Skip to content

chore(deps): update pnpm to v8.8.0

Renovate Bot requested to merge renovate/pnpm-8.x into develop

This MR contains the following updates:

Package Change Age Adoption Passing Confidence
pnpm (source) 8.3.1 -> 8.8.0 age adoption passing confidence

Release Notes

pnpm/pnpm

v8.8.0

Compare Source

Minor Changes

  • Add --reporter-hide-prefix option for run command to hide project name as prefix for lifecycle log outputs of running scripts #​7061.

Patch Changes

  • Pass through the --ignore-scripts command to install, when running pnpm dedupe --ignore-scripts #​7102.
  • Throw meaningful error for config sub commands#​7106.
  • When the node-linker is set to hoisted, the package.json files of the existing dependencies inside node_modules will be checked to verify their actual versions. The data in the node_modules/.modules.yaml and node_modules/.pnpm/lock.yaml may not be fully reliable, as an installation may fail after changes to dependencies were made but before those state files were updated #​7107.
  • Don't update git-hosted dependencies when adding an unrelated dependency #​7008.

Our Gold Sponsors

Our Silver Sponsors

v8.7.6

Compare Source

Patch Changes

  • Don't run the prepublishOnly scripts of git-hosted dependencies #​7026.
  • Fix a bug in which use-node-version or node-version isn't passed down to checkEngine when using pnpm workspace, resulting in an error #​6981.
  • Don't print out each deprecated subdependency separately with its deprecation message. Just print out a summary of all the deprecated subdependencies #​6707.
  • Fixed an ENOENT error that was sometimes happening during install with "hoisted" node_modules #​6756.

Our Gold Sponsors

Our Silver Sponsors

v8.7.5

Compare Source

Patch Changes

  • Improve performance of installation by using a worker for creating the symlinks inside node_modules/.pnpm #​7069.
  • Tarballs that have hard links are now unpacked successfully. This fixes a regression introduced in v8.7.0, which was shipped with our new in-house tarball parser #​7062.

Our Gold Sponsors

Our Silver Sponsors

v8.7.4

Compare Source

Patch Changes

  • Fix a bug causing the pnpm server to hang if a tarball worker was requested while another worker was exiting #​7041.
  • Fixes a regression published with pnpm v8.7.3. Don't hang while reading package.json from the content-addressable store #​7051.
  • Allow create scoped package with preferred version. #​7053
  • Reverting a change shipped in v8.7 that caused issues with the pnpm deploy command and "injected dependencies" #​6943.

Our Gold Sponsors

Our Silver Sponsors

v8.7.3

Compare Source

Patch Changes

  • Fix a bug causing errors to be printed as "Cannot read properties of undefined (reading 'code')" instead of the underlying reason when using the pnpm store server #​7032

Our Gold Sponsors

Our Silver Sponsors

v8.7.2

Compare Source

v8.7.1

Compare Source

Patch Changes

  • Fixed an issue with extracting some old versions of tarballs #​6991.
  • Side-effects cache will now be leveraged when running install in a workspace that uses dedicated lockfiles for each project #​6890.
  • Reduce concurrency in the pnpm -r publish command #​6968.
  • Improved the pnpm update --interactive output by grouping dependencies by type. Additionally, a new column has been added with links to the documentation for outdated packages #​6978.

Our Gold Sponsors

Our Silver Sponsors

v8.7.0

Compare Source

Minor Changes

  • Improve performance of installation by using a worker pool for extracting packages and writing them to the content-addressable store #​6850
  • The default value of the resolution-mode setting is changed to highest. This setting was changed to lowest-direct in v8.0.0 and some users were not happy with the change. A twitter poll concluded that most of the users want the old behaviour (resolution-mode set to highest by default). This is a semi-breaking change but should not affect users that commit their lockfile #​6463.

Patch Changes

  • Warn when linking a package with peerDependencies #​615.
  • Add support for npm lockfile v3 in pnpm import #​6233.
  • Override peerDependencies in pnpm.overrides #​6759.
  • Respect workspace alias syntax in pkg graph #​6922
  • Emit a clear error message when users attempt to specify an undownloadable node version #​6916.
  • pnpm patch should write patch files with a trailing newline #​6905.
  • Dedupe deps with the same alias in direct dependencies 6966
  • Don't prefix install output for the dlx command.
  • Performance optimizations. Package tarballs are now download directly to memory and built to an ArrayBuffer. Hashing and other operations are avoided until the stream has been fully received #​6819.

Our Gold Sponsors

Our Silver Sponsors

v8.6.12

Compare Source

Patch Changes

  • Make the error message friendlier when a user attempts to run a command that does not exist #​6887.
  • pnpm patch should work correctly when shared-workspace-file is set to false #​6885.
  • pnpm env use should retry deleting the previous Node.js executable #​6587.
  • pnpm dlx should not print an error stack when the underlying script execution fails #​6698.
  • When showing the download progress of large tarball files, always display the same number of digits after the decimal point #​6901.
  • Report download progress less frequently to improve performance #​6906.
  • pnpm install --frozen-lockfile --lockfile-only should fail if the lockfile is not up to date with the package.json files #​6913.

Our Gold Sponsors

Our Silver Sponsors

v8.6.11

Compare Source

Patch Changes

  • Change the install error message when a lockfile is wanted but absent to indicate the wanted lockfile is absent, not present. This now reflects the actual error #​6851.
  • When dealing with a local dependency that is a path to a symlink, a new symlink should be created to the original symlink, not to the actual directory location.
  • The length of the temporary file names in the content-addressable store reduced in order to prevent ENAMETOOLONG errors from happening #​6842.
  • Don't print "added" stats, when installing with --lockfile-only.
  • Installation of a git-hosted dependency should not fail if the pnpm-lock.yaml file of the installed dependency is not up-to-date #​6865.
  • Don't ignore empty strings in params #​6594.
  • Always set dedupe-peer-dependents to false, when running installation during deploy #​6858.
  • When several containers use the same store simultaneously, there's a chance that multiple containers may create a temporary file at the same time. In such scenarios, pnpm could fail to rename the temporary file in one of the containers. This issue has been addressed: pnpm will no longer fail if the temporary file is absent but the destination file exists.
  • Authorization token should be found in the configuration, when the requested URL is explicitly specified with a default port (443 on HTTPS or 80 on HTTP) #​6863.

Our Gold Sponsors

Our Silver Sponsors

v8.6.10

Compare Source

Patch Changes

  • Installation succeeds if a non-optional dependency of an optional dependency has failing installation scripts #​6822.
  • The length of the temporary file names in the content-addressable store reduced in order to prevent ENAMETOOLONG errors from happening #​6842.
  • Ignore empty patch content when patch-commit.
  • Sort keys in packageExtensions before calculating packageExtensionsChecksum #​6824.
  • Pass the right scheme to git ls-remote in order to prevent a fallback to git+ssh that would result in a 'host key verification failed' issue #​6806
  • The "postpublish" script of a git-hosted dependency is not executed, while building the dependency #​6822.

Our Gold Sponsors

Our Silver Sponsors

v8.6.9

Compare Source

Patch Changes

  • Temporarily revert the fix to #​6805 to fix the regression it caused #​6827.

Our Gold Sponsors

Our Silver Sponsors

v8.6.8

Compare Source

Patch Changes

  • When the same file is appended multiple times into a tarball, the last occurrence is selected when unpacking the tarball.
  • Fixed a bug in which pnpm passed the wrong scheme to git ls-remote, causing a fallback to git+ssh and resulting in a 'host key verification failed' issue #​6805.
  • Added support for publishConfig.registry in package.json for publishing #​6775.
  • pnpm rebuild now uploads the built artifacts to the content-addressable store.
  • If a command cannot be created in .bin, the exact error message is now displayed.
  • Treat linked dependencies with a tag version type as up-to-date #​6592.
  • pnpm setup now prints more details when it cannot detect the active shell.

Our Gold Sponsors

Our Silver Sponsors

v8.6.7

Compare Source

Patch Changes

  • Ensure consistent output for scripts executed concurrently, both within a single project and across multiple projects. Each script's output will now be printed in a separate section of the terminal, when running multiple scripts in a single project using regex #​6692.
  • The --parallel CLI flag should work on single project #​6692.
  • Optimizing project manifest normalization, reducing amoung of data copying #​6763.
  • Move loading wantedLockfile outside dependenciesHierarchyForPackage, preventing OOM crash when loading the same lock file too many times #​6757.
  • Replace ineffective use of ramda difference with better alternative #​6760.

Our Gold Sponsors

Our Silver Sponsors

v8.6.6

Compare Source

Patch Changes

  • Installation of a git-hosted dependency without package.json should not fail, when the dependency is read from cache #​6721.
  • Local workspace bin files that should be compiled first are linked to dependent projects after compilation #​1801.
  • Prefer versions found in parent package dependencies only #​6737.
  • Multiple performance optimizations implemented by @​zxbodya:
    • avoid copying preferredVersions object #​6735
    • avoid object copy in resolvePeersOfNode #​6736
    • preferredVersions in resolveDependenciesOfImporters #​6748
    • remove ramda isEmpty usages #​6753
    • use Maps and Sets instead of objects #​6749
    • optimize splitNodeId, fix invalid nodeId #​6755

Our Gold Sponsors

Our Silver Sponsors

v8.6.5

Compare Source

Patch Changes

  • Improve the performance of searching for auth tokens #​6717.

Our Gold Sponsors

Our Silver Sponsors

v8.6.4

Compare Source

Patch Changes

  • In cases where both aliased and non-aliased dependencies exist to the same package, non-aliased dependencies will be used for resolving peer dependencies, addressing issue #​6588.
  • Ignore the port in the URL, while searching for authentication token in the .npmrc file #​6354.
  • Don't add the version of a local directory dependency to the lockfile. This information is not used anywhere by pnpm and is only causing more Git conflicts #​6695.

Our Gold Sponsors

Our Silver Sponsors

v8.6.3

Compare Source

Patch Changes

  • When running a script in multiple projects, the script outputs should preserve colours #​2148.
  • Don't crash when the APPDATA env variable is not set on Windows #​6659.
  • Don't fail when a package is archived in a tarball with malformed tar headers #​5362.
  • Peer dependencies of subdependencies should be installed, when node-linker is set to hoisted #​6680.
  • Throw a meaningful error when applying a patch to a dependency fails.
  • pnpm update --global --latest should work #​3779.
  • pnpm license ls should work even when there is a patched git protocol dependency #​6595

Our Gold Sponsors

Our Silver Sponsors

v8.6.2

Compare Source

Patch Changes

  • Change lockfile version back to 6.0 as previous versions of pnpm fail to parse the version correctly #​6648
  • When patching a dependency, only consider files specified in the 'files' field of its package.json. Ignore all others #​6565
  • Should always treat local file dependency as new dependency #​5381
  • Output a warning message when "pnpm" or "resolutions" are configured in a non-root workspace project #​6636

Our Gold Sponsors

Our Silver Sponsors

v8.6.1

Compare Source

Patch Changes

  • When dedupe-peer-dependents is enabled (default), use the path (not id) to determine compatibility.

    When multiple dependency groups can be deduplicated, the latter ones are sorted according to number of peers to allow them to benefit from deduplication.

    Resolves: #​6605

  • Some minor performance improvements by removing await from loops #​6617.

Our Gold Sponsors

Our Silver Sponsors

v8.6.0

Compare Source

Minor Changes

  • Some settings influence the structure of the lockfile, so we cannot reuse the lockfile if those settings change. As a result, we need to store such settings in the lockfile. This way we will know with which settings the lockfile has been created.

    A new field will now be present in the lockfile: settings. It will store the values of two settings: autoInstallPeers and excludeLinksFromLockfile. If someone tries to perform a frozen-lockfile installation and their active settings don't match the ones in the lockfile, then an error message will be thrown.

    The lockfile format version is bumped from v6.0 to v6.1.

    Related MR: #​6557 Related issue: #​6312

  • A new setting, exclude-links-from-lockfile, is now supported. When enabled, specifiers of local linked dependencies won't be duplicated in the lockfile.

    This setting was primarily added for use by Bit CLI, which links core aspects to node_modules from external directories. As such, the locations may vary across different machines, resulting in the generation of lockfiles with differing locations.

Patch Changes

  • Don't print "Lockfile is up-to-date" message before finishing all the lockfile checks #​6544.
  • When updating dependencies, preserve the range prefix in aliased dependencies. So npm:[email protected] becomes npm:[email protected].
  • Print a meaningful error when a project referenced by the workspace: protocol is not found in the workspace #​4477.
  • pnpm rebuild should not fail when node-linker is set to hoisted and there are skipped optional dependencies #​6553.
  • Peers resolution should not fail when a linked in dependency resolves a peer dependency.
  • Build projects in a workspace in correct order #​6568.

Our Gold Sponsors

Our Silver Sponsors

v8.5.1

Compare Source

Patch Changes

  • Expanded missing command error, including 'did you mean' #​6492.
  • When installation fails because the lockfile is not up-to-date with the package.json file(s), print out what are the differences #​6536.
  • Normalize current working directory on Windows #​6524.

Our Gold Sponsors

Our Silver Sponsors

v8.5.0

Compare Source

Minor Changes

  • pnpm patch-remove command added #​6521.

Patch Changes

  • pnpm link -g <pkg-name> should not modify the package.json file #​4341.
  • The deploy command should not ask for confirmation to purge the node_modules directory #​6510.
  • Show cyclic workspace dependency details #​5059.
  • Node.js range specified through the engines field should match prerelease versions #​6509.

Our Gold Sponsors

Our Silver Sponsors

v8.4.0

Compare Source

Minor Changes

  • pnpm publish supports the --provenance CLI option #​6435.

Patch Changes

  • Link the bin files of local workspace dependencies, when node-linker is set to hoisted 6486.
  • Ask the user to confirm the removal of node_modules directory unless the --force option is passed.
  • Do not create a node_modules folder with a .modules.yaml file if there are no dependencies inside node_modules.

Our Gold Sponsors

Our Silver Sponsors

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this MR and you won't be reminded about this update again.

  • If you want to rebase/retry this MR, check this box

This MR has been generated by Renovate Bot.

Edited by Renovate Bot

Merge request reports