Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package pnpm for openSUSE:Factory checked in 
at 2026-07-03 16:04:48
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/pnpm (Old)
 and      /work/SRC/openSUSE:Factory/.pnpm.new.1982 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "pnpm"

Fri Jul  3 16:04:48 2026 rev:60 rq:1363544 version:11.9.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/pnpm/pnpm.changes        2026-06-22 
17:30:13.327381756 +0200
+++ /work/SRC/openSUSE:Factory/.pnpm.new.1982/pnpm.changes      2026-07-03 
16:08:07.175945582 +0200
@@ -1,0 +2,159 @@
+Sun Jun 28 14:58:33 UTC 2026 - Johannes Kastl 
<[email protected]>
+
+- update to 11.9.0:
+  * Minor Changes
+    - bae694f: Some registries generate tarballs on-demand and
+      cannot provide an integrity checksum in their package
+      metadata. In that case pnpm now computes the integrity from
+      the downloaded tarball and stores it in the lockfile, so the
+      entry is verifiable on subsequent installs instead of being
+      written without an integrity (which would fail the next
+      install). This also applies to --lockfile-only: the tarball
+      is downloaded so its integrity can be computed. A lockfile
+      entry that is still missing its integrity is rejected as a
+      ERR_PNPM_MISSING_TARBALL_INTEGRITY lockfile verification
+      violation (the install fails closed) rather than being
+      silently re-fetched.
+    - 6c35a43: Added --exclude-peers to pnpm sbom. With
+      auto-install-peers (the default), peer dependencies resolve
+      into the lockfile and are otherwise indistinguishable from
+      the package's own dependencies. The flag drops peer
+      dependencies (and any transitive subtree reachable only
+      through them) from the SBOM. CycloneDX 1.7 has no scope or
+      relationship that expresses "consumer-provided peer", so
+      omission is the only spec-clean handling. The flag name
+      matches pnpm list --exclude-peers; note the SBOM flag prunes
+      a peer's exclusive subtree, which is stricter than pnpm list
+      (which only hides leaf peers).
+  * Patch Changes
+    - 25a829e: pnpm audit --fix now writes a single combined
+      minimumReleaseAgeExclude entry per package (e.g. [email protected]
+      || 0.21.1) instead of one entry per version, matching the
+      format documented for the setting. Existing per-version
+      entries in pnpm-workspace.yaml are merged into the combined
+      form rather than left as duplicates. Installs that
+      auto-collect immature versions into minimumReleaseAgeExclude
+      now report the same combined entries, so the "Added N
+      entries" message matches what is written to the manifest
+      #12534.
+    - 1cbb5f2: Fixed non-deterministic peer resolution that could
+      add or remove an optional transitive peer — for example
+      @babel/core, reached through styled-jsx — from a package's
+      peer-dependency suffix across otherwise identical installs,
+      churning the lockfile and causing intermittent pnpm dedupe
+      --check failures in CI. When a package's children are
+      resolved by one occurrence (the "owner") and reused by a
+      deeper consumer, whether that consumer inherited the owner's
+      missing peers depended on whether the owner's resolution had
+      finished yet — a race under concurrent resolution. The
+      decision is now a function of the dependency graph's
+      structure rather than resolution-completion order.
+    - d577eea: Fixed a Windows flakiness in pnpm dlx where a failed
+      install could surface a spurious EBUSY: resource busy or
+      locked error. The cleanup of a partially-populated dlx cache
+      is now best-effort with retries and no longer masks the
+      original error.
+    - ec7cf70: Shortened the pnpm dlx cache path so deep dependency
+      trees no longer overflow Windows' MAX_PATH, which could make
+      a dependency's lifecycle script fail with spawn cmd.exe
+      ENOENT.
+    - 05b95ab: Fixed pnpm hanging (and crashing with an unhandled
+      promise rejection) when a non-retryable network error such as
+      SELF_SIGNED_CERT_IN_CHAIN occurs while fetching from a
+      registry. The error is now rejected through the returned
+      promise instead of being thrown inside the detached retry
+      callback.
+    - d3f68e2: Fix a pnpm audit performance regression on lockfiles
+      that contain dependency cycles. The reachable-vulnerability
+      pruning added in pnpm 11.5.1 only memoized acyclic subtrees,
+      so any node whose subtree touched a cycle — together with all
+      of its ancestors — was recomputed on every query, making the
+      path walk quadratic. Reachability is now computed once per
+      node using Tarjan's strongly-connected-components algorithm,
+      so cyclic graphs are handled in linear time #12212.
+    - The audit path walk also no longer recurses, so a deeply
+      nested dependency graph can no longer overflow the call
+      stack, and the install path to each finding is tracked
+      without per-node copying, keeping memory linear in the graph
+      depth.
+    - 322f88f: Fix failed optional dependency updates so they don't
+      rewrite unrelated dependency specs #11267.
+    - 1488db1: When enableGlobalVirtualStore is toggled on for a
+      project that was previously installed without it, stale
+      hoisted symlinks under node_modules/.pnpm/node_modules are
+      now replaced instead of being left pointing at the old
+      per-project virtual store location #9739.
+    - 6545793: Fixed pnpm install --ignore-workspace overwriting
+      the allowBuilds map in pnpm-workspace.yaml. The ignored
+      builds of a package with a build script were auto-populated
+      into allowBuilds even though --ignore-workspace was passed,
+      clobbering committed true/false values with the set this to
+      true or false placeholder #12469.
+    - fbdc0eb: Fixed minimumReleaseAgeExclude and
+      trustPolicyExclude so multiple exact-version entries for the
+      same package behave the same as a single || disjunction
+      entry. Previously only the first matching rule's versions
+      were honored, so a config like [[email protected],
+      [email protected]] could still flag [email protected] as
+      violating minimumReleaseAge, while [[email protected] || 2.5.6]
+      worked as expected #12463.
+    - fa7004b: The in-memory package metadata cache is now
+      populated on the exact-version disk fast path, so repeated
+      resolutions of the same package within one install no longer
+      re-read and re-parse the on-disk metadata. In large monorepos
+      this brings the time for adding a new package down from
+      minutes to seconds. The in-memory cache key now also includes
+      the registry, so a package of the same name served by two
+      different registries in a single install can no longer share
+      a cache slot and resolve the wrong tarball.
+    - 0a154b1: Fixed pnpm patch dropping the package name (and
+      leaking internal option fields) when the patched dependency
+      resolves to a single git-hosted version.
+    - 4d3fe4b: The pnpr resolver endpoints moved under the reserved
+      /-/pnpr namespace: POST /v1/resolve is now POST
+      /-/pnpr/v0/resolve and POST /v1/verify-lockfile is now POST
+      /-/pnpr/v0/verify-lockfile. The capability handshake at GET
+      /-/pnpr advertises protocol version 0 to match. This keeps
+      every pnpr-proprietary route in npm's reserved namespace, so
+      it can never collide with a package path.
+    - 0ec878d: Removing a runtime dependency now removes the
+      matching devEngines.runtime or engines.runtime entry that was
+      materialized from it. Blank runtime selectors are normalized
+      to latest.
+    - 17e7f2c: pnpm sbom now emits a CycloneDX issue-tracker
+      external reference for components (and the root) whose
+      package.json declares a bugs URL. Email-only bugs entries are
+      skipped, since the reference requires a URL.
+    - a84d2a1: Add @pnpm/resolving.tarball-url, which builds and
+      recognizes the canonical npm tarball URL of a package. It
+      vendors getNpmTarballUrl (previously the external
+      get-npm-tarball-url package) and adds
+      isCanonicalRegistryTarballUrl, the predicate the lockfile
+      writer uses to decide whether a tarball URL is derivable from
+      name+version+registry (and can therefore be omitted from
+      pnpm-lock.yaml).
+    - Exposing isCanonicalRegistryTarballUrl lets a custom resolver
+      (pnpmfile resolvers) fronting a proxy that serves tarballs on
+      a non-canonical path (e.g. an ephemeral localhost:<port>)
+      rewrite the resolved tarball to the canonical form, so
+      nothing host-specific is persisted to the lockfile.
+      Previously this logic was private to @pnpm/lockfile.utils.
+    - Two correctness fixes are included while consolidating the
+      logic: the scoped-package unescape now handles uppercase %2F
+      as well as %2f (percent-encoding is case-insensitive), and
+      protocol-insensitive comparison strips only a leading
+      http(s):// scheme instead of splitting on the first ://
+      (which could truncate URLs containing a later ://).
+    - 852d537: Lockfile verification no longer reports a registry
+      metadata fetch failure (for example a 403/401 on a private
+      registry, or a network error) as
+      ERR_PNPM_TARBALL_URL_MISMATCH. When the registry can't be
+      reached to verify an entry, the install now aborts with the
+      registry's own fetch error (such as ERR_PNPM_FETCH_403, which
+      already explains the authentication situation) instead of
+      mislabeling a transport failure as lockfile tampering.
+      Registry fetch errors no longer leak basic-auth credentials
+      embedded in the registry URL (https://user:pass@host/) into
+      their message.
+
+-------------------------------------------------------------------

Old:
----
  pnpm-11.8.0.tgz

New:
----
  pnpm-11.9.0.tgz

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pnpm.spec ++++++
--- /var/tmp/diff_new_pack.VG7ZwL/_old  2026-07-03 16:08:08.599995218 +0200
+++ /var/tmp/diff_new_pack.VG7ZwL/_new  2026-07-03 16:08:08.599995218 +0200
@@ -23,7 +23,7 @@
 %global __nodejs_provides %{nil}
 %global __nodejs_requires %{nil}
 Name:           pnpm
-Version:        11.8.0
+Version:        11.9.0
 Release:        0
 Summary:        Package manager for node.js
 License:        MIT

++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.VG7ZwL/_old  2026-07-03 16:08:08.647996891 +0200
+++ /var/tmp/diff_new_pack.VG7ZwL/_new  2026-07-03 16:08:08.655997170 +0200
@@ -1,6 +1,6 @@
-mtime: 1781954222
-commit: 4d6d5f7b215215ed7bfff96cbf4e216f6958b0bc293c8748a7fe766bfa3fb41f
+mtime: 1782658772
+commit: be4992ed368e74d0bbb22a50ffd090451a9801e7dc73f848da63eedbad04100c
 url: https://src.opensuse.org/nodejs/pnpm
-revision: 4d6d5f7b215215ed7bfff96cbf4e216f6958b0bc293c8748a7fe766bfa3fb41f
+revision: be4992ed368e74d0bbb22a50ffd090451a9801e7dc73f848da63eedbad04100c
 projectscmsync: https://src.opensuse.org/nodejs/_ObsPrj.git
 

++++++ build.specials.obscpio ++++++

++++++ build.specials.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' 
'--exclude=.svnignore' old/.gitignore new/.gitignore
--- old/.gitignore      1970-01-01 01:00:00.000000000 +0100
+++ new/.gitignore      2026-06-28 16:59:32.000000000 +0200
@@ -0,0 +1 @@
+.osc

++++++ pnpm-11.8.0.tgz -> pnpm-11.9.0.tgz ++++++
++++ 58298 lines of diff (skipped)

Reply via email to