclic graphs are handled in linear time #12212. + - The audit path walk also no longer recurses, so a deeply + nested dependency graph can no longer overflow the call + stack, and the install path to each finding is tracked + without per-node copying, keeping memory linear in the graph + depth. + - 322f88f: Fix failed optional dependency updates so they don't + rewrite unrelated dependency specs #11267. + - 1488db1: When enableGlobalVirtualStore is toggled on for a + project that was previously installed without it, stale + hoisted symlinks under node_modules/.pnpm/node_modules are + now replaced instead of being left pointing at the old + per-project virtual store location #9739. + - 6545793: Fixed pnpm install --ignore-workspace overwriting + the allowBuilds map in pnpm-workspace.yaml. The ignored + builds of a package with a build script were auto-populated + into allowBuilds even though --ignore-workspace was passed, + clobbering committed true/false values with the set this to + true or false placeholder #12469. + - fbdc0eb: Fixed minimumReleaseAgeExclude and + trustPolicyExclude so multiple exact-version entries for the + same package behave the same as a single || disjunction + entry. Previously only the first matching rule's versions + were honored, so a config like [[email protected], + [email protected]] could still flag [email protected] as + violating minimumReleaseAge, while [[email protected] || 2.5.6] + worked as expected #12463. + - fa7004b: The in-memory package metadata cache is now + populated on the exact-version disk fast path, so repeated + resolutions of the same package within one install no longer + re-read and re-parse the on-disk metadata. In large monorepos + this brings the time for adding a new package down from + minutes to seconds. The in-memory cache key now also includes + the registry, so a package of the same name served by two + different registries in a single install can no longer share + a cache slot and resolve the wrong tarball. + - 0a154b1: Fixed pnpm patch dropping the package name (and + leaking internal option fields) when the patched dependency + resolves to a single git-hosted version. + - 4d3fe4b: The pnpr resolver endpoints moved under the reserved + /-/pnpr namespace: POST /v1/resolve is now POST + /-/pnpr/v0/resolve and POST /v1/verify-lockfile is now POST + /-/pnpr/v0/verify-lockfile. The capability handshake at GET + /-/pnpr advertises protocol version 0 to match. This keeps + every pnpr-proprietary route in npm's reserved namespace, so + it can never collide with a package path. + - 0ec878d: Removing a runtime dependency now removes the + matching devEngines.runtime or engines.runtime entry that was + materialized from it. Blank runtime selectors are normalized + to latest. + - 17e7f2c: pnpm sbom now emits a CycloneDX issue-tracker + external reference for components (and the root) whose + package.json declares a bugs URL. Email-only bugs entries are + skipped, since the reference requires a URL. + - a84d2a1: Add @pnpm/resolving.tarball-url, which builds and + recognizes the canonical npm tarball URL of a package. It + vendors getNpmTarballUrl (previously the external + get-npm-tarball-url package) and adds + isCanonicalRegistryTarballUrl, the predicate the lockfile + writer uses to decide whether a tarball URL is derivable from + name+version+registry (and can therefore be omitted from + pnpm-lock.yaml). + - Exposing isCanonicalRegistryTarballUrl lets a custom resolver + (pnpmfile resolvers) fronting a proxy that serves tarballs on + a non-canonical path (e.g. an ephemeral localhost:<port>) + rewrite the resolved tarball to the canonical form, so + nothing host-specific is persisted to the lockfile. + Previously this logic was private to @pnpm/lockfile.utils. + - Two correctness fixes are included while consolidating the + logic: the scoped-package unescape now handles uppercase %2F + as well as %2f (percent-encoding is case-insensitive), and + protocol-insensitive comparison strips only a leading + http(s):// scheme instead of splitting on the first :// + (which could truncate URLs containing a later ://). + - 852d537: Lockfile verification no longer reports a registry + metadata fetch failure (for example a 403/401 on a private + registry, or a network error) as + ERR_PNPM_TARBALL_URL_MISMATCH. When the registry can't be + reached to verify an entry, the install now aborts with the + registry's own fetch error (such as ERR_PNPM_FETCH_403, which + already explains the authentication situation) instead of + mislabeling a transport failure as lockfile tampering. + Registry fetch errors no longer leak basic-auth credentials + embedded in the registry URL (https://user:pass@host/) into + their message. + +------------------------------------------------------------------- Old: ---- pnpm-11.8.0.tgz New: ---- pnpm-11.9.0.tgz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ pnpm.spec ++++++ --- /var/tmp/diff_new_pack.VG7ZwL/_old 2026-07-03 16:08:08.599995218 +0200 +++ /var/tmp/diff_new_pack.VG7ZwL/_new 2026-07-03 16:08:08.599995218 +0200 @@ -23,7 +23,7 @@ %global __nodejs_provides %{nil} %global __nodejs_requires %{nil} Name: pnpm -Version: 11.8.0 +Version: 11.9.0 Release: 0 Summary: Package manager for node.js License: MIT ++++++ _scmsync.obsinfo ++++++ --- /var/tmp/diff_new_pack.VG7ZwL/_old 2026-07-03 16:08:08.647996891 +0200 +++ /var/tmp/diff_new_pack.VG7ZwL/_new 2026-07-03 16:08:08.655997170 +0200 @@ -1,6 +1,6 @@ -mtime: 1781954222 -commit: 4d6d5f7b215215ed7bfff96cbf4e216f6958b0bc293c8748a7fe766bfa3fb41f +mtime: 1782658772 +commit: be4992ed368e74d0bbb22a50ffd090451a9801e7dc73f848da63eedbad04100c url: https://src.opensuse.org/nodejs/pnpm -revision: 4d6d5f7b215215ed7bfff96cbf4e216f6958b0bc293c8748a7fe766bfa3fb41f +revision: be4992ed368e74d0bbb22a50ffd090451a9801e7dc73f848da63eedbad04100c projectscmsync: https://src.opensuse.org/nodejs/_ObsPrj.git ++++++ build.specials.obscpio ++++++ ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2026-06-28 16:59:32.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ pnpm-11.8.0.tgz -> pnpm-11.9.0.tgz ++++++ ++++ 58298 lines of diff (skipped)
